jenkins.yaml.tmpl (12246B)
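# Jenkins Configuration as Code (JCasC) template. The template actions (secret,
# nomadVar, nomadVarExists, env) are expanded before Jenkins parses the result
# as YAML, so the rendered file holds the Vault AppRole secret_id, the Nomad ACL
# token, the SMTP password and the admin password in clear text.
# NOTE(review): render it where only the Jenkins process can read it, and keep
# the rendered file out of build logs, workspaces and artifacts.
# NOTE(review): each secret is pasted inside a double-quoted YAML scalar. A
# value containing a double quote or a backslash would break the document or
# change the parsed value. Confirm the stored values avoid those characters, or
# JSON-encode them in the template (e.g. the template engine's toJSON helper).
credentials:
  system:
    domainCredentials:
      - credentials:
          # AppRole login referenced by unclassified.hashicorpVault below.
          # NOTE(review): GLOBAL scope also exposes a credential to jobs. Confirm
          # pipelines need this AppRole, and keep its Vault policy limited to
          # the paths builds must read.
          - vaultAppRoleCredential:
              description: "Jenkins approle on vault.in0rdr.ch"
              id: "vault.in0rdr.ch"
              path: "approle"
              roleId: "{{with secret "kv/jenkins/vault-secret-source"}}{{index .Data.data.role_id}}{{end}}"
              scope: GLOBAL
              secretId: "{{with secret "kv/jenkins/vault-secret-source"}}{{index .Data.data.secret_id}}{{end}}"
              usePolicies: false
          # Referenced by nomadACLCredentialsId in the Nomad cloud below.
          # NOTE(review): only the cloud plugin appears to use this token here.
          # SYSTEM scope would keep it away from jobs - confirm the plugin can
          # resolve SYSTEM-scoped credentials before changing it.
          - string:
              description: "Nomad ACL NOMAD_TOKEN for Nomad cloud plugin"
              id: "nomad"
              scope: GLOBAL
              secret: "{{with secret "kv/jenkins/nomad_token"}}{{index .Data.data.password}}{{end}}"
unclassified:
  location:
    # The trim markers join these three lines into one scalar when rendered.
    adminAddress: "{{ if nomadVarExists "nomad/jobs/jenkins" -}}
      {{ with nomadVar "nomad/jobs/jenkins" }}{{ .admin_address }}{{ end -}}
      {{ else }}address not configured yet <nobody@nowhere>{{ end}}"
    url: "https://jenkins.in0rdr.ch"
  hashicorpVault:
    configuration:
      vaultCredentialId: "vault.in0rdr.ch"
      vaultUrl: "https://vault.in0rdr.ch"
  mailer:
    authentication:
      password: "{{with secret "kv/jenkins/mailer"}}{{index .Data.data.password}}{{end}}"
      username: "{{with secret "kv/jenkins/mailer"}}{{index .Data.data.username}}{{end}}"
    replyToAddress: "no-reply@p0c.ch"
    smtpHost: "{{with secret "kv/jenkins/mailer"}}{{index .Data.data.smtpHost}}{{end}}"
    smtpPort: "{{with secret "kv/jenkins/mailer"}}{{index .Data.data.smtpPort}}{{end}}"
  # Global shared libraries run as trusted code outside the Groovy sandbox, so
  # write access to this repository is equivalent to admin access on the
  # controller.
  # NOTE(review): no default version is pinned here; confirm who can push to the
  # repository and consider pinning a reviewed tag or commit.
  globalLibraries:
    libraries:
      - name: "in0rdr-jenkins-lib"
        retriever:
          modernSCM:
            scm:
              gitSource:
                remote: "https://git.in0rdr.ch/jenkins-lib.git"
  scmGit:
    globalConfigEmail: "jenkins@jenkins.in0rdr.ch"
    globalConfigName: "jenkins"
jenkins:
  # https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/demos/jenkins/jenkins.yaml
  systemMessage: |
    {\__/}
    ( • . •)
    / >💾 Jenkins configured with Jenkins Configuration as Code plugin
  # Building on the built-in node can be a security issue. You should set the
  # number of executors on the built-in node to 0:
  # https://www.jenkins.io/doc/book/security/controller-isolation/#not-building-on-the-built-in-node
  numExecutors: 0
  slaveAgentPort: 50000
  # Every authenticated account gets full administrative rights under this
  # strategy. That is contained only while the local realm below has a single
  # user and sign-up stays disabled; move to a matrix-style strategy before
  # adding further accounts.
  authorizationStrategy:
    loggedInUsersCanDoAnything:
      allowAnonymousRead: false
  securityRealm:
    # https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demos/embedded-userdatabase
    local:
      allowsSignup: false
      users:
        - id: in0rdr
          password: "{{with secret "kv/jenkins/users"}}{{index .Data.data.in0rdr}}{{end}}"
  globalNodeProperties:
    - envVars:
        env:
          - key: "GIT_AUTHOR_EMAIL"
            value: "jenkins@jenkins.in0rdr.ch"
          - key: "GIT_AUTHOR_NAME"
            value: "jenkins"
  clouds:
    - nomad:
        name: "nomad"
        nomadUrl: "https://{{env "attr.unique.network.ip-address"}}:4646"
        nomadACLCredentialsId: "nomad"
        tlsEnabled: true
        serverCertificate: "/etc/ssl/certs/nomad-agent-ca.p12"
        # the truststore only contains public certificates, password is irrelevant here
        # NOTE(review): that holds only while no private key is ever added to
        # this .p12 file.
        serverPassword: "123456"
        # Left empty: no client certificate is configured in this file, so the
        # controller authenticates to Nomad with the ACL token alone.
        clientPassword:
        prune: true
        templates:
          # Podman worker, arm64. In the job JSON, "^${attr.cpu.arch}" uses the
          # JCasC escape so the literal expression reaches Nomad, while the
          # unescaped REMOTING_VERSION is resolved by JCasC when this file loads.
          #
          # Security-relevant settings in the job JSON below:
          # - security_opt switches off seccomp, AppArmor and the masked system
          #   paths for the agent container.
          # - The podman socket of host uid 1312 is mounted into the agent, so a
          #   build on this label can start arbitrary containers as that host
          #   user. Treat everyone who can author pipelines for the 'podman'
          #   label as trusted with that account.
          # - /home/jenkins/workspace is a shared host path and reusable is
          #   true, so files left by one build are visible to later ones.
          # - The agent reaches the controller over plain http, and
          #   %WORKER_SECRET% sits in the job's Env.
          #   NOTE(review): presumably anyone allowed to read jobs in the
          #   "default" namespace can read that secret - confirm the Nomad ACL
          #   policies, and that the http hop never leaves a trusted network.
          # - The image is addressed by tag on a registry at 127.0.0.1:5000 with
          #   force_pull; whoever can push to that registry controls what the
          #   agents run.
          - idleTerminationInMinutes: 10
            jobTemplate: |-
              {
                "Job": {
                  "Region": "global",
                  "ID": "%WORKER_NAME%",
                  "Namespace": "default",
                  "Type": "batch",
                  "Datacenters": [
                    "dc1"
                  ],
                  "Constraints": [
                    {
                      "LTarget": "^${attr.cpu.arch}",
                      "Operand": "=",
                      "RTarget": "arm64"
                    }
                  ],
                  "TaskGroups": [
                    {
                      "Name": "jenkins-podman-worker-taskgroup",
                      "Count": 1,
                      "RestartPolicy": {
                        "Attempts": 0,
                        "Interval": 10000000000,
                        "Mode": "fail",
                        "Delay": 1000000000
                      },
                      "Tasks": [
                        {
                          "Name": "jenkins-podman-worker",
                          "Driver": "podman",
                          "User": "jenkins",
                          "Config": {
                            "security_opt": [
                              "seccomp=unconfined",
                              "apparmor=unconfined",
                              "systempaths=unconfined"
                            ],
                            "volumes": [
                              "/run/user/1312/podman/podman.sock:/home/jenkins/agent/podman.sock",
                              "/etc/containers/registries.conf:/etc/containers/registries.conf",
                              "/home/jenkins/workspace:/home/jenkins/workspace"
                            ],
                            "force_pull": true,
                            "image": "127.0.0.1:5000/jenkins-inbound-agent:${REMOTING_VERSION}-arm64"
                          },
                          "Env": {
                            "REMOTING_OPTS": "-url http://{{ env "NOMAD_ADDR_jenkins" }} -name %WORKER_NAME% -secret %WORKER_SECRET% -tunnel {{ env "NOMAD_ADDR_jnlp" }}",
                            "DOCKER_HOST": "unix:///home/jenkins/agent/podman.sock"
                          },
                          "Resources": {
                            "CPU": 500,
                            "MemoryMB": 512,
                            "MemoryMaxMB": 1024
                          }
                        }
                      ],
                      "EphemeralDisk": {
                        "SizeMB": 300
                      }
                    }
                  ]
                }
              }
            labels: "nomad podman arm64"  # use the 'podman' label in the Jenkins pipeline spec
            numExecutors: 1
            prefix: "jenkins-podman-arm64"
            reusable: true
          # Podman worker, amd64. It differs from the arm64 template only in the
          # architecture constraint, the image tag, the labels and the prefix,
          # so the same points apply: unconfined security_opt, the mounted
          # podman socket, the shared workspace, the http agent URL and
          # %WORKER_SECRET% in Env.
          - idleTerminationInMinutes: 10
            jobTemplate: |-
              {
                "Job": {
                  "Region": "global",
                  "ID": "%WORKER_NAME%",
                  "Namespace": "default",
                  "Type": "batch",
                  "Datacenters": [
                    "dc1"
                  ],
                  "Constraints": [
                    {
                      "LTarget": "^${attr.cpu.arch}",
                      "Operand": "=",
                      "RTarget": "amd64"
                    }
                  ],
                  "TaskGroups": [
                    {
                      "Name": "jenkins-podman-worker-taskgroup",
                      "Count": 1,
                      "RestartPolicy": {
                        "Attempts": 0,
                        "Interval": 10000000000,
                        "Mode": "fail",
                        "Delay": 1000000000
                      },
                      "Tasks": [
                        {
                          "Name": "jenkins-podman-worker",
                          "Driver": "podman",
                          "User": "jenkins",
                          "Config": {
                            "security_opt": [
                              "seccomp=unconfined",
                              "apparmor=unconfined",
                              "systempaths=unconfined"
                            ],
                            "volumes": [
                              "/run/user/1312/podman/podman.sock:/home/jenkins/agent/podman.sock",
                              "/etc/containers/registries.conf:/etc/containers/registries.conf",
                              "/home/jenkins/workspace:/home/jenkins/workspace"
                            ],
                            "force_pull": true,
                            "image": "127.0.0.1:5000/jenkins-inbound-agent:${REMOTING_VERSION}-amd64"
                          },
                          "Env": {
                            "REMOTING_OPTS": "-url http://{{ env "NOMAD_ADDR_jenkins" }} -name %WORKER_NAME% -secret %WORKER_SECRET% -tunnel {{ env "NOMAD_ADDR_jnlp" }}",
                            "DOCKER_HOST": "unix:///home/jenkins/agent/podman.sock"
                          },
                          "Resources": {
                            "CPU": 500,
                            "MemoryMB": 512,
                            "MemoryMaxMB": 1024
                          }
                        }
                      ],
                      "EphemeralDisk": {
                        "SizeMB": 300
                      }
                    }
                  ]
                }
              }
            labels: "nomad podman amd64"  # use the 'podman' label in the Jenkins pipeline spec
            numExecutors: 1
            prefix: "jenkins-podman-amd64"
            reusable: true
          # Packer worker: runs under the Nomad exec driver (no container image)
          # and downloads the remoting jar from repo.jenkins-ci.org as a job
          # artifact.
          # NOTE(review): the artifact has no checksum ("GetterOptions": null),
          # so its integrity rests on TLS to the repository alone. Pinning one,
          # e.g. "GetterOptions": {"checksum": "sha256:<PLACEHOLDER_DIGEST>"},
          # would tie the download to a known build of the jar.
          # NOTE(review): %WORKER_SECRET% is part of the task's command line
          # here and the agent URL is plain http - same exposure as the podman
          # templates.
          # NOTE(review): NOMAD_TASK_DIR is not escaped with ^, unlike
          # attr.cpu.arch in the podman templates - confirm which layer (JCasC
          # or Nomad) is meant to expand it.
          - idleTerminationInMinutes: 10
            jobTemplate: |-
              {
                "Job": {
                  "Region": "global",
                  "ID": "%WORKER_NAME%",
                  "Namespace": "default",
                  "Type": "service",
                  "Datacenters": [
                    "dc1"
                  ],
                  "TaskGroups": [
                    {
                      "Name": "jenkins-packer-worker-taskgroup",
                      "Count": 1,
                      "RestartPolicy": {
                        "Attempts": 0,
                        "Interval": 10000000000,
                        "Mode": "fail",
                        "Delay": 1000000000
                      },
                      "Tasks": [
                        {
                          "Name": "jenkins-packer-worker",
                          "Driver": "exec",
                          "User": "jenkins",
                          "Config": {
                            "command": "/bin/sh",
                            "args": [
                              "-c",
                              "java -jar ./${NOMAD_TASK_DIR}/remoting-${REMOTING_VERSION}.jar -url http://{{ env "NOMAD_ADDR_jenkins" }} -name %WORKER_NAME% -secret %WORKER_SECRET% -tunnel {{ env "NOMAD_ADDR_jnlp" }} $@"
                            ]
                          },
                          "Artifacts": [
                            {
                              "Chown": false,
                              "GetterHeaders": null,
                              "GetterInsecure": false,
                              "GetterMode": "any",
                              "GetterOptions": null,
                              "GetterSource": "https://repo.jenkins-ci.org/public/org/jenkins-ci/main/remoting/${REMOTING_VERSION}/remoting-${REMOTING_VERSION}.jar",
                              "RelativeDest": "${NOMAD_TASK_DIR}"
                            }
                          ],
                          "Resources": {
                            "CPU": 500,
                            "MemoryMB": 512,
                            "MemoryMaxMB": 1024
                          }
                        }
                      ],
                      "EphemeralDisk": {
                        "SizeMB": 300
                      }
                    }
                  ]
                }
              }
            labels: "nomad packer"
            numExecutors: 1
            prefix: "jenkins-packer"
            reusable: true
        workerTimeout: 1
    # Configuration example for the Docker cloud to spawn Jenkins agents directly
    # in Docker containers without intermediary Nomad jobs:
    # - https://plugins.jenkins.io/docker-plugin/#plugin-content-jcasc-plugin
    # If this block is ever enabled: it uses the same host podman socket and a
    # plain http controller URL, and pulls the mutable "latest" tag.
    #- docker:
    #    name: "docker"
    #    containerCap: 3
    #    dockerApi:
    #      connectTimeout: 23
    #      dockerHost:
    #        uri: "unix:///home/jenkins/agent/podman.sock"
    #      readTimeout: 43
    #    errorDuration: 313
    #    templates:
    #      - connector:
    #          jnlp:
    #            jenkinsUrl: "http://{{ env "NOMAD_ADDR_jenkins" }}"
    #            user: "1312"
    #        dockerTemplateBase:
    #          image: "127.0.0.1:5000/jenkins-inbound-agent:latest"
    #          environment:
    #            - JENKINS_TUNNEL={{ env "NOMAD_ADDR_jnlp" }}
    #            - DOCKER_HOST=unix:///home/jenkins/agent/podman.sock
    #        labelString: "podman"
    #        name: "alpine-jdk21"
    #        pullTimeout: 171
    #        remoteFs: "/home/jenkins/agent"

# https://github.com/jenkinsci/theme-manager-plugin
appearance:
  themeManager:
    disableUserThemes: false
    theme: "dark"
  customHeader:
    enabled: true
    logo:
      image:
        logoUrl: "https://www.jenkins.io/images/logos/kongfu/kongfu.png"
  loginTheme:
    branding: "https://www.jenkins.io/images/logos/kongfu/kongfu.png"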