diff --git a/clusters/publick8s.yaml b/clusters/publick8s.yaml index 10a05d6d3..f21208452 100644 --- a/clusters/publick8s.yaml +++ b/clusters/publick8s.yaml @@ -234,11 +234,11 @@ releases: - public-nginx-ingress/public-nginx-ingress values: - "../config/ipv6-lb-service.yaml" - # - name: updates-jenkins-io - # namespace: updates-jenkins-io - # chart: jenkins-infra/mirrorbits - # version: 0.63.0 - # values: - # - "../config/updates.jenkins.io.yaml" - # secrets: - # - "../secrets/config/updates.jenkins.io/secrets.yaml" + - name: updates-jenkins-io + namespace: updates-jenkins-io + chart: jenkins-infra/mirrorbits-parent + version: 0.0.8 + values: + - "../config/updates.jenkins.io.yaml" + secrets: + - "../secrets/config/updates.jenkins.io/secrets.yaml" diff --git a/config/ldap.yaml b/config/ldap.yaml index f2d695018..c7301c012 100644 --- a/config/ldap.yaml +++ b/config/ldap.yaml @@ -10,7 +10,7 @@ service: - '20.12.27.65/32' # 107 accept inbound LDAPS request from puppet.jenkins.io - '104.209.128.236/32' # accept inbound LDAPS from trusted.ci.jenkins.io vnet (public IP for the outbound NAT gateway) - '172.176.126.194/32' # accept inbound LDAPS from private.vpn.jenkins.io - - '104.209.153.13/32' # accept inbound LDAPS from cert.ci.jenkins.io vnet (public IP for the outbound NAT gateway) + - '104.209.153.13/32' # accept inbound LDAPS from cert.ci.jenkins.io vnet (public IP for the outbound NAT gateway) - '52.252.104.110/32' # Accept inbound LDAPS from ci.jenkins.io - '34.211.101.61/32' # Accept inbound connections from Linux Foundation test machine - '44.240.22.235/32' # Accept inbound connections from Linux Foundation prod machine diff --git a/config/updates.jenkins.io.yaml b/config/updates.jenkins.io.yaml index a8ecae807..71e3ff8ca 100644 --- a/config/updates.jenkins.io.yaml +++ b/config/updates.jenkins.io.yaml 
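Review bot: The re-enabled release keeps `secrets: - "../secrets/config/updates.jenkins.io/secrets.yaml"` unchanged while the chart moves from `jenkins-infra/mirrorbits` to the umbrella `jenkins-infra/mirrorbits-parent`, whose values in this same diff are nested under `mirrorbits-lite:` / `httpd:` / `rsyncd:`; helmfile merges decrypted secrets files as values, so if that secrets file still has the previous flat layout its keys will silently never reach the subchart. Worth confirming it was restructured under the matching subchart key in the same change, since nothing here would fail loudly. The `version: 0.0.8` pin on a 0.0.x chart also means later automated bumps can carry values-schema changes, so the same secrets-layout check belongs in the review of those bumps.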
@@ -1,32 +1,83 @@ -nameOverride: updates-jenkins-io - -ingress: +mirrorbits-lite: enabled: true - className: public-nginx - annotations: - "cert-manager.io/cluster-issuer": "letsencrypt-prod" - "nginx.ingress.kubernetes.io/ssl-redirect": "true" - hosts: - - host: azure.updates.jenkins.io - paths: - - path: / - serviceNameSuffix: files - - path: /.*[.](deb|hpi|war|rpm|msi|pkg|sha256|md5sum|zip|gz|pdf|json|svg|sh|jpeg|ico|png|html)$ - pathType: ImplementationSpecific - tls: - - secretName: updates-jenkins-io-tls - hosts: - - azure.updates.jenkins.io -resources: - mirrorbits: + ingress: + enabled: true + className: public-nginx + annotations: + "cert-manager.io/cluster-issuer": "letsencrypt-prod" + "nginx.ingress.kubernetes.io/ssl-redirect": "true" + hosts: + - host: azure.updates.jenkins.io + paths: + - path: / + serviceNameSuffix: files + - path: /.*[.](deb|hpi|war|rpm|msi|pkg|sha256|md5sum|zip|gz|pdf|json|svg|sh|jpeg|ico|png|html)$ + pathType: ImplementationSpecific + tls: + - secretName: updates-jenkins-io-tls + hosts: + - azure.updates.jenkins.io + + resources: limits: cpu: 500m memory: 1024Mi requests: cpu: 500m memory: 1024Mi - files: + + repository: + name: updates-jenkins-io-binary + persistentVolumeClaim: + enabled: true + spec: + accessModes: + - ReadOnlyMany + storageClassName: azurefile-csi-premium + volumeName: updates-jenkins-io-binary + resources: + requests: + storage: 2Gi # See file share size in https://github.com/jenkins-infra/azure/blob/main/updates.jenkins.io.tf + # As the storage account is independently declared and created elsewhere (jenkins-infra/azure/updates.jenkins.io.tf), + # we're adding the PV definition to rattach the PVC to the existing storage account without creating a new one + # and especially without deleting it when the cluster has to be recreated. 
+ persistentVolume: + enabled: true + spec: + capacity: + storage: 2Gi # See file share size in https://github.com/jenkins-infra/azure/blob/main/updates.jenkins.io.tf + storageClassName: azurefile-csi-premium + accessModes: + - ReadOnlyMany + persistentVolumeReclaimPolicy: Retain + csi: + driver: file.csi.azure.com + readOnly: false + volumeHandle: updates-jenkins-io-binary # make sure this volumeid is unique for every identical share in the cluster + volumeAttributes: + resourceGroup: updates-jenkins-io + shareName: updates-jenkins-io + nodeStageSecretRef: + name: updates-jenkins-io-mirrorbits-lite-binary + namespace: updates-jenkins-io + mountOptions: + - dir_mode=0755 + - file_mode=0644 + - uid=1000 + - gid=1000 + - mfsymlinks + - nobrl + - serverino + - cache=strict + + nodeSelector: + agentpool: x86medium + +httpd: + enabled: true + + resources: limits: cpu: 2000m memory: 2048Mi 
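Review bot: The csi block moved under `mirrorbits-lite.repository.persistentVolume` still sets `readOnly: false` although the PVC it backs is `ReadOnlyMany` and every consumer of the share in this file only reads from it; Kubernetes access modes are matching hints rather than an enforced mount flag, so `readOnly: true` on the csi volume is what would make the Azure file driver actually mount the share read-only. Worth confirming no in-cluster workload writes to the share before flipping it, and if one does, a short comment on `readOnly:` saying which one would stop the next reader from asking the same question. Minor wording in the carried-over comment: `rattach` reads as `reattach`. The `httpd:` mapping continues past the end of the hunk.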
@@ -34,61 +85,43 @@ resources: cpu: 2000m memory: 2048Mi -repository: - name: updates-jenkins-io-binary - persistentVolumeClaim: - enabled: true - spec: - accessModes: - - ReadOnlyMany - storageClassName: azurefile-csi-premium - volumeName: updates-jenkins-io-binary - resources: - requests: - storage: 2Gi # See file share size in https://github.com/jenkins-infra/azure/blob/main/updates.jenkins.io.tf - # As the storage account is independently declared and created elsewhere (jenkins-infra/azure/updates.jenkins.io.tf), - # we're adding the PV definition to rattach the PVC to the existing storage account without creating a new one - # and especially without deleting it when the cluster has to be recreated. - persistentVolume: - enabled: true - spec: - capacity: - storage: 2Gi # See file share size in https://github.com/jenkins-infra/azure/blob/main/updates.jenkins.io.tf - storageClassName: azurefile-csi-premium - accessModes: - - ReadOnlyMany - persistentVolumeReclaimPolicy: Retain - csi: - driver: file.csi.azure.com - readOnly: false - volumeHandle: updates-jenkins-io-binary # make sure this volumeid is unique for every identical share in the cluster - volumeAttributes: - resourceGroup: updates-jenkins-io - shareName: updates-jenkins-io - nodeStageSecretRef: - name: updates-jenkins-io-binary - namespace: updates-jenkins-io - mountOptions: - - dir_mode=0755 - - file_mode=0644 - - uid=1000 - - gid=1000 - - mfsymlinks - - nobrl - - serverino - - cache=strict + repository: + name: updates-jenkins-io-binary + reuseExistingPersistentVolumeClaim: true -replicaCount: - mirrorbits: 1 #2 - files: 1 #2 - rsyncd: 1 + nodeSelector: + agentpool: x86medium rsyncd: enabled: true - volumes: - datadir: - persistentVolumeClaim: - claimName: updates-jenkins-io-binary -nodeSelector: - agentpool: x86medium + configuration: + components: + - name: jenkins + path: /rsyncd/data/jenkins + comment: "Jenkins Read-Only Mirror" + volume: + persistentVolumeClaim: + claimName: 
updates-jenkins-io-binary
+
+ podSecurityContext:
+ runAsUser: 65534 # User 'nobody'
+ runAsGroup: 65534 # Group 'nogroup'
+ runAsNonRoot: true
+ containerSecurityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+
+ resources:
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 64Mi
+
+ nodeSelector:
+ agentpool: x86medium
diff --git a/updatecli/updatecli.d/charts/mirrorbits-parent.yaml b/updatecli/updatecli.d/charts/mirrorbits-parent.yaml
new file mode 100644
index 000000000..631e02598
--- /dev/null
+++ b/updatecli/updatecli.d/charts/mirrorbits-parent.yaml
@@ -0,0 +1,41 @@
+name: "Bump mirrorbits-parent Helm Chart Version"
+
+scms:
+ default:
+ kind: github
+ spec:
+ user: "{{ .github.user }}"
+ email: "{{ .github.email }}"
+ owner: "{{ .github.owner }}"
+ repository: "{{ .github.repository }}"
+ token: "{{ requiredEnv .github.token }}"
+ username: "{{ .github.username }}"
+ branch: "{{ .github.branch }}"
+
+sources:
+ lastChartVersion:
+ kind: helmchart
+ name: get last chart version
+ spec:
+ url: https://jenkins-infra.github.io/helm-charts
+ name: mirrorbits-parent
+
+targets:
+ updateChartVersion:
+ name: "Update the chart version for mirrorbits-parent"
+ kind: file
+ spec:
+ file: clusters/publick8s.yaml
+ matchpattern: 'chart: jenkins-infra\/mirrorbits-parent((\r\n|\r|\n)(\s+))version: .*'
+ replacepattern: 'chart: jenkins-infra/mirrorbits-parent${1}version: {{ source "lastChartVersion" }}'
+ scmid: default
+
+actions:
+ default:
+ kind: github/pullrequest
+ scmid: default
+ title: Bump `mirrorbits-parent` helm chart version to {{ source "lastChartVersion" }}
+ spec:
+ labels:
+ - dependencies
+ - mirrorbits-parent
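Review bot: The `podSecurityContext` / `containerSecurityContext` hardening added under `rsyncd:` (non-root 65534, `readOnlyRootFilesystem: true`, `allowPrivilegeEscalation: false`, drop `ALL`) has no counterpart under `mirrorbits-lite:` or `httpd:` in this file, even though both mount the same `updates-jenkins-io-binary` share and `mirrorbits-lite` carries the public ingress; unless the mirrorbits-parent chart's subchart defaults already set the equivalent, adding the same two blocks under each section brings the three workloads to one baseline. The share's mount options (`uid=1000`, `file_mode=0644`, `dir_mode=0755`) still give a 65534 process read access, so the rsyncd user change is consistent with a read-only mirror. A one-line comment next to `runAsUser: 65534` saying the share is intentionally owned by uid 1000 would save the next reader from reconciling the two numbers.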
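Review bot: The `lastChartVersion` helmchart source has no version filter, so the target is bumped to whatever the chart index reports as latest; for a chart still on a 0.0.x line a pre-release or breaking 0.x bump would be proposed without distinction. If the other chart manifests in this directory use updatecli's `versionfilter` (for example kind `semver`), adding one under the source `spec:` keeps the automation consistent and avoids pre-release pins. The action opens a pull request rather than merging, so a reviewer still sees each bump, but the values layout under `mirrorbits-lite:` / `httpd:` / `rsyncd:` in config/updates.jenkins.io.yaml is what that review has to check against every new chart version.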