From ead7009f5c9ecb32aa60031bddfb4f1f96898203 Mon Sep 17 00:00:00 2001
From: Dan Manners
Date: Sat, 9 Sep 2023 14:51:42 -0400
Subject: [PATCH] Jenkins Updates
---
 manifests/workloads/argo-workflows/rbac.yaml | 92 +++++----------------
 .../jenkins-oss/argoproj-application.yaml | 20 ----
 .../workloads/jenkins-oss/kustomization.yaml | 3 +
 manifests/workloads/jenkins-oss/rbac.yaml | 21 +++--
 .../workloads/jenkins-oss/statefulset.yaml | 56 -----------
 manifests/workloads/jenkins-oss/values.yaml | 16 ++--
 6 files changed, 47 insertions(+), 161 deletions(-)
 delete mode 100644 manifests/workloads/jenkins-oss/argoproj-application.yaml
 delete mode 100644 manifests/workloads/jenkins-oss/statefulset.yaml
diff --git a/manifests/workloads/argo-workflows/rbac.yaml b/manifests/workloads/argo-workflows/rbac.yaml
index 2fd5189c..37d563a4 100644
--- a/manifests/workloads/argo-workflows/rbac.yaml
+++ b/manifests/workloads/argo-workflows/rbac.yaml
@@ -3,77 +3,27 @@ kind: ClusterRole
 metadata:
   name: goodmannershosting-admins
 rules:
-- verbs:
-  - get
-  - watch
-  - list
-  apiGroups:
-  - ''
-  resources:
-  - configmaps
-  - events
-- verbs:
-  - get
-  - list
-  - watch
-  - delete
-  apiGroups:
-  - ''
-  resources:
-  - pods
-- verbs:
-  - get
-  - list
-  apiGroups:
-  - ''
-  resources:
-  - pods/log
-- verbs:
-  - get
-  apiGroups:
-  - ''
-  resources:
-  - secrets
-  resourceNames:
-  - sso
-- verbs:
-  - create
-  apiGroups:
-  - ''
-  resources:
-  - secrets
-- verbs:
-  - get
-  - list
-  - watch
-  apiGroups:
-  - ''
-  resources:
-  - serviceaccounts
-- verbs:
-  - get
-  apiGroups:
-  - ''
-  resources:
-  - secrets
-- verbs:
-  - watch
-  - create
-  - patch
-  apiGroups:
-  - ''
-  resources:
-  - events
-- verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-  apiGroups:
-  - argoproj.io
+- verbs: [get, watch, list]
+  apiGroups: [""]
+  resources: [configmaps, events]
+- verbs: [get, watch, list, delete]
+  apiGroups: [""]
+  resources: [pods]
+- verbs: [get, list]
+  apiGroups: [""]
+  resources: [pods/log]
+- verbs: [get, create]
+  apiGroups: [""]
+  resources: [secrets]
+  resourceNames: [sso]
+- verbs: [get, list, watch]
+  apiGroups: [""]
+  resources: [serviceaccounts]
+- verbs: [create, watch, patch]
+  apiGroups: [""]
+  resources: [events]
+- verbs: [create, get, list, watch, update, patch, delete]
+  apiGroups: [argoproj.io]
   resources:
   - cronworkflows
   - eventbus
diff --git a/manifests/workloads/jenkins-oss/argoproj-application.yaml b/manifests/workloads/jenkins-oss/argoproj-application.yaml
deleted file mode 100644
index 321e9c88..00000000
--- a/manifests/workloads/jenkins-oss/argoproj-application.yaml
+++ /dev/null
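Review bot: The consolidated secrets rule `- verbs: [get, create]` with `resourceNames: [sso]` grants less than the three rules it replaces: RBAC cannot scope `create` by resource name (the object's name is not known at authorization time), so a rule that carries `resourceNames` is only honoured for `get`, and the old stand-alone `create` on secrets is effectively lost. If Argo still needs to create secrets, keep that verb in its own rule, `- verbs: [create]` / `apiGroups: [""]` / `resources: [secrets]`, without `resourceNames`. The old side also carried an unrestricted `get` on all secrets that the new side drops; that is a tightening, but worth stating in the commit message so nobody reads it as accidental. The `argoproj.io` resources list continues past the end of the hunk.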
@@ -1,20 +0,0 @@
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: "jenkins-oss"
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: "https://github.com/danmanners/homelab-kube-cluster.git"
-    path: manifests/workloads/jenkins-oss
-    targetRevision: main
-  destination:
-    server: "https://kubernetes.default.svc"
-    namespace: jenkins-ce
-  syncPolicy:
-    automated:
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
diff --git a/manifests/workloads/jenkins-oss/kustomization.yaml b/manifests/workloads/jenkins-oss/kustomization.yaml
index 5b98fd02..3eb00a85 100644
--- a/manifests/workloads/jenkins-oss/kustomization.yaml
+++ b/manifests/workloads/jenkins-oss/kustomization.yaml
@@ -20,3 +20,6 @@ images:
 - name: jenkins-container-image:latest
   newName: core.harbor.homelab.danmanners.com/docker.io/jenkins/jenkins
   newTag: 2.414.1-lts
+- name: busybox-image
+  newName: core.harbor.homelab.danmanners.com/docker.io/library/busybox
+  newTag: stable
diff --git a/manifests/workloads/jenkins-oss/rbac.yaml b/manifests/workloads/jenkins-oss/rbac.yaml
index 5804e7d1..12d24d5c 100644
--- a/manifests/workloads/jenkins-oss/rbac.yaml
+++ b/manifests/workloads/jenkins-oss/rbac.yaml
@@ -1,13 +1,20 @@
----
 apiVersion: v1
 kind: ServiceAccount
+# automountServiceAccountToken: true
 metadata:
   name: default
 ---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: default.service-account-token
+  annotations:
+    kubernetes.io/service-account.name: default
+---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  namespace: default
   name: jenkins
 rules:
 - apiGroups: [""]
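Review bot: `newTag: stable` on the new `busybox-image` entry is a floating tag, so the image behind the Jenkins init step (which values.yaml in this commit runs as root) can change between syncs without any change in this repository; the sibling `jenkins-container-image` entry pins `2.414.1-lts`. Pin it to a specific busybox release, or add a `digest:` field next to `newTag` so kustomize rewrites the reference to an immutable one.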
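Review bot: The new `kubernetes.io/service-account-token` Secret issues a non-expiring token for the `default` ServiceAccount, the same account the ClusterRoleBinding at the end of this file ties to the `jenkins` ClusterRole, so every pod in the namespace that omits `serviceAccountName` inherits those cluster-wide permissions and a static credential for them sits in the namespace indefinitely. A dedicated account avoids both: `name: jenkins` on the ServiceAccount, `kubernetes.io/service-account.name: jenkins` on the Secret, and the same name in the binding's subject. The commented `# automountServiceAccountToken: true` sits where the real field would go, but `true` is already the default, so the comment records no decision; a short comment stating why the token Secret exists would be more useful in its place. If the Secret is only there so something outside the cluster can hold a token, the TokenRequest API gives a bounded-lifetime alternative.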
@@ -21,11 +28,11 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: jenkins-user
-subjects:
-  - kind: ServiceAccount
-    name: default
-    namespace: default
 roleRef:
-  kind: ClusterRole
   name: jenkins
+  kind: ClusterRole
   apiGroup: rbac.authorization.k8s.io
+subjects:
+- name: default
+  kind: ServiceAccount
+  namespace: default
diff --git a/manifests/workloads/jenkins-oss/statefulset.yaml b/manifests/workloads/jenkins-oss/statefulset.yaml
deleted file mode 100644
index 4232eccc..00000000
--- a/manifests/workloads/jenkins-oss/statefulset.yaml
+++ /dev/null
@@ -1,56 +0,0 @@
----
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: jenkins-ce
-spec:
-  selector:
-    matchLabels:
-      app: jenkins-ce
-  serviceName: jenkins-ce
-  replicas: 1
-  template:
-    metadata:
-      labels:
-        app: jenkins-ce
-    spec:
-      terminationGracePeriodSeconds: 60
-      initContainers:
-        - name: init-jenkins
-          image: busybox
-          command: ['sh', '-c', 'chown -R 1000:1000 /var/jenkins_home']
-          volumeMounts:
-            - name: jenkins-volume
-              mountPath: /var/jenkins_home
-              subPath: jenkins_home
-      nodeSelector:
-        kubernetes.io/arch: amd64
-      containers:
-        - name: jenkins-ce
-          image: jenkins-image
-          ports:
-            - containerPort: 8080
-              name: web
-            - containerPort: 50000
-              name: jnlp-agents
-          volumeMounts:
-            - name: jenkins-volume
-              mountPath: /var/jenkins_home
-              subPath: jenkins_home
-          resources:
-            limits:
-              cpu: "2"
-            requests:
-              cpu: "1"
-          securityContext:
-            runAsUser: 1000
-            runAsGroup: 1000
-  volumeClaimTemplates:
-    - metadata:
-        name: jenkins-volume
-      spec:
-        accessModes: [ "ReadWriteMany" ]
-        storageClassName: "hdd"
-        resources:
-          requests:
-            storage: 16Gi
diff --git a/manifests/workloads/jenkins-oss/values.yaml b/manifests/workloads/jenkins-oss/values.yaml
index 41690bab..f7821b8e 100644
--- a/manifests/workloads/jenkins-oss/values.yaml
+++ b/manifests/workloads/jenkins-oss/values.yaml
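Review bot: The reordered subject still hard-codes `namespace: default`, while the ServiceAccount and Secret earlier in this file set no namespace and so land wherever the kustomization applies them; the Application manifest deleted in this commit targeted `jenkins-ce`, which suggests the binding may point at `default/default` rather than the account Jenkins runs as. Kustomize's `namespace:` transformer does rewrite ServiceAccount subjects on ClusterRoleBindings, so if the kustomization sets it this is moot, but that is outside the hunk; otherwise the subject needs the real namespace, e.g. `namespace: jenkins-ce`. Since the role is cluster-scoped, a mismatch here fails silently (Jenkins simply gets 403s), so an explicit comment on the subject naming the namespace it must match would help the next reader.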
@@ -6,10 +6,8 @@ image:
   tag: latest
   pullPolicy: IfNotPresent
 
-nodeSelector:
-  kubernetes.io/arch: amd64
-
 podSecurityContext:
+  fsGroup: 1000
   runAsUser: 1000
   runAsGroup: 1000
 
@@ -19,13 +17,19 @@ termination:
 resources:
   limits:
     cpu: "2"
+    memory: "4Gi"
   requests:
     cpu: "1"
+    memory: "2Gi"
 
 initContainers:
-  init-jenkins:
-    image: docker.io/library/busybox:stable
+  init:
+    image: busybox-image
     command: ["sh", "-c", "ls -halt /var/jenkins_home && chown -R 1000:1000 /var/jenkins_home"]
+    securityContext:
+      runAsUser: 0
+      allowPrivilegeEscalation: true
+
     volumeMounts:
     - name: jenkins-home
       mountPath: /var/jenkins_home
@@ -60,7 +64,6 @@ ingress: paths: - path: / pathType: Prefix - service: persistence: jenkins-home:
@@ -68,5 +71,4 @@ persistence:
     storageClass: ceph-rbd
     accessMode: ReadWriteOnce
     mountPath: /var/jenkins_home
-    # subPath: jenkins-volume
     size: 20Gi
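Review bot: The init container's new `allowPrivilegeEscalation: true` is not needed for a `chown` that already runs as `runAsUser: 0`; it should read `allowPrivilegeEscalation: false`, which removes one finding from a Pod Security `restricted` audit without changing what the command can do. With `fsGroup: 1000` added in the first hunk, the kubelet sets the volume's group ownership to GID 1000 on volume types that honour fsGroup, which the `ceph-rbd` storage class in the last hunk likely does, so the root init container may be redundant altogether; confirm the `chown` is still required before widening its privileges. The `ls -halt /var/jenkins_home` in the command looks like leftover debugging that lands in the init container log on every start.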