chore(updates.jenkins.io): use new mirrorbits-parent helm chart (#4320

) * chore(updates.jenkins.io): use new `mirrorbits-parent` helm chart * add nameOverrides * comment out fullnameOverride * cleanup * wip * bump mirrorbits-parent chart version * add updatecli manifest * bump mirrorbits-parent version, include rsyncd 1.x.x helm chart version * please YAML linter * restore 'i' * add rsyncd component * use last chart version with completed hardening * remove old config * cleanup * fix yaml lint errors --------- Co-authored-by: Damien Duportal <[email protected]>
jenkins-infra · Sep 11, 2023 · 0b660f2 · 0b660f2
1 parent d79e559
commit 0b660f2
Show file tree

Hide file tree

Showing 4 changed files with 157 additions and 83 deletions.
diff --git a/clusters/publick8s.yaml b/clusters/publick8s.yaml
@@ -234,11 +234,11 @@ releases:
       - public-nginx-ingress/public-nginx-ingress
     values:
       - "../config/ipv6-lb-service.yaml"
-  # - name: updates-jenkins-io
-  #   namespace: updates-jenkins-io
-  #   chart: jenkins-infra/mirrorbits
-  #   version: 0.63.0
-  #   values:
-  #     - "../config/updates.jenkins.io.yaml"
-  #   secrets:
-  #     - "../secrets/config/updates.jenkins.io/secrets.yaml"
+  - name: updates-jenkins-io
+    namespace: updates-jenkins-io
+    chart: jenkins-infra/mirrorbits-parent
+    version: 0.0.8
+    values:
+      - "../config/updates.jenkins.io.yaml"
+    secrets:
+      - "../secrets/config/updates.jenkins.io/secrets.yaml"
diff --git a/config/ldap.yaml b/config/ldap.yaml
@@ -10,7 +10,7 @@ service:
     - '20.12.27.65/32'  # 107 accept inbound LDAPS request from puppet.jenkins.io
     - '104.209.128.236/32'  # accept inbound LDAPS from trusted.ci.jenkins.io vnet (public IP for the outbound NAT gateway)
     - '172.176.126.194/32'  # accept inbound LDAPS from private.vpn.jenkins.io
-    - '104.209.153.13/32' # accept inbound LDAPS from cert.ci.jenkins.io vnet (public IP for the outbound NAT gateway)
+    - '104.209.153.13/32'  # accept inbound LDAPS from cert.ci.jenkins.io vnet (public IP for the outbound NAT gateway)
     - '52.252.104.110/32'  # Accept inbound LDAPS from ci.jenkins.io
     - '34.211.101.61/32'  # Accept inbound connections from Linux Foundation test machine
     - '44.240.22.235/32'  # Accept inbound connections from Linux Foundation prod machine

diff --git a/config/updates.jenkins.io.yaml b/config/updates.jenkins.io.yaml
@@ -1,94 +1,127 @@
-nameOverride: updates-jenkins-io
-
-ingress:
+mirrorbits-lite:
   enabled: true
-  className: public-nginx
-  annotations:
-    "cert-manager.io/cluster-issuer": "letsencrypt-prod"
-    "nginx.ingress.kubernetes.io/ssl-redirect": "true"
-  hosts:
-    - host: azure.updates.jenkins.io
-      paths:
-        - path: /
-          serviceNameSuffix: files
-        - path: /.*[.](deb|hpi|war|rpm|msi|pkg|sha256|md5sum|zip|gz|pdf|json|svg|sh|jpeg|ico|png|html)$
-          pathType: ImplementationSpecific
-  tls:
-    - secretName: updates-jenkins-io-tls
-      hosts:
-        - azure.updates.jenkins.io
 
-resources:
-  mirrorbits:
+  ingress:
+    enabled: true
+    className: public-nginx
+    annotations:
+      "cert-manager.io/cluster-issuer": "letsencrypt-prod"
+      "nginx.ingress.kubernetes.io/ssl-redirect": "true"
+    hosts:
+      - host: azure.updates.jenkins.io
+        paths:
+          - path: /
+            serviceNameSuffix: files
+          - path: /.*[.](deb|hpi|war|rpm|msi|pkg|sha256|md5sum|zip|gz|pdf|json|svg|sh|jpeg|ico|png|html)$
+            pathType: ImplementationSpecific
+    tls:
+      - secretName: updates-jenkins-io-tls
+        hosts:
+          - azure.updates.jenkins.io
+
+  resources:
     limits:
       cpu: 500m
       memory: 1024Mi
     requests:
       cpu: 500m
       memory: 1024Mi
-  files:
+
+  repository:
+    name: updates-jenkins-io-binary
+    persistentVolumeClaim:
+      enabled: true
+      spec:
+        accessModes:
+          - ReadOnlyMany
+        storageClassName: azurefile-csi-premium
+        volumeName: updates-jenkins-io-binary
+        resources:
+          requests:
+            storage: 2Gi  # See file share size in https://github.com/jenkins-infra/azure/blob/main/updates.jenkins.io.tf
+    # As the storage account is independently declared and created elsewhere (jenkins-infra/azure/updates.jenkins.io.tf),
+    # we're adding the PV definition to rattach the PVC to the existing storage account without creating a new one
+    # and especially without deleting it when the cluster has to be recreated.
+    persistentVolume:
+      enabled: true
+      spec:
+        capacity:
+          storage: 2Gi  # See file share size in https://github.com/jenkins-infra/azure/blob/main/updates.jenkins.io.tf
+        storageClassName: azurefile-csi-premium
+        accessModes:
+          - ReadOnlyMany
+        persistentVolumeReclaimPolicy: Retain
+        csi:
+          driver: file.csi.azure.com
+          readOnly: false
+          volumeHandle: updates-jenkins-io-binary  # make sure this volumeid is unique for every identical share in the cluster
+          volumeAttributes:
+            resourceGroup: updates-jenkins-io
+            shareName: updates-jenkins-io
+          nodeStageSecretRef:
+            name: updates-jenkins-io-mirrorbits-lite-binary
+            namespace: updates-jenkins-io
+        mountOptions:
+          - dir_mode=0755
+          - file_mode=0644
+          - uid=1000
+          - gid=1000
+          - mfsymlinks
+          - nobrl
+          - serverino
+          - cache=strict
+
+  nodeSelector:
+    agentpool: x86medium
+
+httpd:
+  enabled: true
+
+  resources:
     limits:
       cpu: 2000m
       memory: 2048Mi
     requests:
       cpu: 2000m
       memory: 2048Mi
 
-repository:
-  name: updates-jenkins-io-binary
-  persistentVolumeClaim:
-    enabled: true
-    spec:
-      accessModes:
-        - ReadOnlyMany
-      storageClassName: azurefile-csi-premium
-      volumeName: updates-jenkins-io-binary
-      resources:
-        requests:
-          storage: 2Gi # See file share size in https://github.com/jenkins-infra/azure/blob/main/updates.jenkins.io.tf
-  # As the storage account is independently declared and created elsewhere (jenkins-infra/azure/updates.jenkins.io.tf),
-  # we're adding the PV definition to rattach the PVC to the existing storage account without creating a new one
-  # and especially without deleting it when the cluster has to be recreated.
-  persistentVolume:
-    enabled: true
-    spec:
-      capacity:
-        storage: 2Gi # See file share size in https://github.com/jenkins-infra/azure/blob/main/updates.jenkins.io.tf
-      storageClassName: azurefile-csi-premium
-      accessModes:
-        - ReadOnlyMany
-      persistentVolumeReclaimPolicy: Retain
-      csi:
-        driver: file.csi.azure.com
-        readOnly: false
-        volumeHandle: updates-jenkins-io-binary  # make sure this volumeid is unique for every identical share in the cluster
-        volumeAttributes:
-          resourceGroup: updates-jenkins-io
-          shareName: updates-jenkins-io
-        nodeStageSecretRef:
-          name: updates-jenkins-io-binary
-          namespace: updates-jenkins-io
-      mountOptions:
-        - dir_mode=0755
-        - file_mode=0644
-        - uid=1000
-        - gid=1000
-        - mfsymlinks
-        - nobrl
-        - serverino
-        - cache=strict
+  repository:
+    name: updates-jenkins-io-binary
+    reuseExistingPersistentVolumeClaim: true
 
-replicaCount:
-  mirrorbits: 1 #2
-  files: 1 #2
-  rsyncd: 1
+  nodeSelector:
+    agentpool: x86medium
 
 rsyncd:
   enabled: true
-  volumes:
-    datadir:
-      persistentVolumeClaim:
-        claimName: updates-jenkins-io-binary
 
-nodeSelector:
-  agentpool: x86medium
+  configuration:
+    components:
+      - name: jenkins
+        path: /rsyncd/data/jenkins
+        comment: "Jenkins Read-Only Mirror"
+        volume:
+          persistentVolumeClaim:
+            claimName: updates-jenkins-io-binary
+
+  podSecurityContext:
+    runAsUser: 65534  # User 'nobody'
+    runAsGroup: 65534  # Group 'nogroup'
+    runAsNonRoot: true
+  containerSecurityContext:
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+
+  resources:
+    limits:
+      cpu: 100m
+      memory: 128Mi
+    requests:
+      cpu: 50m
+      memory: 64Mi
+
+  nodeSelector:
+    agentpool: x86medium
diff --git a/updatecli/updatecli.d/charts/mirrorbits-parent.yaml b/updatecli/updatecli.d/charts/mirrorbits-parent.yaml
@@ -0,0 +1,41 @@
+name: "Bump mirrorbits-parent Helm Chart Version"
+
+scms:
+  default:
+    kind: github
+    spec:
+      user: "{{ .github.user }}"
+      email: "{{ .github.email }}"
+      owner: "{{ .github.owner }}"
+      repository: "{{ .github.repository }}"
+      token: "{{ requiredEnv .github.token }}"
+      username: "{{ .github.username }}"
+      branch: "{{ .github.branch }}"
+
+sources:
+  lastChartVersion:
+    kind: helmchart
+    name: get last chart version
+    spec:
+      url: https://jenkins-infra.github.io/helm-charts
+      name: mirrorbits-parent
+
+targets:
+  updateChartVersion:
+    name: "Update the chart version for mirrorbits-parent"
+    kind: file
+    spec:
+      file: clusters/publick8s.yaml
+      matchpattern: 'chart: jenkins-infra\/mirrorbits-parent((\r\n|\r|\n)(\s+))version: .*'
+      replacepattern: 'chart: jenkins-infra/mirrorbits-parent${1}version: {{ source "lastChartVersion" }}'
+    scmid: default
+
+actions:
+  default:
+    kind: github/pullrequest
+    scmid: default
+    title: Bump `mirrorbits-parent` helm chart version to {{ source "lastChartVersion" }}
+    spec:
+      labels:
+        - dependencies
+        - mirrorbits-parent