Take note of the name of the secret. You will need to provide it later in the values.yaml file
for the Operator.
Add carthago to your list of Helm chart repositories
If you’re installing Carthago Operator for Jenkins for the first time, you need to add the Carthago Helm charts repository to your
local list of chart repositories. You can do that with:
If you’re updating Carthago Operator for Jenkins, you need to update your list of repositories to get the latest charts.
You can do that with:
$ helm repo update carthago
Prepare values.yaml files
Next, prepare your two values.yaml files, values-operator.yaml and values-crs.yaml, and specify the
desired configuration for the Operator and the other available Custom Resources.
Don’t forget to specify the namespace you created for Jenkins under operator.watchedNamespaces in values-operator.yaml.
In the paid version, one operator instance is capable of watching multiple namespaces and Jenkins instances.
It’s recommended to have a separate namespace for each Jenkins instance.
You can copy and customize the default files:
# Carthago Operator for Jenkins Helm chart

# apiVersion is the version of the Custom Resources manifests
apiVersion: carthago.cloud/v1beta1

# operator is section for configuring operator deployment
operator:
  replicaCount: 1

  # image is the name (and tag) of the Carthago Operator for Jenkins image
  image: carthago.azurecr.io/carthago-op-jenkins:0.14.4

  # imagePullPolicy defines policy for pulling images
  imagePullPolicy: IfNotPresent

  # command
  command:
    - /manager

  # args is used to specify flags
  args:
    - --leader-elect=true

  # nameOverride overrides the app name
  nameOverride: ""

  # fullnameOverride overrides the deployment name
  fullnameOverride: ""

  # Resource limit/request for Carthago Operator
  # See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ for details
  resources: {}

  # NodeSelector for Carthago Operator
  # For more details see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  nodeSelector: {}

  # Tolerations are applied to pods, and allow the pods to schedule onto nodes with matching taints.
  # See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more details
  tolerations: []

  # Affinity allows you to constrain which nodes your pod is eligible to be scheduled on, based on labels on the node.
  # For more details see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  # watchedNamespaces specifies namespaces that will be watched by the operator
  watchedNamespaces:
    - jenkins

  # licenseSecretName specifies a name for the secret with license key. For paid plan features to be available,
  # a secret with this name containing valid information must be present in the same namespace as Carthago Operator
  # is deployed in.
  licenseSecretName: ""

# Carthago Operator for Jenkins Custom Resources Helm chart

# apiVersion is the version of the Custom Resources manifests
apiVersion: carthago.cloud/v1beta1

# Jenkins instance configuration
jenkins:
  # enabled can enable or disable the Jenkins instance
  # Set to false if you have configured CR already and/or you want to deploy an operator only
  enabled: true

  # name of resource
  # The pod name will be jenkins-<name> (name will be set as suffix)
  name: jenkins

  # labels are injected into metadata labels field
  #labels: {}

  # annotations are injected into metadata annotations field
  annotations: {}

  # podLabels are injected into Jenkins Controller Pod's metadata labels field
  podLabels: {}

  # podSpec
  podSpec:
    initContainers: []
    sidecars: []
    jenkinsController:
      name: jenkins-controller
      image: jenkins/jenkins:2.332.1-lts
      imagePullPolicy: IfNotPresent
      command: []
      livenessProbe: {}
      readinessProbe: {}
      # Resource limit/request for Jenkins
      # See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ for details
      resources:
        limits:
          cpu: 1500m
          memory: 3Gi
        requests:
          cpu: 1
          memory: 500Mi
      env: []
      envFrom: []
      volumeMounts: []
    volumes: []
    restartPolicy: ""
    imagePullSecrets: []
    hostAliases: []
    podSecurityContext: {}
    affinity: {}
    priorityClassName: ""
    tolerations: []

  # homePVC allows setting PersistentVolumeClaim properties for Jenkins home
  homePVC: {}
    # accessMode specifies the way Jenkins home Volume can be mounted
    # accessMode: ""
    # resourceStorage is the volume size of Jenkins home Volume
    # resourceStorage: ""
    # storageClassName is the name of the StorageClass required by the claim
    # storageClassName: ""

  # pluginsCache allows setting plugins cache specific pvc properties
  # pluginsCache is not available in the free plan and requires a valid license
  pluginsCache: {}
    # accessMode specifies the way the plugins cache can be mounted
    # accessMode: ""
    # resourceStorage is the plugins cache volume size
    # resourceStorage: ""
    # storageClassName is the name of the StorageClass required by the claim
    # storageClassName: ""

  # plugins are plugins required by the user
  # You can define plugins here
  #
  # Example:
  #
  # plugins:
  #   - name: jacoco
  #     version: "3.1.1"
  plugins: []

  # roles define a list of extra RBAC roles for the Jenkins Master pod service account
  roles: []

  # services allow configuring Jenkins services
  services: {}
    # Http is Jenkins web UI service
    # http:
      # labels are injected into metadata labels field
      # labels: {}
      #
      # annotations are injected into metadata annotations field
      # annotations: {}
      #
      # Spec describes the attributes that a user creates on a service.
      # spec: {}
    #
    # Agent is Jenkins agent service
    # agent:
      # labels are injected into metadata labels field
      # labels: {}
      #
      # annotations are injected into metadata annotations field
      # annotations: {}
      #
      # Spec describes the attributes that a user creates on a service.
      # spec: {}

  # defines authorization strategy of the operator for the Jenkins API.
  authorizationStrategy: createUser

  # disableCSRFProtection can enable or disable operator built-in CSRF protection
  # Set it to true if you are using OpenShift Jenkins Plugin
  # See https://github.com/jenkinsci/kubernetes-operator/pull/193 for more info
  disableCSRFProtection: false

  # pluginSnapshot creates a configMap containing all the plugins in Jenkins at a particular moment and allows to keep a history of changes and restore
  pluginSnapshot: {}
    # restoreEnabled makes Jenkins use plugins specified in snapshotConfigMapRef
    # restoreEnabled: false
    #
    # snapshotConfigMapRef specifies which configMap to use for restore if restoreEnabled is set. Otherwise it will overwrite the configMap whenever plugins change
    # snapshotConfigMapRef:
    #   name: "config-map-name"
    #
    # snapshotHistoryLength specifies, how many historical snapshots are to be kept. Has no effect if snapshotConfigMapRef is specified
    # snapshotHistoryLength: 3

# jenkinsGroovyScriptsEnabled can enable or disable the JenkinsGroovyScript instances
# Set to false if you have configured CR(s) already and/or you want to deploy an operator only
jenkinsGroovyScriptsEnabled: true

# JenkinsGroovyScripts instances configuration
# JenkinsGroovyScriptSpec defines the desired state of JenkinsGroovyScript. It allows to write Groovy Scripts to modify the Jenkins.
jenkinsGroovyScripts:
  # name of resource
  - name: groovy

    # labels are injected into metadata labels field. Each JenkinsSeedJob Custom Resource needs to reference corresponding
    # Jenkins Custom Resource via labels field
    labels:
      carthago.cloud/jenkins: jenkins

    # annotations are injected into metadata annotations field
    annotations: {}

    # data is inline Groovy script
    data: |
      import jenkins.model.Jenkins
      def systemMessage = "Hello from v1beta1.JenkinsGroovyScript!"
      Jenkins jenkins = Jenkins.getInstance()
      jenkins.setSystemMessage(systemMessage)
      jenkins.save()
      println "Hello world!"

    # secretRef is secret reference which allows to inject the secrets into Groovy script code
    #secretRef:
      #name: ""
      #namespace: ""

    # dependsOn is JenkinsGroovyScript reference which determines the order of the Groovy scripts
    #dependsOn:
      #name: ""
      #namespace: ""

# jenkinsSeedJobsEnabled can enable or disable the JenkinsSeedJobs instances
# Set to false if you have configured CR(s) already and/or you want to deploy an operator only
jenkinsSeedJobsEnabled: true

# JenkinsSeedJobs instances configuration
# See https://docs.carthago.cloud/latest-version/getting-started/seedjob-configuration/ for additional info
jenkinsSeedJobs:
  # name of resource
  - name: example

    # labels are injected into metadata labels field. Each JenkinsSeedJob Custom Resource needs to reference corresponding
    # Jenkins Custom Resource via labels field
    labels:
      carthago.cloud/jenkins: jenkins

    # annotations are injected into metadata annotations field
    annotations: {}

    # Repository is VCS repository settings
    repository:
      # branch is the repository branch where seed job definitions are stored
      branch: master

      # URL is the repository access URL. Can be SSH or HTTPS.
      url: https://github.com/jenkinsci/kubernetes-operator.git

      # targets is the path from repository root where seed job definitions are stored
      targets: "cicd/jobs/*.jenkins"

      # credentialID is the Kubernetes secret name which stores repository access credentials
      credentialID: ""

      # credentialType is the https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/ credential type (optional)
      # allowed types:
      # "" define none Jenkins credential type
      # "basicSSHUserPrivateKey" basic SSH Jenkins credential type
      # "usernamePassword" define username & password Jenkins credential type
      # "external" defines other credential type
      credentialType: ""

    # agentRef represents a Jenkins Kubernetes Agent Reference. It has enough information to retrieve agent
    # in any namespace
    #agentRef:
      # name is unique within a namespace to reference a secret resource.
      #name:
      # namespace defines the space within which the secret name must be unique.
      #namespace:

    # triggers define circumstances that execute jobs
    triggers:
      # bitbucketTrigger is used for Bitbucket web hooks (optional)
      bitbucketTrigger:
        push: false

      # gitHubTrigger is used for GitHub web hooks (optional)
      gitHubTrigger:
        push: false

      # buildPeriodically is used for scheduled timer trigger (optional)
      buildPeriodically: ""

      # pollSCM is setting for polling changes in SCM (optional)
      pollSCM: ""

    # settings configure the job build options
    settings:
      # ignoreMissingFiles is setting for Job DSL API plugin to ignore files that are missing (optional)
      ignoreMissingFiles: false

      # additionalClasspath is setting for Job DSL API plugin to set Additional Classpath (optional)
      additionalClasspath: ""

      # failOnMissingPlugin is setting for Job DSL API plugin that fails job if required plugin is missing (optional)
      failOnMissingPlugin: false

      # unstableOnDeprecation is setting for Job DSL API plugin that sets build status as unstable if build using deprecated features (optional)
      unstableOnDeprecation: false

# jenkinsConfigurationsAsCodeEnabled can enable or disable the JenkinsConfigurationAsCode instances
# Set to false if you have configured CR(s) already and/or you want to deploy an operator only
jenkinsConfigurationsAsCodeEnabled: true

# JenkinsConfigurationAsCode instances configuration
# For configuration as code creation tutorial, check https://docs.carthago.cloud/latest-version/getting-started/customization/
jenkinsConfigurationsAsCode:
  # name of resource
  - name: casc

    # labels are injected into metadata labels field. Each JenkinsConfigurationAsCode Custom Resource needs to reference corresponding
    # Jenkins Custom Resource via labels field
    labels:
      carthago.cloud/jenkins: jenkins

    # annotations are injected into metadata annotations field
    annotations: {}

    # data is inline Groovy script
    data: |
      jenkins:
        systemMessage: |
          Welcome to your CI/CD server managed by Carthago Operator for Jenkins!

    # secretRef is secret reference which allows to inject the secrets into Configuration As Code script
    #secretRef:
      #name: ""
      #namespace: ""

# jenkinsKubernetesAgentEnabled can enable or disable the JenkinsKubernetesAgent instances
# Set to false if you have configured CR(s) already and/or you want to deploy an operator only
jenkinsKubernetesAgentEnabled: true

# JenkinsKubernetesAgent instances configuration
# In the free plan, only 1 jenkinsKubernetesAgent can be configured, and its name must be equal to seed-job-agent
# For configuration as code creation tutorial, check https://docs.carthago.cloud/latest-version/getting-started/seedjob-configuration/
jenkinsKubernetesAgents:
  # name of resource
  # in the free plan, it must be equal to seed-job-agent
  - name: seed-job-agent

    # labels are injected into metadata labels field. Each JenkinsKubernetesAgent Custom Resource needs to reference corresponding
    # Jenkins Custom Resource via labels field
    labels:
      carthago.cloud/jenkins: jenkins

    # annotations are injected into metadata annotations field
    annotations: {}

    # PodSpec allows setting Jenkins Kubernetes Agent specific pod properties
    podSpec:
      containers:
        - name: jnlp
          image: jenkins/inbound-agent:4.11.2-4
          imagePullPolicy: IfNotPresent

    # Description of Jenkins Agent
    description: ""

    # Executors defines the maximum number of concurrent builds that Jenkins may perform on this node.
    executors:

    # RemoteRootDirectory is directory dedicated to Jenkins for temporary files storage purposes.
    remoteRootDirectory: ""

    # Usage controls how Jenkins schedules builds on this node.
    # Available usage options are defined by AgentUsage enum
    usage: ""

    # TunnelConnectionThrough allows to route connection to another host
    # Field allowed values: "HOST:PORT", ":PORT" and "HOST:"
    tunnelConnectionThrough: ""

    # JVMOptions are additional startup arguments for Java Virtual Machine which runs agent
    jvmOptions: ""

    # Roles defines list of extra RBAC roles for the Jenkins Kubernetes Agent pod service account
    roles: []

# JenkinsAuthenticationEnabled can enable or disable the JenkinsAuthentication instance
# Set to true if you want to deploy the resource, set to false if have configured CR(s) already and/or you want to deploy an operator only
jenkinsAuthenticationEnabled: false

# JenkinsAuthentication configuration
# It is not available in the free plan and requires a valid license.
# For authentication creation tutorial, check https://docs.carthago.cloud/latest-version/getting-started/authentication/
jenkinsAuthentication:
  # name of resource
  name: authentication

  # labels are injected into metadata labels field. Each JenkinsAuthentication Custom Resource needs to reference corresponding
  # Jenkins Custom Resource via labels field
  labels:
    carthago.cloud/jenkins: jenkins

  # annotations are injected into metadata annotations field
  annotations: {}

  # type indicates which authentication provider is set
  type: "githubOAuth"

  # githubOAuth is configuration for GitHub OAuth provider
  githubOAuth:
    # clientID is the client ID you received from GitHub for your OAuth App.
    clientID: ""

    # clientSecretRef is a secret reference which allows to safely pass into Authorization Spec. Has to contain "clientSecret" key with value of
    # the client secret you received from GitHub for your OAuth App.
    clientSecretRef:
      name: ""
      namespace: ""

    # WebURI used if you are using GitHub Enterprise. The URL to the web UI root of your GitHub installation.
    # The 'https://' or 'http://' part needs to be specified. There should not be any trailing slash (/).
    # By default set to 'https://github.com'. (optional)
    webUri: "https://github.com"

    # APIURI used if you are using GitHub Enterprise. The URI to the API root of your GitHub installation.
    # The 'https://' or 'http://' part needs to be specified. There should not be any trailing slash (/).
    # By default set to 'https://api.github.com'. (optional)
    apiUri: "https://api.github.com"

    # Scopes let you specify exactly what your app is requesting access to. Scopes limit access for OAuth tokens.
    # They do not grant any additional permission beyond that which the user already has.
    # By default these are set to "org:user,user:email" (optional)
    scopes:
      - "read:org"
      - "user:email"

  # googleOAuth is configuration for Google OAuth provider
  googleOAuth:
    # clientID is the client ID from your Google OAuth credentials
    clientID: ""

    # clientSecretRef is a secret reference which allows to safely pass into Authorization Spec. Has to contain "clientSecret" key with value of
    # the client secret from Google OAuth credentials
    clientSecretRef:
      name: ""
      namespace: ""

    # Domain is the public domain of your Jenkins instance. Leave empty for localhost (optional)
    domain: ""

  # openIDConnectAuth is configuration for various authentication providers compliant with OpenID Connect standard.
  # For more information, visit the documentation of the oic-auth: https://github.com/jenkinsci/oic-auth-plugin
  openIDConnectAuth:
    # clientID is the client ID you received from your identity provider
    clientID: ""

    # clientSecretRef is a secret reference which lets you safely pass the client secret to Authentication Spec.
    # The secret has to contain the "clientSecret" key with value of the client secret from OpenID Connect credentials.
    clientSecretRef:
      name: ""
      namespace: ""

    # autoManualConfigure specifies configuration mode. This can be either auto or manual.
    # If set to auto, WellKnownOpenIDConfigurationURL will be required and configuration will be fetched from the
    # well-known configuration endpoint. If set to manual, tokenServerURL and authorizationServerURL will be required.
    autoManualConfig: ""

    # WellKnownOpenIDConfigurationURL is an endpoint with well-known configuration endpoint, where your OpenID server
    # publishes its metadata. Required when autoManualConfigure is set to auto, otherwise optional.
    wellKnownOpenIDConfigurationURL: ""

    # Required when autoManualConfigure is set to manual, otherwise optional.
    tokenServerURL: ""

    # Required when autoManualConfigure is set to manual, otherwise optional.
    authorizationServerURL: ""

    # (optional)
    userInfoServerURL: ""

    # (optional)
    userNameField: ""

    # (optional)
    tokenFieldToCheckKey: ""

    # (optional)
    tokenFieldToCheckValue: ""

    # (optional)
    fullNameFieldName: ""

    # (optional)
    emailFieldName: ""

    # scopes are used to specify access privileges while authenticating. It is a string containing space-separated
    # scopes. (optional)
    #
    # Example:
    #
    # scopes: "openid email profile"
    scopes: ""

    # (optional)
    groupsFieldName: ""

    # (optional)
    disableSSLVerification: false

    # logoutFromOpenIDProvider specifies whether to call endSessionEndpoint on logout from Jenkins. (optional)
    logoutFromOpenIDProvider: false

    # endSessionEndpoint is an endpoint to be called on logging out from Jenkins.
    # Required when logoutFromOpenIDProvider is set to true, otherwise optional.
    endSessionEndpoint: ""

    # (optional)
    postLogoutRedirectURL: ""

    # (optional)
    escapeHatchEnabled: false

    # (optional)
    escapeHatchUsername: ""

    # escapeHatchSecretRef is a secret reference which lets you safely pass the escape hatch secret to Authentication Spec.
    # It is required when EscapeHatchEnabled is set to true.
    # The secret has to contain the "escapeHatchSecret" key with value of the client secret from OpenID Connect credentials.
    # Required when escapeHatchEnabled is set to true, otherwise optional.
    escapeHatchSecretRef:
      name: ""
      namespace: ""

    # (optional)
    escapeHatchGroup: ""

  samlAuth:
    # idpMetadata is Identity Provider Metadata in XML format.
    # idpMetadata:

    # idpMetadataURL The Identity Provider metadata file source URL. If you provide idpMetadataURL please add refreshPeriod.
    idpMetadataURL:

    # refreshPeriod in minutes between Identity Provider metadata refreshes. Setting it to 0 disables refreshing metadata.
    refreshPeriod:

    # displayNameAttribute is the name of the attribute that carries the display name (optional)
    displayNameAttribute:

    # groupAttribute is the name of the attribute that carries user groups (optional)
    groupAttribute:

    # maximumAuthenticationLifetime is the number of seconds since the user was authenticated in IdP for which his authentication is considered active.
    maximumAuthenitcationLifetime:

    # usernameAttribute is the name of the attribute that carries user name which will be used as the Jenkins ID (optional).
    usernameAttribute:

    # emailAttribute is the field name of email attribute in SAML response. (optional)
    emailAttribute:

    # usernameCaseConversion specifies how ID returned from SAML will be converted to the username for Authorization.
    usernameCaseConversion:

    # dataBindingMethod SAML specifies the method of redirection binding that will be used by SAML plugin.
    # The plugin supports HTTP-Redirect and HTTP-POST and by default it uses HTTP-Redirect.
    # Enum: http-post ; http-redirect
    dataBindingMethod:

    # logoutURL is the logout URL of your Identity Provider. Users will be redirected there on logout.
    logoutURL:

    # advancedConfiguration:
      # forceAuthentication specifies whether to request the SAML IdP to force reauthentication of the user,
      # rather than allowing an existing session with the IdP to be reused.
      # (optional) bool
      # forceAuthentication:

      # authenticationContext makes SAML IdP use a specific authentication context instead of its default one.
      # If left empty, default authentication context will be used.
      # (optional)
      # authenticationContext:

      # SPEntityID it overrides the default Entity ID for this Service Provider.
      # (optional)
      # SPEntityID:

      # nameIDPolicyFormat:

    # encryptionConfiguration can be used to specify the keystore details if your provider requires encryption or signing.
    # encryptionConfiguration:
      # keystorePath is the path to the keystore file created with the keygen command.
      # (optional)
      # keystorePath:

      # keystorePassword is the password used in the -storepass argument of the keytool command.
      # (optional)
      # keystorePasswordRef:

      # privateKeyAlias is the alias used in the -alias argument of the keytool command.
      # (optional)
      # privateKeyAlias:

      # privateKeyPassword is the password used in the -keypass argument of keytool.
      # (optional)
      # privateKeyPasswordRef:

      # authRequestSignature enables signature of the Redirect Binding Auth Request.
      # If you enable it the encryption and signing key would available in the SP metadata file and URL (JENKINS_URL/securityRealm/metadata).
      # (optional) bool
      # authRequestSignature:

      # wantsAssertionSigned makes authentication accept only signed assertion sent by the IdP.
      # (optional) bool
      # wantsAssertionSigned:

# JenkinsAuthorizationEnabled can enable or disable the jenkinsAuthorization instance
# Set to true if you want to deploy the resource, set to false if have configured CR(s) already and/or you want to deploy an operator only
jenkinsAuthorizationEnabled: false

# JenkinsAuthorization configuration
# For authorization creation tutorial, check https://docs.carthago.cloud/latest-version/getting-started/authorization/
jenkinsAuthorization:
  # name of resource
  name: authorization

  # labels are injected into metadata labels field. Each JenkinsAuthorization Custom Resource needs to reference corresponding
  # Jenkins Custom Resource via labels field
  labels:
    carthago.cloud/jenkins: jenkins

  # annotations are injected into metadata annotations field
  annotations: {}

  # type indicates which authorization provider is set
  type: "matrix"

  # Matrix Authorization Strategy
  matrix:
    users:
      - name: "user-example"
        permissions:
          - Overall/Read

  # Role-Based Authorization Strategy
  roleBased:
    roles:
      - name: "reader"
        permissions:
          - Overall/Read
        usersOrGroups:
          - anonymous

Paid plan users need to set operator.licenseSecretName in values-operator.yaml to match the name of the license
secret created earlier. Otherwise, the licensing mechanism won’t be able to find it.
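
A pre-install consistency check for the two values files, as an added example that is not part of Carthago's charts or documentation. It takes each file already parsed into a dict (for instance with PyYAML's yaml.safe_load) and flags the mistakes this page warns about plus two weakened security settings. The function names, finding texts and sample data are constructed here, and the code assumes that disableCSRFProtection and pluginsCache sit under jenkins and that the carthago.cloud/jenkins label value is the Jenkins resource name, as in the default file.

```python
JENKINS_LABEL = "carthago.cloud/jenkins"
SECTIONS = {  # values-crs.yaml section -> enabling flag (names from the default file)
    "jenkinsGroovyScripts": "jenkinsGroovyScriptsEnabled",
    "jenkinsSeedJobs": "jenkinsSeedJobsEnabled",
    "jenkinsConfigurationsAsCode": "jenkinsConfigurationsAsCodeEnabled",
    "jenkinsKubernetesAgents": "jenkinsKubernetesAgentEnabled",
    "jenkinsAuthentication": "jenkinsAuthenticationEnabled",
    "jenkinsAuthorization": "jenkinsAuthorizationEnabled",
}
SECRET_PROVIDERS = ("githubOAuth", "googleOAuth", "openIDConnectAuth")

def enabled_resources(crs):
    """Yield (section, resource) for each resource of an enabled section."""
    for section, flag in SECTIONS.items():
        body = (crs.get(section) or []) if crs.get(flag) else []
        for res in body if isinstance(body, list) else [body]:
            yield section, res

def check_values(operator_values, crs_values, paid_plan):
    """Return findings as strings; an empty list means nothing was flagged."""
    out = []
    op = operator_values.get("operator") or {}
    if not op.get("watchedNamespaces"):
        out.append("operator.watchedNamespaces is empty")
    if paid_plan and not op.get("licenseSecretName"):
        out.append("paid plan but operator.licenseSecretName is empty")
    jenkins = crs_values.get("jenkins") or {}
    if jenkins.get("disableCSRFProtection"):
        out.append("jenkins.disableCSRFProtection is true")
    if jenkins.get("pluginsCache") and not paid_plan:
        out.append("jenkins.pluginsCache requires a license")
    agents = 0
    for section, res in enabled_resources(crs_values):
        where = f"{section}/{res.get('name')}"
        # Assumption: the label value is the name of the Jenkins resource.
        if (res.get("labels") or {}).get(JENKINS_LABEL) != jenkins.get("name"):
            out.append(f"{where}: label does not match jenkins.name")
        if section == "jenkinsKubernetesAgents" and not paid_plan:
            agents += 1
            if agents > 1 or res.get("name") != "seed-job-agent":
                out.append(f"{where}: free plan allows one agent, seed-job-agent")
        if section == "jenkinsAuthentication":
            if not paid_plan:
                out.append(f"{where}: requires a license")
            kind = res.get("type")
            provider = res.get(kind) or {}
            secret = (provider.get("clientSecretRef") or {}).get("name")
            if kind in SECRET_PROVIDERS and not secret:
                out.append(f"{where}: {kind}.clientSecretRef.name is empty")
            if provider.get("disableSSLVerification"):
                out.append(f"{where}: {kind}.disableSSLVerification is true")
    return out

# Constructed sample input: parsed values files with four deliberate mistakes.
SAMPLE_OPERATOR = {"operator": {"watchedNamespaces": ["jenkins"], "licenseSecretName": ""}}
SAMPLE_CRS = {
    "jenkins": {"name": "jenkins", "disableCSRFProtection": False},
    "jenkinsConfigurationsAsCodeEnabled": True,
    "jenkinsConfigurationsAsCode": [
        {"name": "casc", "labels": {JENKINS_LABEL: "jenkins-prod"}}],
    "jenkinsAuthenticationEnabled": True,
    "jenkinsAuthentication": {
        "name": "authentication", "labels": {JENKINS_LABEL: "jenkins"},
        "type": "openIDConnectAuth", "openIDConnectAuth": {
            "clientSecretRef": {"name": ""}, "disableSSLVerification": True}},
}

if __name__ == "__main__":
    print("\n".join(check_values(SAMPLE_OPERATOR, SAMPLE_CRS, paid_plan=True)))
```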
Install charts for Operator and Jenkins and Custom Resources
With values.yaml files prepared, you can proceed with installing the Operator and Jenkins alongside other Custom Resources.
Deploy Operator
Deploy Carthago Operator for Jenkins in the namespace you prepared for it by running the helm install command: