一、版本说明
- CentOS Linux 7
- Jenkins 2.332.2
- minikube version: v1.25.2
- MacOS 12.3.1
二、部署步骤
sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo --no-check-certificate
这里注意,pkg.jenkins.io的证书过期了,我们要加上--no-check-certificate
[xiaoyu@localhost ~]$ sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo --no-check-certificate --2022-04-22 19:54:23-- https://pkg.jenkins.io/redhat-stable/jenkins.repo 正在解析主机 pkg.jenkins.io (pkg.jenkins.io)... 151.101.74.133, 2a04:4e42:1a::645 正在连接 pkg.jenkins.io (pkg.jenkins.io)|151.101.74.133|:443... 已连接。 警告: 无法验证 pkg.jenkins.io 的由 “/C=US/O=Let's Encrypt/CN=R3” 颁发的证书: 颁发的证书已经过期。 已发出 HTTP 请求,正在等待回应... 200 OK 长度:85 正在保存至: “/etc/yum.repos.d/jenkins.repo” 100%[=========================================================================================>] 85 --.-K/s 用时 0s 2022-04-22 19:54:24 (6.71 MB/s) - 已保存 “/etc/yum.repos.d/jenkins.repo” [85/85])
sudo rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key sudo yum install fontconfig java-11-openjdk sudo yum install jenkins sudo systemctl daemon-reload
上面三条没有什么问题,注意的是给root权限即可。
三、启动
以下命令分别为
- 设置jenkins开机启动
- 启动jenkins服务
- 查看jenkins服务状态
[xiaoyu@localhost ~]$ sudo systemctl enable jenkins Created symlink from /etc/systemd/system/multi-user.target.wants/jenkins.service to /usr/lib/systemd/system/jenkins.service. [xiaoyu@localhost ~]$ sudo systemctl start jenkins [xiaoyu@localhost ~]$ sudo systemctl status jenkins ● jenkins.service - Jenkins Continuous Integration Server Loaded: loaded (/usr/lib/systemd/system/jenkins.service; enabled; vendor preset: disabled) Active: active (running) since 五 2022-04-22 20:19:45 CST; 10s ago Main PID: 20521 (java) Tasks: 42 CGroup: /system.slice/jenkins.service └─20521 /usr/bin/java -Djava.awt.headless=true -jar /usr/share/java/jenkins.war --webroot=%C/jenkins/war --httpPort=8... 4月 22 20:19:28 localhost.localdomain jenkins[20521]: This may also be found at: /var/lib/jenkins/secrets/initialAdminPassword 4月 22 20:19:28 localhost.localdomain jenkins[20521]: ************************************************************* 4月 22 20:19:28 localhost.localdomain jenkins[20521]: ************************************************************* 4月 22 20:19:28 localhost.localdomain jenkins[20521]: ************************************************************* 4月 22 20:19:45 localhost.localdomain jenkins[20521]: 2022-04-22 12:19:45.012+0000 [id=43] INFO h.m.Download...aller 4月 22 20:19:45 localhost.localdomain jenkins[20521]: 2022-04-22 12:19:45.012+0000 [id=43] INFO hudson.util....pt #1 4月 22 20:19:45 localhost.localdomain jenkins[20521]: 2022-04-22 12:19:45.014+0000 [id=43] INFO hudson.model...23 ms 4月 22 20:19:45 localhost.localdomain jenkins[20521]: 2022-04-22 12:19:45.867+0000 [id=28] INFO jenkins.Init...ation 4月 22 20:19:45 localhost.localdomain jenkins[20521]: 2022-04-22 12:19:45.884+0000 [id=20] INFO hudson.lifec...nning 4月 22 20:19:45 localhost.localdomain systemd[1]: Started Jenkins Continuous Integration Server. Hint: Some lines were ellipsized, use -l to show in full.
通过增加-l查看完整信息,我们可以看到jenkins用的是8080端口,初始密码在/var/lib/jenkins/secrets/initialAdminPassword中,需要root权限查看。
[xiaoyu@localhost ~]$ sudo systemctl status jenkins -l ● jenkins.service - Jenkins Continuous Integration Server Loaded: loaded (/usr/lib/systemd/system/jenkins.service; enabled; vendor preset: disabled) Active: active (running) since 五 2022-04-22 20:19:45 CST; 2min 44s ago Main PID: 20521 (java) Tasks: 35 CGroup: /system.slice/jenkins.service └─20521 /usr/bin/java -Djava.awt.headless=true -jar /usr/share/java/jenkins.war --webroot=%C/jenkins/war --httpPort=8080 4月 22 20:19:28 localhost.localdomain jenkins[20521]: This may also be found at: /var/lib/jenkins/secrets/initialAdminPassword 4月 22 20:19:28 localhost.localdomain jenkins[20521]: ************************************************************* 4月 22 20:19:28 localhost.localdomain jenkins[20521]: ************************************************************* 4月 22 20:19:28 localhost.localdomain jenkins[20521]: ************************************************************* 4月 22 20:19:45 localhost.localdomain jenkins[20521]: 2022-04-22 12:19:45.012+0000 [id=43] INFO h.m.DownloadService$Downloadable#load: Obtained the updated data file for hudson.tasks.Maven.MavenInstaller 4月 22 20:19:45 localhost.localdomain jenkins[20521]: 2022-04-22 12:19:45.012+0000 [id=43] INFO hudson.util.Retrier#start: Performed the action check updates server successfully at the attempt #1 4月 22 20:19:45 localhost.localdomain jenkins[20521]: 2022-04-22 12:19:45.014+0000 [id=43] INFO hudson.model.AsyncPeriodicWork#lambda$doRun$1: Finished Download metadata. 16,623 ms 4月 22 20:19:45 localhost.localdomain jenkins[20521]: 2022-04-22 12:19:45.867+0000 [id=28] INFO jenkins.InitReactorRunner$1#onAttained: Completed initialization 4月 22 20:19:45 localhost.localdomain jenkins[20521]: 2022-04-22 12:19:45.884+0000 [id=20] INFO hudson.lifecycle.Lifecycle#onReady: Jenkins is fully up and running 4月 22 20:19:45 localhost.localdomain systemd[1]: Started Jenkins Continuous Integration Server. [xiaoyu@localhost ~]$ sudo cat /var/lib/jenkins/secrets/initialAdminPassword 9e87859e96cc49b39276d6a63f80df1b
云主机注意需要放行8080端口,不然无法访问。
四、初始配置
浏览器访问服务器的8080端口,即可访问jenkins。
直接选择推荐的插件即可。
创建第一个用户。
下一步是配置地址,建议做一层nginx,生产环境使用域名解析,我这里用的本地虚拟机就这样了。
到此,jenkins安装完成。
五、k8s下的安装
本文采用MacOS下本地安装,基于minikebe。
启动minikube
(base) xiaoyu@localhost ~ % minikube start 😄 Darwin 12.3.1 上的 minikube v1.25.2 ✨ 根据现有的配置文件使用 hyperkit 驱动程序 👍 Starting control plane node minikube in cluster minikube 🏃 Updating the running hyperkit "minikube" VM ... ❗ This VM is having trouble accessing https://k8s.gcr.io 💡 To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/ 🐳 正在 Docker 20.10.12 中准备 Kubernetes v1.23.3… ▪ kubelet.housekeeping-interval=5m 🔎 Verifying Kubernetes components... ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5 ▪ Using image kubernetesui/metrics-scraper:v1.0.7 ▪ Using image kubernetesui/dashboard:v2.3.1 🌟 Enabled addons: default-storageclass, storage-provisioner, dashboard ❗ /usr/local/bin/kubectl is version 1.21.2, which may have incompatibilites with Kubernetes 1.23.3. ▪ Want kubectl v1.23.3? Try 'minikube kubectl -- get pods -A' 🏄 Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
创建命名空间
(base) xiaoyu@localhost ~ % kubectl create namespace jenkins namespace/jenkins created
确定命名空间创建完成。
通过Helm安装jenkins
Helm 是 Kubernetes 的包管理器,可以简化jenkins的安装。
brew install helm
helm repo add jenkinsci https://charts.jenkins.iohelm repo update可以找到jenkinss包(base) xiaoyu@localhost ~ % helm search repo jenkinsciNAME CHART VERSION APP VERSION DESCRIPTION jenkinsci/jenkins 3.12.0 2.332.2 Jenkins - Build great things at any scale!
创建持久卷存储数据
我们采用持久卷的方式挂载数据,防止每次minikube重启的时候丢失数据。
以下内容存放在jenkins-volume.yaml中,注意,hostPath下path为绝对路径,需要根据实际情况更改。
apiVersion: v1 kind: PersistentVolume metadata: name: jenkins-pv namespace: jenkins spec: storageClassName: jenkins-pv accessModes: - ReadWriteOnce capacity: storage: 20Gi persistentVolumeReclaimPolicy: Retain hostPath: path: /Users/xiaoyu/develop/jenkins-pv/data/
在文件当前目录执行kubectl apply -f jenkins-volume.yaml。提示已经创建。
(base) xiaoyu@localhost jenkinss-pv % kubectl apply -f jenkins-volume.yamlpersistentvolume/jenkins-pv created
配置权限
(base) xiaoyu@localhost ~ % minikube ssh _ _ _ _ ( ) ( ) ___ ___ (_) ___ (_)| |/') _ _ | |_ __ /' _ ` _ `\| |/' _ `\| || , < ( ) ( )| '_`\ /'__`\| ( ) ( ) || || ( ) || || |\`\ | (_) || |_) )( ___/(_) (_) (_)(_)(_) (_)(_)(_) (_)`\___/'(_,__/'`\____)$ sudo chown -R 1000:1000 /Users/xiaoyu/develop/jenkinss-pv/data
创建jenkins用户
为了保证安全性,一般我们为某个单独的服务配置单独的管理员用户,用来处理单独的工作。在k8s中,默认配置一个和命名空间一致的用户作为这个命名空间内操作的授权用户。
基于文件即配置的思想,我们依然创建一个文件,名称是jenkins-sa.yaml,当然名称不是固定的,这样比较好区分。并将下面内容写入文件内,我们可以看到k8s是如何配置用户并分配权限的。
--- apiVersion: v1 kind: ServiceAccount metadata: name: jenkins namespace: jenkins --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" labels: kubernetes.io/bootstrapping: rbac-defaults name: jenkins rules: - apiGroups: - '*' resources: - statefulsets - services - replicationcontrollers - replicasets - podtemplates - podsecuritypolicies - pods - pods/log - pods/exec - podpreset - poddisruptionbudget - persistentvolumes - persistentvolumeclaims - jobs - endpoints - deployments - deployments/scale - daemonsets - cronjobs - configmaps - namespaces - events - secrets verbs: - create - get - watch - delete - list - patch - update - apiGroups: - "" resources: - nodes verbs: - get - list - watch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" labels: kubernetes.io/bootstrapping: rbac-defaults name: jenkins roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: jenkins subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts:jenkins
(base) xiaoyu@localhost jenkinss-pv % kubectl apply -f jenkins-sa.yamlserviceaccount/jenkins createdclusterrole.rbac.authorization.k8s.io/jenkins createdclusterrolebinding.rbac.authorization.k8s.io/jenkins created
以上操作分别完成了创建用户、创建权限、绑定权限操作。
安装 Jenkins
和上面操作一样,新建文件jenkins-values.yaml。
# Default values for jenkins. # This is a YAML-formatted file. # Declare name/value pairs to be passed into your templates. # name: value ## Overrides for generated resource names # See templates/_helpers.tpl # nameOverride: # fullnameOverride: # namespaceOverride: # For FQDN resolving of the controller service. Change this value to match your existing configuration. # ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md clusterZone: "cluster.local" renderHelmLabels: true controller: # Used for label app.kubernetes.io/component componentName: "jenkins-controller" image: "jenkins/jenkins" # tag: "2.332.2-jdk11" tagLabel: jdk11 imagePullPolicy: "Always" imagePullSecretName: # Optionally configure lifetime for controller-container lifecycle: # postStart: # exec: # command: # - "uname" # - "-a" disableRememberMe: false numExecutors: 0 # configures the executor mode of the Jenkins node. Possible values are: NORMAL or EXCLUSIVE executorMode: "NORMAL" # This is ignored if enableRawHtmlMarkupFormatter is true markupFormatter: plainText customJenkinsLabels: [] # The default configuration uses this secret to configure an admin user # If you don't need that user or use a different security realm then you can disable it adminSecret: true hostNetworking: false # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist. # If you disable the non-Jenkins identity store and instead use the Jenkins internal one, # you should revert controller.adminUser to your preferred admin user: adminUser: "admin" # adminPassword: <defaults to random> admin: existingSecret: "" userKey: xiaoyuqingnian passwordKey: xiaoyuqingnian # This values should not be changed unless you use your custom image of jenkins or any devired from. If you want to use # Cloudbees Jenkins Distribution docker, you should set jenkinsHome: "/var/cloudbees-jenkins-distribution" jenkinsHome: "/var/jenkins_home" # This values should not be changed unless you use your custom image of jenkins or any devired from. If you want to use # Cloudbees Jenkins Distribution docker, you should set jenkinsRef: "/usr/share/cloudbees-jenkins-distribution/ref" jenkinsRef: "/usr/share/jenkins/ref" # Path to the jenkins war file which is used by jenkins-plugin-cli. jenkinsWar: "/usr/share/jenkins/jenkins.war" # Overrides the default arguments passed to the war # overrideArgs: # - --httpPort=8080 resources: requests: cpu: "50m" memory: "256Mi" limits: cpu: "2000m" memory: "4096Mi" # Overrides the init container default values # initContainerResources: # requests: # cpu: "50m" # memory: "256Mi" # limits: # cpu: "2000m" # memory: "4096Mi" # Environment variables that get added to the init container (useful for e.g. http_proxy) # initContainerEnv: # - name: http_proxy # value: "http://192.168.64.1:3128" # containerEnv: # - name: http_proxy # value: "http://192.168.64.1:3128" # Set min/max heap here if needed with: # javaOpts: "-Xms512m -Xmx512m" # jenkinsOpts: "" # If you are using the ingress definitions provided by this chart via the `controller.ingress` block the configured hostname will be the ingress hostname starting with `https://` or `http://` depending on the `tls` configuration. # The Protocol can be overwritten by specifying `controller.jenkinsUrlProtocol`. # jenkinsUrlProtocol: "https" # If you are not using the provided ingress you can specify `controller.jenkinsUrl` to change the url definition. # jenkinsUrl: "" # If you set this prefix and use ingress controller then you might want to set the ingress path below # jenkinsUriPrefix: "/jenkins" # Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set) usePodSecurityContext: true # Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are # being deprecated and replaced by `podSecurityContextOverride`. # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins' which exists in 'jenkins/jenkins' docker image. # When setting runAsUser to a different value than 0 also set fsGroup to the same value: runAsUser: 1000 fsGroup: 1000 # If you have PodSecurityPolicies that require dropping of capabilities as suggested by CIS K8s benchmark, put them here securityContextCapabilities: {} # drop: # - NET_RAW # Completely overwrites the contents of the `securityContext`, ignoring the # values provided for the deprecated fields: `runAsUser`, `fsGroup`, and # `securityContextCapabilities`. In the case of mounting an ext4 filesystem, # it might be desirable to use `supplementalGroups` instead of `fsGroup` in # the `securityContext` block: https://github.com/kubernetes/kubernetes/issues/67014#issuecomment-589915496 # podSecurityContextOverride: # runAsUser: 1000 # runAsNonRoot: true # supplementalGroups: [1000] # # capabilities: {} # Container securityContext containerSecurityContext: runAsUser: 1000 runAsGroup: 1000 readOnlyRootFilesystem: true allowPrivilegeEscalation: false servicePort: 8080 targetPort: 8080 # For minikube, set this to NodePort, elsewhere use LoadBalancer # Use ClusterIP if your setup includes ingress controller serviceType: ClusterIP # Use Local to preserve the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, # but risks potentially imbalanced traffic spreading. serviceExternalTrafficPolicy: # Jenkins controller service annotations serviceAnnotations: {} # Jenkins controller custom labels statefulSetLabels: {} # foo: bar # bar: foo # Jenkins controller service labels serviceLabels: {} # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https # Put labels on Jenkins controller pod podLabels: {} # Used to create Ingress record (should used with ServiceType: ClusterIP) # nodePort: <to set explicitly, choose port between 30000-32767 # Enable Kubernetes Startup, Liveness and Readiness Probes # if Startup Probe is supported, enable it too # ~ 2 minutes to allow Jenkins to restart when upgrading plugins. Set ReadinessTimeout to be shorter than LivenessTimeout. healthProbes: true probes: startupProbe: httpGet: path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login' port: http periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 12 livenessProbe: failureThreshold: 5 httpGet: path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login' port: http periodSeconds: 10 timeoutSeconds: 5 # If Startup Probe is not supported on your Kubernetes cluster, you might want to use "initialDelaySeconds" instead. # It delays the initial liveness probe while Jenkins is starting # initialDelaySeconds: 60 readinessProbe: failureThreshold: 3 httpGet: path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login' port: http periodSeconds: 10 timeoutSeconds: 5 # If Startup Probe is not supported on your Kubernetes cluster, you might want to use "initialDelaySeconds" instead. # It delays the initial readyness probe while Jenkins is starting # initialDelaySeconds: 60 # PodDisruptionBudget config podDisruptionBudget: enabled: false # For Kubernetes v1.5+, use 'policy/v1beta1' # For Kubernetes v1.21+, use 'policy/v1' apiVersion: "policy/v1beta1" annotations: {} labels: {} # maxUnavailable: "0" agentListenerEnabled: true agentListenerPort: 50000 agentListenerHostPort: agentListenerNodePort: agentListenerExternalTrafficPolicy: agentListenerLoadBalancerSourceRanges: - 0.0.0.0/0 disabledAgentProtocols: - JNLP-connect - JNLP2-connect csrf: defaultCrumbIssuer: enabled: true proxyCompatability: true # Kubernetes service type for the JNLP agent service # agentListenerServiceType is the Kubernetes Service type for the JNLP agent service, # either 'LoadBalancer', 'NodePort', or 'ClusterIP' # Note if you set this to 'LoadBalancer', you *must* define annotations to secure it. By default # this will be an external load balancer and allowing inbound 0.0.0.0/0, a HUGE # security risk: https://github.com/kubernetes/charts/issues/1341 agentListenerServiceType: "ClusterIP" # Optionally assign an IP to the LoadBalancer agentListenerService LoadBalancer # GKE users: only regional static IPs will work for Service Load balancer. agentListenerLoadBalancerIP: agentListenerServiceAnnotations: {} # Example of 'LoadBalancer' type of agent listener with annotations securing it # agentListenerServiceType: LoadBalancer # agentListenerServiceAnnotations: # service.beta.kubernetes.io/aws-load-balancer-internal: "True" # service.beta.kubernetes.io/load-balancer-source-ranges: "172.0.0.0/8, 10.0.0.0/8" # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to # set allowed inbound rules on the security group assigned to the controller load balancer loadBalancerSourceRanges: - 0.0.0.0/0 # Optionally assign a known public LB IP # loadBalancerIP: 1.2.3.4 # Optionally configure a JMX port # requires additional javaOpts, ie # javaOpts: > # -Dcom.sun.management.jmxremote.port=4000 # -Dcom.sun.management.jmxremote.authenticate=false # -Dcom.sun.management.jmxremote.ssl=false # jmxPort: 4000 # Optionally configure other ports to expose in the controller container extraPorts: [] # - name: BuildInfoProxy # port: 9000 # List of plugins to be install during Jenkins controller start installPlugins: - kubernetes:1.31.3 - workflow-aggregator:2.6 - git:4.10.2 - configuration-as-code:1414.v878271fc496f # Set to false to download the minimum required version of all dependencies. installLatestPlugins: true # Set to true to download latest dependencies of any plugin that is requested to have the latest version. installLatestSpecifiedPlugins: false # List of plugins to install in addition to those listed in controller.installPlugins additionalPlugins: [] # Enable to initialize the Jenkins controller only once on initial installation. # Without this, whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates which has the potential to cause breakage. # Note that for this to work, `persistence.enabled` needs to be set to `true` initializeOnce: false # Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment. # overwritePlugins: true # Configures if plugins bundled with `controller.image` should be overwritten with the values of 'controller.installPlugins' on upgrade or redeployment. overwritePluginsFromImage: true # Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter), useful with ghprb plugin. # The plugin is not installed by default, please update controller.installPlugins. enableRawHtmlMarkupFormatter: false # Used to approve a list of groovy functions in pipelines used the script-security plugin. Can be viewed under /scriptApproval scriptApproval: [] # - "method groovy.json.JsonSlurperClassic parseText java.lang.String" # - "new groovy.json.JsonSlurperClassic" # List of groovy init scripts to be executed during Jenkins controller start initScripts: [] # - | # print 'adding global pipeline libraries, register properties, bootstrap jobs...' # 'name' is a name of an existing secret in same namespace as jenkins, # 'keyName' is the name of one of the keys inside current secret. # the 'name' and 'keyName' are concatenated with a '-' in between, so for example: # an existing secret "secret-credentials" and a key inside it named "github-password" should be used in Jcasc as ${secret-credentials-github-password} # 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-', # and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc') additionalExistingSecrets: [] # - name: secret-name-1 # keyName: username # - name: secret-name-1 # keyName: password additionalSecrets: [] # - name: nameOfSecret # value: secretText # Generate SecretClaim resources in order to create Kubernetes secrets from HashiCorp Vault using kube-vault-controller. # 'name' is name of the secret that will be created in Kubernetes. The Jenkins fullname is prepended to this value. # 'path' is the fully qualified path to the secret in Vault # 'type' is an optional Kubernetes secret type. Defaults to 'Opaque' # 'renew' is an optional secret renewal time in seconds secretClaims: [] # - name: secretName # required # path: testPath # required # type: kubernetes.io/tls # optional # renew: 60 # optional # Name of default cloud configuration. cloudName: "kubernetes" # Below is the implementation of Jenkins Configuration as Code. Add a key under configScripts for each configuration area, # where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value. # Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each | # become the content of the configuration yaml file. The first line after this is a JCasC root element, eg jenkins, credentials, # etc. Best reference is https://<jenkins_url>/configuration-as-code/reference. The example below creates a welcome message: JCasC: defaultConfig: true configScripts: {} # welcome-message: | # jenkins: # systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'. # Ignored if securityRealm is defined in controller.JCasC.configScripts and # ignored if controller.enableXmlConfig=true as controller.securityRealm takes precedence securityRealm: |- local: allowsSignup: false enableCaptcha: false users: - id: "${chart-admin-username}" name: "Jenkins Admin" password: "${chart-admin-password}" # Ignored if authorizationStrategy is defined in controller.JCasC.configScripts authorizationStrategy: |- loggedInUsersCanDoAnything: allowAnonymousRead: false # Optionally specify additional init-containers customInitContainers: [] # - name: custom-init # image: "alpine:3.7" # imagePullPolicy: Always # command: [ "uname", "-a" ] sidecars: configAutoReload: # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot. If false or not-specified, # jcasc changes will cause a reboot and will only be applied at the subsequent start-up. Auto-reload uses the # http://<jenkins_url>/reload-configuration-as-code endpoint to reapply config when changes to the configScripts are detected. enabled: true image: kiwigrid/k8s-sidecar:1.15.0 imagePullPolicy: IfNotPresent resources: {} # limits: # cpu: 100m # memory: 100Mi # requests: # cpu: 50m # memory: 50Mi # How many connection-related errors to retry on reqRetryConnect: 10 # env: # - name: REQ_TIMEOUT # value: "30" # SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random. # Is only used to reload jcasc config from the sidecar container running in the Jenkins controller pod. # This TCP port will not be open in the pod (unless you specifically configure this), so Jenkins will not be # accessible via SSH from outside of the pod. Note if you use non-root pod privileges (runAsUser & fsGroup), # this must be > 1024: sshTcpPort: 1044 # folder in the pod that should hold the collected dashboards: folder: "/var/jenkins_home/casc_configs" # If specified, the sidecar will search for JCasC config-maps inside this namespace. # Otherwise the namespace in which the sidecar is running will be used. # It's also possible to specify ALL to search in all namespaces: # searchNamespace: containerSecurityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false # Allows you to inject additional/other sidecars other: [] ## The example below runs the client for https://smee.io as sidecar container next to Jenkins, ## that allows to trigger build behind a secure firewall. ## https://jenkins.io/blog/2019/01/07/webhook-firewalls/#triggering-builds-with-webhooks-behind-a-secure-firewall ## ## Note: To use it you should go to https://smee.io/new and update the url to the generete one. # - name: smee # image: docker.io/twalter/smee-client:1.0.2 # args: ["--port", "{{ .Values.controller.servicePort }}", "--path", "/github-webhook/", "--url", "https://smee.io/new"] # resources: # limits: # cpu: 50m # memory: 128Mi # requests: # cpu: 10m # memory: 32Mi # Name of the Kubernetes scheduler to use schedulerName: "" # Node labels and tolerations for pod assignment # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature nodeSelector: {} terminationGracePeriodSeconds: terminationMessagePath: terminationMessagePolicy: tolerations: [] affinity: {} # Leverage a priorityClass to ensure your pods survive resource shortages # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ priorityClassName: podAnnotations: {} # Add StatefulSet annotations statefulSetAnnotations: {} # StatefulSet updateStrategy # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies updateStrategy: {} ingress: enabled: false # Override for the default paths that map requests to the backend paths: [] # - backend: # serviceName: ssl-redirect # servicePort: use-annotation # - backend: # serviceName: >- # {{ template "jenkins.fullname" . }} # # Don't use string here, use only integer value! # servicePort: 8080 # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' # For Kubernetes v1.19+, use 'networking.k8s.io/v1' apiVersion: "extensions/v1beta1" labels: {} annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress # ingressClassName: nginx # Set this path to jenkinsUriPrefix above or use annotations to rewrite path # path: "/jenkins" # configures the hostname e.g. jenkins.example.com hostName: tls: # - secretName: jenkins.cluster.local # hosts: # - jenkins.cluster.local # often you want to have your controller all locked down and private # but you still want to get webhooks from your SCM # A secondary ingress will let you expose different urls # with a differnt configuration secondaryingress: enabled: false # paths you want forwarded to the backend # ex /github-webhook paths: [] # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' # For Kubernetes v1.19+, use 'networking.k8s.io/v1' apiVersion: "extensions/v1beta1" labels: {} annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress # ingressClassName: nginx # configures the hostname e.g. jenkins-external.example.com hostName: tls: # - secretName: jenkins-external.example.com # hosts: # - jenkins-external.example.com # If you're running on GKE and need to configure a backendconfig # to finish ingress setup, use the following values. # Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig backendconfig: enabled: false apiVersion: "extensions/v1beta1" name: labels: {} annotations: {} spec: {} # Openshift route route: enabled: false labels: {} annotations: {} # path: "/jenkins" # controller.hostAliases allows for adding entries to Pod /etc/hosts: # https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ hostAliases: [] # - ip: 192.168.50.50 # hostnames: # - something.local # - ip: 10.0.50.50 # hostnames: # - other.local # Expose Prometheus metrics prometheus: # If enabled, add the prometheus plugin to the list of plugins to install # https://plugins.jenkins.io/prometheus enabled: false # Additional labels to add to the ServiceMonitor object serviceMonitorAdditionalLabels: {} # Set a custom namespace where to deploy ServiceMonitor resource # serviceMonitorNamespace: monitoring scrapeInterval: 60s # This is the default endpoint used by the prometheus plugin scrapeEndpoint: /prometheus # Additional labels to add to the PrometheusRule object alertingRulesAdditionalLabels: {} # An array of prometheus alerting rules # See here: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ # The `groups` root object is added by default, simply add the rule entries alertingrules: [] # Set a custom namespace where to deploy PrometheusRule resource prometheusRuleNamespace: "" # Can be used to disable rendering controller test resources when using helm template testEnabled: true httpsKeyStore: jenkinsHttpsJksSecretName: '' enable: false httpPort: 8081 path: "/var/jenkins_keystore" fileName: "keystore.jks" password: "password" # Convert keystore.jks files content to base64 ( cat keystore.jks | base64 ) and put the output here jenkinsKeyStoreBase64Encoded: | /u3+7QAAAAIAAAABAAAAAQANamVua2luc2NpLmNvbQAAAW2r/b1ZAAAFATCCBP0wDgYKKwYBBAEq AhEBAQUABIIE6QbCqasvoHS0pSwYqSvdydMCB9t+VNfwhFIiiuAelJfO5sSe2SebJbtwHgLcRz1Z gMtWgOSFdl3bWSzA7vrW2LED52h+jXLYSWvZzuDuh8hYO85m10ikF6QR+dTi4jra0whIFDvq3pxe TnESxEsN+DvbZM3jA3qsjQJSeISNpDjO099dqQvHpnCn18lyk7J4TWJ8sOQQb1EM2zDAfAOSqA/x QuPEFl74DlY+5DIk6EBvpmWhaMSvXzWZACGA0sYqa157dq7O0AqmuLG/EI5EkHETO4CrtBW+yLcy 2dUCXOMA+j+NjM1BjrQkYE5vtSfNO6lFZcISyKo5pTFlcA7ut0Fx2nZ8GhHTn32CpeWwNcZBn1gR pZVt6DxVVkhTAkMLhR4rL2wGIi/1WRs23ZOLGKtyDNvDHnQyDiQEoJGy9nAthA8aNHa3cfdF10vB Drb19vtpFHmpvKEEhpk2EBRF4fTi644Fuhu2Ied6118AlaPvEea+n6G4vBz+8RWuVCmZjLU+7h8l Hy3/WdUPoIL5eW7Kz+hS+sRTFzfu9C48dMkQH3a6f3wSY+mufizNF9U298r98TnYy+PfDJK0bstG Ph6yPWx8DGXKQBwrhWJWXI6JwZDeC5Ny+l8p1SypTmAjpIaSW3ge+KgcL6Wtt1R5hUV1ajVwVSUi HF/FachKqPqyLJFZTGjNrxnmNYpt8P1d5JTvJfmfr55Su/P9n7kcyWp7zMcb2Q5nlXt4tWogOHLI OzEWKCacbFfVHE+PpdrcvCVZMDzFogIq5EqGTOZe2poPpBVE+1y9mf5+TXBegy5HToLWvmfmJNTO NCDuBjgLs2tdw2yMPm4YEr57PnMX5gGTC3f2ZihXCIJDCRCdQ9sVBOjIQbOCzxFXkVITo0BAZhCi Yz61wt3Ud8e//zhXWCkCsSV+IZCxxPzhEFd+RFVjW0Nm9hsb2FgAhkXCjsGROgoleYgaZJWvQaAg UyBzMmKDPKTllBHyE3Gy1ehBNGPgEBChf17/9M+j8pcm1OmlM434ctWQ4qW7RU56//yq1soFY0Te fu2ei03a6m68fYuW6s7XEEK58QisJWRAvEbpwu/eyqfs7PsQ+zSgJHyk2rO95IxdMtEESb2GRuoi Bs+AHNdYFTAi+GBWw9dvEgqQ0Mpv0//6bBE/Fb4d7b7f56uUNnnE7mFnjGmGQN+MvC62pfwfvJTT EkT1iZ9kjM9FprTFWXT4UmO3XTvesGeE50sV9YPm71X4DCQwc4KE8vyuwj0s6oMNAUACW2ClU9QQ y0tRpaF1tzs4N42Q5zl0TzWxbCCjAtC3u6xf+c8MCGrr7DzNhm42LOQiHTa4MwX4x96q7235oiAU iQqSI/hyF5yLpWw4etyUvsx2/0/0wkuTU1FozbLoCWJEWcPS7QadMrRRISxHf0YobIeQyz34regl t1qSQ3dCU9D6AHLgX6kqllx4X0fnFq7LtfN7fA2itW26v+kAT2QFZ3qZhINGfofCja/pITC1uNAZ gsJaTMcQ600krj/ynoxnjT+n1gmeqThac6/Mi3YlVeRtaxI2InL82ZuD+w/dfY9OpPssQjy3xiQa jPuaMWXRxz/sS9syOoGVH7XBwKrWpQcpchozWJt40QV5DslJkclcr8aC2AGlzuJMTdEgz1eqV0+H bAXG9HRHN/0eJTn1/QAAAAEABVguNTA5AAADjzCCA4swggJzAhRGqVxH4HTLYPGO4rzHcCPeGDKn xTANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCY2ExEDAOBgNVBAgMB29udGFyaW8xEDAOBgNV BAcMB3Rvcm9udG8xFDASBgNVBAoMC2plbmtpbnN0ZXN0MRkwFwYDVQQDDBBqZW5raW5zdGVzdC5p bmZvMR0wGwYJKoZIhvcNAQkBFg50ZXN0QHRlc3QuaW5mbzAeFw0xOTEwMDgxNTI5NTVaFw0xOTEx MDcxNTI5NTVaMIGBMQswCQYDVQQGEwJjYTEQMA4GA1UECAwHb250YXJpbzEQMA4GA1UEBwwHdG9y b250bzEUMBIGA1UECgwLamVua2luc3Rlc3QxGTAXBgNVBAMMEGplbmtpbnN0ZXN0LmluZm8xHTAb BgkqhkiG9w0BCQEWDnRlc3RAdGVzdC5pbmZvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEA02q352JTHGvROMBhSHvSv+vnoOTDKSTz2aLQn0tYrIRqRo+8bfmMjXuhkwZPSnCpvUGNAJ+w Jrt/dqMoYUjCBkjylD/qHmnXN5EwS1cMg1Djh65gi5JJLFJ7eNcoSsr/0AJ+TweIal1jJSP3t3PF 9Uv21gm6xdm7HnNK66WpUUXLDTKaIs/jtagVY1bLOo9oEVeLN4nT2CYWztpMvdCyEDUzgEdDbmrP F5nKUPK5hrFqo1Dc5rUI4ZshL3Lpv398aMxv6n2adQvuL++URMEbXXBhxOrT6rCtYzbcR5fkwS9i d3Br45CoWOQro02JAepoU0MQKY5+xQ4Bq9Q7tB9BAwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAe 4xc+mSvKkrKBHg9/zpkWgZUiOp4ENJCi8H4tea/PCM439v6y/kfjT/okOokFvX8N5aa1OSz2Vsrl m8kjIc6hiA7bKzT6lb0EyjUShFFZ5jmGVP4S7/hviDvgB5yEQxOPpumkdRP513YnEGj/o9Pazi5h /MwpRxxazoda9r45kqQpyG+XoM4pB+Fd3JzMc4FUGxfVPxJU4jLawnJJiZ3vqiSyaB0YyUL+Er1Q 6NnqtR4gEBF0ZVlQmkycFvD4EC2boP943dLqNUvop+4R3SM1QMM6P5u8iTXtHd/VN4MwMyy1wtog hYAzODo1Jt59pcqqKJEas0C/lFJEB3frw4ImNx5fNlJYOpx+ijfQs9m39CevDq0= agent: enabled: true defaultsProviderTemplate: "" # URL for connecting to the Jenkins contoller jenkinsUrl: # connect to the specified host and port, instead of connecting directly to the Jenkins controller jenkinsTunnel: kubernetesConnectTimeout: 5 kubernetesReadTimeout: 15 maxRequestsPerHostStr: "32" namespace: image: "jenkins/inbound-agent" tag: "4.11.2-4" workingDir: "/home/jenkins/agent" nodeUsageMode: "NORMAL" customJenkinsLabels: [] # name of the secret to be used for image pulling imagePullSecretName: componentName: "jenkins-agent" websocket: false privileged: false runAsUser: runAsGroup: resources: requests: cpu: "512m" memory: "512Mi" limits: cpu: "512m" memory: "512Mi" # You may want to change this to true while testing a new image alwaysPullImage: false # Controls how agent pods are retained after the Jenkins build completes # Possible values: Always, Never, OnFailure podRetention: "Never" # Disable if you do not want the Yaml the agent pod template to show up # in the job Console Output. This can be helpful for either security reasons # or simply to clean up the output to make it easier to read. showRawYaml: true # You can define the volumes that you want to mount for this container # Allowed types are: ConfigMap, EmptyDir, HostPath, Nfs, PVC, Secret # Configure the attributes as they appear in the corresponding Java class for that type # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes volumes: [] # - type: ConfigMap # configMapName: myconfigmap # mountPath: /var/myapp/myconfigmap # - type: EmptyDir # mountPath: /var/myapp/myemptydir # memory: false # - type: HostPath # hostPath: /var/lib/containers # mountPath: /var/myapp/myhostpath # - type: Nfs # mountPath: /var/myapp/mynfs # readOnly: false # serverAddress: "192.0.2.0" # serverPath: /var/lib/containers # - type: PVC # claimName: mypvc # mountPath: /var/myapp/mypvc # readOnly: false # - type: Secret # defaultMode: "600" # mountPath: /var/myapp/mysecret # secretName: mysecret # Pod-wide environment, these vars are visible to any container in the agent pod # You can define the workspaceVolume that you want to mount for this container # Allowed types are: DynamicPVC, EmptyDir, HostPath, Nfs, PVC # Configure the attributes as they appear in the corresponding Java class for that type # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace workspaceVolume: {} ## DynamicPVC example # type: DynamicPVC # configMapName: myconfigmap ## EmptyDir example # type: EmptyDir # memory: false ## HostPath example # type: HostPath # hostPath: /var/lib/containers ## NFS example # type: Nfs # readOnly: false # serverAddress: "192.0.2.0" # serverPath: /var/lib/containers ## PVC example # type: PVC # claimName: mypvc # readOnly: false # # Pod-wide environment, these vars are visible to any container in the agent pod envVars: [] # - name: PATH # value: /usr/local/bin nodeSelector: {} # Key Value selectors. Ex: # jenkins-agent: v1 # Executed command when side container gets started command: args: "${computer.jnlpmac} ${computer.name}" # Side container name sideContainerName: "jnlp" # Doesn't allocate pseudo TTY by default TTYEnabled: false # Max number of spawned agent containerCap: 10 # Pod name podName: "default" # Allows the Pod to remain active for reuse until the configured number of # minutes has passed since the last step was executed on it. idleMinutes: 0 # Raw yaml template for the Pod. For example this allows usage of toleration for agent pods. # https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ yamlTemplate: "" # yamlTemplate: |- # apiVersion: v1 # kind: Pod # spec: # tolerations: # - key: "key" # operator: "Equal" # value: "value" # Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates: merge or override yamlMergeStrategy: "override" # Timeout in seconds for an agent to be online connectTimeout: 100 # Annotations to apply to the pod. annotations: {} # Disable the default Jenkins Agent configuration. # Useful when configuring agents only with the podTemplates value, since the default podTemplate populated by values mentioned above will be excluded in the rendered template. disableDefaultAgent: false # Below is the implementation of custom pod templates for the default configured kubernetes cloud. # Add a key under podTemplates for each pod template. Each key (prior to | character) is just a label, and can be any value. # Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label # characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers. # For this pod templates configuration to be loaded the following values must be set: # controller.JCasC.defaultConfig: true # Best reference is https://<jenkins_url>/configuration-as-code/reference#Cloud-kubernetes. The example below creates a python pod template. podTemplates: {} # python: | # - name: python # label: jenkins-python # serviceAccount: jenkins # containers: # - name: python # image: python:3 # command: "/bin/sh -c" # args: "cat" # ttyEnabled: true # privileged: true # resourceRequestCpu: "400m" # resourceRequestMemory: "512Mi" # resourceLimitCpu: "1" # resourceLimitMemory: "1024Mi" # Here you can add additional agents # They inherit all values from `agent` so you only need to specify values which differ additionalAgents: {} # maven: # podName: maven # customJenkinsLabels: maven # # An example of overriding the jnlp container # # sideContainerName: jnlp # image: jenkins/jnlp-agent-maven # tag: latest # python: # podName: python # customJenkinsLabels: python # sideContainerName: python # image: python # tag: "3" # command: "/bin/sh -c" # args: "cat" # TTYEnabled: true persistence: enabled: true ## A manually managed Persistent Volume and Claim ## Requires persistence.enabled: true ## If defined, PVC must be created manually before volume will be bound existingClaim: ## jenkins data Persistent Volume Storage Class ## If defined, storageClassName: <storageClass> ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## storageClass: jenkins-pv annotations: {} labels: {} accessMode: "ReadWriteOnce" size: "8Gi" volumes: # - name: nothing # emptyDir: {} mounts: # - mountPath: /var/nothing # name: nothing # readOnly: true networkPolicy: # Enable creation of NetworkPolicy resources. enabled: false # For Kubernetes v1.4, v1.5 and v1.6, use 'extensions/v1beta1' # For Kubernetes v1.7, use 'networking.k8s.io/v1' apiVersion: networking.k8s.io/v1 # You can allow agents to connect from both within the cluster (from within specific/all namespaces) AND/OR from a given external IP range internalAgents: allowed: true podLabels: {} namespaceLabels: {} # project: myproject externalAgents: {} # ipCIDR: 172.17.0.0/16 # except: # - 172.17.1.0/24 ## Install Default RBAC roles and bindings rbac: create: true readSecrets: false serviceAccount: create: false # The name of the service account is autogenerated by default name: jenkins annotations: {} imagePullSecretName: serviceAccountAgent: # Specifies whether a ServiceAccount should be created create: false # The name of the ServiceAccount to use. # If not set and create is true, a name is generated using the fullname template name: annotations: {} imagePullSecretName: ## Backup cronjob configuration ## Ref: https://github.com/maorfr/kube-tasks backup: # Backup must use RBAC # So by enabling backup you are enabling RBAC specific for backup enabled: false # Used for label app.kubernetes.io/component componentName: "backup" # Schedule to run jobs. Must be in cron time format # Ref: https://crontab.guru/ schedule: "0 2 * * *" labels: {} serviceAccount: create: true name: annotations: {} # Example for authorization to AWS S3 using kube2iam or IRSA # Can also be done using environment variables # iam.amazonaws.com/role: "jenkins" # "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/jenkins-backup" # Set this to terminate the job that is running/failing continously and set the job status to "Failed" activeDeadlineSeconds: "" image: repository: "maorfr/kube-tasks" tag: "0.2.0" # Additional arguments for kube-tasks # Ref: https://github.com/maorfr/kube-tasks#simple-backup extraArgs: [] # Add existingSecret for AWS credentials existingSecret: {} ## Example for using an existing secret # jenkinsaws: ## Use this key for AWS access key ID # awsaccesskey: jenkins_aws_access_key ## Use this key for AWS secret access key # awssecretkey: jenkins_aws_secret_key # Add additional environment variables # jenkinsgcp: ## Use this key for GCP credentials # gcpcredentials: credentials.json env: [] # Example environment variable required for AWS credentials chain # - name: "AWS_REGION" # value: "us-east-1" resources: requests: memory: 1Gi cpu: 1 limits: memory: 1Gi cpu: 1 # Destination to store the backup artifacts # Supported cloud storage services: AWS S3, Minio S3, Azure Blob Storage, Google Cloud Storage # Additional support can added. Visit this repository for details # Ref: https://github.com/maorfr/skbn destination: "s3://jenkins-data/backup" # By enabling only the jenkins_home/jobs folder gets backed up, not the whole jenkins instance onlyJobs: false # Enable backup pod security context (must be `true` if runAsUser or fsGroup are set) usePodSecurityContext: true # When setting runAsUser to a different value than 0 also set fsGroup to the same value: runAsUser: 1000 fsGroup: 1000 securityContextCapabilities: {} # drop: # - NET_RAW checkDeprecation: true awsSecurityGroupPolicies: enabled: false policies: - name: "" securityGroupIds: [] podSelector: {}
chart=jenkinsci/jenkins
(base) xiaoyu@localhost jenkinss-pv % helm install jenkins -n jenkins -f jenkins-values.yaml $chartNAME: jenkinsLAST DEPLOYED: Thu Apr 28 09:52:04 2022NAMESPACE: jenkinsSTATUS: deployedREVISION: 1NOTES:1. Get your 'admin' user password by running: kubectl exec --namespace jenkins -it svc/jenkins -c jenkins -- /bin/cat /run/secrets/chart-admin-password && echo2. Get the Jenkins URL to visit by running these commands in the same shell: echo http://127.0.0.1:8080 kubectl --namespace jenkins port-forward svc/jenkins 8080:80803. Login with the password from step 1 and the username: admin4. Configure security realm and authorization strategy5. Use Jenkins Configuration as Code by specifying configScripts in your values.yaml file, see documentation: http:///configuration-as-code and examples: https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demosFor more information on running Jenkins on Kubernetes, visit:https://cloud.google.com/solutions/jenkins-on-container-engineFor more information about Jenkins Configuration as Code, visit:https://jenkins.io/projects/jcasc/NOTE: Consider using a custom image with pre-installed plugins
上面已经提示部署完成了,接下来获取初始密码。
(base) xiaoyu@localhost jenkinss-pv % jsonpath="{.data.jenkins-admin-password}"(base) xiaoyu@localhost jenkinss-pv % secret=$(kubectl get secret -n jenkins jenkins -o jsonpath=$jsonpath)(base) xiaoyu@localhost jenkinss-pv % echo $(echo $secret | base64 --decode)By8cnPs8g8s1vO4MgCYRIw
得到初始密码之后,获取jenkins的URL。
(base) xiaoyu@localhost jenkinss-pv % jsonpath="{.spec.ports[0].nodePort}"(base) xiaoyu@localhost jenkinss-pv % NODE_PORT=$(kubectl get -n jenkins -o jsonpath=$jsonpath services jenkins)(base) xiaoyu@localhost jenkinss-pv % jsonpath="{.items[0].status.addresses[0].address}"(base) xiaoyu@localhost jenkinss-pv % NODE_IP=$(kubectl get nodes -n jenkins -o jsonpath=$jsonpath)(base) xiaoyu@localhost jenkinss-pv % echo http://$NODE_IP:$NODE_PORT/loginhttp://192.168.64.3:/login
获取jenkins的pod信息。
(base) xiaoyu@localhost jenkinss-pv % kubectl get pods -n jenkinsNAME READY STATUS RESTARTS AGEjenkins-0 2/2 Running 0 4h52m
同样配置在控制面板中我们也可以看到,注意切换命名空间。
配置接口转发。
(base) xiaoyu@localhost jenkinss-pv % kubectl -n jenkins port-forward jenkins-0 8080:8080Forwarding from 127.0.0.1:8080 -> 8080Forwarding from [::1]:8080 -> 8080
这样就可以访问到了,用户名admin,密码对应上面的查到的密码。
六、总结
本文介绍了两种jenkins的部署方式,其中基于k8s的部署方式是重点,后续的jenkins的实践也是基于在k8s上展开的。
