Ortelius Blog

Topics include Supply Chain Security, Vulnerability Management, Neat Tricks, and Contributor insights.

How to Bake an Ortelius Pi Part 5 | Ortelius Marries Jenkins

Introduction

In part 4 we configured a certificate for our domain using Cloudflare, LetsEncrypt and Traefik.

In part 5 we will deploy Jenkins on our Kubernetes cluster and configure integration with Ortelius and Github. We will then build a demo application and have Ortelius create a component, record an SBOM and Discord will receive a notification to give developers feedback on the state of the build.

Jenkins

Jenkins is an open-source automation server that helps developers build, test, and deploy their software reliably and efficiently. It’s widely known for its role in continuous integration (CI) and continuous delivery (CD), allowing teams to automate tasks, improve workflows, and streamline software development pipelines.

Below we can see a typical architecture that you might find in the wild.

Connecting a Jenkins master and agent involves setting up the Jenkins master server to distribute tasks to agents for execution. Jenkins agents help offload work from the master, allowing for parallel execution of jobs, and can be set up to handle specific tasks such as building on different platforms or environments. You can either use SSH, Java Web Start (JNLP), or a custom agent setup for communication.

Gimlet GitOps Infrastructure

Deploy Jenkins

Right lets get stuck in and deploy Jenkins using Gimlet, Fluxcd, Helm and a sprig of GitOps. Just before we start I can thoroughly recommend this course to start your journey with becoming Jenkins savvy Jenkins Course (Zero To Production Ready)

  • Kubectl quick reference guide here
  • Helm cheat sheet here
  • Jenkins on Github here
  • Jenkins docs here
  • Jenkins Helm Chart on ArtifactHub here
  • Jenkins Plugins here

Plugins

Jenkins plugins are add-ons that extend the core functionality of Jenkins. Plugins allow Jenkins to integrate with various tools, languages, and services that you may use in your development pipeline. Plugins can be added through the GUI without being affected by Fluxcd’s drift detection.

Helm-Repository | Jenkins

  • Lets add the Jenkins Helm repository
  • A Helm repository is a collection of Helm charts that are made available for download and installation
  • Helm repositories serve as centralised locations where Helm charts can be stored, shared, and managed
  • Create a file called jenkins.yaml in the helm-repositories directory and paste the following YAML
--- apiVersion: source.toolkit.fluxcd.io/v1beta1 kind: HelmRepository metadata: name: jenkins namespace: infrastructure spec: interval: 60m url: https://charts.jenkins.io

Helm-Release | Jenkins

  • Lets create a Helm release for Jenkins
  • A Helm release is an instance of a Helm chart running in a Kubernetes cluster
  • Each release is a deployment of a particular version of a chart with a specific configuration
  • Create a file called jenkins.yaml in the helm-releases directory and paste the following YAML

Helm Chart Configuration Highlights

# -- Ingress annotations annotations: kubernetes.io/ingress.class: traefik # Only change this if you are not using Traefik # kubernetes.io/tls-acme: "true" # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress # ingressClassName: nginx # Set this path to jenkinsUriPrefix above or use annotations to rewrite path # -- Ingress path path: # configures the hostname e.g. jenkins.example.com # -- Ingress hostname hostName: jenkins.pangarabbit.com # Update this to your domain name ##RECOMMENDED## ########################################################################################################################## # If your CSI NFS Kubernetes driver is setup correctly and you enabled persistence in the Helm Chart your Jenkins server # # configuration files will be stored on your NFS server thus preserving your Jenkins configuration # ########################################################################################################################## persistence: # -- Enable the use of a Jenkins PVC enabled: true # A manually managed Persistent Volume and Claim # Requires persistence.enabled: true # If defined, PVC must be created manually before volume will be bound # -- Provide the name of a PVC existingClaim: # jenkins data Persistent Volume Storage Class # If defined, storageClassName: <storageClass> # If set to "-", storageClassName: "", which disables dynamic provisioning # If undefined (the default) or set to null, no storageClassName spec is # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS & OpenStack) # -- Storage class for the PVC storageClass: nfs-csi-jenkins # Replace with your storage class # -- Annotations for the PVC
--- apiVersion: helm.toolkit.fluxcd.io/v2beta2 kind: HelmRelease metadata: name: jenkins namespace: infrastructure spec: interval: 60m releaseName: jenkins chart: spec: chart: jenkins version: v5.5.14 # Simply change the version to upgrade sourceRef: kind: HelmRepository name: jenkins interval: 10m values: # Default values for jenkins. # This is a YAML-formatted file. # Declare name/value pairs to be passed into your templates. # name: value ## Overrides for generated resource names # See templates/_helpers.tpl # -- Override the resource name prefix # @default -- `Chart.Name` nameOverride: # -- Override the full resource names # @default -- `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins` fullnameOverride: # -- Override the deployment namespace # @default -- `Release.Namespace` namespaceOverride: # For FQDN resolving of the controller service. Change this value to match your existing configuration. # ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md # -- Override the cluster name for FQDN resolving clusterZone: "cluster.local" # -- The URL of the Kubernetes API server kubernetesURL: "https://kubernetes.default" # -- The Jenkins credentials to access the Kubernetes API server. For the default cluster it is not needed. credentialsId: # -- Enables rendering of the helm.sh/chart label to the annotations renderHelmLabels: true controller: # -- Used for label app.kubernetes.io/component componentName: "jenkins-controller" image: # -- Controller image registry registry: "docker.io" # -- Controller image repository repository: "jenkins/jenkins" # -- Controller image tag override; i.e., tag: "2.440.1-jdk17" tag: # -- Controller image tag label tagLabel: jdk17 # -- Controller image pull policy pullPolicy: "Always" # -- Controller image pull secret imagePullSecretName: # -- Lifecycle specification for controller-container lifecycle: {} # postStart: # exec: # command: # - "uname" # - "-a" # -- Disable use of remember me disableRememberMe: false # -- Set Number of executors numExecutors: 0 # -- Sets the executor mode of the Jenkins node. Possible values are "NORMAL" or "EXCLUSIVE" executorMode: "NORMAL" # -- Append Jenkins labels to the controller customJenkinsLabels: [] hostNetworking: false # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist. # If you disable the non-Jenkins identity store and instead use the Jenkins internal one, # you should revert controller.admin.username to your preferred admin user: admin: # -- Admin username created as a secret if `controller.admin.createSecret` is true username: "admin" # -- Admin password created as a secret if `controller.admin.createSecret` is true # @default -- <random password> password: # -- The key in the existing admin secret containing the username userKey: jenkins-admin-user # -- The key in the existing admin secret containing the password passwordKey: jenkins-admin-password # The default configuration uses this secret to configure an admin user # If you don't need that user or use a different security realm, then you can disable it # -- Create secret for admin user createSecret: true # -- The name of an existing secret containing the admin credentials existingSecret: "" # -- Email address for the administrator of the Jenkins instance jenkinsAdminEmail: # This value should not be changed unless you use your custom image of jenkins or any derived from. # If you want to use Cloudbees Jenkins Distribution docker, you should set jenkinsHome: "/var/cloudbees-jenkins-distribution" # -- Custom Jenkins home path jenkinsHome: "/var/jenkins_home" # This value should not be changed unless you use your custom image of jenkins or any derived from. # If you want to use Cloudbees Jenkins Distribution docker, you should set jenkinsRef: "/usr/share/cloudbees-jenkins-distribution/ref" # -- Custom Jenkins reference path jenkinsRef: "/usr/share/jenkins/ref" # Path to the jenkins war file which is used by jenkins-plugin-cli. jenkinsWar: "/usr/share/jenkins/jenkins.war" # Override the default arguments passed to the war # overrideArgs: # - --httpPort=8080 # -- Resource allocation (Requests and Limits) resources: requests: cpu: "50m" memory: "256Mi" limits: cpu: "2000m" memory: "4096Mi" # Share process namespace to allow sidecar containers to interact with processes in other containers in the same pod shareProcessNamespace: true # Overrides the init container default values # -- Resources allocation (Requests and Limits) for Init Container initContainerResources: {} # initContainerResources: # requests: # cpu: "50m" # memory: "256Mi" # limits: # cpu: "2000m" # memory: "4096Mi" # -- Environment variable sources for Init Container initContainerEnvFrom: [] # useful for i.e., http_proxy # -- Environment variables for Init Container initContainerEnv: [] # initContainerEnv: # - name: http_proxy # value: "http://192.168.64.1:3128" # -- Environment variable sources for Jenkins Container containerEnvFrom: [] # -- Environment variables for Jenkins Container containerEnv: [] # - name: http_proxy # value: "http://192.168.64.1:3128" # Set min/max heap here if needed with "-Xms512m -Xmx512m" # -- Append to `JAVA_OPTS` env var javaOpts: # -- Append to `JENKINS_OPTS` env var jenkinsOpts: # If you are using the ingress definitions provided by this chart via the `controller.ingress` block, # the configured hostname will be the ingress hostname starting with `https://` # or `http://` depending on the `tls` configuration. # The Protocol can be overwritten by specifying `controller.jenkinsUrlProtocol`. # -- Set protocol for Jenkins URL; `https` if `controller.ingress.tls`, `http` otherwise jenkinsUrlProtocol: # -- Set Jenkins URL if you are not using the ingress definitions provided by the chart jenkinsUrl: # If you set this prefix and use ingress controller, then you might want to set the ingress path below # I.e., "/jenkins" # -- Root URI Jenkins will be served on jenkinsUriPrefix: # -- Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) usePodSecurityContext: true # Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are # being deprecated and replaced by `podSecurityContextOverride`. # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins', which exists in 'jenkins/jenkins' docker image. # When configuring runAsUser to a different value than 0 also set fsGroup to the same value: # -- Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with. runAsUser: 1000 # -- Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume. fsGroup: 1000 # If you have PodSecurityPolicies that require dropping of capabilities as suggested by CIS K8s benchmark, put them here # securityContextCapabilities: # drop: # - NET_RAW securityContextCapabilities: {} # In the case of mounting an ext4 filesystem, it might be desirable to use `supplementalGroups` instead of `fsGroup` in # the `securityContext` block: https://github.com/kubernetes/kubernetes/issues/67014#issuecomment-589915496 # podSecurityContextOverride: # runAsUser: 1000 # runAsNonRoot: true # supplementalGroups: [1000] # capabilities: {} # -- Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, `fsGroup`, and `securityContextCapabilities` podSecurityContextOverride: ~ # -- Allow controlling the securityContext for the jenkins container containerSecurityContext: runAsUser: 1000 runAsGroup: 1000 readOnlyRootFilesystem: true allowPrivilegeEscalation: false # For minikube, set this to NodePort, elsewhere uses LoadBalancer # Use ClusterIP if your setup includes ingress controller # -- k8s service type serviceType: ClusterIP # -- k8s service clusterIP. Only used if serviceType is ClusterIP clusterIp: # -- k8s service port servicePort: 8080 # -- k8s target port targetPort: 8080 # -- k8s node port. Only used if serviceType is NodePort nodePort: # Use Local to preserve the client source IP and avoids a second hop for LoadBalancer and NodePort type services, # but risks potentially imbalanced traffic spreading. serviceExternalTrafficPolicy: # -- Jenkins controller service annotations serviceAnnotations: {} # -- Jenkins controller custom labels for the StatefulSet statefulSetLabels: {} # foo: bar # bar: foo # -- Labels for the Jenkins controller-service serviceLabels: {} # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https # Put labels on Jenkins controller pod # -- Custom Pod labels (an object with `label-key: label-value` pairs) podLabels: {} # Enable Kubernetes Startup, Liveness and Readiness Probes # if Startup Probe is supported, enable it too # ~ 2 minutes to allow Jenkins to restart when upgrading plugins. Set ReadinessTimeout to be shorter than LivenessTimeout. # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes # -- Enable Kubernetes Probes configuration configured in `controller.probes` healthProbes: true probes: startupProbe: # -- Set the failure threshold for the startup probe failureThreshold: 12 httpGet: # -- Set the Pod's HTTP path for the startup probe path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login' # -- Set the Pod's HTTP port to use for the startup probe port: http # -- Set the time interval between two startup probes executions in seconds periodSeconds: 10 # -- Set the timeout for the startup probe in seconds timeoutSeconds: 5 livenessProbe: # -- Set the failure threshold for the liveness probe failureThreshold: 5 httpGet: # -- Set the Pod's HTTP path for the liveness probe path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login' # -- Set the Pod's HTTP port to use for the liveness probe port: http # -- Set the time interval between two liveness probes executions in seconds periodSeconds: 10 # -- Set the timeout for the liveness probe in seconds timeoutSeconds: 5 # If Startup Probe is not supported on your Kubernetes cluster, you might want to use "initialDelaySeconds" instead. # It delays the initial liveness probe while Jenkins is starting # -- Set the initial delay for the liveness probe in seconds initialDelaySeconds: readinessProbe: # -- Set the failure threshold for the readiness probe failureThreshold: 3 httpGet: # -- Set the Pod's HTTP path for the liveness probe path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login' # -- Set the Pod's HTTP port to use for the readiness probe port: http # -- Set the time interval between two readiness probes executions in seconds periodSeconds: 10 # -- Set the timeout for the readiness probe in seconds timeoutSeconds: 5 # If Startup Probe is not supported on your Kubernetes cluster, you might want to use "initialDelaySeconds" instead. # It delays the initial readiness probe while Jenkins is starting # -- Set the initial delay for the readiness probe in seconds initialDelaySeconds: # PodDisruptionBudget config podDisruptionBudget: # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ # -- Enable Kubernetes Pod Disruption Budget configuration enabled: false # For Kubernetes v1.5+, use 'policy/v1beta1' # For Kubernetes v1.21+, use 'policy/v1' # -- Policy API version apiVersion: "policy/v1beta1" annotations: {} labels: {} # -- Number of pods that can be unavailable. Either an absolute number or a percentage maxUnavailable: "0" # -- Create Agent listener service agentListenerEnabled: true # -- Listening port for agents agentListenerPort: 50000 # -- Host port to listen for agents agentListenerHostPort: # -- Node port to listen for agents agentListenerNodePort: # ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-policies # -- Traffic Policy of for the agentListener service agentListenerExternalTrafficPolicy: # -- Allowed inbound IP for the agentListener service agentListenerLoadBalancerSourceRanges: - 0.0.0.0/0 # -- Disabled agent protocols disabledAgentProtocols: - JNLP-connect - JNLP2-connect csrf: defaultCrumbIssuer: # -- Enable the default CSRF Crumb issuer enabled: true # -- Enable proxy compatibility proxyCompatability: true # Kubernetes service type for the JNLP agent service # agentListenerServiceType is the Kubernetes Service type for the JNLP agent service, # either 'LoadBalancer', 'NodePort', or 'ClusterIP' # Note if you set this to 'LoadBalancer', you *must* define annotations to secure it. By default, # this will be an external load balancer and allowing inbound 0.0.0.0/0, a HUGE # security risk: https://github.com/kubernetes/charts/issues/1341 # -- Defines how to expose the agentListener service agentListenerServiceType: "ClusterIP" # -- Annotations for the agentListener service agentListenerServiceAnnotations: {} # Optionally, assign an IP to the LoadBalancer agentListenerService LoadBalancer # GKE users: only regional static IPs will work for Service Load balancer. # -- Static IP for the agentListener LoadBalancer agentListenerLoadBalancerIP: # -- Whether legacy remoting security should be enabled legacyRemotingSecurityEnabled: false # Example of a 'LoadBalancer'-type agent listener with annotations securing it # agentListenerServiceType: LoadBalancer # agentListenerServiceAnnotations: # service.beta.kubernetes.io/aws-load-balancer-internal: "True" # service.beta.kubernetes.io/load-balancer-source-ranges: "172.0.0.0/8, 10.0.0.0/8" # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to # set allowed inbound rules on the security group assigned to the controller load balancer # -- Allowed inbound IP addresses loadBalancerSourceRanges: - 0.0.0.0/0 # -- Optionally assign a known public LB IP loadBalancerIP: # Optionally configure a JMX port. This requires additional javaOpts, for example, # javaOpts: > # -Dcom.sun.management.jmxremote.port=4000 # -Dcom.sun.management.jmxremote.authenticate=false # -Dcom.sun.management.jmxremote.ssl=false # jmxPort: 4000 # -- Open a port, for JMX stats jmxPort: # -- Optionally configure other ports to expose in the controller container extraPorts: [] # - name: BuildInfoProxy # port: 9000 # targetPort: 9010 (Optional: Use to explicitly set targetPort if different from port) # Plugins will be installed during Jenkins controller start # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false` installPlugins: - kubernetes:4285.v50ed5f624918 - workflow-aggregator:600.vb_57cdd26fdd7 - git:5.4.1 - configuration-as-code:1850.va_a_8c31d3158b_ # If set to false, Jenkins will download the minimum required version of all dependencies. # -- Download the minimum required version or latest version of all dependencies installLatestPlugins: true # -- Set to true to download the latest version of any plugin that is requested to have the latest version installLatestSpecifiedPlugins: false # -- List of plugins to install in addition to those listed in controller.installPlugins additionalPlugins: [] # Without this; whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates that have the potential to cause breakage. # Note that for this to work, `persistence.enabled` needs to be set to `true` # -- Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true` initializeOnce: false # Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment. # -- Overwrite installed plugins on start overwritePlugins: false # Configures if plugins bundled with `controller.image` should be overwritten with the values of 'controller.installPlugins' on upgrade or redeployment. # -- Overwrite plugins that are already installed in the controller image overwritePluginsFromImage: true # Configures the restrictions for naming projects. Set this key to null or empty to skip it in the default config. projectNamingStrategy: standard # Useful with ghprb plugin. The OWASP plugin is not installed by default, please update controller.installPlugins. # -- Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter) enableRawHtmlMarkupFormatter: false # This is ignored if enableRawHtmlMarkupFormatter is true # -- Yaml of the markup formatter to use markupFormatter: plainText # Used to approve a list of groovy functions in pipelines used the script-security plugin. Can be viewed under /scriptApproval # -- List of groovy functions to approve scriptApproval: [] # - "method groovy.json.JsonSlurperClassic parseText java.lang.String" # - "new groovy.json.JsonSlurperClassic" # -- Map of groovy init scripts to be executed during Jenkins controller start initScripts: {} # test: |- # print 'adding global pipeline libraries, register properties, bootstrap jobs...' # -- Name of the existing ConfigMap that contains init scripts initConfigMap: # 'name' is a name of an existing secret in the same namespace as jenkins, # 'keyName' is the name of one of the keys inside the current secret. # the 'name' and 'keyName' are concatenated with a '-' in between, so for example: # an existing secret "secret-credentials" and a key inside it named "github-password" should be used in JCasC as ${secret-credentials-github-password} # 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', # and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc') # existingSecret existing secret "secret-credentials" and a key inside it named "github-username" should be used in JCasC as ${github-username} # When using existingSecret no need to specify the keyName under additionalExistingSecrets. existingSecret: # -- List of additional existing secrets to mount additionalExistingSecrets: [] # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets # additionalExistingSecrets: # - name: secret-name-1 # keyName: username # - name: secret-name-1 # keyName: password # -- List of additional secrets to create and mount additionalSecrets: [] # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets # additionalSecrets: # - name: nameOfSecret # value: secretText # Generate SecretClaim resources to create Kubernetes secrets from HashiCorp Vault using kube-vault-controller. # 'name' is the name of the secret that will be created in Kubernetes. The Jenkins fullname is prepended to this value. # 'path' is the fully qualified path to the secret in Vault # 'type' is an optional Kubernetes secret type. The default is 'Opaque' # 'renew' is an optional secret renewal time in seconds # -- List of `SecretClaim` resources to create secretClaims: [] # - name: secretName # required # path: testPath # required # type: kubernetes.io/tls # optional # renew: 60 # optional # -- Name of default cloud configuration. cloudName: "PangaRabbit K8s" # Below is the implementation of Jenkins Configuration as Code. Add a key under configScripts for each configuration area, # where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value. # Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | # become the content of the configuration yaml file. The first line after this is a JCasC root element, e.g., jenkins, credentials, # etc. Best reference is https://<jenkins_url>/configuration-as-code/reference. The example below creates a welcome message: JCasC: # -- Enables default Jenkins configuration via configuration as code plugin defaultConfig: true # If true, the init container deletes all the plugin config files and Jenkins Config as Code overwrites any existing configuration # -- Whether Jenkins Config as Code should overwrite any existing configuration overwriteConfiguration: false # -- Remote URLs for configuration files. configUrls: [] # - https://acme.org/jenkins.yaml # -- List of Jenkins Config as Code scripts configScripts: {} # welcome-message: | # jenkins: # systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'. # Allows adding to the top-level security JCasC section. For legacy purposes, by default, the chart includes apiToken configurations # -- Jenkins Config as Code security-section security: apiToken: creationOfLegacyTokenEnabled: false tokenGenerationOnCreationEnabled: false usageStatisticsEnabled: true # Ignored if securityRealm is defined in controller.JCasC.configScripts # -- Jenkins Config as Code Security Realm-section securityRealm: |- local: allowsSignup: false enableCaptcha: false users: - id: "${chart-admin-username}" name: "Jenkins Admin" password: "${chart-admin-password}" # Ignored if authorizationStrategy is defined in controller.JCasC.configScripts # -- Jenkins Config as Code Authorization Strategy-section authorizationStrategy: |- loggedInUsersCanDoAnything: allowAnonymousRead: false # -- Annotations for the JCasC ConfigMap configMapAnnotations: {} # -- Custom init-container specification in raw-yaml format customInitContainers: [] # - name: custom-init # image: "alpine:3" # imagePullPolicy: Always # command: [ "uname", "-a" ] sidecars: configAutoReload: # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot. # If false or not-specified, JCasC changes will cause a reboot and will only be applied at the subsequent start-up. # Auto-reload uses the http://<jenkins_url>/reload-configuration-as-code endpoint to reapply config when changes to # the configScripts are detected. # -- Enables Jenkins Config as Code auto-reload enabled: true image: # -- Registry for the image that triggers the reload registry: docker.io # -- Repository of the image that triggers the reload repository: kiwigrid/k8s-sidecar # -- Tag for the image that triggers the reload tag: 1.27.6 imagePullPolicy: IfNotPresent resources: {} # limits: # cpu: 100m # memory: 100Mi # requests: # cpu: 50m # memory: 50Mi # -- Enables additional volume mounts for the config auto-reload container additionalVolumeMounts: [] # - name: auto-reload-config # mountPath: /var/config/logger # - name: auto-reload-logs # mountPath: /var/log/auto_reload # -- Config auto-reload logging settings logging: # See default settings https://github.com/kiwigrid/k8s-sidecar/blob/master/src/logger.py configuration: # -- Enables custom log config utilizing using the settings below. override: false logLevel: INFO formatter: JSON logToConsole: true logToFile: false maxBytes: 1024 backupCount: 3 # -- The scheme to use when connecting to the Jenkins configuration as code endpoint scheme: http # -- Skip TLS verification when connecting to the Jenkins configuration as code endpoint skipTlsVerify: false # -- How many connection-related errors to retry on reqRetryConnect: 10 # -- How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) sleepTime: # -- Environment variable sources for the Jenkins Config as Code auto-reload container envFrom: [] # -- Environment variables for the Jenkins Config as Code auto-reload container env: {} # - name: REQ_TIMEOUT # value: "30" # SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random. # This is only used to reload JCasC config from the sidecar container running in the Jenkins controller pod. # This TCP port will not be open in the pod (unless you specifically configure this), so Jenkins will not be # accessible via SSH from outside the pod. Note if you use non-root pod privileges (runAsUser & fsGroup), # this must be > 1024: sshTcpPort: 1044 # folder in the pod that should hold the collected dashboards: folder: "/var/jenkins_home/casc_configs" # If specified, the sidecar will search for JCasC config-maps inside this namespace. # Otherwise, the namespace in which the sidecar is running will be used. # It's also possible to specify ALL to search in all namespaces: # searchNamespace: # -- Enable container security context containerSecurityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false # -- Configures additional sidecar container(s) for the Jenkins controller additionalSidecarContainers: [] ## The example below runs the client for https://smee.io as sidecar container next to Jenkins, ## that allows triggering build behind a secure firewall. ## https://jenkins.io/blog/2019/01/07/webhook-firewalls/#triggering-builds-with-webhooks-behind-a-secure-firewall ## ## Note: To use it you should go to https://smee.io/new and update the url to the generated one. # - name: smee # image: docker.io/twalter/smee-client:1.0.2 # args: ["--port", "{{ .Values.controller.servicePort }}", "--path", "/github-webhook/", "--url", "https://smee.io/new"] # resources: # limits: # cpu: 50m # memory: 128Mi # requests: # cpu: 10m # memory: 32Mi # -- Name of the Kubernetes scheduler to use schedulerName: "" # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector # -- Node labels for pod assignment nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature # -- Toleration labels for pod assignment tolerations: [] # -- Set TerminationGracePeriodSeconds terminationGracePeriodSeconds: # -- Set the termination message path terminationMessagePath: # -- Set the termination message policy terminationMessagePolicy: # -- Affinity settings affinity: {} # Leverage a priorityClass to ensure your pods survive resource shortages # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ # -- The name of a `priorityClass` to apply to the controller pod priorityClassName: # -- Annotations for controller pod podAnnotations: {} # -- Annotations for controller StatefulSet statefulSetAnnotations: {} # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies # -- Update strategy for StatefulSet updateStrategy: {} # -- Topology spread constraints topologySpreadConstraints: {} ingress: # -- Enables ingress enabled: true # Override for the default paths that map requests to the backend # -- Override for the default Ingress paths paths: [] # - backend: # serviceName: ssl-redirect # servicePort: use-annotation # - backend: # serviceName: >- # {{ template "jenkins.fullname" . }} # # Don't use string here, use only integer value! # servicePort: 8080 # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' # For Kubernetes v1.19+, use 'networking.k8s.io/v1' # -- Ingress API version apiVersion: "extensions/v1beta1" # -- Ingress labels labels: {} # -- Ingress annotations annotations: kubernetes.io/ingress.class: traefik # kubernetes.io/tls-acme: "true" # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress # ingressClassName: nginx # Set this path to jenkinsUriPrefix above or use annotations to rewrite path # -- Ingress path path: # configures the hostname e.g. jenkins.example.com # -- Ingress hostname hostName: jenkins.pangarabbit.com # -- Hostname to serve assets from resourceRootUrl: # -- Ingress TLS configuration tls: [] # - secretName: jenkins.cluster.local # hosts: # - jenkins.cluster.local # often you want to have your controller all locked down and private, # but you still want to get webhooks from your SCM # A secondary ingress will let you expose different urls # with a different configuration secondaryingress: enabled: false # paths you want forwarded to the backend # ex /github-webhook paths: [] # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' # For Kubernetes v1.19+, use 'networking.k8s.io/v1' apiVersion: "extensions/v1beta1" labels: {} annotations: {} # kubernetes.io/ingress.class: traefik # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress # ingressClassName: nginx # configures the hostname e.g., jenkins-external.example.com hostName: tls: # - secretName: jenkins-external.example.com # hosts: # - jenkins-external.example.com # If you're running on GKE and need to configure a backendconfig # to finish ingress setup, use the following values. # Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig backendconfig: # -- Enables backendconfig enabled: false # -- backendconfig API version apiVersion: "extensions/v1beta1" # -- backendconfig name name: # -- backendconfig labels labels: {} # -- backendconfig annotations annotations: {} # -- backendconfig spec spec: {} # Openshift route route: # -- Enables openshift route enabled: false # -- Route labels labels: {} # -- Route annotations annotations: {} # -- Route path path: # -- Allows for adding entries to Pod /etc/hosts hostAliases: [] # ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ # hostAliases: # - ip: 192.168.50.50 # hostnames: # - something.local # - ip: 10.0.50.50 # hostnames: # - other.local # Expose Prometheus metrics prometheus: # If enabled, add the prometheus plugin to the list of plugins to install # https://plugins.jenkins.io/prometheus # -- Enables prometheus service monitor enabled: false # -- Additional labels to add to the service monitor object serviceMonitorAdditionalLabels: {} # -- Set a custom namespace where to deploy ServiceMonitor resource serviceMonitorNamespace: # -- How often prometheus should scrape metrics scrapeInterval: 60s # Defaults to the default endpoint used by the prometheus plugin # -- The endpoint prometheus should get metrics from scrapeEndpoint: /prometheus # See here: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ # The `groups` root object is added by default, add the rule entries # -- Array of prometheus alerting rules alertingrules: [] # -- Additional labels to add to the PrometheusRule object alertingRulesAdditionalLabels: {} # -- Set a custom namespace where to deploy PrometheusRule resource prometheusRuleNamespace: "" # RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds # relabelings for a few standard Kubernetes fields. The original scrape job’s name # is available via the __tmp_prometheus_job_name label. # More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config relabelings: [] # MetricRelabelConfigs to apply to samples before ingestion. metricRelabelings: [] googlePodMonitor: # If enabled, It creates Google Managed Prometheus scraping config enabled: false # Set a custom namespace where to deploy PodMonitoring resource # serviceMonitorNamespace: "" scrapeInterval: 60s # This is the default endpoint used by the prometheus plugin scrapeEndpoint: /prometheus # -- Can be used to disable rendering controller test resources when using helm template testEnabled: true httpsKeyStore: # -- Enables HTTPS keystore on jenkins controller enable: false # -- Name of the secret that already has ssl keystore jenkinsHttpsJksSecretName: "" # -- Name of the key in the secret that already has ssl keystore jenkinsHttpsJksSecretKey: "jenkins-jks-file" # -- Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file jenkinsHttpsJksPasswordSecretName: "" # -- Name of the key in the secret that contains the JKS password jenkinsHttpsJksPasswordSecretKey: "https-jks-password" disableSecretMount: false # When HTTPS keystore is enabled, servicePort and targetPort will be used as HTTPS port # -- HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port. httpPort: 8081 # -- Path of HTTPS keystore file path: "/var/jenkins_keystore" # -- Jenkins keystore filename which will appear under controller.httpsKeyStore.path fileName: "keystore.jks" # -- Jenkins keystore password password: "password" # -- Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here jenkinsKeyStoreBase64Encoded: # Convert keystore.jks files content to base64 > $ cat keystore.jks | base64 # /u3+7QAAAAIAAAABAAAAAQANamVua2luc2NpLmNvbQAAAW2r/b1ZAAAFATCCBP0wDgYKKwYBBAEq # AhEBAQUABIIE6QbCqasvoHS0pSwYqSvdydMCB9t+VNfwhFIiiuAelJfO5sSe2SebJbtwHgLcRz1Z # gMtWgOSFdl3bWSzA7vrW2LED52h+jXLYSWvZzuDuh8hYO85m10ikF6QR+dTi4jra0whIFDvq3pxe # TnESxEsN+DvbZM3jA3qsjQJSeISNpDjO099dqQvHpnCn18lyk7J4TWJ8sOQQb1EM2zDAfAOSqA/x # QuPEFl74DlY+5DIk6EBvpmWhaMSvXzWZACGA0sYqa157dq7O0AqmuLG/EI5EkHETO4CrtBW+yLcy # 2dUCXOMA+j+NjM1BjrQkYE5vtSfNO6lFZcISyKo5pTFlcA7ut0Fx2nZ8GhHTn32CpeWwNcZBn1gR # pZVt6DxVVkhTAkMLhR4rL2wGIi/1WRs23ZOLGKtyDNvDHnQyDiQEoJGy9nAthA8aNHa3cfdF10vB # Drb19vtpFHmpvKEEhpk2EBRF4fTi644Fuhu2Ied6118AlaPvEea+n6G4vBz+8RWuVCmZjLU+7h8l # Hy3/WdUPoIL5eW7Kz+hS+sRTFzfu9C48dMkQH3a6f3wSY+mufizNF9U298r98TnYy+PfDJK0bstG # Ph6yPWx8DGXKQBwrhWJWXI6JwZDeC5Ny+l8p1SypTmAjpIaSW3ge+KgcL6Wtt1R5hUV1ajVwVSUi # HF/FachKqPqyLJFZTGjNrxnmNYpt8P1d5JTvJfmfr55Su/P9n7kcyWp7zMcb2Q5nlXt4tWogOHLI # OzEWKCacbFfVHE+PpdrcvCVZMDzFogIq5EqGTOZe2poPpBVE+1y9mf5+TXBegy5HToLWvmfmJNTO # NCDuBjgLs2tdw2yMPm4YEr57PnMX5gGTC3f2ZihXCIJDCRCdQ9sVBOjIQbOCzxFXkVITo0BAZhCi # Yz61wt3Ud8e//zhXWCkCsSV+IZCxxPzhEFd+RFVjW0Nm9hsb2FgAhkXCjsGROgoleYgaZJWvQaAg # UyBzMmKDPKTllBHyE3Gy1ehBNGPgEBChf17/9M+j8pcm1OmlM434ctWQ4qW7RU56//yq1soFY0Te # fu2ei03a6m68fYuW6s7XEEK58QisJWRAvEbpwu/eyqfs7PsQ+zSgJHyk2rO95IxdMtEESb2GRuoi # Bs+AHNdYFTAi+GBWw9dvEgqQ0Mpv0//6bBE/Fb4d7b7f56uUNnnE7mFnjGmGQN+MvC62pfwfvJTT # EkT1iZ9kjM9FprTFWXT4UmO3XTvesGeE50sV9YPm71X4DCQwc4KE8vyuwj0s6oMNAUACW2ClU9QQ # y0tRpaF1tzs4N42Q5zl0TzWxbCCjAtC3u6xf+c8MCGrr7DzNhm42LOQiHTa4MwX4x96q7235oiAU # iQqSI/hyF5yLpWw4etyUvsx2/0/0wkuTU1FozbLoCWJEWcPS7QadMrRRISxHf0YobIeQyz34regl # t1qSQ3dCU9D6AHLgX6kqllx4X0fnFq7LtfN7fA2itW26v+kAT2QFZ3qZhINGfofCja/pITC1uNAZ # gsJaTMcQ600krj/ynoxnjT+n1gmeqThac6/Mi3YlVeRtaxI2InL82ZuD+w/dfY9OpPssQjy3xiQa # jPuaMWXRxz/sS9syOoGVH7XBwKrWpQcpchozWJt40QV5DslJkclcr8aC2AGlzuJMTdEgz1eqV0+H # bAXG9HRHN/0eJTn1/QAAAAEABVguNTA5AAADjzCCA4swggJzAhRGqVxH4HTLYPGO4rzHcCPeGDKn # xTANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCY2ExEDAOBgNVBAgMB29udGFyaW8xEDAOBgNV # BAcMB3Rvcm9udG8xFDASBgNVBAoMC2plbmtpbnN0ZXN0MRkwFwYDVQQDDBBqZW5raW5zdGVzdC5p # bmZvMR0wGwYJKoZIhvcNAQkBFg50ZXN0QHRlc3QuaW5mbzAeFw0xOTEwMDgxNTI5NTVaFw0xOTEx # MDcxNTI5NTVaMIGBMQswCQYDVQQGEwJjYTEQMA4GA1UECAwHb250YXJpbzEQMA4GA1UEBwwHdG9y # b250bzEUMBIGA1UECgwLamVua2luc3Rlc3QxGTAXBgNVBAMMEGplbmtpbnN0ZXN0LmluZm8xHTAb # BgkqhkiG9w0BCQEWDnRlc3RAdGVzdC5pbmZvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC # AQEA02q352JTHGvROMBhSHvSv+vnoOTDKSTz2aLQn0tYrIRqRo+8bfmMjXuhkwZPSnCpvUGNAJ+w # Jrt/dqMoYUjCBkjylD/qHmnXN5EwS1cMg1Djh65gi5JJLFJ7eNcoSsr/0AJ+TweIal1jJSP3t3PF # 9Uv21gm6xdm7HnNK66WpUUXLDTKaIs/jtagVY1bLOo9oEVeLN4nT2CYWztpMvdCyEDUzgEdDbmrP # F5nKUPK5hrFqo1Dc5rUI4ZshL3Lpv398aMxv6n2adQvuL++URMEbXXBhxOrT6rCtYzbcR5fkwS9i # d3Br45CoWOQro02JAepoU0MQKY5+xQ4Bq9Q7tB9BAwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAe # 4xc+mSvKkrKBHg9/zpkWgZUiOp4ENJCi8H4tea/PCM439v6y/kfjT/okOokFvX8N5aa1OSz2Vsrl # m8kjIc6hiA7bKzT6lb0EyjUShFFZ5jmGVP4S7/hviDvgB5yEQxOPpumkdRP513YnEGj/o9Pazi5h # /MwpRxxazoda9r45kqQpyG+XoM4pB+Fd3JzMc4FUGxfVPxJU4jLawnJJiZ3vqiSyaB0YyUL+Er1Q # 6NnqtR4gEBF0ZVlQmkycFvD4EC2boP943dLqNUvop+4R3SM1QMM6P5u8iTXtHd/VN4MwMyy1wtog # hYAzODo1Jt59pcqqKJEas0C/lFJEB3frw4ImNx5fNlJYOpx+ijfQs9m39CevDq0= agent: # -- Enable Kubernetes plugin jnlp-agent podTemplate enabled: true # -- The name of the pod template to use for providing default values defaultsProviderTemplate: "" # Useful for not including a serviceAccount in the template if `false` # -- Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount` useDefaultServiceAccount: true # -- Override the default service account # @default -- `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true` serviceAccount: # For connecting to the Jenkins controller # -- Overrides the Kubernetes Jenkins URL jenkinsUrl: # connects to the specified host and port, instead of connecting directly to the Jenkins controller # -- Overrides the Kubernetes Jenkins tunnel jenkinsTunnel: # -- Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI skipTlsVerify: false # -- Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI usageRestricted: false # -- The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5 kubernetesConnectTimeout: 5 # -- The read timeout in seconds for connections to Kubernetes API. The minimum value is 15 kubernetesReadTimeout: 15 # -- The maximum concurrent connections to Kubernetes API maxRequestsPerHostStr: "32" # -- Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated retentionTimeout: 5 # -- Seconds to wait for pod to be running waitForPodSec: 600 # -- Namespace in which the Kubernetes agents should be launched namespace: # -- Custom Pod labels (an object with `label-key: label-value` pairs) podLabels: {} # -- Custom registry used to pull the agent jnlp image from jnlpregistry: image: # -- Repository to pull the agent jnlp image from repository: "jenkins/inbound-agent" # -- Tag of the image to pull tag: "3261.v9c670a_4748a_9-1" # -- Configure working directory for default agent workingDir: "/home/jenkins/agent" nodeUsageMode: "NORMAL" # -- Append Jenkins labels to the agent customJenkinsLabels: [] # -- Name of the secret to be used to pull the image imagePullSecretName: componentName: "jenkins-agent" # -- Enables agent communication via websockets websocket: false directConnection: false # -- Agent privileged container privileged: false # -- Configure container user runAsUser: # -- Configure container group runAsGroup: # -- Enables the agent to use the host network hostNetworking: false # -- Resources allocation (Requests and Limits) resources: requests: cpu: "512m" memory: "512Mi" # ephemeralStorage: limits: cpu: "512m" memory: "512Mi" # ephemeralStorage: livenessProbe: {} # execArgs: "cat /tmp/healthy" # failureThreshold: 3 # initialDelaySeconds: 0 # periodSeconds: 10 # successThreshold: 1 # timeoutSeconds: 1 # You may want to change this to true while testing a new image # -- Always pull agent container image before build alwaysPullImage: false # When using Pod Security Admission in the Agents namespace with the restricted Pod Security Standard, # the jnlp container cannot be scheduled without overriding its container definition with a securityContext. # This option allows to automatically inject in the jnlp container a securityContext # that is suitable for the use of the restricted Pod Security Standard. # -- Set a restricted securityContext on jnlp containers restrictedPssSecurityContext: false # Controls how agent pods are retained after the Jenkins build completes # Possible values: Always, Never, OnFailure podRetention: "Never" # Disable if you do not want the Yaml the agent pod template to show up # in the job Console Output. This can be helpful for either security reasons # or simply to clean up the output to make it easier to read. showRawYaml: true # You can define the volumes that you want to mount for this container # Allowed types are: ConfigMap, EmptyDir, EphemeralVolume, HostPath, Nfs, PVC, Secret # Configure the attributes as they appear in the corresponding Java class for that type # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes # -- Additional volumes volumes: [] # - type: ConfigMap # configMapName: myconfigmap # mountPath: /var/myapp/myconfigmap # - type: EmptyDir # mountPath: /var/myapp/myemptydir # memory: false # - type: EphemeralVolume # mountPath: /var/myapp/myephemeralvolume # accessModes: ReadWriteOnce # requestsSize: 10Gi # storageClassName: mystorageclass # - type: HostPath # hostPath: /var/lib/containers # mountPath: /var/myapp/myhostpath # - type: Nfs # mountPath: /var/myapp/mynfs # readOnly: false # serverAddress: "192.0.2.0" # serverPath: /var/lib/containers # - type: PVC # claimName: mypvc # mountPath: /var/myapp/mypvc # readOnly: false # - type: Secret # defaultMode: "600" # mountPath: /var/myapp/mysecret # secretName: mysecret # Pod-wide environment, these vars are visible to any container in the agent pod # You can define the workspaceVolume that you want to mount for this container # Allowed types are: DynamicPVC, EmptyDir, EphemeralVolume, HostPath, Nfs, PVC # Configure the attributes as they appear in the corresponding Java class for that type # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace # -- Workspace volume (defaults to EmptyDir) workspaceVolume: {} ## DynamicPVC example # - type: DynamicPVC # configMapName: myconfigmap ## EmptyDir example # - type: EmptyDir # memory: false ## EphemeralVolume example # - type: EphemeralVolume # accessModes: ReadWriteOnce # requestsSize: 10Gi # storageClassName: mystorageclass ## HostPath example # - type: HostPath # hostPath: /var/lib/containers ## NFS example # - type: Nfs # readOnly: false # serverAddress: "192.0.2.0" # serverPath: /var/lib/containers ## PVC example # - type: PVC # claimName: mypvc # readOnly: false # Pod-wide environment, these vars are visible to any container in the agent pod # -- Environment variables for the agent Pod envVars: [] # - name: PATH # value: /usr/local/bin # -- Mount a secret as environment variable secretEnvVars: [] # - key: PATH # optional: false # default: false # secretKey: MY-K8S-PATH # secretName: my-k8s-secret # -- Node labels for pod assignment nodeSelector: {} # Key Value selectors. Ex: # nodeSelector # jenkins-agent: v1 # -- Command to execute when side container starts command: # -- Arguments passed to command to execute args: "${computer.jnlpmac} ${computer.name}" # -- Side container name sideContainerName: "jnlp" # Doesn't allocate pseudo TTY by default # -- Allocate pseudo tty to the side container TTYEnabled: false # -- Max number of agents to launch containerCap: 10 # -- Agent Pod base name podName: "default" # Enables garbage collection of orphan pods for this Kubernetes cloud. (beta) garbageCollection: # -- When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them. enabled: false # -- Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line. namespaces: "" # namespaces: |- # namespaceOne # namespaceTwo # -- Timeout value for orphaned pods timeout: 300 # -- Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it idleMinutes: 0 # The raw yaml of a Pod API Object, for example, this allows usage of toleration for agent pods. # https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ # -- The raw yaml of a Pod API Object to merge into the agent spec yamlTemplate: "" # yamlTemplate: |- # apiVersion: v1 # kind: Pod # spec: # tolerations: # - key: "key" # operator: "Equal" # value: "value" # -- Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override" yamlMergeStrategy: "override" # -- Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one inheritYamlMergeStrategy: false # -- Timeout in seconds for an agent to be online connectTimeout: 100 # -- Annotations to apply to the pod annotations: {} # Containers specified here are added to all agents. Set key empty to remove container from additional agents. # -- Add additional containers to the agents additionalContainers: [] # - sideContainerName: dind # image: # repository: docker # tag: dind # command: dockerd-entrypoint.sh # args: "" # privileged: true # resources: # requests: # cpu: 500m # memory: 1Gi # limits: # cpu: 1 # memory: 2Gi # Useful when configuring agents only with the podTemplates value, since the default podTemplate populated by values mentioned above will be excluded in the rendered template. # -- Disable the default Jenkins Agent configuration disableDefaultAgent: false # Below is the implementation of custom pod templates for the default configured kubernetes cloud. # Add a key under podTemplates for each pod template. Each key (prior to | character) is just a label, and can be any value. # Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label # characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers. # For this pod templates configuration to be loaded, the following values must be set: # controller.JCasC.defaultConfig: true # Best reference is https://<jenkins_url>/configuration-as-code/reference#Cloud-kubernetes. The example below creates a python pod template. # -- Configures extra pod templates for the default kubernetes cloud podTemplates: python2-template: | - name: python2-template label: python2-template serviceAccount: jenkins containers: - name: python image: python:2 command: "/bin/sh -c" args: "cat" ttyEnabled: true privileged: true resourceRequestCpu: "400m" resourceRequestMemory: "512Mi" resourceLimitCpu: "1" resourceLimitMemory: "1024Mi" python3-template: | - name: python3-template label: python3-template serviceAccount: jenkins containers: - name: python image: python:3 command: "/bin/sh -c" args: "cat" ttyEnabled: true privileged: true resourceRequestCpu: "400m" resourceRequestMemory: "512Mi" resourceLimitCpu: "1" resourceLimitMemory: "1024Mi" mavenjdk8-template: | - name: mavenjdk8-template label: mavenjdk8-template serviceAccount: jenkins containers: - name: maven image: maven:latest command: "/bin/sh -c" args: "cat" ttyEnabled: true privileged: true resourceRequestCpu: "400m" resourceRequestMemory: "512Mi" resourceLimitCpu: "1" resourceLimitMemory: "1024Mi" mavenjdk11-template: | - name: mavenjdk11-template label: mavenjdk11-template serviceAccount: jenkins containers: - name: maven image: maven:jdk11 command: "/bin/sh -c" args: "cat" ttyEnabled: true privileged: true resourceRequestCpu: "400m" resourceRequestMemory: "512Mi" resourceLimitCpu: "1" resourceLimitMemory: "1024Mi" mavenjdk17-template: | - name: mavenjdk17-template label: mavenjdk17-template serviceAccount: jenkins containers: - name: maven image: maven:jdk17 command: "/bin/sh -c" args: "cat" ttyEnabled: true privileged: true resourceRequestCpu: "400m" resourceRequestMemory: "512Mi" resourceLimitCpu: "1" resourceLimitMemory: "1024Mi" mavenjdk21-template: | - name: mavenjdk21-template label: mavenjdk21-template serviceAccount: jenkins containers: - name: maven image: maven:jdk21 command: "/bin/sh -c" args: "cat" ttyEnabled: true privileged: true resourceRequestCpu: "400m" resourceRequestMemory: "512Mi" resourceLimitCpu: "1" resourceLimitMemory: "1024Mi" # Inherits all values from `agent` so you only need to specify values which differ # -- Configure additional additionalAgents: mavenjdk8: podName: mavenjdk8 customJenkinsLabels: mavenjdk8 sideContainerName: mavenjdk8 image: repository: jenkins/jnlp-agent-maven tag: latest mavenjdk11: podName: mavenjdk11 customJenkinsLabels: mavenjdk11 sideContainerName: mavenjdk11 image: repository: jenkins/jnlp-agent-maven tag: latest-jdk11 mavenjdk17: podName: mavenjdk17 customJenkinsLabels: mavenjdk17 sideContainerName: mavenjdk17 image: repository: jenkins/jnlp-agent-maven tag: latest-jdk17 mavenjdk21: podName: mavenjdk21 customJenkinsLabels: mavenjdk21 sideContainerName: mavenjdk21 image: repository: jenkins/jnlp-agent-maven tag: latest-jdk21 python2: podName: python2 customJenkinsLabels: python2 sideContainerName: python2 image: repository: python tag: "2" command: "/bin/sh -c" args: "cat" TTYEnabled: true python3: podName: python3 customJenkinsLabels: python3 sideContainerName: python3 image: repository: python tag: "3" command: "/bin/sh -c" args: "cat" TTYEnabled: true # Here you can add additional clouds # They inherit all values from the default cloud (including the main agent), so # you only need to specify values which differ. If you want to override # default additionalAgents with the additionalClouds.additionalAgents set # additionalAgentsOverride to `true`. additionalClouds: {} # remote-cloud-1: # kubernetesURL: https://api.remote-cloud.com # additionalAgentsOverride: true # additionalAgents: # maven-2: # podName: maven-2 # customJenkinsLabels: maven # # An example of overriding the jnlp container # # sideContainerName: jnlp # image: # repository: jenkins/jnlp-agent-maven # tag: latest # namespace: my-other-maven-namespace # remote-cloud-2: # kubernetesURL: https://api.remote-cloud.com persistence: # -- Enable the use of a Jenkins PVC enabled: true # A manually managed Persistent Volume and Claim # Requires persistence.enabled: true # If defined, PVC must be created manually before volume will be bound # -- Provide the name of a PVC existingClaim: # jenkins data Persistent Volume Storage Class # If defined, storageClassName: <storageClass> # If set to "-", storageClassName: "", which disables dynamic provisioning # If undefined (the default) or set to null, no storageClassName spec is # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS & OpenStack) # -- Storage class for the PVC storageClass: nfs-csi-jenkins # Replace with your storage class # -- Annotations for the PVC annotations: {} # -- Labels for the PVC labels: {} # -- The PVC access mode accessMode: "ReadWriteOnce" # -- The size of the PVC size: "8Gi" # ref: https://kubernetes.io/docs/concepts/storage/volume-pvc-datasource/ # -- Existing data source to clone PVC from dataSource: {} # name: PVC-NAME # kind: PersistentVolumeClaim # -- SubPath for jenkins-home mount subPath: # -- Additional volumes volumes: [] # - name: nothing # emptyDir: {} # -- Additional mounts mounts: [] # - mountPath: /var/nothing # name: nothing # readOnly: true networkPolicy: # -- Enable the creation of NetworkPolicy resources enabled: false # For Kubernetes v1.4, v1.5 and v1.6, use 'extensions/v1beta1' # For Kubernetes v1.7, use 'networking.k8s.io/v1' # -- NetworkPolicy ApiVersion apiVersion: networking.k8s.io/v1 # You can allow agents to connect from both within the cluster (from within specific/all namespaces) AND/OR from a given external IP range internalAgents: # -- Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels allowed: true # -- A map of labels (keys/values) that agent pods must have to be able to connect to controller podLabels: {} # -- A map of labels (keys/values) that agents namespaces must have to be able to connect to controller namespaceLabels: {} # project: myproject externalAgents: # -- The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16 ipCIDR: # -- A list of IP sub-ranges to be excluded from the allowlisted IP range except: [] # - 172.17.1.0/24 ## Install Default RBAC roles and bindings rbac: # -- Whether RBAC resources are created create: true # -- Whether the Jenkins service account should be able to read Kubernetes secrets readSecrets: false serviceAccount: # -- Configures if a ServiceAccount with this name should be created create: true # The name of the ServiceAccount is autogenerated by default # -- The name of the ServiceAccount to be used by access-controlled resources name: # -- Configures annotations for the ServiceAccount annotations: {} # -- Configures extra labels for the ServiceAccount extraLabels: {} # -- Controller ServiceAccount image pull secret imagePullSecretName: serviceAccountAgent: # -- Configures if an agent ServiceAccount should be created create: false # If not set and create is true, a name is generated using the fullname template # -- The name of the agent ServiceAccount to be used by access-controlled resources name: # -- Configures annotations for the agent ServiceAccount annotations: {} # -- Configures extra labels for the agent ServiceAccount extraLabels: {} # -- Agent ServiceAccount image pull secret imagePullSecretName: # -- Checks if any deprecated values are used checkDeprecation: true awsSecurityGroupPolicies: enabled: false policies: - name: "" securityGroupIds: [] podSelector: {} # Here you can configure unit tests values when executing the helm unittest in the CONTRIBUTING.md helmtest: # A testing framework for bash bats: # Bash Automated Testing System (BATS) image: # -- Registry of the image used to test the framework registry: "docker.io" # -- Repository of the image used to test the framework repository: "bats/bats" # -- Tag of the image to test the framework tag: "1.11.0"
  • Lets git it
git add . git commit -m "deploy jenkins" git push

Fluxcd is doing the following under the hood | Jenkins

  • Helm repo add
helm repo add jenkins https://charts.jenkins.io --force-update
  • Helm install Jenkins
helm install [RELEASE_NAME] jenkins/jenkins [flags]

Kubernetes check | Jenkins

  • Kubectl switch to the infrastructure namespace
kubectl config set-context --current --namespace=infrastructure
  • Kubectl show me the pod for Jenkins
kubectl get pods -n infrastructure | grep jenkins
jenkins pod

If everything went well you should be able to access the Jenkins frontend with your domain name for example mine is https://jenkins.pangarabbit.com

jenkins frontend

How do we login?

  • By default the username is admin and the password is base64 encoded.
  • Open your terminal and run the following command but make sure you have switched to the infrastructure namespace first.
# Switch to the infrastructure namespace kubectl config set-context --current --namespace=infrastructure # Get the Jenkins admin password jsonpath="{.data.jenkins-admin-password}" kubectl get secret jenkins -o jsonpath=$jsonpath
  • You should get a string similar to this fictious example generated by ChatGPT
U29mdHdhcmUgbGVhcm5pbmcgaXMgdGhlIGZ1dHVyZSBvZiB0ZWNobm9sb2d5IQ==
  • Head over to this URL to decode the base64 string to reveal your password and login.
  • If you don’t feel comfortable decoding the base64 encoded string on the public internet I can recommend DevToys to do this locally, plus it comes with many other great dev tools.

Jenkins admin password change

  • Click Jenkins Admin drop down in the top right hand corner of the GUI
jenkins admin

  • Click Configure
jenkins configure

  • Scroll down until you see the Password section
jenkins password

  • Change your password and Save

Jenkins Github Setup

  • Click Manage Jenkins in the left hand menu
jenkins manage

  • Click Plugins
jenkins plugins

  • Check that you see the following Plugins installed if not install Github API Plugin, Github Branch Source Plugin, Github Plugin
jenkins plugins github

  • Go to Github and create a repository called ortelius-jenkins-demo-app
  • Now we need to create a PAT (personal access token) for Jenkins to use to access your repos
  • Click on your profile in the top right hand corner of the browser and select settings
gh settings

  • Scroll down a bit and click on Developer Settings
gh developer settings

  • Drop down Personal Access Tokens
gh pat

  • Click on Tokens (classic)
gh tokens classic

  • Give it a meaningful name and assign the following permissions
gh pat repo

  • Record the key safely in a password manager such as Bitwarden as you will only get one chance to do so
  • Go back to Jenkins to add the PAT to your Jenkins credentials
  • Click on Manage Jenkins
jenkins manage

  • Click on Credentials
jenkins credentials

  • Select Global credentials and click on Add Credentials
  • Select Secret text and create an ID that will be used to reference the credentials in your Jenkins pipeline file
  • Paste you Github PAT in the Secret field and when you are ready select Create
jenkins credentials gh pat secret text

  • Once created the credential will look like this example
jenkins credentials gh pat

  • Select Dashboard in the top left of your browser to go back to the home page
jenkins dashboard

Jenkins Agent Setup

Agents and agent templates are managed inside your Helm Chart. If you add them through the Jenkins GUI Fluxcd will reconcile the configuration in your Helm Chart and your config will vanish so thats why we store our config in our Helm Chart which honours the GitOps methodology where your repo is the source of truth. You will see this happening in Gimlet under Helm Releases.

Here we can see the configured pod templates which can be used for building various flavours of code which you can use in your own Helm Chart.

# Below is the implementation of custom pod templates for the default configured kubernetes cloud. # Add a key under podTemplates for each pod template. Each key (prior to | character) is just a label, and can be any value. # Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label # characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers. # For this pod templates configuration to be loaded, the following values must be set: # controller.JCasC.defaultConfig: true # Best reference is https://<jenkins_url>/configuration-as-code/reference#Cloud-kubernetes. The example below creates a python pod template. # -- Configures extra pod templates for the default kubernetes cloud podTemplates: python2-template: | - name: python2-template label: python2-template serviceAccount: jenkins containers: - name: python image: python:2 command: "/bin/sh -c" args: "cat" ttyEnabled: true privileged: true resourceRequestCpu: "400m" resourceRequestMemory: "512Mi" resourceLimitCpu: "1" resourceLimitMemory: "1024Mi" python3-template: | - name: python3-template label: python3-template serviceAccount: jenkins containers: - name: python image: python:3 command: "/bin/sh -c" args: "cat" ttyEnabled: true privileged: true resourceRequestCpu: "400m" resourceRequestMemory: "512Mi" resourceLimitCpu: "1" resourceLimitMemory: "1024Mi" mavenjdk8-template: | - name: mavenjdk8-template label: mavenjdk8-template serviceAccount: jenkins containers: - name: maven image: maven:latest command: "/bin/sh -c" args: "cat" ttyEnabled: true privileged: true resourceRequestCpu: "400m" resourceRequestMemory: "512Mi" resourceLimitCpu: "1" resourceLimitMemory: "1024Mi" mavenjdk11-template: | - name: mavenjdk11-template label: mavenjdk11-template serviceAccount: jenkins containers: - name: maven image: maven:jdk11 command: "/bin/sh -c" args: "cat" ttyEnabled: true privileged: true resourceRequestCpu: "400m" resourceRequestMemory: "512Mi" resourceLimitCpu: "1" resourceLimitMemory: "1024Mi" mavenjdk17-template: | - name: mavenjdk17-template label: mavenjdk17-template serviceAccount: jenkins containers: - name: maven image: maven:jdk17 command: "/bin/sh -c" args: "cat" ttyEnabled: true privileged: true resourceRequestCpu: "400m" resourceRequestMemory: "512Mi" resourceLimitCpu: "1" resourceLimitMemory: "1024Mi" mavenjdk21-template: | - name: mavenjdk21-template label: mavenjdk21-template serviceAccount: jenkins containers: - name: maven image: maven:jdk21 command: "/bin/sh -c" args: "cat" ttyEnabled: true privileged: true resourceRequestCpu: "400m" resourceRequestMemory: "512Mi" resourceLimitCpu: "1" resourceLimitMemory: "1024Mi" # Inherits all values from `agent` so you only need to specify values which differ # -- Configure additional additionalAgents: mavenjdk8: podName: mavenjdk8 customJenkinsLabels: mavenjdk8 sideContainerName: mavenjdk8 image: repository: jenkins/jnlp-agent-maven tag: latest mavenjdk11: podName: mavenjdk11 customJenkinsLabels: mavenjdk11 sideContainerName: mavenjdk11 image: repository: jenkins/jnlp-agent-maven tag: latest-jdk11 mavenjdk17: podName: mavenjdk17 customJenkinsLabels: mavenjdk17 sideContainerName: mavenjdk17 image: repository: jenkins/jnlp-agent-maven tag: latest-jdk17 mavenjdk21: podName: mavenjdk21 customJenkinsLabels: mavenjdk21 sideContainerName: mavenjdk21 image: repository: jenkins/jnlp-agent-maven tag: latest-jdk21 python2: podName: python2 customJenkinsLabels: python2 sideContainerName: python2 image: repository: python tag: "2" command: "/bin/sh -c" args: "cat" TTYEnabled: true python3: podName: python3 customJenkinsLabels: python3 sideContainerName: python3 image: repository: python tag: "3" command: "/bin/sh -c" args: "cat" TTYEnabled: true
  • Lets git it
git add . git commit -m "Add Jenkins templates" git push

You can view your pod templates by following these steps.

  • Click Manage Jenkins in the left hand menu
jenkins manage

  • Click Clouds
jenkins clouds

  • Click the name of your cloud, mine is PangaRabbit K8s
  • Click Pod Templates
jenkins pod templates

Jenkins Backup Setup

  • Let backup the Jenkins config
  • Click Manage Jenkins in the left hand menu
jenkins manage

  • Click Plugins
jenkins plugins

  • Check that you see the following Plugin installed if not install ThinBackups
jenkins plugins thinbackup

  • Now you don’t need to do this manual exercise as the backup tool will create the directory for you but it is a nice to understand the volume mount process and to see how it works
  • Open your terminal and lets exec onto the Jenkins pod and manually create the backup directory
# Exec onto the pod kubectl exec -it jenkins-0 -- /bin/bash # Create a backup folder for ThinBackup mkdir /var/jenkins_home/backup
  • If your CSI NFS Kubernetes driver is setup correctly and you enabled persistence in the Helm Chart your Jenkins server configuration files will be stored here and Jenkins can make backups to the backup directory
  • To see which PVC your Jenkins POD has mounted run this command
kubectl get pvc
  • The name we want is under VOLUME and mine for example mine was the following
jenkins pvc

  • You should see the backup directory you created on your NFS storage server inside the jenkins directory
jenkins backup directory nfs

  • Click Manage Jenkins
jenkins manage

  • Click System
jenkins system

  • Scroll down until you see ThinBackup Configuration and fill in the following
jenkins thinbackup configuration

  • Add /var/jenkins_home/backup as the Backup Directory
  • If you would like to backup your files once everyday at midnight use this cron H 12 * * 0-6
jenkins thinbackup configuration directory cron

  • If you don’t like that idea you can make your own cron here
  • Go through the rest of the settings and click on the ? for more information about the checkboxes
  • Click Save
  • You should see backups appearing in your backup directory on your NFS storage server at midnight if you used the cron above
  • Jenkins coveniently zips the backup set to save storage space

Jenkins Restore

I tested a restore by simply deleting all the Jenkins config off the NFS server, unzipped one of the backups and copied the Jenkins config files back then deleted the pod and waited for it to be recreated. It worked a charm, all my data, plugins, config, jobs and secrets were restored. I thought that was pretty neat. The Jenkins pod is simply a looking glass that presents all the Jenkins config in a human readable format.

jenkins thinbackup backups

Jenkins and Credentials

Repeat after me “We never use hardcoded sensitive values in our code…ever”, “Setting up security is part of the process”

  • Jenkins gives you ways to mask your secrets being displayed in pipeline builds and jobs
  • Jenkins allows you to set credentials at different levels which is described in greater detail here
  • In this case we are setting credentials at the Global level which can be referenced by the pipeline securely
  • Go to Manage Jenkins –> Credentials –> Global –> Add Credentials
  • They can be used in your Jenkins pipeline configuration file to call the ID of the secret like this
pipeline { environment { DHUSER = credentials('dh-pangarabbit') DHPASS = credentials('dh-pangarabbit') DISCORD = credentials('pangarabbit-discord-jenkins') }
  • In the Jenkins build log you will see the following
[Pipeline] withCredentials Masking supported pattern matches of $DHPASS or $DHPASS_PSW or $DISCORD or $DHUSER or $DHUSER_PSW

Jenkins and Discord Notifications

  • To use this plugin you will need a Discord server of your own which you can find out how to setup here
  • We will be installing the Discord plugin from here
  • Go to Manage Jenkins –> Plugins –> Available plugins and search for Discord Notifier, then install and restart Jenkins by putting this URL in your browser https://<your jenkins server>/restart
  • For example mine was https://jenkins.pangarabbit.com/restart
jenkins plugin discord notifier

  • The DISCORD = credentials('pangarabbit-discord-jenkins') is the generated webhook url that gets created by mousing over a Discord channel and selecting the cog to get to the menu where you can create a webhook dedicated to that channel
  • You will need to go through the same process you did to add the Github credentials to add the Discord webhook as a Jenkins credential
jenkins discord channel cog

  • Discord channel webhooks are configured here and are sensitive information
jenkins discord channel hook

  • This code snippet sets up the Discord variables to mark the cloned repo as safe and pull in the user of the Git commit
stage('Git Committer') { steps { container('python3') { script { // Mark the directory as safe to prevent Git errors sh 'git config --global --add safe.directory ${WORKSPACE}' // Get the user who made the latest commit env.GIT_COMMIT_USER = sh( script: "git log -1 --pretty=format:'%an'", returnStdout: true ).trim() } } } }
  • Below is the code snippet that invokes the Discord build notification
post { always { withCredentials([string(credentialsId: 'pangarabbit-discord-jenkins', variable: 'DISCORD')]) { discordSend description: """ Result: ${currentBuild.currentResult} Service: ${env.JOB_NAME} Build Number: [#${env.BUILD_NUMBER}](${env.BUILD_URL}) Branch: ${env.GIT_BRANCH} Commit User: ${env.GIT_COMMIT_USER} Duration: ${currentBuild.durationString} """, footer: "Wall E love you!", link: env.BUILD_URL, result: currentBuild.currentResult, title: env.JOB_NAME, webhookURL: DISCORD } } } }
  • A notification will look like this and you can correlate the information sent with the code above
jenkins discord notification

Creating a Multibranch Pipeline

  • Open a terminal and create a new Kubernetes namespace called app
kubectl create ns app
  • Back in Jenkins click on New Item
jenkins new item

  • Give it a name ortelius-jenkins-demo-app
  • Select Multibranch Pipeline
jenkins multibranch pipeline

  • Configure the Multibranch Pipeline as follows
  • Ignore the Jenkins Shared Library configuration
jenkins multibranch pipeline configuration

  • Don’t forget to hit that Save button
jenkins multibranch pipeline save

Jenkins meets Ortelius

  • Create the following Jenkinsfile in the Github repo you created and push it to your Github repo
  • A Jenkinsfile is the logic to instruct Jenkins what to build
  • The TOML file instructs Jenkins how to record the component and SBOM data in Ortelius using the Ortelius CLI which can be found here
  • The Jenkins pipeline file below installs the Ortelius CLI as part of the build process
  • Ortelius Open-Source Vulnerability Managment Platform POC document to help you get going
  • Create the Ortelius TOML configuration file
# Application Name and Version - optional. If not used the Component will not be associated to an Application Application = "GLOBAL.PangaRabbit.Jenkins Demo App" Application_Version = "1.0.0" # Define Component Name, Variant and Version - required Name = "GLOBAL.PangaRabbit.Jenkins Demo App" Variant = "${GIT_BRANCH}" Version = "v1.0.0.${BUILD_NUM}-g${SHORT_SHA}" # Key/Values to associate to the Component Version [Attributes] DockerBuildDate = "${BLDDATE}" DockerRepo = "${DOCKERREPO}" DockerSha = "${DIGEST}" DockerTag = "${IMAGE_TAG}" ServiceOwner = "${DHUSER}" ServiceOwnerEmail = "aliens@pangarabbit.com"
  • The complete Ortelius Jenkins pipeline file with Discord notifications
pipeline { environment { DOCKERREPO = "quay.io" DHUSER = credentials('dh-pangarabbit') DHPASS = credentials('dh-pangarabbit') DHORG = "pangarabbit" DHPROJECT = "ortelius-jenkins-demo-app" DHURL = "https://ortelius.pangarabbit.com" DISCORD = credentials('pangarabbit-discord-jenkins') } agent { kubernetes { cloud 'PangaRabbit K8s' defaultContainer 'python3' inheritFrom 'python3' namespace 'app' } } stages { stage('Checkout') { steps { container('python3') { withCredentials([string(credentialsId: 'gh-walle', variable: 'GITHUB_PAT')]) { sh 'git clone https://${GITHUB_PAT}@github.com/dstar55/docker-hello-world-spring-boot.git' } } } } stage('Git Committer') { steps { container('python3') { script { // Mark the directory as safe to prevent Git errors sh 'git config --global --add safe.directory ${WORKSPACE}' // Get the user who made the latest commit env.GIT_COMMIT_USER = sh( script: "git log -1 --pretty=format:'%an'", returnStdout: true ).trim() } } } } stage('Setup') { steps { container('python3') { sh ''' // Install Docker to use Docker commands e.g. docker login, docker build, docker push apt-get update && apt-get install -y docker.io // Install the Ortelius CLI pip install ortelius-cli git clone https://github.com/dstar55/docker-hello-world-spring-boot cd docker-hello-world-spring-boot // Setting up Ortelius environment variables from the component.toml file dh envscript --envvars component.toml --envvars_sh ${WORKSPACE}/dhenv.sh ''' } } } stage('Docker Login') { steps { container('python3') { sh ''' echo ${DHPASS} | docker login -u ${DHUSER} --password-stdin ${DHURL} ''' } } } stage('Build and Push Image') { steps { container('python3') { sh ''' . ${WORKSPACE}/dhenv.sh docker build --tag ${DOCKERREPO}:${IMAGE_TAG} . docker push ${DOCKERREPO}:${IMAGE_TAG} # This line determines the docker digest for the image echo export DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${DOCKERREPO}:${IMAGE_TAG} | cut -d: -f2 | cut -c-12) >> ${WORKSPACE}/dhenv.sh ''' } } } stage('Capture SBOM') { steps { container('python3') { sh ''' . ${WORKSPACE}/dhenv.sh # install Syft curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b . # create the SBOM ./syft packages ${DOCKERREPO}:${IMAGE_TAG} --scope all-layers -o cyclonedx-json > ${WORKSPACE}/cyclonedx.json # display the SBOM cat ${WORKSPACE}/cyclonedx.json ''' } } } stage('Create Component with Build Data and SBOM') { steps { container('python3') { sh ''' . ${WORKSPACE}/dhenv.sh dh updatecomp --rsp component.toml --deppkg "cyclonedx@${WORKSPACE}/cyclonedx.json" ''' } } } } post { always { withCredentials([string(credentialsId: 'pangarabbit-discord-jenkins', variable: 'DISCORD')]) { discordSend description: """ Result: ${currentBuild.currentResult} Service: ${env.JOB_NAME} Build Number: [#${env.BUILD_NUMBER}](${env.BUILD_URL}) Branch: ${env.GIT_BRANCH} Commit User: ${env.GIT_COMMIT_USER} Duration: ${currentBuild.durationString} """, footer: "WallE love you!", link: env.BUILD_URL, result: currentBuild.currentResult, title: env.JOB_NAME, webhookURL: DISCORD } } } }
  • Lets git it
git add . git commit -m "Add Jenkinsfile" git push
  • Go back to Jenkins and select the Multibranch Pipeline you just created
  • Select Main or whatever name appears there
jenkins multibranch pipeline main

  • Select Build Now
jenkins multibranch pipeline build now

  • A build job will begin and you can see the build log by clicking on the circle with the cross inside
jenkins multibranch pipeline build job

  • Open your terminal and run the following command
  • This will show you the Python agent pod running which will build your Python app
  • Don’t worry if there are some hiccups with the pod getting going we have limited resources
kubectl get pod -n app
jenkins multibranch pipeline build pod

  • Here is a snippet of the build log from my Jenkins server
  • You can see Jenkins stepping through the configuration in your Jenkinsfile
Created Pod: PangaRabbit K8s app/ortelius-jenkins-demo-app-main-51-9gxfn-qzrgj-2hnmt Agent ortelius-jenkins-demo-app-main-51-9gxfn-qzrgj-2hnmt is provisioned from template ortelius-jenkins-demo-app_main_51-9gxfn-qzrgj --- apiVersion: "v1" kind: "Pod" metadata: annotations: kubernetes.jenkins.io/last-refresh: "1726324871013" buildUrl: "http://jenkins.infrastructure.svc.cluster.local:8080/job/ortelius-jenkins-demo-app/job/main/51/" runUrl: "job/ortelius-jenkins-demo-app/job/main/51/" labels: jenkins/jenkins-jenkins-agent: "true" jenkins/label-digest: "fadc57588f0db543f93173def36c3565d0dfcc52" jenkins/label: "ortelius-jenkins-demo-app_main_51-9gxfn" kubernetes.jenkins.io/controller: "http___jenkins_infrastructure_svc_cluster_local_8080x" name: "ortelius-jenkins-demo-app-main-51-9gxfn-qzrgj-2hnmt" namespace: "app" spec: containers: - args: - "cat" command: - "/bin/sh" - "-c" env: - name: "JENKINS_URL" value: "http://jenkins.infrastructure.svc.cluster.local:8080/" image: "python:3" imagePullPolicy: "IfNotPresent" name: "python3" resources: limits: memory: "512Mi" cpu: "512m" requests: memory: "512Mi" cpu: "512m" tty: true volumeMounts: - mountPath: "/home/jenkins/agent" name: "workspace-volume" readOnly: false workingDir: "/home/jenkins/agent" - env: - name: "JENKINS_SECRET" value: "********" - name: "JENKINS_TUNNEL" value: "jenkins-agent.infrastructure.svc.cluster.local:50000" - name: "JENKINS_AGENT_NAME" value: "ortelius-jenkins-demo-app-main-51-9gxfn-qzrgj-2hnmt" - name: "REMOTING_OPTS" value: "-noReconnectAfter 1d" - name: "JENKINS_NAME" value: "ortelius-jenkins-demo-app-main-51-9gxfn-qzrgj-2hnmt" - name: "JENKINS_AGENT_WORKDIR" value: "/home/jenkins/agent" - name: "JENKINS_URL" value: "http://jenkins.infrastructure.svc.cluster.local:8080/" image: "jenkins/inbound-agent:3261.v9c670a_4748a_9-2" name: "jnlp" resources: requests: memory: "256Mi" cpu: "100m" volumeMounts: - mountPath: "/home/jenkins/agent" name: "workspace-volume" readOnly: false nodeSelector: kubernetes.io/os: "linux" restartPolicy: "Never" serviceAccountName: "default" volumes: - emptyDir: medium: "" name: "workspace-volume" Running on ortelius-jenkins-demo-app-main-51-9gxfn-qzrgj-2hnmt in /home/jenkins/agent/workspace/ortelius-jenkins-demo-app_main [Pipeline] { [Pipeline] stage [Pipeline] { (Declarative: Checkout SCM) [Pipeline] checkout The recommended git tool is: NONE using credential gh-pangarabbit-jenkins Cloning the remote Git repository Cloning with configured refspecs honoured and without tags Cloning repository https://github.com/sachajw/ortelius-jenkins-demo-app.git > git init /home/jenkins/agent/workspace/ortelius-jenkins-demo-app_main # timeout=10 Fetching upstream changes from https://github.com/sachajw/ortelius-jenkins-demo-app.git > git --version # timeout=10 > git --version # 'git version 2.39.2' using GIT_ASKPASS to set credentials > git fetch --no-tags --force --progress -- https://github.com/sachajw/ortelius-jenkins-demo-app.git +refs/heads/main:refs/remotes/origin/main # timeout=10 > git config remote.origin.url https://github.com/sachajw/ortelius-jenkins-demo-app.git # timeout=10 > git config --add remote.origin.fetch +refs/heads/main:refs/remotes/origin/main # timeout=10 Avoid second fetch Checking out Revision 3d51ff295a43b243bd1ba65602a000b93522af9e (main) > git config core.sparsecheckout # timeout=10 > git checkout -f 3d51ff295a43b243bd1ba65602a000b93522af9e # timeout=10 Commit message: "🛠 NEW: jenkins pod templates" > git rev-list --no-walk 3d51ff295a43b243bd1ba65602a000b93522af9e # timeout=10

FYI make sure you backup your persistent volumes on the NFS server

Conclusion

Hopefully you got this far and I did not forget some crucial configuration or step along the way. If I did please ping me so I can make any fixes. This illustrates how Ortelius can be used to create a component and record SBOMs in a CI tool such as Jenkins.

Happy alien hunting…..

Next Steps

How to Bake an Ortelius Pi | Part 6 | Cloud Dev At Home With Localstack

Meet the Author


Learn More About:

Sachawharton