commit 9434645ce5c3c242ad9246723af1f01a78864a61
Author: jenkins-x-bot
Date: Wed Apr 15 12:37:41 2020 +0200
initial config based of jenkins-x/jenkins-x-boot-config with ref v1.0.82
diff --git a/.gitignore b/.gitignore
new file mode 100755
index 0000000..f4d575e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,8 @@
+secrets.yaml
+mysecrets.yaml
+charts/
+requirements.lock
+.DS_Store
+.idea
+env/cluster/
+env/parameters.schema.json
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..50cf464
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,7 @@
+repos:
+- repo: git@github.com:Yelp/detect-secrets
+ rev: v0.12.4
+ hooks:
+ - id: detect-secrets
+ args: ['--baseline', '.secrets.baseline']
+ exclude: .*/tests/.*
\ No newline at end of file
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 0000000..f37487d
--- /dev/null
+++ b/.secrets.baseline
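Review bot: The detect-secrets hook at `- repo: git@github.com:Yelp/detect-secrets` is pinned only to the tag `rev: v0.12.4`, and a tag can be moved, so the scanner that gates secret commits for every contributor is not a fixed artifact; pre-commit accepts a full commit SHA in `rev:`, which is the usual way to pin a security hook. The `git@github.com:` form also requires every contributor to have SSH access to GitHub configured, where `https://github.com/Yelp/detect-secrets` works with any clone. I would also add a comment above `exclude: .*/tests/.*` noting that anything under a tests directory is not scanned at all, since that is where fixture credentials tend to accumulate.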
@@ -0,0 +1,89 @@ +{ + "exclude": { + "files": null, + "lines": null + }, + "generated_at": "2019-09-11T09:31:17Z", + "plugins_used": [ + { + "name": "AWSKeyDetector" + }, + { + "name": "ArtifactoryDetector" + }, + { + "base64_limit": 4.5, + "name": "Base64HighEntropyString" + }, + { + "name": "BasicAuthDetector" + }, + { + "hex_limit": 3, + "name": "HexHighEntropyString" + }, + { + "name": "KeywordDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "StripeDetector" + } + ], + "results": { + "bdd/bdd.sh": [ + { + "hashed_secret": "8ed71d19964ae8169396605379dc4f65ff292fe2", + "is_secret": false, + "line_number": 40, + "type": "Secret Keyword" + } + ], + "env/jenkins-x-platform/values.tmpl.yaml": [ + { + "hashed_secret": "d2e2ab0f407e4ee3cf2ab87d61c31b25a74085e5", + "is_secret": false, + "line_number": 20, + "type": "Secret Keyword" + } + ], + "env/jxboot-resources/values.tmpl.yaml": [ + { + "hashed_secret": "d2e2ab0f407e4ee3cf2ab87d61c31b25a74085e5", + "is_secret": false, + "line_number": 143, + "type": "Secret Keyword" + } + ], + "env/tekton/values.tmpl.yaml": [ + { + "hashed_secret": "d2e2ab0f407e4ee3cf2ab87d61c31b25a74085e5", + "is_secret": false, + "line_number": 21, + "type": "Secret Keyword" + } + ], + "kubeProviders/iks/README.md": [ + { + "hashed_secret": "aa5c16139fb7160196bad6d4a1ae97b677ff0d81", + "is_secret": false, + "line_number": 198, + "type": "Secret Keyword" + } + ], + "systems/external-dns/values.tmpl.yaml": [ + { + "hashed_secret": "8aa3771c4ae26feb2df06246de60d7620aad7bb7", + "is_secret": false, + "line_number": 7, + "type": "Secret Keyword" + } + ] + }, + "version": "0.12.4" +} diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..1925c21 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,20 @@
+GO := GO111MODULE=off go
+
+install-fmt-deps:
+ $(GO) get github.com/abayer/fmt-yml-for-k8s
+
+fmt: install-fmt-deps
+ ${GOPATH}/bin/fmt-yml-for-k8s --file jenkins-x.yml --output-dir .
+
+verify-fmt: install-fmt-deps fmt
+ $(eval CHANGED = $(shell git ls-files --modified --exclude-standard))
+ @if [ "$(CHANGED)" == "" ]; \
+ then \
+ echo "jenkins-x.yml properly formatted"; \
+ else \
+ echo "jenkins-x.yml is not properly formatted"; \
+ echo "$(CHANGED)"; \
+ git diff; \
+ exit 1; \
+ fi
+
diff --git a/OWNERS b/OWNERS
new file mode 100644
index 0000000..4c256b2
--- /dev/null
+++ b/OWNERS
@@ -0,0 +1,26 @@
+approvers:
+- rawlingsj
+- jstrachan
+- ccojocar
+- garethjevans
+- pmuir
+- wbrefvem
+- warrenbailey
+- cagiti
+- abayer
+- dgozalo
+- daveconde
+- hferentschik
+reviewers:
+- rawlingsj
+- jstrachan
+- ccojocar
+- garethjevans
+- pmuir
+- wbrefvem
+- warrenbailey
+- cagiti
+- abayer
+- dgozalo
+- daveconde
+- hferentschik
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..63af63b
--- /dev/null
+++ b/README.md
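Review bot: `@if [ "$(CHANGED)" == "" ]; \` in `verify-fmt` uses the bash-only `==` inside `[ ]`, but make runs recipes with `/bin/sh`, which on Debian/Ubuntu is dash and rejects it with `[: unexpected operator`, so the target errors out before it checks anything on those systems; `@if [ -z "$(CHANGED)" ]; \` is portable and equivalent. Separately, `$(GO) get github.com/abayer/fmt-yml-for-k8s` under `GO111MODULE=off` fetches whatever is on that repository's default branch at build time, so the formatter whose output decides whether `verify-fmt` passes is unpinned and can change between runs; pinning it to a commit or tag would make the check reproducible.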
@@ -0,0 +1,96 @@ + +## Jenkins X Boot Configuration + +This repository contains the source code for [Jenkins X Boot configuration](https://jenkins-x.io/docs/getting-started/setup/boot/) so that you can setup, upgrade or configure your Jenkins X installation via GitOps. + +## How to install... + +### Creating a kubernetes cluster + +* either use Terraform to spin up a GKE cluster with a `jx` namespace and any necessary cloud resources (e.g. on GCP we need a Kaniko Service Account and Secret) +* create an empty GKE cluster by hand e.g. via `jx create cluster gke --skip-installation` or using the [GCP Console](https://console.cloud.google.com/) + +### Run the new Jenkins X Bootstrap Pipeline + +Create a fork of this git repository on github. We suggest renaming it to match the pattern `environment--dev`. To rename your repository go to the repository settings in github. + +Clone your newly forked git repository: + +``` +git clone https://github.com//environment--dev && cd environment--dev +``` + +> It's important that you cd into your newly checked out git repo, otherwise `jx boot` will use the upstream Jenkins X boot +configuration. + +Now, in the checkout, run: + +``` +jx boot +``` + +If you are not in a clone of a boot git repository then `jx boot` will clone this repository and `cd` into the clone. + +The bootstrap process runs the Jenkins X Pipeline in interpret mode as there's nothing running in your Kubernetes cluster yet and so there's no server side tekton controller until after we bootstrap. + +The bootstrap process will also ask you for various important `parameters` which are used to populate a bunch of `Secrets` stored in either Vault or the local file system (well away from your git clone). + +The pipeline will then setup the ingress controller, then cert manager, then install the actual development environment. + +Apart from the secrets populated to Vault / local file system everything else is stored inside this git repository as Apps and helm charts. 
+ + +### How it works + +We have improved the support for value + secret composition via this [issue](https://github.com/jenkins-x/jx/issues/4328). + + +### Parameters file + +We define a [env/parameters.yaml](https://github.com/jenkins-x/jenkins-x-boot-config/blob/master/env/parameters.yaml) file which defines all the parameters either checked in or loaded from Vault or a local file system secrets location. + +#### Injecting secrets into the parameters + +If you look at the current [env/parameters.yaml](https://github.com/jenkins-x/jenkins-x-boot-config/blob/master/env/parameters.yaml) file you will see some values inlined and others use URIs of the form `local:my-cluster-folder/nameofSecret/key`. This currently supports 2 schemes: + +* `vault:` to load from a path + key from Vault +* `local:` to load from a key in a YAML file at `~/.jx/localSecrets/$path.yml` + +This means we can populate all the Parameters we need on startup then refer to them from `values.yaml` to populate the tree of values to then inject those into Vault. + + +#### Populating the `parameters.yaml` file + +We can then use the new step to populate the `parameters.yaml` file via this command in the `env` folder: + +``` +jx step create values --name parameters +``` + +This uses the [parameters.schema.json](https://github.com/jenkins-x/jenkins-x-boot-config/blob/master/env/parameters.schema.json) file which powers the UI. + +So if you wanted to perform your own install from this git repo, just fork it, remove `env/parameters.yaml` and run the bootstrap command! + +### Improvements to values.yaml + +#### Support a tree of values.yaml files + +Rather than a huge huge deeply nested values.yaml file we can have a tree of files for each App only include the App specific configuration in each folder. e.g. 
+ +``` +env/ + values.yaml # top level configuration + prow/ + values.yaml # prow specific config + tekton/ + vales.yaml # tekton specific config +``` + + +#### values.yaml templates + +When using `jx step helm apply` we now allow `values.yaml` files to use go/helm templates just like `templates/foo.yaml` files support inside helm charts so that we can generate value/secret strings which can use templating to compose things from smaller secret values. e.g. creating a maven `settings.xml` file or docker `config.json` which includes many user/passwords for different registries. + +We can then check in the `values.yaml` file which does all of this composition and reference the actual secret values via URLs (or template functions) to access vault or local vault files + +To do this we use expressions like: `{{ .Parameter.pipelineUser.token }}` somewhere in the `values.yaml` values file. So this is like injecting values into the helm templates; but it happens up front to help generate the `values.yaml` files. diff --git a/bdd/bdd.sh b/bdd/bdd.sh new file mode 100755 index 0000000..46104c5 --- /dev/null +++ b/bdd/bdd.sh 
@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+set -euo pipefail
+set -x
+
+if [ $# -ne 2 ]; then
+ echo "Please provide the source and destination paths for configuration"
+ exit -1
+fi
+SRC_PATH=$1
+DST_PATH=$2
+
+export GH_USERNAME="jenkins-x-bot-test"
+export GH_EMAIL="jenkins-x@googlegroups.com"
+export GH_OWNER="jenkins-x-bot-test"
+
+# fix broken `BUILD_NUMBER` env var
+export BUILD_NUMBER="$BUILD_ID"
+
+JX_HOME="/tmp/jxhome"
+KUBECONFIG="/tmp/jxhome/config"
+
+# lets avoid the git/credentials causing confusion during the test
+export XDG_CONFIG_HOME=$JX_HOME
+
+mkdir -p $JX_HOME/git
+
+jx --version
+
+# replace the credentials file with a single user entry
+echo "https://$GH_USERNAME:$GH_ACCESS_TOKEN@github.com" > $JX_HOME/git/credentials
+
+# setup GCP service account
+gcloud auth activate-service-account --key-file $GKE_SA
+
+# setup git
+git config --global --add user.name JenkinsXBot
+git config --global --add user.email jenkins-x@googlegroups.com
+
+echo "running the BDD tests with JX_HOME = $JX_HOME"
+
+# setup jx boot parameters
+export JX_VALUE_ADMINUSER_PASSWORD="$JENKINS_PASSWORD"
+export JX_VALUE_PIPELINEUSER_USERNAME="$GH_USERNAME"
+export JX_VALUE_PIPELINEUSER_EMAIL="$GH_EMAIL"
+export JX_VALUE_PIPELINEUSER_TOKEN="$GH_ACCESS_TOKEN"
+export JX_VALUE_PROW_HMACTOKEN="$GH_ACCESS_TOKEN"
+
+# TODO temporary hack until the batch mode in jx is fixed...
+export JX_BATCH_MODE="true"
+
+# prepare the BDD configuration
+mkdir -p $DST_PATH
+cp -r `ls -A | grep -v "${DST_PATH}"` $DST_PATH
+cp $SRC_PATH/jx-requirements.yml $DST_PATH
+cp $SRC_PATH/parameters.yaml $DST_PATH/env
+cd $DST_PATH
+
+# Rotate the domain to avoid cert-manager API rate limit
+if [[ "${DOMAIN_ROTATION}" == "true" ]]; then
+ SHARD=$(date +"%l" | xargs)
+ DOMAIN="${DOMAIN_PREFIX}${SHARD}${DOMAIN_SUFFIX}"
+ if [[ -z "${DOMAIN}" ]]; then
+ echo "Domain rotation enabled. Please set DOMAIN_PREFIX and DOMAIN_SUFFIX environment variables"
+ exit -1
+ fi
+ echo "Using domain: ${DOMAIN}"
+ sed -i "/^ *ingress:/,/^ *[^:]*:/s/domain: .*/domain: ${DOMAIN}/" jx-requirements.yml
+fi
+echo "Using jx-requirements.yml"
+cat jx-requirements.yml
+
+# TODO hack until we fix boot to do this too!
+helm init --client-only
+helm repo add jenkins-x https://storage.googleapis.com/chartmuseum.jenkins-x.io
+
+jx step bdd \
+ --use-revision \
+ --versions-repo https://github.com/jenkins-x/jenkins-x-versions.git \
+ --config $SRC_PATH/cluster.yaml \
+ --gopath /tmp \
+ --git-provider=github \
+ --git-username $GH_USERNAME \
+ --git-owner $GH_OWNER \
+ --git-api-token $GH_ACCESS_TOKEN \
+ --default-admin-password $JENKINS_PASSWORD \
+ --no-delete-app \
+ --no-delete-repo \
+ --tests install \
+ --tests test-create-spring
diff --git a/bdd/boot-local/README.md b/bdd/boot-local/README.md
new file mode 100644
index 0000000..cd739a1
--- /dev/null
+++ b/bdd/boot-local/README.md
@@ -0,0 +1 @@
+## BDD test using JX Boot with Local secrets
\ No newline at end of file
diff --git a/bdd/boot-local/cluster.yaml b/bdd/boot-local/cluster.yaml
new file mode 100644
index 0000000..95a5e76
--- /dev/null
+++ b/bdd/boot-local/cluster.yaml
@@ -0,0 +1,18 @@
+clusters:
+ - name: boot-local
+ args:
+ - create
+ - cluster
+ - gke
+ - --project-id=jenkins-x-bdd3
+ - -m=n1-standard-2
+ - --min-num-nodes=3
+ - --max-num-nodes=5
+ - -z=europe-west1-c
+ - --skip-login
+ - --skip-installation
+ commands:
+ - command: jx
+ args:
+ - boot
+ - -b
diff --git a/bdd/boot-local/jx-requirements.yml b/bdd/boot-local/jx-requirements.yml
new file mode 100644
index 0000000..28e9b07
--- /dev/null
+++ b/bdd/boot-local/jx-requirements.yml
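Review bot: `set -x` on the third line of `bdd/bdd.sh` traces every expanded command, so `echo "https://$GH_USERNAME:$GH_ACCESS_TOKEN@github.com" > $JX_HOME/git/credentials`, the `export JX_VALUE_ADMINUSER_PASSWORD="$JENKINS_PASSWORD"` and `JX_VALUE_PIPELINEUSER_TOKEN` assignments, and the final `--git-api-token $GH_ACCESS_TOKEN --default-admin-password $JENKINS_PASSWORD` arguments all end up in the CI log with the secrets in clear. The credentials file is also written under the default umask, so it is readable by any other user on the build agent. I would turn tracing off around the secret-handling lines and set a restrictive umask before the write, as below; the `jx step bdd` call at the end needs the same wrapping, or the token should reach it through the environment rather than argv. Reusing `$GH_ACCESS_TOKEN` as `JX_VALUE_PROW_HMACTOKEN` additionally makes the webhook HMAC secret, which is stored in the GitHub webhook settings, identical to the API token, so a leak of either exposes both; a separate random value is cheap here.
```shell
set -euo pipefail
umask 077   # the git credentials file written below must be owner-only
set -x
# ... unchanged: argument check, GH_* exports, JX_HOME / XDG_CONFIG_HOME setup ...
set +x      # keep the token out of the xtrace output
echo "https://$GH_USERNAME:$GH_ACCESS_TOKEN@github.com" > "$JX_HOME/git/credentials"
set -x
# ... unchanged: gcloud and git config ...
set +x      # the JX_VALUE_* assignments below expand the password and token
export JX_VALUE_ADMINUSER_PASSWORD="$JENKINS_PASSWORD"
export JX_VALUE_PIPELINEUSER_USERNAME="$GH_USERNAME"
export JX_VALUE_PIPELINEUSER_EMAIL="$GH_EMAIL"
export JX_VALUE_PIPELINEUSER_TOKEN="$GH_ACCESS_TOKEN"
export JX_VALUE_PROW_HMACTOKEN="$GH_ACCESS_TOKEN"
set -x
# ... unchanged: JX_BATCH_MODE, configuration copy, domain rotation, helm setup, jx step bdd ...
```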
@@ -0,0 +1,39 @@ +cluster: + clusterName: bdd-boot-local + environmentGitOwner: jenkins-x-bot-test + project: jenkins-x-bdd3 + provider: gke + zone: europe-west1-c +environments: + - key: dev + owner: "" + repository: "" + - key: staging + owner: "" + repository: "" + - key: production + owner: "" + repository: "" +ingress: + domain: "" + externalDNS: false + tls: + email: "" + enabled: false + production: false +kaniko: true +secretStorage: local +storage: + logs: + enabled: false + url: "" + reports: + enabled: false + url: "" + repository: + enabled: false + url: "" +versionStream: + ref: "master" + url: https://github.com/jenkins-x/jenkins-x-versions.git +webhook: prow diff --git a/bdd/boot-local/parameters.yaml b/bdd/boot-local/parameters.yaml new file mode 100644 index 0000000..d928458 --- /dev/null +++ b/bdd/boot-local/parameters.yaml @@ -0,0 +1,10 @@ +adminUser: + username: admin +enableDocker: false +gitProvider: github +gpg: {} +pipelineUser: + github: + host: github.com + username: jenkins-x-bot-test + email: jenkins-x@googlegroups.com diff --git a/bdd/boot-vault/README.md b/bdd/boot-vault/README.md new file mode 100644 index 0000000..90f3b6a --- /dev/null +++ b/bdd/boot-vault/README.md @@ -0,0 +1 @@ +## BDD test using JX Boot with Vault secrets diff --git a/bdd/boot-vault/cluster.yaml b/bdd/boot-vault/cluster.yaml new file mode 100644 index 0000000..24fe54b --- /dev/null +++ b/bdd/boot-vault/cluster.yaml @@ -0,0 +1,18 @@ +clusters: + - name: boot-vault + args: + - create + - cluster + - gke + - --project-id=jenkins-x-bdd3 + - -m=n1-standard-2 + - --min-num-nodes=3 + - --max-num-nodes=5 + - -z=europe-west1-c + - --skip-login + - --skip-installation + commands: + - command: jx + args: + - boot + - -b diff --git a/bdd/boot-vault/jx-requirements.yml b/bdd/boot-vault/jx-requirements.yml new file mode 100644 index 0000000..cb1921f --- /dev/null +++ b/bdd/boot-vault/jx-requirements.yml 
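Review bot: `versionStream: ref: "master"` in `bdd/boot-local/jx-requirements.yml` resolves chart and image versions from a moving branch of `jenkins-x/jenkins-x-versions`, so two BDD runs of the same commit can install different versions, and a bad push to that branch changes or breaks every run. Pinning `ref:` to a tag or commit would make the test reproducible and tie what gets installed to this config; if tracking master is deliberate for the BDD suite, a comment above the key, e.g. `# intentionally tracks master so the BDD run exercises the latest version stream`, would save the next reader the question.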
@@ -0,0 +1,42 @@
+cluster:
+ clusterName: bdd-boot-vault
+ environmentGitOwner: jenkins-x-bot-test
+ project: jenkins-x-bdd3
+ provider: gke
+ zone: europe-west1-c
+environments:
+ - key: dev
+ owner: ""
+ repository: ""
+ - key: staging
+ owner: ""
+ repository: ""
+ - key: production
+ owner: ""
+ repository: ""
+ingress:
+ domain: ""
+ externalDNS: false
+ tls:
+ email: ""
+ enabled: false
+ production: false
+kaniko: true
+secretStorage: vault
+repository: nexus
+storage:
+ logs:
+ enabled: false
+ url: ""
+ reports:
+ enabled: false
+ url: ""
+ repository:
+ enabled: false
+ url: ""
+versionStream:
+ ref: "master"
+ url: https://github.com/jenkins-x/jenkins-x-versions.git
+vault:
+ disableURLDiscovery: true
+webhook: prow
diff --git a/bdd/boot-vault/parameters.yaml b/bdd/boot-vault/parameters.yaml
new file mode 100644
index 0000000..d928458
--- /dev/null
+++ b/bdd/boot-vault/parameters.yaml
@@ -0,0 +1,10 @@
+adminUser:
+ username: admin
+enableDocker: false
+gitProvider: github
+gpg: {}
+pipelineUser:
+ github:
+ host: github.com
+ username: jenkins-x-bot-test
+ email: jenkins-x@googlegroups.com
diff --git a/clearcluster.sh b/clearcluster.sh
new file mode 100755
index 0000000..e720a37
--- /dev/null
+++ b/clearcluster.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+echo "removing the cluster specific files"
+rm -f env/parameters.yaml
+rm -f env/cluster/values.yaml
+rm -rf ~/.jx/localSecrets
\ No newline at end of file
diff --git a/env/Chart.yaml b/env/Chart.yaml
new file mode 100644
index 0000000..df5cd8a
--- /dev/null
+++ b/env/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+description: GitOps Environment for this Environment
+icon: https://www.cloudbees.com/sites/default/files/Jenkins_8.png
+maintainers:
+- name: Team
+name: env
+version: "1"
diff --git a/env/Makefile b/env/Makefile
new file mode 100644
index 0000000..52182dc
--- /dev/null
+++ b/env/Makefile
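Review bot: `rm -rf ~/.jx/localSecrets` in `clearcluster.sh` wipes the local secret store for every cluster, not just the one whose `env/parameters.yaml` and `env/cluster/values.yaml` the two preceding lines remove, and the README in this commit says `local:` parameter URIs resolve to a per-cluster folder under `~/.jx/localSecrets/$path.yml`. Someone resetting one cluster therefore silently loses the admin passwords and tokens of all the others, with nothing to restore from. I would either scope the deletion to this cluster's folder or confirm first, e.g. `read -r -p "Delete ALL local secrets under ~/.jx/localSecrets? [y/N] " ans` followed by `[[ "$ans" == [yY] ]] && rm -rf ~/.jx/localSecrets`, and add a comment above the script stating that it is destructive across clusters.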
@@ -0,0 +1,13 @@
+init:
+ helm init --client-only
+ helm repo add jenkins-x https://storage.googleapis.com/chartmuseum.jenkins-x.io
+ helm repo add bitnami https://charts.bitnami.com/bitnami
+ helm repo add stable https://kubernetes-charts.storage.googleapis.com
+
+build: clean init
+ jx step helm build --boot --provider-values-dir=../kubeProviders
+ helm lint .
+
+clean:
+ rm -rf charts
+ rm -rf requirements.lock
diff --git a/env/bucketrepo/values.tmpl.yaml b/env/bucketrepo/values.tmpl.yaml
new file mode 100644
index 0000000..871577a
--- /dev/null
+++ b/env/bucketrepo/values.tmpl.yaml
@@ -0,0 +1,15 @@
+{{- if and (hasKey .Requirements "repository") (eq .Requirements.repository "bucketrepo") }}
+enabled: true
+{{- else }}
+enabled: false
+{{- end }}
+
+config:
+ storage:
+{{- if .Requirements.storage.repository.url }}
+ enabled: true
+{{- end }}
+ bucketUrl: "{{ .Requirements.storage.repository.url }}"
+ auth:
+ username: "{{ .Parameters.adminUser.username }}"
+ password: "{{ .Parameters.adminUser.password }}"
diff --git a/env/chartmuseum/values.tmpl.yaml b/env/chartmuseum/values.tmpl.yaml
new file mode 100644
index 0000000..f1c383a
--- /dev/null
+++ b/env/chartmuseum/values.tmpl.yaml
@@ -0,0 +1,6 @@
+{{- if and (hasKey .Requirements "repository") (eq .Requirements.repository "bucketrepo") }}
+enabled: false
+{{- else }}
+enabled: true
+{{- end }}
+
diff --git a/env/controllerbuild/values.yaml b/env/controllerbuild/values.yaml
new file mode 100644
index 0000000..d4ca941
--- /dev/null
+++ b/env/controllerbuild/values.yaml
@@ -0,0 +1 @@
+enabled: true
diff --git a/env/controllerteam/values.yaml b/env/controllerteam/values.yaml
new file mode 100644
index 0000000..bc11441
--- /dev/null
+++ b/env/controllerteam/values.yaml
@@ -0,0 +1 @@
+enabled: false
diff --git a/env/controllerworkflow/values.yaml b/env/controllerworkflow/values.yaml
new file mode 100644
index 0000000..bc11441
--- /dev/null
+++ b/env/controllerworkflow/values.yaml
@@ -0,0 +1 @@
+enabled: false
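Review bot: `password: "{{ .Parameters.adminUser.password }}"` in `env/bucketrepo/values.tmpl.yaml` interpolates the admin password into a double-quoted YAML scalar without escaping, so a password containing `"` or `\` yields invalid YAML or a truncated credential once the template is rendered, and `username:` on the line above has the same problem. The file already relies on template helpers (`hasKey`), and `quote` is used elsewhere in this commit, so `password: {{ .Parameters.adminUser.password | quote }}` would escape the quote and backslash characters correctly. The same unescaped interpolation of `.Parameters.*` secrets recurs in the other `values.tmpl.yaml` files added here, so it is worth fixing as a pattern rather than per file.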
diff --git a/env/docker-registry/README.MD b/env/docker-registry/README.MD new file mode 100644 index 0000000..49c45fe --- /dev/null +++ b/env/docker-registry/README.MD @@ -0,0 +1,2 @@ +# docker-registry + diff --git a/env/docker-registry/values.tmpl.yaml b/env/docker-registry/values.tmpl.yaml new file mode 100644 index 0000000..b7bbfc4 --- /dev/null +++ b/env/docker-registry/values.tmpl.yaml @@ -0,0 +1,5 @@ +{{- if eq .Requirements.webhook "jenkins" }} +enabled: true +{{- else }} +enabled: false +{{- end }} diff --git a/env/jenkins-x-platform/README.MD b/env/jenkins-x-platform/README.MD new file mode 100644 index 0000000..eb01f42 --- /dev/null +++ b/env/jenkins-x-platform/README.MD @@ -0,0 +1,7 @@ +# jenkins-x-platform + +|App Metadata|| +|---|---| +| **Version** | 0.0.3877 | +| **Description** | Jenkins X next gen cloud CI / CD platform for Kubernetes | +| **Chart Repository** | http://chartmuseum.jenkins-x.io | diff --git a/env/jenkins-x-platform/templates/jenkins-x-platform-app.yaml b/env/jenkins-x-platform/templates/jenkins-x-platform-app.yaml new file mode 100644 index 0000000..5c424fc --- /dev/null +++ b/env/jenkins-x-platform/templates/jenkins-x-platform-app.yaml @@ -0,0 +1,12 @@ +apiVersion: jenkins.io/v1 +kind: App +metadata: + annotations: + jenkins.io/chart-description: Jenkins X next gen cloud CI / CD platform for Kubernetes + jenkins.io/chart-repository: http://chartmuseum.jenkins-x.io + creationTimestamp: null + labels: + jenkins.io/app-name: jenkins-x-platform + jenkins.io/app-version: 0.0.3877 + name: jenkins-x-platform +spec: {} diff --git a/env/jenkins-x-platform/values.tmpl.yaml b/env/jenkins-x-platform/values.tmpl.yaml new file mode 100644 index 0000000..7b74e55 --- /dev/null +++ b/env/jenkins-x-platform/values.tmpl.yaml 
@@ -0,0 +1,197 @@ +{{- if hasKey .Requirements.cluster "registry" }} +dockerRegistry: "{{ .Requirements.cluster.registry }}" +{{- end }} + + +expose: + enabled: false + +JXBasicAuth: "{{ .Parameters.adminUser.username }}:{SHA}{{ .Parameters.adminUser.password | hashPassword }}" + +cleanup: + enabled: false + +chartmuseum: +{{- if and (hasKey .Requirements "repository") (eq .Requirements.repository "bucketrepo") }} + enabled: false +{{- else }} + env: + secret: + BASIC_AUTH_USER: "{{ .Parameters.adminUser.username }}" + BASIC_AUTH_PASS: "{{ .Parameters.adminUser.password }}" +{{- end }} + +nexus: + defaultAdminPassword: "{{ .Parameters.adminUser.password }}" +{{- if hasKey .Requirements "repository"}} +{{- if or (eq .Requirements.repository "nexus") (eq .Requirements.repository "") }} + enabled: true +{{- else }} + enabled: false +{{- end }} +{{- else }} + enabled: false +{{- end }} + +jenkins: + Master: + AdminPassword: "{{ .Parameters.adminUser.password }}" + +PipelineSecrets: + GitCreds: https://{{ .Parameters.pipelineUser.username }}:{{ .Parameters.pipelineUser.token }}@{{ trimPrefix "https://" .Requirements.cluster.gitServer | default "https://github.com" | }} + GithubToken: "{{ .Parameters.pipelineUser.token }}" + MavenSettingsXML: |- + + /home/jenkins/.mvnrepository + +{{- if and (hasKey .Requirements "repository") (eq .Requirements.repository "bucketrepo") }} + + + bucketrepo + bucketrepo mirror + * + http://bucketrepo/bucketrepo/ + + +{{- else if and (hasKey .Requirements "repository") (eq .Requirements.repository "none") }} + + + central + US Central + https://repo.maven.apache.org/maven2 + central + + + UK + UK Central + https://uk.maven.org/maven2 + central + + +{{- else }} + + + nexus + nexus mirror + external:* + http://nexus/repository/maven-group/ + + +{{- end }} + + + false + + + + local-nexus + {{ .Parameters.adminUser.username }} + {{ .Parameters.adminUser.password }} + + + nexus + {{ .Parameters.adminUser.username }} + {{ 
.Parameters.adminUser.password }} + + + docker.io + + + + + + nexus + +{{- if and (hasKey .Requirements "repository") (eq .Requirements.repository "bucketrepo") }} + local-nexus::default::http://bucketrepo/bucketrepo/deploy/maven-snapshots/ + local-nexus::default::http://bucketrepo/bucketrepo/deploy/maven-releases/ + local-nexus::default::http://bucketrepo/bucketrepo/deploy/maven-snapshots/ +{{- else if and (hasKey .Requirements "repository") (eq .Requirements.repository "none") }} +{{- else }} + local-nexus::default::http://nexus/repository/maven-snapshots/ + local-nexus::default::http://nexus/repository/maven-releases/ + local-nexus::default::http://nexus/repository/maven-snapshots/ +{{- end }} + + + + + central + http://central + true + true + + + + + central + http://central + true + true + + + + + repo.jenkins-ci.org + + repo.jenkins-ci.org::default::https://repo.jenkins-ci.org/releases/ + repo.jenkins-ci.org::default::https://repo.jenkins-ci.org/releases/ + repo.jenkins-ci.org::default::https://repo.jenkins-ci.org/snapshots/ + + + + + maven.jenkins-ci.org + + maven.jenkins-ci.org::default::https://maven.jenkins-ci.org/releases/ + maven.jenkins-ci.org::default::https://maven.jenkins-ci.org/releases/ + maven.jenkins-ci.org::default::https://maven.jenkins-ci.org/snapshots/ + + + + + release + + gpg + + + + + + + + nexus + + + SSHConfig: |- + Host github.com + User git + IdentityFile /root/.ssh-git/ssh-key + StrictHostKeyChecking no + +{{- if eq .Requirements.webhook "lighthouse" }} +controllerbuild: + enabled: true + args: + - "controller" + - "build" + - "--git-reporting" + - "--batch-mode" + - "--git-credentials" + - "--verbose" +{{- end }} + +gcactivities: + args: + - "gc" + - "activities" + - "--batch-mode" + - "--pr-history-limit=30" + cronjob: + enabled: true + schedule: "0/30 * * * *" + +gcpods: + cronjob: + enabled: true + schedule: "0/30 * * * *" 
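Review bot: `StrictHostKeyChecking no` in the `SSHConfig` block for `Host github.com` disables host-key verification for every git-over-SSH operation the pipelines perform with `/root/.ssh-git/ssh-key`, so anything that can answer for github.com on the network path receives the pushes and pulls and can exercise the key; the usual fix is to ship GitHub's published host key in a known_hosts file and set `StrictHostKeyChecking yes` (or `accept-new` on newer OpenSSH). Separately, in `GitCreds:` the pipeline `trimPrefix "https://" .Requirements.cluster.gitServer | default "https://github.com" |` applies the default only after the prefix has been stripped, so whenever `gitServer` renders empty the value becomes `https://user:token@https://github.com`, and the trailing `|` before `}}` looks accidental; `{{ .Requirements.cluster.gitServer | default "https://github.com" | trimPrefix "https://" }}` gives the intended host. Whether `gitServer` can actually be empty at render time depends on how `.Requirements` is populated, which is not visible in this diff.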
diff --git a/env/jenkins/values.tmpl.yaml b/env/jenkins/values.tmpl.yaml new file mode 100644 index 0000000..b7bbfc4 --- /dev/null +++ b/env/jenkins/values.tmpl.yaml @@ -0,0 +1,5 @@ +{{- if eq .Requirements.webhook "jenkins" }} +enabled: true +{{- else }} +enabled: false +{{- end }} diff --git a/env/jxboot-resources/README.MD b/env/jxboot-resources/README.MD new file mode 100644 index 0000000..bb74041 --- /dev/null +++ b/env/jxboot-resources/README.MD @@ -0,0 +1,6 @@ +# jxboot-resources + +|App Metadata|| +|---|---| +| **Version** | 0.0.1 | +| **Chart Repository** | http://chartmuseum.jenkins-x.io | diff --git a/env/jxboot-resources/values.tmpl.yaml b/env/jxboot-resources/values.tmpl.yaml new file mode 100644 index 0000000..53a91f3 --- /dev/null +++ b/env/jxboot-resources/values.tmpl.yaml 
@@ -0,0 +1,216 @@ +cluster: + domain: {{ .Requirements.ingress.domain }} +{{- if hasKey .Requirements.ingress "exposer" }} + exposer: {{ .Requirements.ingress.exposer }} +{{- else if eq .Requirements.cluster.provider "openshift" }} + exposer: Route +{{- else if eq .Requirements.cluster.provider "minishift" }} + exposer: Route +{{- else }} + exposer: Ingress +{{- end }} + namespace: {{ .Requirements.cluster.namespace | default "jx" }} + namespaceSubDomain: {{ .Requirements.ingress.namespaceSubDomain | default ".jx." }} +{{- if hasKey .Requirements.cluster "project" }} + projectID: {{ .Requirements.cluster.project }} +{{- else }} + projectID: "" +{{- end }} +{{- if hasKey .Requirements.cluster "zone" }} + zone: {{ .Requirements.cluster.zone }} +{{- else }} + zone: "" +{{- end }} + name: "" +{{- if hasKey .Requirements.cluster "provider" }} + provider: {{ .Requirements.cluster.provider }} +{{- end }} + serverUrl: "" +{{- if .Requirements.ingress.tls.enabled }} + tls: true +{{- else }} + tls: false +{{- end }} + +gitops: + versionStreamUrl: {{ .Requirements.versionStream.url }} + versionStreamRef: {{ .Requirements.versionStream.ref }} + + gitKind: {{ .Requirements.cluster.gitKind | default "github" }} + gitName: {{ .Requirements.cluster.gitName | default "github" }} +{{- if hasKey .Requirements.cluster "gitPublic" }} + gitPublic: {{ .Requirements.cluster.gitPublic }} +{{- end }} + server: {{ .Requirements.cluster.gitServer | default "https://github.com" }} + owner: {{ .Requirements.cluster.environmentGitOwner }} + webhook: {{ .Requirements.webhook | default "prow" | quote }} +{{- if eq .Requirements.cluster.gitKind "bitbucketserver" }} + gitUrlPathPrefix: "/scm" +{{- else }} + gitUrlPathPrefix: "" +{{- end }} + + dev: + server: "" +{{- if .Requirements.gitops }} + repo: "{{ .Environments.dev.repository }}" + owner: "{{ .Environments.dev.owner }}" + envOrganisation: "{{ .Requirements.cluster.environmentGitOwner }}" +{{- else }} + repo: "" + owner: "" + envOrganisation: 
"" +{{- end }} +{{- if eq .Requirements.cluster.provider "gke" }} + dockerRegistryOrg: "{{ .Requirements.cluster.project }}" +{{- else }} + dockerRegistryOrg: "" +{{- end }} + + + staging: + repo: "{{ .Environments.staging.repository }}" + owner: "{{ .Environments.staging.owner | default .Requirements.cluster.environmentGitOwner }}" + server: "" + namespace: {{ .Requirements.cluster.namespace | default "jx" }}-staging +{{- if hasKey .Environments.staging "remoteCluster" }} + remote: {{ .Environments.staging.remoteCluster | default "false" }} +{{- end }} + + production: + repo: "{{ .Environments.production.repository }}" + owner: "{{ .Environments.production.owner | default .Requirements.cluster.environmentGitOwner }}" + server: "" + namespace: {{ .Requirements.cluster.namespace | default "jx" }}-production +{{- if hasKey .Environments.production "remoteCluster" }} + remote: {{ .Environments.production.remoteCluster | default "false" }} +{{- end }} + +storage: + logs: + url: "{{ .Requirements.storage.logs.url }}" + reports: + url: "{{ .Requirements.storage.reports.url }}" + repository: + url: "{{ .Requirements.storage.repository.url }}" + +expose: + enabled: false + +cleanup: + enabled: false + +controllerbuild: + enabled: true +controllerteam: + enabled: false +controllerworkflow: + enabled: false +jenkins: + enabled: false +jenkins-x-platform: + chartmuseum: + enabled: true + env: + open: + AUTH_ANONYMOUS_GET: true + DISABLE_API: false +# STORAGE: google +# STORAGE_GOOGLE_BUCKET: chartmuseum.jenkins-x.io +# STORAGE_GOOGLE_PREFIX: charts +# gcp: +# secret: +# enabled: true +# key: gcs-chartmuseum.key.json +# name: gcs-jenkinsx-chartmuseum + image: + tag: v0.7.1 + controllerbuild: + enabled: true + jenkins: + Agent: + PodTemplates: + Go: + Containers: + Go: + Image: jenkinsxio/builder-go:latest + Maven: + Containers: + Maven: + Image: jenkinsxio/builder-maven:latest + volumes: + - mountPath: /root/.m2/ + secretName: jenkins-maven-settings + type: Secret + - 
mountPath: /home/jenkins/.docker + secretName: jenkins-docker-cfg + type: Secret + Nodejs: + Containers: + Nodejs: + Image: jenkinsxio/builder-nodejs:latest + monocular: + api: + livenessProbe: + initialDelaySeconds: 1000 + nexus: + persistence: + size: 100Gi + postinstalljob: + enabled: "true" + +tekton: + webhook: + enabled: false + +JenkinsXGitHub: + username: "{{ .Parameters.pipelineUser.username }}" + email: "{{ .Parameters.pipelineUser.email }}" + password: "{{ .Parameters.pipelineUser.token }}" + +{{- if .Requirements.ingress.tls }} +certmanager: + production: "{{ .Requirements.ingress.tls.production }}" +{{- if .Requirements.ingress.tls.enabled }} + email: "{{ .Requirements.ingress.tls.email }}" +{{- else }} + enabled: false +{{- end }} +{{- end }} + +lighthouse: +{{- if eq .Requirements.webhook "lighthouse" }} + enabled: true +{{- else }} + enabled: false +{{- end }} + +nexus: +{{- if eq .Requirements.repository "nexus" }} + enabled: true +{{- else }} + enabled: false +{{- end }} + +prow: +{{- if eq .Requirements.webhook "prow" }} + enabled: true +{{- else }} + enabled: false +{{- end }} + +vault: +{{- if eq .Requirements.secretStorage "vault" }} + enabled: true +{{- else }} + enabled: false +{{- end }} + +{{- if .Requirements.autoUpdate }} +autoUpdate: + schedule: {{ .Requirements.autoUpdate.schedule | quote }} + enabled: {{ .Requirements.autoUpdate.enabled }} +{{- end }} + +versions: + builders: {{ versionStream "docker" "gcr.io/jenkinsxio/builder-go" }} diff --git a/env/lighthouse/README.MD b/env/lighthouse/README.MD new file mode 100644 index 0000000..e030e2e --- /dev/null +++ b/env/lighthouse/README.MD @@ -0,0 +1,6 @@ +# lighthouse + +|App Metadata|| +|---|---| +| **Version** | 0.0.39 | +| **Chart Repository** | http://chartmuseum.jenkins-x.io | diff --git a/env/lighthouse/values.tmpl.yaml b/env/lighthouse/values.tmpl.yaml new file mode 100644 index 0000000..aa2a56d --- /dev/null +++ b/env/lighthouse/values.tmpl.yaml 
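Review bot: The Jenkins agent pod templates under `jenkins-x-platform.jenkins.Agent.PodTemplates` pin `Image: jenkinsxio/builder-go:latest`, `jenkinsxio/builder-maven:latest` and `jenkinsxio/builder-nodejs:latest`, so the toolchain that builds and pushes artifacts is whatever was most recently pushed to Docker Hub, while the end of the same file already resolves a builder version through `versionStream "docker" "gcr.io/jenkinsxio/builder-go"`. Resolving these three images the same way would make builds reproducible and keep the build images tied to the version stream like the rest of the platform. This only takes effect when `jenkins.enabled` is switched on (it is `false` in this file), so if the section is intentionally dormant a comment saying so would help the next reader.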
@@ -0,0 +1,33 @@
+{{- if eq .Requirements.webhook "lighthouse" }}
+enabled: true
+{{- else }}
+enabled: false
+{{- end }}
+
+hmacToken: "{{ .Parameters.prow.hmacToken }}"
+
+git:
+ kind: {{ .Requirements.cluster.gitKind | default "github" }}
+ name: {{ .Requirements.cluster.gitName | default "github" }}
+ server: {{ .Requirements.cluster.gitServer | default "https://github.com" }}
+
+service:
+ name: hook
+
+replicaCount: 2
+
+image:
+ repository: gcr.io/jenkinsxio/lighthouse
+
+vault:
+{{- if eq .Requirements.secretStorage "vault" }}
+ enabled: true
+{{- else }}
+ enabled: false
+{{- end }}
+
+clusterName: {{ .Requirements.cluster.clusterName }}
+
+user: "{{ .Parameters.pipelineUser.username }}"
+
+oauthToken: "{{ .Parameters.pipelineUser.token }}"
diff --git a/env/nexus/values.tmpl.yaml b/env/nexus/values.tmpl.yaml
new file mode 100644
index 0000000..a89918b
--- /dev/null
+++ b/env/nexus/values.tmpl.yaml
@@ -0,0 +1,5 @@
+{{- if or (eq .Requirements.repository "nexus") (eq .Requirements.repository "") }}
+enabled: true
+{{- else }}
+enabled: false
+{{- end }}
diff --git a/env/parameters.tmpl.schema.json b/env/parameters.tmpl.schema.json
new file mode 100644
index 0000000..d90abe6
--- /dev/null
+++ b/env/parameters.tmpl.schema.json
@@ -0,0 +1,155 @@
+
+{
+ "$id": "https:/jenkins-x.io/tests/descriptionAndTitle.schema.json",
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "description": "install values.yaml",
+ "type": "object",
+ "properties": {
+ "adminUser": {
+ "type": "object",
+ "required": [
+ "username",
+ "password"
+ ],
+ "properties": {
+ "username": {
+ "type": "string",
+ "title": "Jenkins X Admin Username",
+ "description": "The Admin Username will be used by all services installed by Jenkins X",
+ "default": "admin"
+ },
+ "password": {
+ "type": "string",
+ "format": "password",
+ "title": "Jenkins X Admin Password",
+ "description": "The Admin Password will be used by all services installed by Jenkins X"
+ }
+ }
+ },
+ "pipelineUser": {
+ "type": "object",
+ "required": [
+ "username",
+ "email",
+ "token"
+ ],
+ "properties": {
+ "username": {
+ "type": "string",
+ "title": "Pipeline bot Git username",
+ "description": "The Git user that will perform git operations inside a pipeline. It should be a user within the Git organisation/owner where environment repositories will live. This is normally a bot."
+ },
+ "email": {
+ "type": "string",
+ "title": "Pipeline bot Git email address",
+ "description": "The email address of the Git user that will perform git operations inside a pipeline."
+ },
+{{- if eq .GitKind "github" }}
+ "token": {
+ "type": "string",
+ "format": "token",
+ "title": "Pipeline bot Git token",
+ "description": "A token for the Git user that will perform git operations inside a pipeline. This includes environment repository creation, and so this token should have full repository permissions. To create a token go to {{ .GitServer }}/settings/tokens/new?scopes=repo,read:user,read:org,user:email,write:repo_hook,delete_repo then enter a name, click Generate token, and copy and paste the token into this prompt.",
+ "minLength": 40,
+ "maxLength": 40,
+ "pattern": "^[0-9a-f]{40}$"
+ }
+{{- else if eq .GitKind "bitbucketserver" }}
+ "token": {
+ "type": "string",
+ "format": "token",
+ "title": "Pipeline bot Git token",
+ "description": "A token for the Git user that will perform git operations inside a pipeline. This includes environment repository creation, and so this token should have full repository permissions. To create a token go to {{ .GitServer }}/plugins/servlet/access-tokens/manage then enter a name, click Generate token, and copy and paste the token into this prompt.",
+ "minLength": 8,
+ "maxLength": 50
+ }
+{{- else if eq .GitKind "gitlab" }}
+ "token": {
+ "type": "string",
+ "format": "token",
+ "title": "Pipeline bot Git token",
+ "description": "A token for the Git user that will perform git operations inside a pipeline. This includes environment repository creation, and so this token should have full repository permissions. To create a token go to {{ .GitServer }}/profile/personal_access_tokens then enter a name, click Generate token, and copy and paste the token into this prompt.",
+ "minLength": 8,
+ "maxLength": 50
+ }
+{{- else }}
+ "token": {
+ "type": "string",
+ "format": "token",
+ "title": "Pipeline bot Git token",
+ "description": "A token for the Git user that will perform git operations inside a pipeline. This includes environment repository creation, and so this token should have full repository permissions. To create a token go to {{ .GitServer }}/settings/tokens/new?scopes=repo,read:user,read:org,user:email,write:repo_hook,delete_repo then enter a name, click Generate token, and copy and paste the token into this prompt.",
+ "minLength": 8,
+ "maxLength": 50
+ }
+{{- end }}
+ }
+ },
+ "prow": {
+ "type": "object",
+ "properties": {
+ "hmacToken": {
+ "type": "string",
+ "format": "token",
+ "title": "HMAC token, used to validate incoming webhooks. Press enter to use the generated token",
+ "description": "The HMAC token is used by the Git Provider to create a hash signature for each webhook, and by Jenkins X to validate that the signature is from a trusted source. It's normally best to have Jenkins X generate a token for you if you don't already have one. You'll need to save it and use it with all the webhooks configured in your git provider for Jenkins X. For more detail see: https://en.wikipedia.org/wiki/HMAC",
+ "default": ""
+ }
+ }
+ },
+ "enableDocker": {
+ "type": "boolean",
+ "title": "Do you want to configure an external Docker Registry?",
+ "description": "By default Jenkins X will use the docker registry from the cloud provider. If you want to configure an external docker registry such as Docker Hub or your own existing public docker registry enter Y"
+ }
+ },
+ "allOf": [
+ {
+ "if": {
+ "properties": {
+ "enableDocker": {
+ "const": true,
+ "type": "boolean"
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "docker": {
+ "type": "object",
+ "required": [
+ "url",
+ "username",
+ "password",
+ "email"
+ ],
+ "properties": {
+ "url": {
+ "type": "string",
+ "title": "Docker Registry Url",
+ "default": "https://index.docker.io/v1/",
+ "description": "The URL of the external docker registry",
+ "format": "uri"
+ },
+ "username": {
+ "type": "string",
+ "title": "Docker Registry username",
+ "description": "The username used to access the external docker registry"
+ },
+ "password": {
+ "type": "string",
+ "format": "password",
+ "title": "Docker Registry password",
+ "description": "The password used to access the external docker registry"
+ },
+ "email": {
+ "type": "string",
+ "title": "Docker Registry email",
+ "description": "The email used to configure the external docker registry"
+ }
+ }
+ }
+ }
+ }
+ }
+ ]
+}
diff --git a/env/prow/README.MD b/env/prow/README.MD
new file mode 100644
index 0000000..964cb57
--- /dev/null
+++ b/env/prow/README.MD
@@ -0,0 +1,6 @@
+# prow
+
+|App Metadata||
+|---|---|
+| **Version** | 0.0.465 |
+| **Chart Repository** | http://chartmuseum.jenkins-x.io |
diff --git a/env/prow/values.tmpl.yaml b/env/prow/values.tmpl.yaml
new file mode 100644
index 0000000..e5602ed
--- /dev/null
+++ b/env/prow/values.tmpl.yaml
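Review bot: `"$id": "https:/jenkins-x.io/tests/descriptionAndTitle.schema.json"` has a single slash after the scheme, so it is not a valid absolute URI as draft-07 expects; `"$id": "https://jenkins-x.io/tests/descriptionAndTitle.schema.json"` fixes it, and the `tests/descriptionAndTitle` path reads like a leftover from another schema rather than a name for the install parameters. The fallback `{{- else }}` token branch reuses the GitHub-specific `/settings/tokens/new?scopes=...` URL for every git kind the template does not recognise, which sends users of other providers to a page that does not exist; a provider-neutral sentence is safer there. The GitHub branch hard-codes the token as exactly 40 hex characters (`"pattern": "^[0-9a-f]{40}$"`); a comment next to it noting that this must track the provider's token format would help the next person who sees a valid token rejected.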
@@ -0,0 +1,37 @@
+{{- if eq .Requirements.webhook "prow" }}
+enabled: true
+{{- else }}
+enabled: false
+{{- end }}
+
+hmacToken: "{{ .Parameters.prow.hmacToken }}"
+oauthToken: "{{ .Parameters.pipelineUser.token }}"
+user: "{{ .Parameters.pipelineUser.username }}"
+
+buildnum:
+ enabled: false
+pipelinerunner:
+ enabled: "true"
+ args:
+ - controller
+ - pipelinerunner
+tillerNamespace: ""
+
+sinker:
+ enabled: false
+ replicaCount: 0
+
+build:
+ enabled: false
+
+plank:
+ enabled: false
+
+vault:
+{{- if eq .Requirements.secretStorage "vault" }}
+ enabled: true
+{{- else }}
+ enabled: false
+{{- end }}
+
+clusterName: {{ .Requirements.cluster.clusterName }}
diff --git a/env/requirements.yaml b/env/requirements.yaml
new file mode 100644
index 0000000..2805055
--- /dev/null
+++ b/env/requirements.yaml
@@ -0,0 +1,23 @@
+dependencies:
+- name: jxboot-resources
+ repository: http://chartmuseum.jenkins-x.io
+- alias: tekton
+ name: tekton
+ repository: http://chartmuseum.jenkins-x.io
+- alias: prow
+ condition: prow.enabled
+ name: prow
+ repository: http://chartmuseum.jenkins-x.io
+- alias: lighthouse
+ condition: lighthouse.enabled
+ name: lighthouse
+ repository: http://chartmuseum.jenkins-x.io
+- alias: bucketrepo
+ condition: bucketrepo.enabled
+ name: bucketrepo
+ repository: http://chartmuseum.jenkins-x.io
+- name: jenkins-x-platform
+ repository: http://chartmuseum.jenkins-x.io
+#- condition: chartmuseum.enabled
+# name: chartmuseum
+# repository: http://chartmuseum.jenkins-x.io
diff --git a/env/tekton/README.MD b/env/tekton/README.MD
new file mode 100644
index 0000000..b167f22
--- /dev/null
+++ b/env/tekton/README.MD
@@ -0,0 +1,6 @@
+# tekton
+
+|App Metadata||
+|---|---|
+| **Version** | 0.0.32 |
+| **Chart Repository** | http://chartmuseum.jenkins-x.io |
diff --git a/env/tekton/values.tmpl.yaml b/env/tekton/values.tmpl.yaml
new file mode 100644
index 0000000..1ef191a
--- /dev/null
+++ b/env/tekton/values.tmpl.yaml
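Review bot: `pipelinerunner.enabled: "true"` is a quoted string while the sibling toggles (`buildnum.enabled: false`, `sinker.enabled: false`, `build.enabled: false`) are booleans; in a Go-template `if`, any non-empty string is truthy, so someone later writing `"false"` in this form would still enable the component. Use `enabled: true` here; the same quoted form appears at `postinstalljob.enabled` in the jenkins-x-platform values. `clusterName: {{ .Requirements.cluster.clusterName }}` is unquoted and renders as null when the requirement is left at its `""` default, so `| quote` belongs there as in env/lighthouse/values.tmpl.yaml.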
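Review bot: The `tekton` and `jenkins-x-platform` dependencies carry no `condition:`, unlike `prow`, `lighthouse` and `bucketrepo`, so the `enabled:` value rendered by env/tekton/values.tmpl.yaml and env/values.tmpl.yaml does not stop the tekton subchart from being installed unless the chart's own templates gate on `.Values.enabled` (not visible here); `condition: tekton.enabled` on the tekton entry would make the six entries consistent. All six charts are fetched from `http://chartmuseum.jenkins-x.io` over plain HTTP, so the chart archives can be altered in transit and nothing in this commit pins a chart digest; if the repository serves TLS, use `https://` here and in the README tables.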
@@ -0,0 +1,24 @@
+{{- if eq .Requirements.webhook "prow" }}
+enabled: true
+{{- else if eq .Requirements.webhook "lighthouse" }}
+enabled: true
+{{- else }}
+enabled: false
+{{- end }}
+
+webhook:
+ enabled: false
+
+auth:
+ git:
+ username: "{{ .Parameters.pipelineUser.username }}"
+ password: "{{ .Parameters.pipelineUser.token }}"
+ url: {{ .Requirements.cluster.gitServer | default "https://github.com" }}
+{{- if hasKey .Parameters "docker" }}
+ docker:
+ username: "{{ .Parameters.docker.username }}"
+ password: "{{ .Parameters.docker.password }}"
+ url: "{{ .Parameters.docker.url }}"
+{{- end }}
+
+tillerNamespace: ""
diff --git a/env/templates/.gitignore b/env/templates/.gitignore
new file mode 100644
index 0000000..68325fa
--- /dev/null
+++ b/env/templates/.gitignore
@@ -0,0 +1 @@
+# dummy
\ No newline at end of file
diff --git a/env/values.tmpl.yaml b/env/values.tmpl.yaml
new file mode 100644
index 0000000..e41185b
--- /dev/null
+++ b/env/values.tmpl.yaml
@@ -0,0 +1,13 @@
+tekton:
+{{- if eq .Requirements.webhook "prow" }}
+ enabled: true
+{{- else if eq .Requirements.webhook "lighthouse" }}
+ enabled: true
+{{- else }}
+ enabled: false
+{{- end }}
+
+# Use cert-manager 0.11 CRDs/APIs with Dex
+dex:
+ certs:
+ newApi: true
diff --git a/jenkins-x-bdd-local.yml b/jenkins-x-bdd-local.yml
new file mode 100644
index 0000000..a116b20
--- /dev/null
+++ b/jenkins-x-bdd-local.yml
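Review bot: `url: {{ .Requirements.cluster.gitServer | default "https://github.com" }}` under `auth.git` is the only unquoted value in the block, while the three `docker` values and the git `username`/`password` are quoted; a server value containing `: ` or `#` would break the unquoted form. Write it as `url: "{{ .Requirements.cluster.gitServer | default "https://github.com" }}"` (the inner quotes are consumed by the template before YAML parsing) for consistency with the rest of the file.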
@@ -0,0 +1,53 @@
+buildPack: none
+pipelineConfig:
+ pipelines:
+ pullRequest:
+ pipeline:
+ options:
+ containerOptions:
+ resources:
+ limits:
+ cpu: 4
+ memory: 6144Mi
+ requests:
+ cpu: 1
+ memory: 2048Mi
+ environment:
+ - name: GOPROXY
+ value: http://jenkins-x-athens-proxy:80
+ - name: GKE_SA
+ value: /secrets/bdd/sa.json
+ - name: DOMAIN_ROTATION
+ value: "false"
+ - name: GH_ACCESS_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: jenkins-x-bot-test-github
+ key: password
+ - name: JENKINS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: test-jenkins-user
+ key: password
+ agent:
+ image: gcr.io/jenkinsxio/builder-go-maven
+ stages:
+ - name: ci
+ options:
+ volumes:
+ - name: sa
+ secret:
+ secretName: bdd-secret
+ items:
+ - key: bdd-credentials.json
+ path: bdd/sa.json
+ containerOptions:
+ volumeMounts:
+ - mountPath: /secrets
+ name: sa
+ steps:
+ - name: verify-fmt
+ command: make verify-fmt
+ - name: run-bdd
+ command: bdd/bdd.sh
+ args: ['bdd/boot-local', 'bdd-config']
diff --git a/jenkins-x-bdd-vault.yml b/jenkins-x-bdd-vault.yml
new file mode 100644
index 0000000..ab329bc
--- /dev/null
+++ b/jenkins-x-bdd-vault.yml
@@ -0,0 +1,52 @@
+pipelineConfig:
+ pipelines:
+ pullRequest:
+ pipeline:
+ options:
+ containerOptions:
+ resources:
+ limits:
+ cpu: 4
+ memory: 6144Mi
+ requests:
+ cpu: 1
+ memory: 2048Mi
+ environment:
+ - name: GOPROXY
+ value: http://jenkins-x-athens-proxy:80
+ - name: GKE_SA
+ value: /secrets/bdd/sa.json
+ - name: DOMAIN_ROTATION
+ value: "false"
+ - name: GH_ACCESS_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: jenkins-x-bot-test-github
+ key: password
+ - name: JENKINS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: test-jenkins-user
+ key: password
+ agent:
+ image: gcr.io/jenkinsxio/builder-go-maven
+ stages:
+ - name: ci
+ options:
+ volumes:
+ - name: sa
+ secret:
+ secretName: bdd-secret
+ items:
+ - key: bdd-credentials.json
+ path: bdd/sa.json
+ containerOptions:
+ volumeMounts:
+ - mountPath: /secrets
+ name: sa
+ steps:
+ - name: verify-fmt
+ command: make verify-fmt
+ - name: run-bdd
+ command: bdd/bdd.sh
+ args: ['bdd/boot-vault', 'bdd-config']
diff --git a/jenkins-x-release.yml b/jenkins-x-release.yml
new file mode 100644
index 0000000..48a4ed6
--- /dev/null
+++ b/jenkins-x-release.yml
@@ -0,0 +1,20 @@
+buildPack: none
+pipelineConfig:
+ pipelines:
+ release:
+ pipeline:
+ agent:
+ image: gcr.io/jenkinsxio/builder-jx
+ stages:
+ - name: release
+ steps:
+ - name: changelog
+ command: jx
+ args:
+ - step
+ - changelog
+ - --verbose
+ - --version
+ - ${VERSION}
+ - --rev
+ - ${PULL_BASE_SHA}
diff --git a/jenkins-x.yml b/jenkins-x.yml
new file mode 100644
index 0000000..2abd56b
--- /dev/null
+++ b/jenkins-x.yml
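Review bot: jenkins-x-bdd-vault.yml omits the `buildPack: none` line that jenkins-x-bdd-local.yml and jenkins-x-release.yml begin with; if a default build pack is then applied to this pipeline, the two BDD pipelines behave differently for no stated reason, so either add `buildPack: none` or comment why it is deliberately absent. Apart from that line and the final `args: ['bdd/boot-vault', 'bdd-config']`, the file is a verbatim copy of jenkins-x-bdd-local.yml, including the mounted `bdd-secret` service-account key and the `GH_ACCESS_TOKEN`/`JENKINS_PASSWORD` secret references; a header comment on both files naming the other as the copy to keep in sync would reduce the chance that a credential or resource change lands in only one of them.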
@@ -0,0 +1,278 @@
+buildPack: none
+pipelineConfig:
+ pipelines:
+ pullRequest:
+ pipeline:
+ agent:
+ image: gcr.io/jenkinsxio/builder-go
+ stages:
+ - name: pr-checks
+ options:
+ containerOptions:
+ volumeMounts:
+ - mountPath: /builder/home/.jx/localSecrets/currentCluster
+ name: local-secrets
+ readOnly: true
+ volumes:
+ - name: local-secrets
+ secret:
+ optional: true
+ secretName: local-param-secrets
+ steps:
+ - args:
+ - step
+ - verify
+ - values
+ - --values-file=parameters.yaml
+ - --schema-file=parameters.tmpl.schema.json
+ command: jx
+ dir: /workspace/source/env
+ name: verify-parameters
+ - args:
+ - build
+ command: make
+ dir: /workspace/source/env
+ name: lint-env-helm
+ release:
+ pipeline:
+ agent:
+ image: gcr.io/jenkinsxio/builder-go
+ environment:
+ - name: DEPLOY_NAMESPACE
+ value: jx
+ stages:
+ - name: release
+ options:
+ containerOptions:
+ volumeMounts:
+ - mountPath: /builder/home/.jx/localSecrets/currentCluster
+ name: local-secrets
+ readOnly: true
+ volumes:
+ - name: local-secrets
+ secret:
+ optional: true
+ secretName: local-param-secrets
+ steps:
+ - args:
+ - step
+ - git
+ - validate
+ command: jx
+ dir: /workspace/source/env
+ name: validate-git
+ - args:
+ - step
+ - verify
+ - preinstall
+ - --provider-values-dir="kubeProviders"
+ command: jx
+ dir: /workspace/source
+ name: verify-preinstall
+ - args:
+ - upgrade
+ - crd
+ command: jx
+ name: install-jx-crds
+ - args:
+ - step
+ - helm
+ - apply
+ - --boot
+ - --remote
+ - --no-vault
+ - --name
+ - velero
+ command: jx
+ dir: /workspace/source/systems/velero
+ env:
+ - name: DEPLOY_NAMESPACE
+ value: velero
+ name: install-velero
+ - args:
+ - step
+ - helm
+ - apply
+ - --boot
+ - --remote
+ - --no-vault
+ - --name
+ - velero-backups
+ command: jx
+ dir: /workspace/source/systems/velero-backups
+ env:
+ - name: DEPLOY_NAMESPACE
+ value: velero
+ name: install-velero-backups
+ - args:
+ - step
+ - helm
+ - apply
+ - --boot
+ - --remote
+ - --no-vault
+ - --name
+ - jxing
+ command: jx
+ dir: /workspace/source/systems/jxing
+ env:
+ - name: DEPLOY_NAMESPACE
+ value: kube-system
+ name: install-nginx-controller
+ - args:
+ - step
+ - create
+ - install
+ - values
+ - -b
+ command: jx
+ dir: /workspace/source/env
+ name: create-install-values
+ - args:
+ - step
+ - helm
+ - apply
+ - --boot
+ - --remote
+ - --no-vault
+ - --name
+ - exdns
+ command: jx
+ dir: /workspace/source/systems/external-dns
+ name: install-external-dns
+ - args:
+ - apply
+ - --wait
+ - --validate=false
+ - -f
+ - https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml
+ command: kubectl
+ dir: /workspace/source
+ env:
+ - name: DEPLOY_NAMESPACE
+ value: cert-manager
+ name: install-cert-manager-crds
+ - args:
+ - step
+ - helm
+ - apply
+ - --boot
+ - --remote
+ - --no-vault
+ - --name
+ - cm
+ command: jx
+ dir: /workspace/source/systems/cm
+ env:
+ - name: DEPLOY_NAMESPACE
+ value: cert-manager
+ name: install-cert-manager
+ - args:
+ - step
+ - helm
+ - apply
+ - --boot
+ - --remote
+ - --no-vault
+ - --name
+ - acme
+ command: jx
+ dir: /workspace/source/systems/acme
+ name: install-acme-issuer-and-certificate
+ - args:
+ - step
+ - boot
+ - vault
+ - --provider-values-dir
+ - ../../kubeProviders
+ command: jx
+ dir: /workspace/source/systems/vault
+ name: install-vault
+ - args:
+ - step
+ - create
+ - values
+ - --name
+ - parameters
+ command: jx
+ dir: /workspace/source/env
+ name: create-helm-values
+ - args:
+ - step
+ - create
+ - templated
+ - --parameters-file=../../env/parameters.yaml
+ - --requirements-dir=../../
+ - --template-file=jx-auth-configmap.tmpl.yaml
+ - --config-file=templates/jx-auth-configmap.yaml
+ command: jx
+ dir: /workspace/source/systems/jx-auth
+ name: create-jx-auth-config
+ - args:
+ - step
+ - helm
+ - apply
+ - --boot
+ - --remote
+ - --no-vault
+ - --name
+ - jx-auth
+ command: jx
+ dir: /workspace/source/systems/jx-auth
+ name: install-jx-auth-config
+ - args:
+ - step
+ - helm
+ - apply
+ - --boot
+ - --remote
+ - --name
+ - jenkins-x
+ - --provider-values-dir
+ - ../kubeProviders
+ command: jx
+ dir: /workspace/source/env
+ name: install-jenkins-x
+ - args:
+ - step
+ - verify
+ - env
+ command: jx
+ dir: /workspace/source
+ name: verify-jenkins-x-environment
+ - args:
+ - step
+ - helm
+ - apply
+ - --boot
+ - --name
+ - repos
+ command: jx
+ dir: /workspace/source/repositories
+ name: install-repositories
+ - args:
+ - step
+ - scheduler
+ - config
+ - apply
+ - --direct=true
+ command: jx
+ dir: /workspace/source/prowConfig
+ name: install-pipelines
+ - args:
+ - update
+ - webhooks
+ - --verbose
+ - --warn-on-fail
+ command: jx
+ dir: /workspace/source/repositories
+ name: update-webhooks
+ - args:
+ - step
+ - verify
+ - install
+ - --pod-wait-time
+ - 30m
+ command: jx
+ dir: /workspace/source/env
+ name: verify-installation
diff --git a/jx-requirements.yml b/jx-requirements.yml
new file mode 100644
index 0000000..63f9813
--- /dev/null
+++ b/jx-requirements.yml
@@ -0,0 +1,35 @@
+cluster:
+ clusterName: ""
+ environmentGitOwner: ""
+ environmentGitPublic: false
+ project: ""
+ provider: gke
+ zone: ""
+gitops: true
+environments:
+- key: dev
+- key: staging
+- key: production
+ingress:
+ domain: ""
+ externalDNS: false
+ tls:
+ email: ""
+ enabled: false
+ production: false
+kaniko: true
+secretStorage: local
+storage:
+ logs:
+ enabled: false
+ url: ""
+ reports:
+ enabled: false
+ url: ""
+ repository:
+ enabled: false
+ url: ""
+versionStream:
+ ref: "master"
+ url: https://github.com/jenkins-x/jenkins-x-versions.git
+webhook: prow
diff --git a/kubeProviders/README.md b/kubeProviders/README.md
new file mode 100644
index 0000000..7995ff5
--- /dev/null
+++ b/kubeProviders/README.md
@@ -0,0 +1,4 @@
+## Provider Specific Configurations
+
+To try maximise reuse of Jenkins X Boot configurations across cloud providers we try to put all the cloud specific configurations in this directory.
+
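Review bot: In the `verify-preinstall` step the argument `- --provider-values-dir="kubeProviders"` is a plain YAML scalar, so the two quote characters are part of the string handed to `jx` and the directory name it receives is `"kubeProviders"` including quotes; the later `install-vault` and `install-jenkins-x` steps pass `--provider-values-dir` and the path as two separate unquoted items, which is the form to use here. The `install-cert-manager-crds` step applies `https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml` with `--validate=false`: `release-0.11` is a moving branch, so the CRDs installed can change between runs without any change in this repository, and validation is switched off on content fetched at run time; pin the URL to a tag or commit and drop `--validate=false` unless a known validation failure requires it, with a comment naming it. The `update-webhooks` step passes `--warn-on-fail`, so a failed webhook registration does not fail the release; a comment stating why that is acceptable would save the next reader from assuming webhooks are verified.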
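Review bot: `versionStream.ref: "master"` pins the version stream to a moving branch, so every boot resolves chart and image versions from whatever `https://github.com/jenkins-x/jenkins-x-versions.git` holds at that moment and two boots of the same commit of this repository can install different versions; record a tag or commit SHA here, and let the `autoUpdate` block in the platform values move it deliberately. `secretStorage: local` and `environmentGitPublic: false` are sensible defaults, but a comment on `secretStorage` noting the `vault` alternative that the `vault:` blocks in the values templates switch on would make the choice visible to whoever edits this file.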
diff --git a/kubeProviders/aks/README.md b/kubeProviders/aks/README.md
new file mode 100644
index 0000000..db9f72c
--- /dev/null
+++ b/kubeProviders/aks/README.md
@@ -0,0 +1 @@
+# Jenkins X Boot configuration for Azure Container Engine
\ No newline at end of file
diff --git a/kubeProviders/aks/values.tmpl.yaml b/kubeProviders/aks/values.tmpl.yaml
new file mode 100644
index 0000000..a9f3520
--- /dev/null
+++ b/kubeProviders/aks/values.tmpl.yaml
@@ -0,0 +1,12 @@
+# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml
+jenkins-x-platform:
+ PipelineSecrets:
+
+ # lets enable ACR docker builds
+ DockerConfig: |-
+ {
+ "credsStore": "acr-linux"
+ }
+
+docker-registry:
+ enabled: false
diff --git a/kubeProviders/alibaba/README.md b/kubeProviders/alibaba/README.md
new file mode 100644
index 0000000..548f59b
--- /dev/null
+++ b/kubeProviders/alibaba/README.md
@@ -0,0 +1 @@
+# Jenkins X Boot configuration for Alibaba Container Service
\ No newline at end of file
diff --git a/kubeProviders/alibaba/values.tmpl.yaml b/kubeProviders/alibaba/values.tmpl.yaml
new file mode 100644
index 0000000..9fed21e
--- /dev/null
+++ b/kubeProviders/alibaba/values.tmpl.yaml
@@ -0,0 +1,17 @@
+# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml
+chartmuseum:
+ persistence:
+ size: 20Gi
+jenkins:
+ Persistence:
+ Size: 20Gi
+monocular:
+ mongodb:
+ persistence:
+ size: 20Gi
+nexus:
+ persistence:
+ size: 20Gi
+tekton:
+ pvc:
+ size: 20Gi
diff --git a/kubeProviders/aws/README.md b/kubeProviders/aws/README.md
new file mode 100644
index 0000000..3fc9cc4
--- /dev/null
+++ b/kubeProviders/aws/README.md
@@ -0,0 +1 @@
+# Jenkins X Boot configuration for generic Kubernetes
\ No newline at end of file
diff --git a/kubeProviders/aws/values.tmpl.yaml b/kubeProviders/aws/values.tmpl.yaml
new file mode 100644
index 0000000..03bdcf3
--- /dev/null
+++ b/kubeProviders/aws/values.tmpl.yaml
@@ -0,0 +1,12 @@
+# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml
+jenkins-x-platform:
+ PipelineSecrets:
+
+ # lets enable ECR docker builds
+ DockerConfig: |-
+ {
+ "credsStore": "ecr-login"
+ }
+
+docker-registry:
+ enabled: false
diff --git a/kubeProviders/eks/README.md b/kubeProviders/eks/README.md
new file mode 100644
index 0000000..8e8b707
--- /dev/null
+++ b/kubeProviders/eks/README.md
@@ -0,0 +1 @@
+# Jenkins X Boot configuration for EKS
\ No newline at end of file
diff --git a/kubeProviders/eks/templates/irsa.tmpl.yaml b/kubeProviders/eks/templates/irsa.tmpl.yaml
new file mode 100644
index 0000000..43cb9bd
--- /dev/null
+++ b/kubeProviders/eks/templates/irsa.tmpl.yaml
@@ -0,0 +1,53 @@
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+ name: {{ .Requirements.cluster.clusterName }}
+ region: {{ .Requirements.cluster.region }}
+
+iam:
+ withOIDC: true
+ serviceAccounts:
+{{- if .IAM.TektonBotPolicy }}
+ - metadata:
+ name: tekton-bot
+ namespace: jx
+ labels: {aws-usage: "jenkins-x"}
+ attachPolicyARNs:
+ - {{.IAM.TektonBotPolicy | quote}}
+{{- end }}
+{{- if .IAM.ExternalDNSPolicy }}
+ - metadata:
+ name: exdns-external-dns
+ namespace: jx
+ labels: {aws-usage: "jenkins-x"}
+ attachPolicyARNs:
+ - {{.IAM.ExternalDNSPolicy | quote}}
+{{- end }}
+{{- if .IAM.CertManagerPolicy }}
+ - metadata:
+ name: cm-cert-manager
+ namespace: cert-manager
+ labels: {aws-usage: "jenkins-x"}
+ attachPolicyARNs:
+ - {{.IAM.CertManagerPolicy | quote}}
+ - metadata:
+ name: cm-cainjector
+ namespace: cert-manager
+ labels: {aws-usage: "jenkins-x"}
+ attachPolicyARNs:
+ - {{.IAM.CertManagerPolicy | quote}}
+{{- end }}
+ - metadata:
+ name: jenkins-x-controllerbuild
+ namespace: jx
+ labels: {aws-usage: "jenkins-x"}
+ attachPolicyARNs:
+ - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+ - metadata:
+ name: jxui
+ namespace: jx
+ labels: {aws-usage: "jenkins-x"}
+ attachPolicyARNs:
+ - "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+
diff --git a/kubeProviders/eks/templates/jenkinsx-policies.yml b/kubeProviders/eks/templates/jenkinsx-policies.yml
new file mode 100644
index 0000000..d8d8ac0
--- /dev/null
+++ b/kubeProviders/eks/templates/jenkinsx-policies.yml
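Review bot: The `jenkins-x-controllerbuild` and `jxui` service accounts are unconditionally attached to `arn:aws:iam::aws:policy/AmazonS3FullAccess`, which grants every S3 action on every bucket in the account, whereas the other three service accounts receive policies scoped by jenkinsx-policies.yml; presumably these two pods only need the `storage` log/report buckets from jx-requirements.yml, so a generated policy limited to `s3:GetObject`/`s3:PutObject`/`s3:ListBucket` on those bucket ARNs, in the same `{{- if .IAM.* }}` style as the entries above, is the least-privilege form. At minimum each of the two entries should carry a comment naming the buckets the access is for, e.g. `# needs read/write on the pipeline log and report buckets`. `metadata.name` and `metadata.region` are rendered unquoted and become null when the requirement is empty, as with `clusterName` in the values templates.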
@@ -0,0 +1,81 @@
+Description: 'Template to generate the necessary IAM Policies for Jenkins-X EKS support '
+Resources:
+ CFNJenkinsXPolicies:
+ Type: AWS::IAM::ManagedPolicy
+ Properties:
+ ManagedPolicyName: !Join [ "-", [ CFNTektonBotPolicy, Ref: PoliciesSuffixParameter] ]
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - cloudformation:ListStacks
+ - cloudformation:DescribeStacks
+ - cloudformation:CreateStack
+ - cloudformation:DeleteStack
+ - eks:*
+ - s3:*
+ - iam:DetachRolePolicy
+ - iam:GetPolicy
+ - iam:CreatePolicy
+ - iam:DeleteRole
+ - iam:GetOpenIDConnectProvider
+ Resource: "*"
+ CFNExternalDNSPolicies:
+ Type: AWS::IAM::ManagedPolicy
+ Properties:
+ ManagedPolicyName: !Join [ "-", [ CFNExternalDNSPolicy, Ref: PoliciesSuffixParameter] ]
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - route53:ChangeResourceRecordSets
+ Resource: "arn:aws:route53:::hostedzone/*"
+ - Effect: Allow
+ Action:
+ - route53:ListHostedZones
+ - route53:ListResourceRecordSets
+ Resource: "*"
+ CFNCertManagerPolicies:
+ Type: AWS::IAM::ManagedPolicy
+ Properties:
+ ManagedPolicyName: !Join [ "-", [ CFNCertManagerPolicy, Ref: PoliciesSuffixParameter] ]
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - route53:GetChange
+ Resource: "arn:aws:route53:::change/*"
+ - Effect: Allow
+ Action:
+ - route53:ChangeResourceRecordSets
+ Resource: "arn:aws:route53:::hostedzone/*"
+ - Effect: Allow
+ Action:
+ - route53:ListHostedZonesByName
+ Resource: "*"
+Parameters:
+ PoliciesSuffixParameter:
+ Type: String
+ Description: A suffix so we can create different policies on each execution
+Outputs:
+ CFNTektonBotPolicy:
+ Value:
+ Ref: CFNJenkinsXPolicies
+ Description: The ARN of the created policy
+ Export:
+ Name: !Join [ "-", [ TektonBotPolicy, Ref: PoliciesSuffixParameter] ]
+ CFNExternalDNSPolicy:
+ Value:
+ Ref: CFNExternalDNSPolicies
+ Description: The ARN of the created policy
+ Export:
+ Name: !Join [ "-", [ ExternalDNSPolicy, Ref: PoliciesSuffixParameter] ]
+ CFNCertManagerPolicy:
+ Value:
+ Ref: CFNCertManagerPolicies
+ Description: The ARN of the created policy
+ Export:
+ Name: !Join [ "-", [ CertManagerPolicy, Ref: PoliciesSuffixParameter] ]
diff --git a/kubeProviders/eks/templates/vault_cf_tmpl.yml b/kubeProviders/eks/templates/vault_cf_tmpl.yml
new file mode 100644
index 0000000..ab32555
--- /dev/null
+++ b/kubeProviders/eks/templates/vault_cf_tmpl.yml
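Review bot: `CFNJenkinsXPolicies`, exported as `CFNTektonBotPolicy` and attached to the `tekton-bot` service account in irsa.tmpl.yaml, grants `eks:*`, `s3:*`, `cloudformation:CreateStack`/`DeleteStack`, `iam:CreatePolicy` and `iam:DeleteRole` on `Resource: "*"`; a build pod running under that role can delete stacks, roles and buckets anywhere in the account, which is far beyond what a pipeline bot needs. Scope the S3 statement to the storage bucket ARNs and either remove the CloudFormation/IAM/EKS actions or limit them to the Jenkins X stack and role ARNs, the way `CFNExternalDNSPolicies` and `CFNCertManagerPolicies` below already restrict Route 53 to `hostedzone/*` and `change/*`; a comment above the `Statement` naming the pipeline step that needs each action would justify what remains. The `Description` string carries a trailing space inside the quotes (`'... EKS support '`).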
@@ -0,0 +1,133 @@
+Resources:
+ AWSDynamoDBTable:
+ Properties:
+ AttributeDefinitions:
+ - AttributeName: Path
+ AttributeType: S
+ - AttributeName: Key
+ AttributeType: S
+ KeySchema:
+ - AttributeName: Path
+ KeyType: HASH
+ - AttributeName: Key
+ KeyType: RANGE
+ ProvisionedThroughput:
+ ReadCapacityUnits: 2
+ WriteCapacityUnits: 2
+ TableName: !Join [ "_", [ Ref: DynamoDBTableName, Ref: ResourcesSuffixParameter ] ]
+ Tags:
+ - Key: Name
+ Value: vault-dynamo-db-table
+ Type: AWS::DynamoDB::Table
+ AWSKMSKey:
+ Properties:
+ Description: KMS Key for bank vault unseal
+ KeyPolicy:
+ Statement:
+ - Action: kms:*
+ Effect: Allow
+ Principal:
+ AWS:
+ - Fn::Sub: arn:aws:iam::${AWS::AccountId}:root
+ - Fn::Sub: arn:aws:iam::${AWS::AccountId}:user/${IAMUser}
+ Resource: "*"
+ Sid: Enable IAM User Permissions
+ Version: '2012-10-17'
+ Type: AWS::KMS::Key
+ AWSS3Bucket:
+ Properties:
+ AccessControl: Private
+ BucketName: !Join [ "-", [ Ref: S3BucketName, Ref: ResourcesSuffixParameter ] ]
+ VersioningConfiguration:
+ Status: Suspended
+ Type: AWS::S3::Bucket
+ AWSIAMPolicy:
+ DependsOn:
+ - AWSDynamoDBTable
+ - AWSS3Bucket
+ - AWSKMSKey
+ Properties:
+ PolicyDocument:
+ Statement:
+ - Action:
+ - dynamodb:DescribeLimits
+ - dynamodb:DescribeTimeToLive
+ - dynamodb:ListTagsOfResource
+ - dynamodb:DescribeReservedCapacityOfferings
+ - dynamodb:DescribeReservedCapacity
+ - dynamodb:ListTables
+ - dynamodb:BatchGetItem
+ - dynamodb:BatchWriteItem
+ - dynamodb:CreateTable
+ - dynamodb:DeleteItem
+ - dynamodb:GetItem
+ - dynamodb:GetRecords
+ - dynamodb:PutItem
+ - dynamodb:Query
+ - dynamodb:UpdateItem
+ - dynamodb:Scan
+ - dynamodb:DescribeTable
+ Effect: Allow
+ Resource:
+ Fn::Sub: "${AWSDynamoDBTable.Arn}"
+ Sid: DynamoDB
+ - Action:
+ - s3:PutObject
+ - s3:GetObject
+ Effect: Allow
+ Resource:
+ Fn::Sub: "${AWSS3Bucket.Arn}/*"
+ Sid: S3
+ - Action:
+ - s3:ListBucket
+ Effect: Allow
+ Resource:
+ Fn::Sub: "${AWSS3Bucket.Arn}"
+ Sid: S3List
+ - Action:
+ - kms:Encrypt
+ - kms:Decrypt
+ Effect: Allow
+ Resource:
+ Fn::Sub: "${AWSKMSKey.Arn}"
+ Sid: KMS
+ Version: '2012-10-17'
+ ManagedPolicyName: !Sub
+ - "vault_${AWS::StackName}-${AWS::Region}-${Suffix}"
+ - { Suffix: !Ref ResourcesSuffixParameter }
+ Users:
+ - !Ref IAMUser
+ Type: AWS::IAM::ManagedPolicy
+Parameters:
+ ResourcesSuffixParameter:
+ Type: String
+ Description: A suffix so we can create different resources on each execution
+ S3BucketName:
+ Type: String
+ Description: The name of the S3 bucket to use for Vault
+ DynamoDBTableName:
+ Type: String
+ Description: The name of the DynamoDB table to use for VAult
+ IAMUser:
+ Type: String
+ Description: The name of the IAM user to use for Vault
+Outputs:
+ AWSS3Bucket:
+ Value:
+ Ref: AWSS3Bucket
+ Description: The ARN of the created bucket
+ Export:
+ Name: !Sub "${AWS::StackName}-AWSS3Bucket"
+ AWSKMSKey:
+ Value:
+ Ref: AWSKMSKey
+ Description: The ARN of the created KMS Key
+ Export:
+ Name: !Sub "${AWS::StackName}-AWSKMSKey"
+ AWSDynamoDBTable:
+ Value:
+ Ref: AWSDynamoDBTable
+ Description: The ARN of the created DynamoDB table
+ Export:
+ Name: !Sub "${AWS::StackName}-AWSDynamoDBTable"
+
diff --git a/kubeProviders/eks/values.tmpl.yaml b/kubeProviders/eks/values.tmpl.yaml
new file mode 100644
index 0000000..3194a1d
--- /dev/null
+++ b/kubeProviders/eks/values.tmpl.yaml
@@ -0,0 +1,18 @@
+# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml
+jenkins-x-platform:
+ PipelineSecrets:
+
+ # lets enable ECR docker builds
+ DockerConfig: |-
+ {
+{{- if .Requirements.cluster.registry }}
+ "credHelpers": {
+ "{{ .Requirements.cluster.registry }}": "ecr-login"
+ }
+{{- else }}
+ "credsStore": "ecr-login"
+{{- end }}
+ }
+
+docker-registry:
+ enabled: false
diff --git a/kubeProviders/gke/README.md b/kubeProviders/gke/README.md
new file mode 100644
index 0000000..9106cac
--- /dev/null
+++ b/kubeProviders/gke/README.md
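Review bot: `AWSS3Bucket` declares neither `BucketEncryption` nor `PublicAccessBlockConfiguration`, so the bucket holding Vault's storage backend relies on `AccessControl: Private` alone and is not encrypted at rest; add a `BucketEncryption` block with `SSEAlgorithm: AES256` (or the stack's KMS key) and a `PublicAccessBlockConfiguration` with all four flags true, and give `AWSDynamoDBTable` an `SSESpecification` for the same reason. The `AWSKMSKey` policy grants `${IAMUser}` `kms:*`, which includes key administration, while `AWSIAMPolicy` shows the user only needs `kms:Encrypt` and `kms:Decrypt`; keep `kms:*` for the account root and narrow the user statement to those two actions plus `kms:DescribeKey`. The three `Outputs` are described as "The ARN of ..." but `Ref` on `AWS::S3::Bucket` returns the bucket name, on `AWS::KMS::Key` the key ID and on `AWS::DynamoDB::Table` the table name, so either switch to `!GetAtt AWSS3Bucket.Arn` (and the equivalents) or reword the descriptions. `Description: The name of the DynamoDB table to use for VAult` has a typo.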
@@ -0,0 +1 @@
+# Jenkins X Boot configuration for Google Container Engine
\ No newline at end of file
diff --git a/kubeProviders/gke/values.tmpl.yaml b/kubeProviders/gke/values.tmpl.yaml
new file mode 100644
index 0000000..3165084
--- /dev/null
+++ b/kubeProviders/gke/values.tmpl.yaml
@@ -0,0 +1,24 @@
+# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml
+
+jenkins-x-platform:
+ PipelineSecrets:
+
+ # lets enable GCR docker builds
+ DockerConfig: |-
+ {
+ "credHelpers": {
+ "gcr.io": "gcr",
+ "us.gcr.io": "gcr",
+ "eu.gcr.io": "gcr",
+ "asia.gcr.io": "gcr",
+ "staging-k8s.gcr.io": "gcr"
+ }
+ }
+
+docker-registry:
+{{- if eq .Requirements.webhook "jenkins" }}
+ enabled: true
+{{- else }}
+ enabled: false
+{{- end }}
+
diff --git a/kubeProviders/icp/README.md b/kubeProviders/icp/README.md
new file mode 100644
index 0000000..bcb61c9
--- /dev/null
+++ b/kubeProviders/icp/README.md
@@ -0,0 +1 @@
+# Jenkins X Boot configuration for IBM Cloud Private
diff --git a/kubeProviders/icp/values.tmpl.yaml b/kubeProviders/icp/values.tmpl.yaml
new file mode 100644
index 0000000..4453c91
--- /dev/null
+++ b/kubeProviders/icp/values.tmpl.yaml
@@ -0,0 +1,24 @@
+# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml
+monocular:
+ mongodb:
+ persistence:
+ enabled: false
+
+# We'll be using the IBM Cloud Private registry
+docker-registry:
+ enabled: false
+
+jenkins:
+ Servers:
+ # global node properties
+ Global:
+ EnvVars:
+ # Override this if your cluster name is not mycluster.icp (the default for IBM Cloud Private) with --docker-registry
+ DOCKER_REGISTRY: mycluster.icp:8500/jx
+ Master:
+ ServiceAnnotations:
+ fabric8.io/ingress.annotations: "kubernetes.io/ingress.class: nginx\nnginx.ingress.kubernetes.io/proxy-body-size: 500m\nkubernetes.io/tls-acme: true\ncertmanager.k8s.io/cluster-issuer: icp-ca-issuer"
+ Readiness:
+ InitialDelaySeconds: 10
+ Liveness:
+ InitialDelaySeconds: 10
diff --git a/kubeProviders/iks/README.md b/kubeProviders/iks/README.md
new file mode 100644
index 0000000..f6fa3b9
--- /dev/null
+++ b/kubeProviders/iks/README.md
@@ -0,0 +1,226 @@ +# Jenkins X Boot configuration for IBM Cloud + +CAUTION: Current `iks` clusters need `kaniko` if you want to use them for building Docker images in the course of your CI pipeline (which is an essential step to get your applications into your JX k8s cluster). This is not yet implemented, cf. https://github.com/jenkins-x/jx/issues/3971. + +## Prerequisites + +* Make yourself familiar with the general Jenkins-X (JX) setup: https://jenkins-x.io/documentation/ +* You need a GitHub account: https://github.com (Checkout the appendix of this document, if you would like to use IBM Cloud Git instead) +* Before setting up (JX) on IBM cloud with Kubernetes (IKS) you need an IBM account. +You can apply for a free trial for one year here: https://www.ibm.com/partners/start/cloud-container-service/ + +NOTE: A _free_ IBM cloud account does not include all necessary permissions and resources to run k8s and JX. + +## Initial cloud setup + +### Automatic initial setup + +Run the following shell script, it should setup the local cloud tools (`ibmcloud`) on your machine. 
+ + # An IKS 1.10 cluster must be used, 1.11 was broken with jenkins-x at the time of writing + curl -sL https://ibm.biz/idt-installer | bash + +### Manual initial setup + +If the automatic setup fails, you may perform a manual setup, as described here: https://console.bluemix.net/docs/cli/index.html#overview + +And install some additional plugins + + ibmcloud plugin install container-service + ibmcloud plugin install container-registry + +and some tools used by JX + +* install latest helm -> https://docs.helm.sh/using_helm/#installing-helm +* install kubectl 1.10 -> https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl-binary-using-curl +* install jx -> https://jenkins-x.io/getting-started/install/ + +Then login to the IBM cloud + + ibmcloud login -a https://api.us-east.bluemix.net (--sso / --apikey as appropriate) + +## Create/Install k8s/JX + +NOTE: Check out the open issues section at the end of the document (before the Appendix section) for some known limitations! + +### Create IKS cluster and JX automatically + +One of the large strengths of JX is, that it can even set up a k8s cluster automatically during the install process. + +Just call: + +```bash +jx create cluster iks \ + -n jx-wdc04 \ + -r us-east \ + -z wdc04 \ + -m b2c.4x16 \ + --workers=3 \ + --kube-version=1.11.9 \ + \ + --namespace='jx' +``` + +and answer some remaining questions, e.g., for your Git/GitHub user. + +NOTE: If you run into problems or want to customize parts of the setup, follow the instructions in the next section. + +### Set up IKS and JX manually + +#### Set up IKS cluster manually + +* Find a region: `ibmcloud ks regions` +* Set the region (eg. us-east, cf. [issue 2984](https://github.com/jenkins-x/jx/issues/2984)): `ibmcloud ks region-set us-east` +* Find a zone (eg. 
wdc07): `ibmcloud ks zones` +* Find machine types (should use `b2c.4x16 minimum`): `ibmcloud ks machine-types --zone wdc07` +* Find the k8s 1.11.x version: `ibmcloud ks kube-versions` +* Find the Public and private vlans (if none exist, they will be created): `ibmcloud ks vlans --zone wdc07` +* Create VLANs, if vlans exist in the zone, they will need to be specified here otherwise they will be created. +* If you want to use let's encrypt, make sure to specify a cluster name so that `docker-registry.jx...containers.appdomain.cloud` is less than 64 characters (will be checked automatically during install), eg., `docker-registry.jx.jx-wdc07.us-east.container.appdomain.cloud < 64 chars` (Smallest possible is best). +* Set up the cluster (some parameters depend on your settings before or what resource types are available in the chosen region, zone etc.): + +```bash + ibmcloud ks cluster-create \ + --name jx-wdc07 \ + --kube-version 1.11.9 \ + --zone wdc07 \ + --machine-type b2c.4x16 \ + --workers 3 \ + --private-vlan 2323675 \ + --public-vlan 2323691 +``` + +* Check until state is "normal" (takes about 25 minutes): `ibmcloud ks cluster-get --cluster jx-wdc07` +* Import cluster parameters to your shell environment: `eval $(ibmcloud ks cluster-config --export --cluster jx-wdc07)` + +#### Setup Helm / Tiller + +CAUTION: This gives Tiller all privileges, do not use it for production environments! + +```bash + kubectl create serviceaccount --namespace kube-system tiller + kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller + # kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}' + helm init --service-account tiller --upgrade +``` + +#### Setup block storage drivers (Optional) + +* Install block storage drives with helm + +```bash + # helm init # Unless you already have initialized helm in the setup step before? 
+ helm repo add ibm https://registry.bluemix.net/helm/ibm + helm repo update + helm install ibm/ibmcloud-block-storage-plugin --name ibmcloud-block-storage-plugin +``` + +* Make block default + +```bash + kubectl patch storageclass ibmc-file-bronze -p \ + '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' +``` + +* Alternatively (if included in your plan) you can also choose `ibmc-block-silver` or `ibmc-block-gold` for better IOPS + +```bash + kubectl patch storageclass ibmc-block-silver -p \ + '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' +``` + +#### Setup https (Recommended) + +WARNING: This does not work and needs further testing/investigation! + +Note: There is also a jenkins- addon, may work but never tested with IBM Cloud + +```bash +# Optional/Sometime necessary? kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.6.1/deploy/manifests/00-crds.yaml +helm install \ + --namespace=kube-system \ + --name=cert-manager stable/cert-manager \ + --set=ingressShim.defaultIssuerKind=ClusterIssuer \ + --set=ingressShim.defaultIssuerName=letsencrypt-staging \ + --version v0.5.2 +cat << EOF| kubectl create -n kube-system -f - +apiVersion: certmanager.k8s.io/v1alpha1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: YOUREEMAIL@ca.ibm.com + privateKeySecretRef: + name: letsencrypt-staging + http01: {} +EOF +``` + +#### Install JX manually + +* Have your GitHub account at hand, +* Have your cluster subdomain for the domain flag (example provided) at hand, +* answer Y to create ingress when asked, + +```bash +jx install cluster --provider=iks \ + --domain='jx-wdc07.us-east.containers.appdomain.cloud' \ + [ --default-admin-password= ] +``` + +* wait until done. 
can check status by doing `kubectl get deployments,services,pvc,pv,ingress -n jx` in another terminal +* Upgrade ingress if you have installed https: `jx upgrade ingress` +* Make sure you can push and pull images into the account: `ibmcloud cr token-add --non-expiring --readwrite --description "Jenkins-X Token"` + +## Open issues + +There are some open issues at the time of this writing (2019-02-05), some of which may limit your usage of IKS. + +NOTE: This is only a snapshot, check out their state or if others exist meanwhile: https://github.com/jenkins-x/jx/issues?utf8=%E2%9C%93&q=is%3Aopen+is%3Aissue+label%3Aarea%2FIKS+ + +| *Limitation* | *GitHub Issue* | *WIP* | +| ------------------------------------------------------------------------- |:----------------------------------------------------:|:-----:| +| Currently it is only possible to create a cluster in the region *us-east* | [#2984](https://github.com/jenkins-x/jx/issues/2984) | - | +| JX environments are not created automatically | [#2985](https://github.com/jenkins-x/jx/issues/2985) | - | +| Cluster registry is not automatically created | [#2997](https://github.com/jenkins-x/jx/issues/2997) | - | +| `batch-mode`, `verbose`-Flag etc. not possible | [#2996](https://github.com/jenkins-x/jx/issues/2996) | - | +| IKS needs `kaniko` to perform builds | [#3971](https://github.com/jenkins-x/jx/issues/3971) | - | +---- + +## Appendix + +These setups are usually not necessary. 
+ +### Create Docker secret + +* `kubectl --namespace default create secret docker-registry registrysecret --docker-server=registry..bluemix.net --docker-username=token --docker-password= --docker-email=` +* Copy the "Token" + + echo -n token: | base64 -w0 + +* Copy the base64 value and create a file called `config.json` with this contents: + +```{ + "auths": { + "registry.ng.bluemix.net": { + "auth": "" + } + } +} +``` + +* Replace the existing Docker secret + + kubectl delete secret jenkins-docker-cfg -n jx + kubectl create secret generic jenkins-docker-cfg --from-file=./config.json -n jx + +* At this point the jenkins server needs to restarted to pick up the new docker creds: `kubectl -njx delete pods` -lapp=jenkins + +### Use IBM Git + +If you want to use git.ng.bluemix.net (gitlab), create a personal access token there + + jx create git server gitlab https://git.ng.bluemix.net -n gitlab + jx create git token -n gitlab -t diff --git a/kubeProviders/iks/values.tmpl.yaml b/kubeProviders/iks/values.tmpl.yaml new file mode 100644 index 0000000..47cc698 --- /dev/null +++ b/kubeProviders/iks/values.tmpl.yaml @@ -0,0 +1,21 @@ +# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml +jenkins: + Servers: + Global: + EnvVars: + DOCKER_REGISTRY: "registry.ng.bluemix.net" + # Smaller cluster configurations require more time + Master: + Readiness: + InitialDelaySeconds: 600 + Liveness: + InitialDelaySeconds: 660 + +docker-registry: + enabled: false + +jenkins-x-platform: + # lets disable creating the jenkins-x-docker-cfg secret + # we can manage that by hand for now + .PipelineSecrets: + DockerConfig: "" diff --git a/kubeProviders/kubernetes/README.md b/kubeProviders/kubernetes/README.md new file mode 100644 index 0000000..3fc9cc4 --- /dev/null +++ b/kubeProviders/kubernetes/README.md @@ -0,0 +1 @@ +# Jenkins X Boot configuration for generic Kubernetes \ No newline at end of file 
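Review bot: `.PipelineSecrets:` at the end of the iks values hunk has a leading dot, so it is a different YAML key from the `PipelineSecrets:` used by the other provider overrides in this commit, and the `DockerConfig: ""` beneath it would never reach the platform chart; the comment above it says the intent is to stop the jenkins-x-docker-cfg secret from being created, which would then silently not happen. The fix is the one-character change to `PipelineSecrets:`. If the dot is deliberate, the comment should say so, because as written it reads as a typo.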
diff --git a/kubeProviders/kubernetes/values.tmpl.yaml b/kubeProviders/kubernetes/values.tmpl.yaml
new file mode 100644
index 0000000..0cb3c10
--- /dev/null
+++ b/kubeProviders/kubernetes/values.tmpl.yaml
@@ -0,0 +1 @@
+# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml
diff --git a/kubeProviders/minikube/values.tmpl.yaml b/kubeProviders/minikube/values.tmpl.yaml
new file mode 100644
index 0000000..4ed5377
--- /dev/null
+++ b/kubeProviders/minikube/values.tmpl.yaml
@@ -0,0 +1,5 @@
+# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml
+exposecontroller:
+ exposecontroller:
+ HTTP: "true"
+ TLSACME: "false"
\ No newline at end of file
diff --git a/kubeProviders/minishift/values.tmpl.yaml b/kubeProviders/minishift/values.tmpl.yaml
new file mode 100644
index 0000000..3fca803
--- /dev/null
+++ b/kubeProviders/minishift/values.tmpl.yaml
@@ -0,0 +1,64 @@ +# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml +exposecontroller: + exposecontroller: + HTTP: "true" + TLSACME: "false" + +# disable monocular until the routing is fixed +monocular: + enabled: false + + +docker-registry: + enabled: false + +jenkins: + Master: + Image: "davidconde/jenkinsx-openshift" + ImageTag: "0.0.1" + ServiceAccountAnnotations: | + serviceaccounts.openshift.io/oauth-redirectreference.jenkins: >- + {"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"jenkins"}} + AuthorizationStrategyClass: "hudson.security.GlobalMatrixAuthorizationStrategy" + AuthorizationStrategyAttributes: + - name: "permission" + value: "hudson.model.Computer.Configure:admin" + - name: "permission" + value: "hudson.model.Computer.Delete:admin" + - name: "permission" + value: "hudson.model.Hudson.Administer:admin" + - name: "permission" + value: "hudson.model.Hudson.Read:admin" + - name: "permission" + value: "hudson.model.Item.Build:admin" + - name: "permission" + value: "hudson.model.Item.Configure:admin" + - name: "permission" + value: "hudson.model.Item.Create:admin" + - name: "permission" + value: "hudson.model.Item.Delete:admin" + - name: "permission" + value: "hudson.model.Item.Read:admin" + - name: "permission" + value: "hudson.model.Item.Workspace:admin" + - name: "permission" + value: "hudson.model.Run.Delete:admin" + - name: "permission" + value: "hudson.model.Run.Update:admin" + - name: "permission" + value: "hudson.model.View.Configure:admin" + - name: "permission" + value: "hudson.model.View.Create:admin" + - name: "permission" + value: "hudson.model.View.Delete:admin" + - name: "permission" + value: "hudson.scm.SCM.Tag:admin" + SecurityRealmClass: "hudson.security.HudsonPrivateSecurityRealm" + SecurityRealmAttributes: + - name: "disableSignup" + value: "true" + - name: "enableCaptcha" + value: "false" + Global: + EnvVars: + 
DOCKER_REGISTRY: "docker-registry.default.svc:5000"
\ No newline at end of file
diff --git a/kubeProviders/oke/README.md b/kubeProviders/oke/README.md
new file mode 100644
index 0000000..edb5525
--- /dev/null
+++ b/kubeProviders/oke/README.md
@@ -0,0 +1 @@
+# Jenkins X Boot configuration for Oracle Cloud Infrastructure Container Engine for Kubernetes
\ No newline at end of file
diff --git a/kubeProviders/oke/values.tmpl.yaml b/kubeProviders/oke/values.tmpl.yaml
new file mode 100644
index 0000000..7ae30fd
--- /dev/null
+++ b/kubeProviders/oke/values.tmpl.yaml
@@ -0,0 +1,14 @@
+chartmuseum:
+ persistence:
+ Size: 50Gi
+jenkins:
+ Persistence:
+ Size: 50Gi
+monocular:
+ mongodb:
+ persistence:
+ size: 50Gi
+
+jenkins:
+ Agent:
+ KubernetesServerURL: "https://kubernetes.default.svc"
diff --git a/kubeProviders/openshift/values.tmpl.yaml b/kubeProviders/openshift/values.tmpl.yaml
new file mode 100644
index 0000000..12c23cb
--- /dev/null
+++ b/kubeProviders/openshift/values.tmpl.yaml
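Review bot: `Image: "davidconde/jenkinsx-openshift"` with `ImageTag: "0.0.1"` in the minishift values points the Jenkins master at a personal Docker Hub namespace by a mutable tag, so whoever controls that account controls what the CI controller runs; the same two lines appear in `kubeProviders/openshift/values.tmpl.yaml`. Pin it by digest (`Image: "<registry>/<image>@sha256:<digest>"` — placeholder, fill in the verified digest) or mirror it into a registry the project controls, and add a comment on why a non-jenkins-x image is needed on OpenShift. The `AuthorizationStrategyAttributes` list grants every permission to `admin` only and signup is disabled, which is a sound default; a short comment stating that deliberately would stop future edits from loosening it by accident.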
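Review bot: `jenkins:` appears twice as a top-level key in the oke values hunk (once holding `Persistence`, once holding `Agent`), and a YAML mapping may not repeat keys; depending on the parser this is either a load error or one of the two blocks is silently dropped, so either `Persistence.Size` or `KubernetesServerURL` may never reach the chart. Merge them into one `jenkins:` block containing both `Persistence:` and `Agent:`. No other provider in this commit sets `KubernetesServerURL`, so a comment on why OKE needs it explicitly would help.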
@@ -0,0 +1,63 @@ +# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml +exposecontroller: + exposecontroller: + HTTP: "true" + TLSACME: "false" + +# disable monocular until the routing is fixed +monocular: + enabled: false + +docker-registry: + enabled: false + +jenkins: + Master: + Image: "davidconde/jenkinsx-openshift" + ImageTag: "0.0.1" + ServiceAccountAnnotations: | + serviceaccounts.openshift.io/oauth-redirectreference.jenkins: >- + {"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"jenkins"}} + AuthorizationStrategyClass: "hudson.security.GlobalMatrixAuthorizationStrategy" + AuthorizationStrategyAttributes: + - name: "permission" + value: "hudson.model.Computer.Configure:admin" + - name: "permission" + value: "hudson.model.Computer.Delete:admin" + - name: "permission" + value: "hudson.model.Hudson.Administer:admin" + - name: "permission" + value: "hudson.model.Hudson.Read:admin" + - name: "permission" + value: "hudson.model.Item.Build:admin" + - name: "permission" + value: "hudson.model.Item.Configure:admin" + - name: "permission" + value: "hudson.model.Item.Create:admin" + - name: "permission" + value: "hudson.model.Item.Delete:admin" + - name: "permission" + value: "hudson.model.Item.Read:admin" + - name: "permission" + value: "hudson.model.Item.Workspace:admin" + - name: "permission" + value: "hudson.model.Run.Delete:admin" + - name: "permission" + value: "hudson.model.Run.Update:admin" + - name: "permission" + value: "hudson.model.View.Configure:admin" + - name: "permission" + value: "hudson.model.View.Create:admin" + - name: "permission" + value: "hudson.model.View.Delete:admin" + - name: "permission" + value: "hudson.scm.SCM.Tag:admin" + SecurityRealmClass: "hudson.security.HudsonPrivateSecurityRealm" + SecurityRealmAttributes: + - name: "disableSignup" + value: "true" + - name: "enableCaptcha" + value: "false" + Global: + EnvVars: + DOCKER_REGISTRY: 
"docker-registry.default.svc:5000" diff --git a/kubeProviders/pks/README.md b/kubeProviders/pks/README.md new file mode 100644 index 0000000..e043734 --- /dev/null +++ b/kubeProviders/pks/README.md @@ -0,0 +1 @@ +# Jenkins X Boot configuration for PKS \ No newline at end of file diff --git a/kubeProviders/pks/values.tmpl.yaml b/kubeProviders/pks/values.tmpl.yaml new file mode 100644 index 0000000..fbe71ef --- /dev/null +++ b/kubeProviders/pks/values.tmpl.yaml @@ -0,0 +1,24 @@ +# Override configuration from https://github.com/jenkins-x/jenkins-x-platform/blob/master/jenkins-x-platform/values.yaml + +jenkins: + Agent: + # for PKS there is a different docker host path + DockerHostPath: "/var/vcap/sys/run/docker/docker.sock" + DockerMountPath: "/var/run/docker.sock" + +jenkins-x-platform: + PipelineSecrets: +{{- if eq .Parameters.enableDocker true }} + DockerConfig: |- + { + "auths":{ + {{ .Parameters.docker.url | quote }}: + { + "auth": {{ printf "%s:%s" .Parameters.docker.username .Parameters.docker.password | b64enc | quote}}, + "email": {{ .Parameters.docker.email | quote}} + } + } + } +{{- else}} + DockerConfig: "" +{{- end}} diff --git a/prowConfig/README.md b/prowConfig/README.md new file mode 100644 index 0000000..b393fdc --- /dev/null +++ b/prowConfig/README.md @@ -0,0 +1 @@ +The Prow `ConfigMap` resources called `config` and `plugins` are generated here in case you wish to store them in git \ No newline at end of file diff --git a/repositories/Chart.yaml b/repositories/Chart.yaml new file mode 100644 index 0000000..018bee6 --- /dev/null +++ b/repositories/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +description: Source Repositories Chart +maintainers: +- name: Team +name: repositories +version: "1" diff --git a/repositories/templates/default-group.yaml b/repositories/templates/default-group.yaml new file mode 100644 index 0000000..6c1ad9d --- /dev/null +++ b/repositories/templates/default-group.yaml 
@@ -0,0 +1,10 @@
+apiVersion: jenkins.io/v1
+kind: SourceRepositoryGroup
+metadata:
+ name: default-group
+spec:
+ scheduler:
+ apiVersion: jenkins.io/v1
+ kind: Scheduler
+ name: default-scheduler
+ repositories: []
diff --git a/systems/acme/Chart.yaml b/systems/acme/Chart.yaml
new file mode 100644
index 0000000..4064895
--- /dev/null
+++ b/systems/acme/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+appVersion: 1.0.82
+description: ACME Chart
+maintainers:
+- name: Team
+name: acme
+version: 1.0.82
diff --git a/systems/acme/templates/cert-manager-prod-certificate.yaml b/systems/acme/templates/cert-manager-prod-certificate.yaml
new file mode 100644
index 0000000..81587eb
--- /dev/null
+++ b/systems/acme/templates/cert-manager-prod-certificate.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.certmanager.enabled }}
+{{- if eq .Values.certmanager.production "true" }}
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: "tls-{{ .Values.cluster.domain | replace "." "-" }}-p"
+ labels:
+ jenkins.io/letsencrypt-service: production
+spec:
+ secretName: "tls-{{ .Values.cluster.domain | replace "." "-" }}-p"
+ issuerRef:
+ name: letsencrypt-prod
+ commonName: "*.{{ .Values.cluster.domain }}"
+ dnsNames:
+ - "*.{{ .Values.cluster.domain }}"
+{{- end }}
+{{- end }}
diff --git a/systems/acme/templates/cert-manager-prod-issuer.yaml b/systems/acme/templates/cert-manager-prod-issuer.yaml
new file mode 100644
index 0000000..21b7080
--- /dev/null
+++ b/systems/acme/templates/cert-manager-prod-issuer.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.certmanager.enabled }}
+{{- if eq .Values.certmanager.production "true" }}
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: "{{ .Values.certmanager.email }}"
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - selector:
+ dnsNames:
+ - "*.{{ .Values.cluster.domain }}"
+ - "{{ .Values.cluster.domain }}"
+ # ACME DNS-01 provider configurations
+ dns01:
+{{- if eq .Values.cluster.provider "gke" }}
+ clouddns:
+ # The project in which to update the DNS zone
+ project: "{{ .Values.cluster.projectID }}"
+ # A secretKeyRef to a google cloud json service account
+ serviceAccountSecretRef:
+ name: external-dns-gcp-sa
+ key: credentials.json
+{{- end }}
+{{- if eq .Values.cluster.provider "eks" }}
+ route53:
+ region: {{ .Values.cluster.region }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/systems/acme/templates/cert-manager-staging-certificate.yaml b/systems/acme/templates/cert-manager-staging-certificate.yaml
new file mode 100644
index 0000000..a7ef804
--- /dev/null
+++ b/systems/acme/templates/cert-manager-staging-certificate.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.certmanager.enabled }}
+{{- if eq .Values.certmanager.production "false" }}
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: "tls-{{ .Values.cluster.domain | replace "." "-" }}-s"
+ labels:
+ jenkins.io/letsencrypt-service: staging
+spec:
+ secretName: "tls-{{ .Values.cluster.domain | replace "." "-" }}-s"
+ issuerRef:
+ name: letsencrypt-staging
+ commonName: "*.{{ .Values.cluster.domain }}"
+ dnsNames:
+ - "*.{{ .Values.cluster.domain }}"
+{{- end }}
+{{- end }}
diff --git a/systems/acme/templates/cert-manager-staging-issuer.yaml b/systems/acme/templates/cert-manager-staging-issuer.yaml
new file mode 100644
index 0000000..8b97efe
--- /dev/null
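Review bot: For any provider other than `gke` or `eks`, the `dns01:` key under `solvers` in the prod issuer is rendered with nothing beneath it, so the Issuer is created with a solver that names no DNS provider and the wildcard Certificate in the previous section can never be issued; cert-manager will presumably surface that on the order, but nothing here fails at render time. The staging issuer in the next section has the same shape. Either wrap `solvers:` in the same provider conditions, or turn the two independent `if` blocks into a chain that fails loudly for anything else: `{{- else }}{{ fail "certmanager DNS-01 solver is only configured for gke and eks" }}`. The gke branch also reuses the `external-dns-gcp-sa` secret, so `# shares the service-account key used by external-dns; rotate both together` on `serviceAccountSecretRef:` would help whoever rotates it.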
+++ b/systems/acme/templates/cert-manager-staging-issuer.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.certmanager.enabled }}
+{{- if eq .Values.certmanager.production "false" }}
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: "{{ .Values.certmanager.email }}"
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - selector:
+ dnsNames:
+ - "*.{{ .Values.cluster.domain }}"
+ - "{{ .Values.cluster.domain }}"
+ # ACME DNS-01 provider configurations
+ dns01:
+{{- if eq .Values.cluster.provider "gke" }}
+ clouddns:
+ # The project in which to update the DNS zone
+ project: "{{ .Values.cluster.projectID }}"
+ # A secretKeyRef to a google cloud json service account
+ serviceAccountSecretRef:
+ name: external-dns-gcp-sa
+ key: credentials.json
+{{- end }}
+{{- if eq .Values.cluster.provider "eks" }}
+ route53:
+ region: {{ .Values.cluster.region }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/systems/acme/values.tmpl.yaml b/systems/acme/values.tmpl.yaml
new file mode 100644
index 0000000..92c0b2e
--- /dev/null
+++ b/systems/acme/values.tmpl.yaml
@@ -0,0 +1,20 @@
+cluster:
+ domain: {{ .Requirements.ingress.domain }}
+ provider: {{ .Requirements.cluster.provider }}
+{{- if hasKey .Requirements.cluster "project" }}
+ projectID: {{ .Requirements.cluster.project }}
+{{- else }}
+ projectID: ""
+{{- end }}
+{{- if hasKey .Requirements.cluster "region" }}
+ region: {{ .Requirements.cluster.region }}
+{{- else }}
+ region: ""
+{{- end }}
+
+ {{- if .Requirements.ingress.tls }}
+certmanager:
+ production: "{{ .Requirements.ingress.tls.production }}"
+ email: "{{ .Requirements.ingress.tls.email }}"
+ enabled: {{ .Requirements.ingress.tls.enabled }}
+{{- end }}
diff --git a/systems/cm/Chart.yaml b/systems/cm/Chart.yaml
new file mode 100644
index 0000000..a1356bd
--- /dev/null
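Review bot: When `.Requirements.ingress.tls` is absent, the acme values file renders no `certmanager:` block at all, yet every template in this chart opens with `{{- if .Values.certmanager.enabled }}`; if I read Helm's nil handling correctly, evaluating `.enabled` on a missing map is a render error rather than false, so a requirements file without a `tls` section would break the chart instead of skipping it. Rendering an explicit default in the other branch avoids that: `{{- else }}`, `certmanager:`, `  enabled: false`. Quoting is also uneven in the hunk — `production` and `email` are quoted, `domain` and `provider` are not — and `projectID`/`region` are quoted in one branch and bare in the other; quoting all of them consistently removes a class of YAML type surprises.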
+++ b/systems/cm/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: Cert Manager Chart
+maintainers:
+- name: Team
+name: cm
+version: "1"
diff --git a/systems/cm/requirements.yaml b/systems/cm/requirements.yaml
new file mode 100644
index 0000000..8f9c5a1
--- /dev/null
+++ b/systems/cm/requirements.yaml
@@ -0,0 +1,5 @@
+dependencies:
+- alias: cert-manager
+ condition: cert-manager.enabled
+ name: cert-manager
+ repository: https://charts.jetstack.io
diff --git a/systems/cm/values.tmpl.yaml b/systems/cm/values.tmpl.yaml
new file mode 100644
index 0000000..4d9a9c7
--- /dev/null
+++ b/systems/cm/values.tmpl.yaml
@@ -0,0 +1,16 @@
+cert-manager:
+ enabled: {{ .Requirements.ingress.tls.enabled }}
+{{- if eq .Requirements.cluster.provider "eks" }}
+ extraArgs:
+ - --issuer-ambient-credentials
+ securityContext:
+ enabled: true
+ fsGroup: 1001
+{{- end }}
+ rbac:
+ create: true
+ webhook:
+ enabled: false
+
+webhook:
+ enabled: false
\ No newline at end of file
diff --git a/systems/external-dns/Chart.yaml b/systems/external-dns/Chart.yaml
new file mode 100644
index 0000000..4ee4983
--- /dev/null
+++ b/systems/external-dns/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: External-DNS Chart
+maintainers:
+- name: Team
+name: external-dns
+version: "1"
diff --git a/systems/external-dns/requirements.yaml b/systems/external-dns/requirements.yaml
new file mode 100644
index 0000000..9c8660f
--- /dev/null
+++ b/systems/external-dns/requirements.yaml
@@ -0,0 +1,4 @@
+dependencies:
+- condition: external-dns.enabled
+ name: external-dns
+ repository: https://charts.bitnami.com/bitnami
diff --git a/systems/external-dns/values.tmpl.yaml b/systems/external-dns/values.tmpl.yaml
new file mode 100644
index 0000000..5203ffb
--- /dev/null
+++ b/systems/external-dns/values.tmpl.yaml
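Review bot: `--issuer-ambient-credentials` on the eks branch of the cm values lets any Issuer in the cluster, not only the ones this config creates, use the node or pod IAM identity for Route53 changes, so every namespace that can create an Issuer inherits that DNS write access; that may be the intended trade-off, but it belongs next to the flag: `# lets the pod/node IAM role solve Route53 DNS-01; any Issuer in the cluster can then use that role`. The top-level `webhook:` block after the blank line sits outside the `cert-manager` alias, so it does not reach the subchart and only duplicates the `webhook.enabled: false` already set above — drop it or comment why it is there. `enabled: {{ .Requirements.ingress.tls.enabled }}` has no guard on the `tls` section, unlike the acme values file; a requirements file without one presumably fails to render here.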
@@ -0,0 +1,27 @@
+external-dns:
+ enabled: {{ .Requirements.ingress.externalDNS }}
+ sources:
+ - ingress
+{{- if eq .Requirements.cluster.provider "eks"}}
+ provider: aws
+ aws:
+ region: {{ .Requirements.cluster.region}}
+ securityContext:
+ fsGroup: 65534
+{{- else if eq .Requirements.cluster.provider "gke"}}
+ provider: google
+ google:
+ serviceAccountSecret: external-dns-gcp-sa
+ {{- if hasKey .Requirements.cluster "project" }}
+ project: "{{ .Requirements.cluster.project }}"
+ {{ end }}
+{{- end}}
+
+ rbac:
+ create: true
+ domainFilters:
+{{- range .Requirements.environments }}
+ {{- if .ingress.domain }}
+ - "{{ .ingress.domain }}"
+ {{- end }}
+{{- end }}
diff --git a/systems/jx-auth/Chart.yaml b/systems/jx-auth/Chart.yaml
new file mode 100644
index 0000000..4813a12
--- /dev/null
+++ b/systems/jx-auth/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: Jx Auth Chart
+maintainers:
+- name: Team
+name: jx-auth
+version: "1"
diff --git a/systems/jx-auth/jx-auth-configmap.tmpl.yaml b/systems/jx-auth/jx-auth-configmap.tmpl.yaml
new file mode 100644
index 0000000..c0c734b
--- /dev/null
+++ b/systems/jx-auth/jx-auth-configmap.tmpl.yaml
@@ -0,0 +1,24 @@
+{{- if eq .Requirements.secretStorage "vault" }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: jx-auth-config
+ labels:
+ jenkins.io/created-by: jx
+ jenkins.io/config-type: auth
+data:
+ gitAuth.yaml: |
+ currentserver: "{{ .Requirements.cluster.gitServer }}"
+ defaultusername: "{{ .Parameters.pipelineUser.username }}"
+ pipelineserver: "{{ .Requirements.cluster.gitServer }}"
+ pipelineusername: "{{ .Parameters.pipelineUser.username }}"
+ servers:
+ - currentuser: "{{ .Parameters.pipelineUser.username }}"
+ kind: "{{ .Requirements.cluster.gitKind }}"
+ name: "{{ .Requirements.cluster.gitName }}"
+ url: "{{ .Requirements.cluster.gitServer }}"
+ users:
+ - apitoken: "{{ .Parameters.pipelineUser.token }}"
+ bearertoken: ""
+ username: "{{ .Parameters.pipelineUser.username }}"
+{{- end }}
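Review bot: `domainFilters:` in the external-dns values is built only from environments that declare `ingress.domain`, and when none does the key is rendered with no entries; as far as I recall external-dns treats an empty filter as "no restriction", so the controller would then manage every hosted zone its AWS or GCP credential can reach rather than none. Seeding the list with the cluster domain, `- "{{ .Requirements.ingress.domain }}"`, before the `range` keeps its scope bounded. Two smaller points: the `{{ end }}` after `project:` lacks the `-` trim the rest of the file uses, and `enabled: {{ .Requirements.ingress.externalDNS }}` renders `enabled:` with no value when the key is absent.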
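Review bot: The jx-auth template writes the pipeline user's git API token (`apitoken: "{{ .Parameters.pipelineUser.token }}"`) into a ConfigMap, which is readable by anyone with get or list on configmaps in the namespace and sits outside the RBAC, audit and encryption-at-rest handling that Secret objects get; the `eq .Requirements.secretStorage "vault"` guard means the token is fetched from Vault at render time only to be re-stored in the least protected object type. Emit a `kind: Secret` instead, with the same `gitAuth.yaml` document under `stringData:`, or keep only the server/username fields here and reference the token from a Secret. If the ConfigMap shape is something the jx client relies on, a comment stating that constraint should sit on `kind: ConfigMap` so the choice is not mistaken for an oversight.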
diff --git a/systems/jx-auth/templates/jx-auth-configmap.yaml b/systems/jx-auth/templates/jx-auth-configmap.yaml
new file mode 100644
index 0000000..9d7d395
--- /dev/null
+++ b/systems/jx-auth/templates/jx-auth-configmap.yaml
@@ -0,0 +1 @@
+# This jx auth configmap will be generated from template
diff --git a/systems/jxing/Chart.yaml b/systems/jxing/Chart.yaml
new file mode 100644
index 0000000..4ec1fc3
--- /dev/null
+++ b/systems/jxing/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+description: Ingress Chart
+icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v1.5.5/deployments/helm-chart/chart-icon.png
+maintainers:
+- name: Team
+name: jxing
+version: "1"
diff --git a/systems/jxing/requirements.yaml b/systems/jxing/requirements.yaml
new file mode 100644
index 0000000..2ec9fdd
--- /dev/null
+++ b/systems/jxing/requirements.yaml
@@ -0,0 +1,4 @@
+dependencies:
+- alias: nginx-ingress
+ name: nginx-ingress
+ repository: https://kubernetes-charts.storage.googleapis.com
diff --git a/systems/jxing/values.tmpl.yaml b/systems/jxing/values.tmpl.yaml
new file mode 100644
index 0000000..710ac30
--- /dev/null
+++ b/systems/jxing/values.tmpl.yaml
@@ -0,0 +1,16 @@
+nginx-ingress:
+ controller:
+ replicaCount: 3
+ extraArgs:
+ publish-service: kube-system/jxing-nginx-ingress-controller
+ service:
+ omitClusterIP: true
+{{- if eq .Requirements.cluster.provider "eks" }}
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-type: nlb
+{{- end }}
+ defaultBackend:
+ service:
+ omitClusterIP: true
+ rbac:
+ create: true
diff --git a/systems/vault/Chart.yaml b/systems/vault/Chart.yaml
new file mode 100644
index 0000000..be3f7b8
--- /dev/null
+++ b/systems/vault/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: Vault Chart
+maintainers:
+- name: Team
+name: vault
+version: "1"
diff --git a/systems/vault/values.tmpl.yaml b/systems/vault/values.tmpl.yaml
new file mode 100644
index 0000000..82f6020
--- /dev/null
+++ b/systems/vault/values.tmpl.yaml
@@ -0,0 +1,4 @@
+vault:
+ service:
+ annotations:
+ fabric8.io/exposeUrl: vault{{ .Requirements.ingress.namespaceSubDomain | default ".jx." }}{{ .Requirements.ingress.domain }}
diff --git a/systems/vault/vault-ing.tmpl.yaml b/systems/vault/vault-ing.tmpl.yaml
new file mode 100644
index 0000000..b8ae441
--- /dev/null
+++ b/systems/vault/vault-ing.tmpl.yaml
@@ -0,0 +1,25 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ helm.sh/hook: pre-install,pre-upgrade
+ name: {{ .Requirements.vault.name }}
+spec:
+ rules:
+ - host: vault{{ .Requirements.ingress.namespaceSubDomain | default ".jx." }}{{ .Requirements.ingress.domain }}
+ http:
+ paths:
+ - backend:
+ serviceName: {{ .Requirements.vault.name }}
+ servicePort: 8200
+{{- if .Requirements.ingress.tls.enabled }}
+ tls:
+ - hosts:
+ - vault{{ .Requirements.ingress.namespaceSubDomain | default ".jx." }}{{ .Requirements.ingress.domain }}
+{{- if .Requirements.ingress.tls.production }}
+ secretName: "tls-{{ .Requirements.ingress.domain | replace "." "-" }}-p"
+{{- else }}
+ secretName: "tls-{{ .Requirements.ingress.domain | replace "." "-" }}-s"
+{{- end }}
+{{- end }}
diff --git a/systems/velero-backups/Chart.yaml b/systems/velero-backups/Chart.yaml
new file mode 100644
index 0000000..1fb4b74
--- /dev/null
+++ b/systems/velero-backups/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: Velero Backup Chart
+maintainers:
+- name: Team
+name: velero-backups
+version: "1"
diff --git a/systems/velero-backups/README.MD b/systems/velero-backups/README.MD
new file mode 100644
index 0000000..34b4fc9
--- /dev/null
+++ b/systems/velero-backups/README.MD
@@ -0,0 +1,6 @@
+# velero
+
+|App Metadata||
+|---|---|
+| **Version** | 1.1.0 |
+| **Chart Repository** | https://kubernetes-charts.storage.googleapis.com |
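Review bot: In the vault Ingress the TLS host is `vault<namespaceSubDomain><domain>`, which with the default `.jx.` becomes `vault.jx.<domain>`, two labels below the domain, while `secretName` points at the certificate the acme chart issues for `*.<domain>`; a wildcard matches a single label, so unless `namespaceSubDomain` is set to a one-label form such as `-jx.` the served certificate will not match the host. Either switch the default to a hyphenated sub-domain when `tls.enabled` is true, or state the requirement on the `tls:` block: `# requires a single-label namespaceSubDomain (e.g. -jx.) so the *.domain wildcard cert covers this host`. When `tls.enabled` is false the Vault API, and the tokens jx presents to it, is published through the public ingress in clear text, which deserves `# without TLS the vault API and its tokens cross the ingress unencrypted` next to the condition. `extensions/v1beta1` for Ingress is deprecated and removed in newer Kubernetes releases; `networking.k8s.io/v1beta1` is the safer apiVersion where the target cluster supports it.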
diff --git a/systems/velero-backups/templates/default-backup.yaml b/systems/velero-backups/templates/default-backup.yaml
new file mode 100644
index 0000000..a9229e0
--- /dev/null
+++ b/systems/velero-backups/templates/default-backup.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.velero.enabled }}
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+ name: default-backup
+spec:
+ schedule: {{ .Values.velero.schedule | quote }}
+ template:
+ excludedNamespaces: null
+ excludedResources: null
+ hooks:
+ resources: null
+ includeClusterResources: null
+ includedNamespaces:
+ - '*'
+ includedResources: null
+ labelSelector: null
+ storageLocation: ""
+ ttl: {{ .Values.velero.ttl }}
+ volumeSnapshotLocations: null
+{{- end }}
diff --git a/systems/velero-backups/values.tmpl.yaml b/systems/velero-backups/values.tmpl.yaml
new file mode 100644
index 0000000..bd20f75
--- /dev/null
+++ b/systems/velero-backups/values.tmpl.yaml
@@ -0,0 +1,12 @@
+velero:
+{{- if and (hasKey .Requirements "velero") (hasKey .Requirements.velero "namespace") }}
+ {{- if .Requirements.velero.namespace }}
+ enabled: true
+ schedule: {{ .Requirements.velero.schedule | default "0 * * * *" | quote }}
+ ttl: {{ .Requirements.velero.ttl | default "720h0m0s" }}
+ {{- else }}
+ enabled: false
+ {{- end }}
+{{- else }}
+ enabled: false
+{{- end }}
diff --git a/systems/velero/Chart.yaml b/systems/velero/Chart.yaml
new file mode 100644
index 0000000..b580a8f
--- /dev/null
+++ b/systems/velero/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: Velero Chart
+maintainers:
+- name: Team
+name: velero
+version: "1"
diff --git a/systems/velero/README.MD b/systems/velero/README.MD
new file mode 100644
index 0000000..34b4fc9
--- /dev/null
+++ b/systems/velero/README.MD
@@ -0,0 +1,6 @@
+# velero
+
+|App Metadata||
+|---|---|
+| **Version** | 1.1.0 |
+| **Chart Repository** | https://kubernetes-charts.storage.googleapis.com |
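Review bot: `includedNamespaces: ['*']` in the default-backup Schedule backs up every object in every namespace, and as far as I know Velero stores Secrets in the backup as they are (base64-encoded, not encrypted), so the bucket behind `storage.backup.url` effectively holds a copy of every credential in the cluster and needs the same access control and at-rest encryption as etcd; `# backs up all namespaces, Secrets included — the backup bucket must be protected like etcd` on `includedNamespaces:` would tell whoever provisions the bucket. The run of `null` fields (`excludedNamespaces`, `excludedResources`, `hooks.resources`, `includedResources`, `labelSelector`, `volumeSnapshotLocations`) and `storageLocation: ""` only restate the defaults and could be dropped so the settings that matter stand out. `ttl: {{ .Values.velero.ttl }}` is bare while `schedule` is quoted; `720h0m0s` reads as a string either way, but quoting it keeps the two consistent.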
diff --git a/systems/velero/requirements.yaml b/systems/velero/requirements.yaml
new file mode 100644
index 0000000..f5f4933
--- /dev/null
+++ b/systems/velero/requirements.yaml
@@ -0,0 +1,5 @@
+dependencies:
+- condition: velero.enabled
+ alias: velero
+ name: velero
+ repository: https://kubernetes-charts.storage.googleapis.com
\ No newline at end of file
diff --git a/systems/velero/values.tmpl.yaml b/systems/velero/values.tmpl.yaml
new file mode 100644
index 0000000..0a84a1f
--- /dev/null
+++ b/systems/velero/values.tmpl.yaml
@@ -0,0 +1,78 @@
+velero:
+{{- if and (hasKey .Requirements "velero") (hasKey .Requirements.velero "namespace") }}
+ {{- if .Requirements.velero.namespace }}
+ enabled: true
+ {{- else }}
+ enabled: false
+ {{- end }}
+{{- else }}
+ enabled: false
+{{- end }}
+ rbac:
+ create: true
+ credentials:
+ useSecret: true
+ existingSecret: velero-secret
+ snapshotsEnabled: false
+{{- if eq .Requirements.cluster.provider "gke" }}
+ initContainers:
+ - name: velero-plugin-for-gcp
+ image: velero/velero-plugin-for-gcp:v1.0.0
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /target
+ name: plugins
+ configuration:
+ provider: gcp
+ backupStorageLocation:
+ name: gcp
+ bucket: {{ .Requirements.storage.backup.url | removeScheme | quote }}
+{{- else if or (eq .Requirements.cluster.provider "aws") (eq .Requirements.cluster.provider "eks") }}
+ initContainers:
+ - name: velero-plugin-for-aws
+ image: velero/velero-plugin-for-aws:v1.0.0
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /target
+ name: plugins
+ configuration:
+ provider: aws
+ backupStorageLocation:
+ name: aws
+ bucket: {{ .Requirements.storage.backup.url | removeScheme | quote }}
+ config:
+ region: {{ .Requirements.cluster.region | quote }}
+{{- else if eq .Requirements.cluster.provider "azure" }}
+ initContainers:
+ - name: velero-plugin-for-azure
+ image: velero/velero-plugin-for-microsoft-azure:v1.0.0
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /target
+ name: plugins
+ configuration:
+ provider: azure
+ backupStorageLocation:
+ name: azure
+ bucket: {{ .Requirements.storage.backup.url | removeScheme | quote }}
+ config:
+ storageAccount: {{ .Requirements.velero.serviceAccount | quote }}
+{{- else if eq .Requirements.cluster.provider "iks" }}
+ initContainers:
+ - name: velero-plugin-for-aws
+ image: velero/velero-plugin-for-aws:v1.0.0
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /target
+ name: plugins
+ configuration:
+ provider: aws
+ backupStorageLocation:
+ name: aws
+ bucket: bucket-name
+ config:
+ region: {{ .Requirements.cluster.region | quote }}
+ s3ForcePathStyle: "true"
+ s3Url: {{ .Requirements.storage.backup.url | quote }}
+{{- end }}
+
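Review bot: In the `iks` branch `bucket: bucket-name` is a literal placeholder, whereas the gke, aws/eks and azure branches derive the bucket from `.Requirements.storage.backup.url | removeScheme`; on IKS the backup location will point at a bucket that does not exist (or at someone else's bucket of that name on the shared S3-compatible endpoint), and Velero will only report it when the first scheduled backup fails. Since this branch already uses `storage.backup.url` as the `s3Url` endpoint, the bucket needs its own configurable source rather than a hard-coded string; the chart cannot tell from the requirements shown here which key that should be, so at minimum the line should be marked `# TODO: placeholder, must be set per cluster` until one is added. The azure branch feeds `.Requirements.velero.serviceAccount` into `config.storageAccount`, which reads as a name mismatch (a service account is not a storage account); if it is intentional, a comment saying so would stop the next reader from "fixing" it. All four plugin images are pinned by tag (`v1.0.0`) only; these init containers run with access to the backup credentials, so pinning by digest would close the door on a retagged image changing what runs.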
