Installation

# Carthago Operator for Jenkins Helm chart

# apiVersion is the version of the Custom Resources manifests
apiVersion: carthago.cloud/v1beta1

# operator is section for configuring operator deployment
operator:

  replicaCount: 1

  # image is the name (and tag) of the Carthago Operator for Jenkins image
  image: carthago.azurecr.io/carthago-op-jenkins:0.14.4

  # imagePullPolicy defines policy for pulling images
  imagePullPolicy: IfNotPresent

  # command
  command:
    - /manager

  # args is used to specify flags
  args:
    - --leader-elect=true

  # nameOverride overrides the app name
  nameOverride: ""

  # fullnameOverride overrides the deployment name
  fullnameOverride: ""

  # Resource limit/request for Carthago Operator
  # See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ for details
  resources: {}

  # NodeSelector for Carthago Operator
  # For more details see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  nodeSelector: {}

  # Tolerations are applied to pods, and allow the pods to schedule onto nodes with matching taints.
  # See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more details
  tolerations: []

  # Affinity allows you to constrain which nodes your pod is eligible to be scheduled on, based on labels on the node.
  # For more details see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  # watchedNamespaces specifies namespaces that will be watched by the operator
  watchedNamespaces:
    - jenkins

  # licenseSecretName specifies a name for the secret with license key. For paid plan features to be available,
  # a secret with this name containing valid information must be present in the same namespace as Carthago Operator
  # is deployed in.
  licenseSecretName: ""

# Carthago Operator for Jenkins Custom Resources Helm chart

# apiVersion is the version of the Custom Resources manifests
apiVersion: carthago.cloud/v1beta1

# Jenkins instance configuration
jenkins:
  # enabled can enable or disable the Jenkins instance
  # Set to false if you have configured CR already and/or you want to deploy an operator only
  enabled: true

  # name of resource
  # The pod name will be jenkins-<name> (name will be set as suffix)
  name: jenkins

  # labels are injected into metadata labels field
  #labels: {}

  # annotations are injected into metadata annotations field
  annotations: {}

  # podLabels are injected into Jenkins Controller Pod's metadata labels field
  podLabels: {}

  # podSpec
  podSpec:
    initContainers: []
    sidecars: []
    jenkinsController:
      name: jenkins-controller
      image: jenkins/jenkins:2.332.1-lts
      imagePullPolicy: IfNotPresent
      command: []
      livenessProbe: {}
      readinessProbe: {}
      # Resource limit/request for Jenkins
      # See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ for details
      resources:
        limits:
          cpu: 1500m
          memory: 3Gi
        requests:
          cpu: 1
          memory: 500Mi
      env: []
      envFrom: []
      volumeMounts: []
    volumes: []
    restartPolicy: ""
    imagePullSecrets: []
    hostAliases: []
    podSecurityContext: {}
    affinity: {}
    priorityClassName: ""
    tolerations: []

  # homePVC allows setting PersistentVolumeClaim properties for Jenkins home
  homePVC: {}

  # accessMode specifies the way Jenkins home Volume can be mounted
  # accessMode: ""

  # resourceStorage is the volume size of Jenkins home Volume
  # resourceStorage: ""

  # storageClassName is the name of the StorageClass required by the claim
  # storageClassName: ""
  # storageClassName: ""

  # pluginsCache allows setting plugins cache specific pvc properties
  # pluginsCache is not available in the free plan and requires a valid license
  pluginsCache: {}

  # accessMode specifies the way the plugins cache can be mounted
  # accessMode: ""

  # resourceStorage is the plugins cache volume size
  # resourceStorage: ""

  # storageClassName is the name of the StorageClass required by the claim
  # storageClassName: ""

  # plugins are plugins required by the user
  # You can define plugins here
  #
  # Example:
  #
  # plugins:
  # - name: jacoco
  #   version: "3.1.1"
  plugins: []

  # roles define a list of extra RBAC roles for the Jenkins Master pod service account
  roles: []

  # services allow configuring Jenkins services
  services: {}
#    Http is Jenkins web UI service
#    http:
#      labels are injected into metadata labels field
#      labels: {}
#
#      annotations are injected into metadata annotations field
#      annotations: {}
#
#      Spec describes the attributes that a user creates on a service.
#      spec: {}
#
#    Agent is Jenkins agent service
#    agent:
#      labels are injected into metadata labels field
#      labels: {}
#
#      annotations are injected into metadata annotations field
#      annotations: {}
#
#      Spec describes the attributes that a user creates on a service.
#      spec: {}

  # defines authorization strategy of the operator for the Jenkins API.
  authorizationStrategy: createUser

  # disableCSRFProtection can enable or disable operator built-in CSRF protection
  # Set it to true if you are using OpenShift Jenkins Plugin
  # See https://github.com/jenkinsci/kubernetes-operator/pull/193 for more info
  disableCSRFProtection: false

  # pluginSnapshot creates a configMap containing all the plugins in Jenkins at a particular moment and allows to keep a history of changes and restore
  pluginSnapshot: {}
#    restoreEnabled makes Jenkins use plugins specified in snapshotConfigMapRef
#    restoreEnabled: false
#
#    snapshotConfigMapRef specifies which configMap to use for restore if restoreEnabled is set. Otherwise it will overwrite the configMap whenever plugins change
#    snapshotConfigMapRef:
#      name: "config-map-name"
#
#    snapshotHistoryLength specifies, how many historical snapshots are to be kept. Has no effect if snapshotConfigMapRef is specified
#    snapshotHistoryLength: 3

# jenkinsGroovyScriptsEnabled can enable or disable the JenkinsGroovyScript instances
# Set to false if you have configured CR(s) already and/or you want to deploy an operator only
jenkinsGroovyScriptsEnabled: true

# JenkinsGroovyScripts instances configuration
# JenkinsGroovyScriptSpec defines the desired state of JenkinsGroovyScript. It allows to write Groovy Scripts to modify the Jenkins.
jenkinsGroovyScripts:
  # name of resource
  - name: groovy

    # labels are injected into metadata labels field. Each JenkinsSeedJob Custom Resource need to reference corresponding
    # Jenkins Custom Resource via labels field
    labels:
      carthago.cloud/jenkins: jenkins

    # annotations are injected into metadata annotations field
    annotations: {}

    # data is inline Groovy script
    data: |
      import jenkins.model.Jenkins
      def systemMessage = "Hello from v1beta1.JenkinsGroovyScript!"
      Jenkins jenkins = Jenkins.getInstance()
      jenkins.setSystemMessage(systemMessage)
      jenkins.save()
      println "Hello world!"      
    # secretRef is secret reference which allows to inject the secrets into Groovy script code
    #secretRef:
      #name: ""
      #namespace: ""

    # dependsOn is JenkinsGroovyScript reference which determines the order of the Groovy scripts
    #dependsOn:
      #name: ""
      #namespace: ""

# jenkinsSeedJobsEnabled can enable or disable the JenkinsSeedJobs instances
# Set to false if you have configured CR(s) already and/or you want to deploy an operator only
jenkinsSeedJobsEnabled: true

# JenkinsSeedJobs instances configuration
# See https://docs.carthago.cloud/latest-version/getting-started/seedjob-configuration/ for additional info
jenkinsSeedJobs:
  # name of resource
  - name: example

    # labels are injected into metadata labels field. Each JenkinsSeedJob Custom Resource need to reference corresponding
    # Jenkins Custom Resource via labels field
    labels:
      carthago.cloud/jenkins: jenkins

    # annotations are injected into metadata annotations field
    annotations: {}

    # Repository is VCS repository settings
    repository:

      # branch is the repository branch where seed job definitions are stored
      branch: master

      # URL is the repository access URL. Can be SSH or HTTPS.
      url: https://github.com/jenkinsci/kubernetes-operator.git

      # targets is the path from repository root where seed job definitions are stored
      targets: "cicd/jobs/*.jenkins"

      # credentialID is the Kubernetes secret name which stores repository access credentials
      credentialID: ""

      # credentialType is the https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/ credential type (optional)
      # allowed types:
      # "" define none Jenkins credential type
      # "basicSSHUserPrivateKey" basic SSH Jenkins credential type
      # "usernamePassword" define username & password Jenkins credential type
      # "external" defines other credential type
      credentialType: ""

    # agentRef represents a Jenkins Kubernetes Agent Reference. It has enough information to retrieve agent
    # in any namespace
    #agentRef:

      # name is unique within a namespace to reference a secret resource.
      #name:

      # namespace defines the space within which the secret name must be unique.
      #namespace:

    # triggers define circumstances that execute jobs
    triggers:

      # bitbucketTrigger is used for Bitbucket web hooks (optional)
      bitbucketTrigger:
        push: false

      # gitHubTrigger is used for GitHub web hooks (optional)
      gitHubTrigger:
        push: false

      # buildPeriodically is used for scheduled timer trigger (optional)
      buildPeriodically: ""

      # pollSCM is setting for polling changes in SCM (optional)
      pollSCM: ""

    # settings configure the job build options
    settings:

      # ignoreMissingFiles is setting for Job DSL API plugin to ignore files that are missing (optional)
      ignoreMissingFiles: false

      # additionalClasspath is setting for Job DSL API plugin to set Additional Classpath (optional)
      additionalClasspath: ""

      # failOnMissingPlugin is setting for Job DSL API plugin that fails job if required plugin is missing (optional)
      failOnMissingPlugin: false

      # unstableOnDeprecation is setting for Job DSL API plugin that sets build status as unstable if build using deprecated features (optional)
      unstableOnDeprecation: false

# jenkinsConfigurationsAsCodeEnabled can enable or disable the JenkinsConfigurationAsCode instances
# Set to false if you have configured CR(s) already and/or you want to deploy an operator only
jenkinsConfigurationsAsCodeEnabled: true

# JenkinsConfigurationAsCode instances configuration
# For configuration as code creation tutorial, check https://docs.carthago.cloud/latest-version/getting-started/customization/
jenkinsConfigurationsAsCode:
  # name of resource
  - name: casc

    # labels are injected into metadata labels field. Each JenkinsConfigurationAsCode Custom Resource need to reference corresponding
    # Jenkins Custom Resource via labels field
    labels:
      carthago.cloud/jenkins: jenkins

    # annotations are injected into metadata annotations field
    annotations: {}

    # data is inline Groovy script
    data: |
      jenkins:
        systemMessage: |
          Welcome to your CI/CD server managed by Carthago Operator for Jenkins!      
    # secretRef is secret reference which allows to inject the secrets into Configuration As Code script
    #secretRef:
      #name: ""
      #namespace: ""

# jenkinsKubernetesAgentEnabled can enable or disable the JenkinsKubernetesAgent instances
# Set to false if you have configured CR(s) already and/or you want to deploy an operator only
jenkinsKubernetesAgentEnabled: true

# JenkinsKubernetesAgent instances configuration
# In the free plan, only 1 jenkinsKubernetesAgent can be configured, and its name must be equal to seed-job-agent
# For configuration as code creation tutorial, check https://docs.carthago.cloud/latest-version/getting-started/seedjob-configuration/
jenkinsKubernetesAgents:
  # name of resource
  # in the free plan, it must be equal to seed-job-agent
  - name: seed-job-agent

    # labels are injected into metadata labels field. Each JenkinsKubernetesAgent Custom Resource need to reference corresponding
    # Jenkins Custom Resource via labels field
    labels:
      carthago.cloud/jenkins: jenkins

    # annotations are injected into metadata annotations field
    annotations: {}

    # PodSpec allows setting Jenkins Kubernetes Agent specific pod properties
    podSpec:
      containers:
        - name: jnlp
          image: jenkins/inbound-agent:4.11.2-4
          imagePullPolicy: IfNotPresent
    # Description of Jenkins Agent
    description: ""

    # Executors defines the maximum number of concurrent builds that Jenkins may perform on this node.
    executors:

    # RemoteRootDirectory is directory dedicated to Jenkins for temporary files storage purposes.
    remoteRootDirectory: ""

    # Usage controls how Jenkins schedules builds on this node.
    # Available usage options are defined by AgentUsage enum
    usage: ""

    # TunnelConnectionThrough allows to route connection to another host
    # Field allowed values: "HOST:PORT", ":PORT" and "HOST:"
    tunnelConnectionThrough: ""

    # JVMOptions are additional startup arguments for Java Virtual Machine which runs agent
    jvmOptions: ""

    # Roles defines list of extra RBAC roles for the Jenkins Kubernetes Agent pod service account
    roles: []

# JenkinsAuthenticationEnabled can enable or disable the JenkinsAuthentication instance
# Set to true if you want to deploy the resource, set to false if have configured CR(s) already and/or you want to deploy an operator only
jenkinsAuthenticationEnabled: false

# JenkinsAuthentication configuration
# It is not available in the free plan and requires a valid license.
# For authentication creation tutorial, check https://docs.carthago.cloud/latest-version/getting-started/authentication/
jenkinsAuthentication:
  # name of resource
  name: authentication

  # labels are injected into metadata labels field. Each JenkinsAuthentication Custom Resource need to reference corresponding
  # Jenkins Custom Resource via labels field
  labels:
    carthago.cloud/jenkins: jenkins

  # annotations are injected into metadata annotations field
  annotations: {}

  # type indicates which authentication provider is set
  type: "githubOAuth"

  # githubOAuth is configuration for GitHub OAuth provider
  githubOAuth:
    # clientID is the client ID you received from GitHub for your OAuth App.
    clientID: ""

    # clientSecretRef is a secret reference which allows to safely pass into Authorization Spec. Has to contain "clientSecret" key with value of
    # the client secret you received from GitHub for your OAuth App.
    clientSecretRef:
      name: ""
      namespace: ""

    # WebURI used if you are using GitHub Enterprise. The URL to the web UI root of your GitHub installation.
    # The 'https://' or 'http://' part needs to be specified. There should not be any trailing slash (/).
    # By default set to 'https://github.com'. (optional)
    webUri: "https://github.com"

    # APIURI used if you are using GitHub Enterprise. The URI to the API root of your GitHub installation.
    # The 'https://' or 'http://' part needs to be specified. There should not be any trailing slash (/).
    # By default set to 'https://api.github.com'. (optional)
    apiUri: "https://api.github.com"

    # Scopes let you specify exactly what your app is requesting access to. Scopes limit access for OAuth tokens.
    # They do not grant any additional permission beyond that which the user already has.
    # By default these are set to "org:user,user:email" (optional)
    scopes:
      - "read:org"
      - "user:email"

  # googleOAuth is configuration for Google OAuth provider
  googleOAuth:
    # clientID is the client ID you from Google OAuth credentials
    clientID: ""

    # clientSecretRef is a secret reference which allows to safely pass into Authorization Spec. Has to contain "clientSecret" key with value of
    # the client secret from Google OAuth credentials
    clientSecretRef:
      name: ""
      namespace: ""

    # Domain is the public domain of your Jenkins instance. Leave empty for localhost (optional)
    domain: ""

  # openIDConnectAuth is configuration for various authentication providers compliant with OpenID Connect standard.
  # For more information, visit the documentation of the oic-auth: https://github.com/jenkinsci/oic-auth-plugin
  openIDConnectAuth:
    # clientID is the client ID you received from your identity provider
    clientID: ""

    # clientSecretRef is a secret reference which lets you safely pass the client secret to Authentication Spec.
    # The secret has to contain the "clientSecret" key with value of the client secret from OpenID Connect credentials.
    clientSecretRef:
      name: ""
      namespace: ""

    # autoManualConfigure specifies configuration mode. This can be either auto or manual.
    # If set to auto, WellKnownOpenIDConfigurationURL will be required and configuration will be fetched from the
    # well-known configuration endpoint. If set to false, tokenServerURL and authorizationServerURL will be required.
    autoManualConfig: ""

    # WellKnownOpenIDConfigurationURL is an endpoint with well-known configuration endpoint, where your OpenID server
    # publishes its metadata. Required when autoManualConfigure is set to auto, otherwise optional.
    wellKnownOpenIDConfigurationURL: ""

    # Required when autoManualConfigure is set to manual, otherwise optional.
    tokenServerURL: ""

    # Required when autoManualConfigure is set to manual, otherwise optional.
    authorizationServerURL: ""

    # (optional)
    userInfoServerURL: ""

    # (optional)
    userNameField: ""

    # (optional)
    tokenFieldToCheckKey: ""

    # (optional)
    tokenFieldToCheckValue: ""

    # (optional)
    fullNameFieldName: ""

    # (optional)
    emailFieldName: ""

    # scopes are used to specify access privileges while authenticating. It is a string containing space-separated
    # scopes. (optional)
    #
    # Example:
    #
    # scopes: "openid email profile"
    scopes: ""

    # (optional)
    groupsFieldName: ""

    # (optional)
    disableSSLVerification: false

    # logoutFromOpenIDProvider specifies whether to call endSessionEndpoint on logout from Jenkins. (optional)
    logoutFromOpenIDProvider: false

    # endSessionEndpoint is an endpoint to be called on logging out from Jenkins.
    # Required when logoutFromOpenIDProvider is set to true, otherwise optional.
    endSessionEndpoint: ""

    # (optional)
    postLogoutRedirectURL: ""

    # (optional)
    escapeHatchEnabled: false

    # (optional)
    escapeHatchUsername: ""

    # escapeHatchSecretRef is a secret reference which lets you safely pass the escape hatch secret to Authentication Spec.
    # It is required when EscapeHatchEnabled is set to true.
    # The secret has to contain the "escapeHatchSecret" key with value of the client secret from OpenID Connect credentials.
    # Required when escapeHatchEnabled is set to true, otherwise optional.
    escapeHatchSecretRef:
      name: ""
      namespace: ""

    # (optional)
    escapeHatchGroup: ""

  samlAuth:
    # idpMetadata is Identity Provider Metadata in XML format.
    # idpMetadata:

    # idpMetadataURL The Identity Provider metadata file source URL. If you provide idpMetadataURL please add refreshPeriod.
    idpMetadataURL:

    # refreshPeriod in minutes between Identity Provider metadata refreshes. Setting it to 0 disables refreshing metadata.
    refreshPeriod:

    # displayNameAttribute is the name of the attribute that carries the display name (optional)
    displayNameAttribute:

    # groupAttribute is the name of the attribute that carries user groups (optional)
    groupAttribute:

    # maximumAuthenticationLifetime is the number of seconds since the user was authenticated in IdP for which his authentication is considering as active.
    maximumAuthenitcationLifetime:

    # usernameAttribute is the name of the attribute that carries user name which will be used as the Jenkins ID (optional).
    usernameAttribute:

    # emailAttribute is the field name of email attribute in SAML response. (optional)
    emailAttribute:

    # usernameCaseConversion specifies how ID returned from SAML will be converted to the username for Authorization.
    usernameCaseConversion:

    # dataBindingMethod SAML specifies the method of redirection binding that will be used by SAML plugin.
    # The plugin supports HTTP-Redirect and HTTP-POST and by default it uses HTTP-Redirect.
    # Enum: http-post ; http-redirect
    dataBindingMethod:

    # logoutURL is the logout URL of your Identity Provider. Users will be redirected there on logout.
    logoutURL:

    # advancedConfiguration:

      # forceAuthentication specifies whether to request the SAML IdP to force reauthentication of the user,
      # rather than allowing an existing session with the IdP to be reused.
      # (optional) bool
      # forceAuthentication:

      # authenticationContext makes SAML IdP use a specific authentication context instead of its default one.
      # If left empty, default authentication context will be used.
      # (optional)
      # authenticationContext:

      # SPEntityID it overrides the default Entity ID for this Service Provider.
      # (optional)
      # SPEntityID:

      # nameIDPolicyFormat:

    # encryptionConfiguration can be used to specify the keystore details if your provider requires encryption or signing.
    # encryptionConfiguration:

      # keystorePath is the path to the keystore file created with the keygen command.
      # (optional)
      # keystorePath:

      # keystorePassword is the password used in the -storepass argument of the keytool command.
      # (optional)
      # keystorePasswordRef: 

      # privateKeyAlias is the alias used in the -alias argument of the keytool< command.
      # (optional)
      # privateKeyAlias:

      # privateKeyPassword is the password used in the -keypass argument of keytool.
      # (optional)
      # privateKeyPasswordRef:

      # authRequestSignature enables signature of the Redirect Binding Auth Request.
      # If you enable it the encryption and signing key would available in the SP metadata file and URL (JENKINS_URL/securityRealm/metadata).
      # (optional) bool
      # authRequestSignature:

      # wantsAssertionSigned makes authentication accept only signed assertion sent by the IdP.
      # (optional) bool
      # wantsAssertionSigned:

# JenkinsAuthorizationEnabled can enable or disable the jenkinsAuthorization instance
# Set to true if you want to deploy the resource, set to false if have configured CR(s) already and/or you want to deploy an operator only
jenkinsAuthorizationEnabled: false

# JenkinsAuthorization configuration
# For authorization creation tutorial, check https://docs.carthago.cloud/latest-version/getting-started/authorization/
jenkinsAuthorization:
  # name of resource
  name: authorization

  # labels are injected into metadata labels field. Each JenkinsAuthorization Custom Resource need to reference corresponding
  # Jenkins Custom Resource via labels field
  labels:
    carthago.cloud/jenkins: jenkins

  # annotations are injected into metadata annotations field
  annotations: {}

  # type indicates which authorization provider is set
  type: "matrix"

  # Matrix Authorization Strategy
  matrix:
    users:
      - name: "user-example"
        permissions:
          - Overall/Read

  # Role-Based Authorization Strategy
  roleBased:
    roles:
      - name: "reader"
        permissions:
          - Overall/Read
        usersOrGroups:
          - anonymous