jenkinsci / kubernetes-operator Goto Github PK

This project forked from virtuslab/jenkins-operator

Kubernetes native Jenkins Operator

Home Page: https://jenkinsci.github.io/kubernetes-operator

License: Other

Makefile 3.37% Dockerfile 0.27% Groovy 0.23% Go 82.85% Shell 4.45% HTML 4.59% JavaScript 0.44% SCSS 3.10% Mustache 0.16% Nix 0.54%

kubernetes jenkins operator cloud-native continuous-integration

kubernetes-operator's Introduction

Jenkins Operator

What's the Jenkins Operator?

The Jenkins Operator is a Kubernetes Native Operator which manages operations for Jenkins on Kubernetes. It has been built with Immutability and declarative Configuration as Code in mind.

Preliminaries

Considering that this Operator is created for managing instances for Jenkins, it is important to understand what

Jenkins Pipelines and
CasC (Configuration as Code) are.

Jenkins Pipelines use Scripts written in Groovy which aid in the CasC aspect of Jenkins.

Jenkins uses plugins like CasC to extend it's solution space by carrying out Jobs of different kinds and providing a composable infrastructure for your CI/CD.

Out of the box it provides:

Integration with Kubernetes (Jenkins kubernetes-plugin)
Pipelines as Code (Jenkins pipelines)
Extensibility via Groovy Scripts (similar to Jenkins script console) or (configuration as code plugin)
Secure Defaults and Hardening (see the security section of the documentation)

Problem statement and goals

The main reason why we decided to implement the Jenkins Operator is the fact that we faced a lot of problems with standard Jenkins deployment. We want to make Jenkins more robust, suitable for dynamic and multi-tenant environments.

Some of the problems we want to solve:

installing plugins with incompatible versions or security vulnerabilities
better configuration as code
security and hardening out of the box
make errors more visible for end users
orphaned jobs with no JNLP connection
handle graceful shutdown properly
proper end to end tests for Jenkins lifecycle

Documentation

Go to our documentation website for more information.

Selected content:

Common Issues and Workarounds

Multibranch Pipelines and Backup Issues: #104 (comment)

Community

Main channel of communication on topics related to Jenkins Operator is Jenkins Operator Category on Jenkins Community Discourse.

Here you can ask questions about the project, discuss best practices on using it, and talk to other users of the Operator, contributors and project's maintainers.

We also have a gitter/matrix channel, come to say hi!

Snapshots between releases

We are trying our best to resolve issues quickly, but they have to wait to be released. If you can't wait for an official docker image release and acknowledge the risk, you can use our unofficial images, which are built nightly.

You can find the project's Quay.io repository here.

Look for the images with tag "{git-hash}", where {git-hash} is the hash of the master commit that interests you.

Contribution

Feel free to file issues or pull requests, but please consult CONTRIBUTING document beforehand.

Before any big pull request please consult the maintainers to ensure a common direction.

Presentations

About the authors

This project was originally developed by VirtusLab and the following CONTRIBUTORS.

kubernetes-operator's People

Contributors

Stargazers

Watchers

Forkers

oldsj lemaral dcoraboeuf tedchangtr tveal waveywaves akram spencedy akdldid benlangfeld rome84 th3w4y sabreoss woyaowoyao takitake antoniaklja mxandeco aweis89 gregnebu nicksneo knowncitizen anthonydahanne rickdennis mruoss bechampion sinramyeon cgrigel underscoreanuj natalia-pokrovskaya redhat-developer bigpafik pdolega cendrier rkhozinov raghuramnaidu yeefoner zeromsi k8s-canux pbecotte salluvada fowlie ricbir sbose78 webmobix srineshar onophris ossys subhanirelease serhatcetinkaya tumevoiz admssa gdzy1987 avni-sharma mkarebski harivallabha anxolerd cwr0401 mikejianzhang mikesay ravikrddy eriklundjensen jkhelil majanpaul venkat22 ebele25 wyw-linux joel-adams simonn89 trieszklr peske polarpoint-io rusenask smolin venkatakrishn neiljfwhite rolnick brmclaren secondsun guanwei dene14 cooldsachin vherzog-cb nicolasenno kpavan95 timbyr cvstebut aleksandr-morozov nilavec nwton bobiology sylvi21 anqingxu dr-zeta nilaveorg piyush0609 rcosnita sylwiabrant faraz891 rajesh-ibm-power alex-home-greenman

kubernetes-operator's Issues

Q: How to use configuration as a code plugin?

Configuration as a code plugin loads configuration from env variable CASC_JENKINS_CONFIG, or from /home/jenkins/jenkins.yaml file

Could you explain how to use this with Jenkins operator?

Thank you

Jenkins master node spec's resource limits and requests are overridden

Motivation

The default values are too aggressive on CPU and too lenient on RAM. In our use case it makes sense to remove the hard limit on RAM and CPU, and increase the memory request value. The default values are as follows:

resources:
  limits:
    cpu: 1500m
    memory: 3Gi
  requests:
    cpu: 1000m
    memory: 500Mi

Bug

As per the examples in the documentation it appears to be possible to adjust the Kubernetes resource request using the Jenkins master node spec:

apiVersion: jenkins.io/v1alpha2
kind: Jenkins
spec:
  master:
    containers:
    - name: jenkins-master
      image: jenkins/jenkins:lts
      # Attempting to specify resource values:
      resources:
        requests:
          cpu: 500m
          memory: 2.5Gi

However, the Jenkins container is still created with default resource values.

The operator logs the following lines when we attempt to update the resource requirements on the container (and the Jenkins pod isn't cycled/updated):

2019-07-30T14:32:16.634Z  INFO  controller-jenkins  jenkins/handler.go:89 *v1alpha2.Jenkins/jenkins has been updated  {"cr": "jenkins"}
2019-07-30T14:32:16.634Z  INFO  controller-jenkins  jenkins/jenkins_controller.go:353 Setting default Jenkins master container resource requirements  {"cr": "jenkins"}
2019-07-30T14:32:16.717Z  INFO  controller-jenkins  jenkins/handler.go:89 *v1alpha2.Jenkins/jenkins has been updated  {"cr": "jenkins"}

Versions

Operator API version: jenkins.io/v1alpha2
Jenkins operator version: v0.1.1

2019-07-30T14:27:12.023Z	INFO	controller-jenkins	manager/main.go:44	Version: v0.1.1
2019-07-30T14:27:12.023Z	INFO	controller-jenkins	manager/main.go:45	Git commit: 6fffcb6
2019-07-30T14:27:12.023Z	INFO	controller-jenkins	manager/main.go:46	Go Version: go1.12
2019-07-30T14:27:12.023Z	INFO	controller-jenkins	manager/main.go:47	Go OS/Arch: linux/amd64
2019-07-30T14:27:12.023Z	INFO	controller-jenkins	manager/main.go:48	operator-sdk Version: v0.8.1

reconciliation loop fails with GitHub authentication, jenkins-operator connot authenticate

Security document states that other realms are possible to configure through scripts. This breaks the reconciliation-operator loop, however, since jenkins-operator cannot authenticate Jenkins API calls

Error when backup is run

2019-06-25T06:08:28.530Z INFO controller-jenkins backuprestore/backuprestore.go:157 Performing backup '1' {"cr": "jenkins"}
E0625 06:08:28.758173 1 reflector.go:251] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:95: Failed to watch *v1.Event: unknown (get events)
2019-06-25T06:08:29.175Z WARN controller-jenkins jenkins/jenkins_controller.go:159 Reconcile loop failed: pod exec error operation on stream: stdout 'Running backup
' stderr 'tar: can't open '/backup/1.tar.gz': Permission denied

apiVersion: jenkins.io/v1alpha2
kind: Jenkins
metadata:
  name: jenkins
  namespace: jenkins
spec:
  backup:
    action:
      exec:
        command:
        - /home/user/bin/backup.sh # this command is invoked on "backup" container to make backup, for example /home/user/bin/backup.sh <backup_number>, <backup_number> is passed by operator
        # - echo
    containerName: backup # container name is responsible for backup
    interval: 30 # how often make backup in seconds
    makeBackupBeforePodDeletion: true # make backup before pod deletion
  master:
    containers:
      - name: jenkins-master
        image: jenkins/jenkins:lts
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 12
          httpGet:
            path: /login
            port: http
            scheme: HTTP
          initialDelaySeconds: 80
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /login
            port: http
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          limits:
            cpu: 1
            memory: 4Gi
          requests:
            cpu: 1
            memory: 4Gi
      - name: backup # container responsible for backup and restore
        env:
        - name: BACKUP_DIR
          value: /backup
        - name: JENKINS_HOME
          value: /jenkins-home
        image: virtuslab/jenkins-operator-backup-pvc:v0.0.2 # look at backup/pvc directory
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /jenkins-home # Jenkins home volume
          name: jenkins-home
        - mountPath: /backup # backup volume
          name: backup
    volumes:
    - name: backup # PVC volume where backups will be stored
      persistentVolumeClaim:
        claimName: jenkins-backup-new

    plugins:
      - name: github-branch-source
        version: 2.5.2
      - name: simple-theme-plugin
        version: 0.5.1

  restore:
    action:
      exec:
        command:
        - /home/user/bin/restore.sh # this command is invoked on "backup" container to make restore backup, for example /home/user/bin/restore.sh <backup_number>, <backup_number> is passed by operator
    containerName: backup # container name is responsible for restore backup
    #recoveryOnce: <backup_number> # if want to restore specific backup configure this field and then Jenkins will be restarted and desired backup will be restored
  seedJobs:
  - id: x
    targets: "cicd/jobs/*.jenkins"
    description: "x"
    credentialType: usernamePassword
    credentialID: ghe-x
    repositoryBranch: master
    repositoryUrl: x

Use on Openshift?

I'm trying to get this running on OpenShift, but am finding the following error in the logs for the operator pod. Is there a way to trigger the operator to run within the allotted range?

2019-08-08T14:59:10.785Z WARN controller-jenkins jenkins/jenkins_controller.go:158 Reconcile loop failed ten times with the same error, giving up: pods "jenkins-jenkins" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1000000000, 1000009999] fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1000000000, 1000009999]] {"cr": "jenkins"}

If I set a runAsUser like this it moves forward.

apiVersion: jenkins.io/v1alpha2
kind: Jenkins
metadata:
  name: jenkins
spec:
  master:
    securityContext:
      runAsUser: 1000000500
      runAsGroup: 0

EDIT: Setting the runAsUser to an ID within the range 1000000000, 1000009999 works because that is set aside for this project, but we can't make it static (at least for automation purposes) because it will be given a different range in a different project. Each project increments 10k on the previous one.

Q: How to authenticate to https?

Our pods don't have ssh access, and we've been unsuccessfully trying to seed our jobs from a private bitbucket repo. How would one use secrets in this case?

Our deployment looks like this

apiVersion: jenkins.io/v1alpha1
kind: Jenkins
metadata:
  name: GS
  namespace: jenkins
spec:
  master:
   image: jenkins/jenkins
  seedJobs:
  - id: GS
    targets: "cicd/jobs/*.jenkins"
    description: "GS Jenkins Operator repository"
    repositoryBranch: master
    repositoryUrl: https://user:[email protected]/somerepo/test.git

And this is what jenkins does with it

Started
Running as SYSTEM
Building in workspace /var/jenkins/home/workspace/GS-job-dsl-seed
Cloning the remote Git repository
Using shallow clone
Avoid fetching tags
Cloning repository https://user:[email protected]/somerepo/test.git
 > git init /var/jenkins/home/workspace/GS-job-dsl-seed # timeout=10
Fetching upstream changes from https://[email protected]/somerepo/test.git
 > git --version # timeout=10
using GIT_SSH to set credentials Greensteam
 > git fetch --no-tags --progress https://[email protected]/somerepo/test.git +refs/heads/*:refs/remotes/origin/* --depth=1 # timeout=10
ERROR: Error cloning remote repo 'origin'
hudson.plugins.git.GitException: Command "git fetch --no-tags --progress https://[email protected]/somerepo/test.git +refs/heads/*:refs/remotes/origin/* --depth=1" returned status code 128:
stdout: 
stderr: remote: Invalid username or password
fatal: Authentication failed for 'https://[email protected]/somerepo/test.git/'

	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2042)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1761)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$400(CliGitAPIImpl.java:72)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:442)
	at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$2.execute(CliGitAPIImpl.java:655)
	at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1146)
	at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1186)
	at hudson.scm.SCM.checkout(SCM.java:504)
	at hudson.model.AbstractProject.checkout(AbstractProject.java:1208)
	at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:574)
	at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86)
	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:499)
	at hudson.model.Run.execute(Run.java:1816)
	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
	at hudson.model.ResourceController.execute(ResourceController.java:97)
	at hudson.model.Executor.run(Executor.java:429)
ERROR: Error cloning remote repo 'origin'
Finished: FAILURE

Removing yaml file (CasC) from config does not trigger the job

The 6-approvals.yaml was deleted and job no. 10 should show up, but it didn't:

Logs:

2019-07-15T07:31:15.400Z        INFO    controller-jenkins      jenkins/handler.go:41   *v1.ConfigMap/jenkins-operator-user-configuration-infrastructure has been updated       {"cr": "infrastructure"}
2019-07-15T07:31:15.543Z        INFO    controller-jenkins      jobs/jobs.go:235        Running job, {JobName:jenkins-operator-user-configuration Hash:jbmxxsZ6iD05P1EEyHIYq/lvpisqhwwWhuZ71f9E5QA= Number:0 Status: Retires:0 CreateTime:2019-07-15 07:31:15.543609433 +0000 UTC m=+493812.641621984 LastUpdateTime:<nil>}     {"cr": "infrastructure"}
2019-07-15T07:31:15.902Z        INFO    controller-jenkins      jobs/jobs.go:235        Running job, {JobName:jenkins-operator-user-configuration Hash:jbmxxsZ6iD05P1EEyHIYq/lvpisqhwwWhuZ71f9E5QA= Number:0 Status: Retires:0 CreateTime:2019-07-15 07:31:15.90222891 +0000 UTC m=+493813.000241463 LastUpdateTime:<nil>}      {"cr": "infrastructure"}
2019-07-15T07:31:48.012Z        WARN    controller-jenkins      jobs/jobs.go:140        Build failed, {JobName:jenkins-operator-user-configuration Hash:jbmxxsZ6iD05P1EEyHIYq/lvpisqhwwWhuZ71f9E5QA= Number:2 Status:failure Retires:0 CreateTime:2019-07-15 07:31:15 +0000 UTC LastUpdateTime:2019-07-15 07:31:37 +0000 UTC}   {"cr": "infrastructure"}
2019-07-15T07:31:48.012Z        WARN    controller-jenkins      jenkins/jenkins_controller.go:167       Reconcile loop failed: build failed     {"cr": "infrastructure"}
2019-07-15T07:31:48.283Z        INFO    controller-jenkins      jobs/jobs.go:235        Running job, {JobName:jenkins-operator-user-configuration Hash:jbmxxsZ6iD05P1EEyHIYq/lvpisqhwwWhuZ71f9E5QA= Number:2 Status:failure Retires:1 CreateTime:2019-07-15 07:31:15 +0000 UTC LastUpdateTime:2019-07-15 07:31:48 +0000 UTC}    {"cr": "infrastructure"}
2019-07-15T07:31:49.445Z        INFO    controller-jenkins      jobs/jobs.go:235        Running job, {JobName:jenkins-operator-user-configuration Hash:jbmxxsZ6iD05P1EEyHIYq/lvpisqhwwWhuZ71f9E5QA= Number:2 Status:failure Retires:1 CreateTime:2019-07-15 07:31:15 +0000 UTC LastUpdateTime:2019-07-15 07:31:48 +0000 UTC}    {"cr": "infrastructure"}
2019-07-15T07:31:49.462Z        WARN    controller-jenkins      jobs/jobs.go:155        Couldn't retry build, {JobName:jenkins-operator-user-configuration Hash:jbmxxsZ6iD05P1EEyHIYq/lvpisqhwwWhuZ71f9E5QA= Number:2 Status:failure Retires:1 CreateTime:2019-07-15 07:31:15 +0000 UTC LastUpdateTime:2019-07-15 07:31:48 +0000 UTC}   {"cr": "infrastructure"}
2019-07-15T07:32:19.268Z        WARN    controller-jenkins      jobs/jobs.go:140        Build failed, {JobName:jenkins-operator-user-configuration Hash:jbmxxsZ6iD05P1EEyHIYq/lvpisqhwwWhuZ71f9E5QA= Number:3 Status:failure Retires:1 CreateTime:2019-07-15 07:31:15 +0000 UTC LastUpdateTime:2019-07-15 07:32:16 +0000 UTC}   {"cr": "infrastructure"}
2019-07-15T07:32:19.268Z        WARN    controller-jenkins      jenkins/jenkins_controller.go:167       Reconcile loop failed: build failed     {"cr": "infrastructure"}
2019-07-15T07:32:21.643Z        INFO    controller-jenkins      jobs/jobs.go:235        Running job, {JobName:jenkins-operator-user-configuration Hash:jbmxxsZ6iD05P1EEyHIYq/lvpisqhwwWhuZ71f9E5QA= Number:3 Status:failure Retires:2 CreateTime:2019-07-15 07:31:15 +0000 UTC LastUpdateTime:2019-07-15 07:32:19 +0000 UTC}    {"cr": "infrastructure"}
2019-07-15T07:32:22.847Z        INFO    controller-jenkins      jobs/jobs.go:235        Running job, {JobName:jenkins-operator-user-configuration Hash:jbmxxsZ6iD05P1EEyHIYq/lvpisqhwwWhuZ71f9E5QA= Number:3 Status:failure Retires:2 CreateTime:2019-07-15 07:31:15 +0000 UTC LastUpdateTime:2019-07-15 07:32:19 +0000 UTC}    {"cr": "infrastructure"}
2019-07-15T07:32:22.866Z        WARN    controller-jenkins      jobs/jobs.go:155        Couldn't retry build, {JobName:jenkins-operator-user-configuration Hash:jbmxxsZ6iD05P1EEyHIYq/lvpisqhwwWhuZ71f9E5QA= Number:3 Status:failure Retires:2 CreateTime:2019-07-15 07:31:15 +0000 UTC LastUpdateTime:2019-07-15 07:32:19 +0000 UTC}   {"cr": "infrastructure"}
2019-07-15T07:32:35.512Z        INFO    controller-jenkins      jobs/jobs.go:134        Build finished successfully, {JobName:jenkins-operator-user-configuration Hash:jbmxxsZ6iD05P1EEyHIYq/lvpisqhwwWhuZ71f9E5QA= Number:4 Status:success Retires:2 CreateTime:2019-07-15 07:31:15 +0000 UTC LastUpdateTime:2019-07-15 07:32:21 +0000 UTC}    {"cr": "infrastructure"}

Also, maybe operator should restart master on removals?

Crashing

Hello,

jenkins-opperation keep crashing and Jenkins pod never created.

kubectl get pods -w
NAME READY STATUS RESTARTS AGE
heapster-heapster-556f4f7648-d4m6h 2/2 Running 9 22h
jenkins-operator-7dff456666-g4n8v 1/1 Running. 2 86s
jenkins-operator-7dff456666-g4n8v 0/1 Error 2 111s
jenkins-operator-7dff456666-g4n8v 0/1 CrashLoopBackOff 2 2m4s
jenkins-operator-7dff456666-g4n8v 1/1 Running. 3 2m20s
jenkins-operator-7dff456666-g4n8v 0/1 Error 3 2m49s
jenkins-operator-7dff456666-g4n8v 0/1 CrashLoopBackOff. 3 3m1s

System info
Distributor ID: Debian
Description: Debian GNU/Linux 9.9 (stretch)
Release: 9.9
Codename: stretch

Docker Info
Client:
Version: 18.09.6
API version: 1.39
Go version: go1.10.8
Git commit: 481bc77
Built: Sat May 4 02:36:00 2019
OS/Arch: linux/amd64
Experimental: false
Server: Docker Engine - Community
Engine:
Version: 18.09.6
API version: 1.39 (minimum version 1.12)
Go version: go1.10.8
Git commit: 481bc77
Built: Sat May 4 01:59:36 2019
OS/Arch: linux/amd64
Experimental: false

Kubenertes Info
Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.2", GitCommit:"66049e3b21efe110454d67df4fa62b08ea79a19b", GitTreeState:"clean", BuildDate:"2019-05-16T16:23:09Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.2", GitCommit:"66049e3b21efe110454d67df4fa62b08ea79a19b", GitTreeState:"clean", BuildDate:"2019-05-16T16:14:56Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}

create secrets manually not automatically

Hey, thx for the awesome project!

I'd like to ask, if it is somehow possible to create the jenkins-operator-credentials-master secret manually, or will it be overwritten by the operator? if its possible to create it manually, should it look like below?
what kind of format does the token need to have? is something missing in the resource below?

thx for hints in advance!

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  user: base64
  password: base64
  token: base64?

Documents how to develop with a remote k8s cluster

Hi team,

I made some addons to documentation in order to be able to test and develop within a remote or locally configured cluster other than minikube.

Before submitting the PR, I wanted to get your opinion about it.

Feature Request: Support for optional PersistentVolumeClaims

I would like to see the ability to persist Jenkins' state across pod restarts/moving to another node/etc.

I think the easiest way to accomplish this would be to mount the jenkins homedir from a persistent volume. Ideally this would be optional in the CR spec. An example config might look like this:

---
apiVersion: jenkins.io/v1alpha1
kind: Jenkins
metadata:
  name: example
spec:
  master:
   image: jenkins/jenkins:lts
   persistentHomeVolumeClaim: jenkins-operator-example-pvc
  seedJobs: []

If persistentHomeVolumeClaim isn't specified, then the current behavior of using an emptyDir would still be used. It could also be enablePersistence: true and let the operator generate the pvc, but I'm assuming it should at least be somewhat customizable.

My other thought was that there could be a customVolumes key under spec.master that would get merged with the final spec.volumes in the generated pod resource. I'm not sure if the added customizability would be needed or not compared to just passing in a claim name. You'd also probably need customMounts to go along with it.

Clarify customisation documentation

Customisation steps about configs are confusing and need to be clarified.

config lifecycle description
CR names needs to be parameterized, now example is hardcoded everywhere
cleanup example snippets

seed jobs are not updated in jenkins when removed from CR

When a seed jobs is removed from the CR configuration, Jenkins seed jobs are not updated.

The deleted one is still there until manual Jenkins master restart.

Feature Request: Support reference to jenkins-operator creds in user ConfigMap

I'm trying to pass the jenkins-operator secret (password) to a SecurityRealm plugin via CasC. I see how to do it in the user's config secret, but is there a way to get the operator's credential secret into the user's ConfigMap? The goal is to get the generated operator password into the instantiation of a SecurityRealm plugin as a roboticSecret, so that future requests to the Jenkins master can be authenticated in the SecurityRealm plugin. Such as roboticSecret == operatorPassword (and user for that matter, but it appears to be hard-coded as jenkins-operator). Since the operator cred is re-generated at times, I need the update to the operator's secret to also be refreshed in the user's ConfigMap.

I have to use the Crowd 2 Plugin for Jenkins, but it doesn't support a robotic id as-is, so I'm currently working with a custom local build that adds a robotic id implementation. See the mod here. I'm also using the matrix-auth plugin. Below, the ROBOTIC_ID and ROBOTIC_SECRET need to be the jenkins-operator username and password.

My sample user-config CasC:

1-system-config-security.yaml: |2
  jenkins:
    securityRealm:
      crowd:
        applicationName: "${CROWD_APP_NAME}"
        password: "${CROWD_PASSWORD}"
        sessionValidationInterval: 20
        url: "https://path-to-my-crowd-server"
        group: ""
        roboticId: "${ROBOTIC_ID}"
        roboticSecret: "${ROBOTIC_SECRET}"
        roboticGroup: "jenkins-administrators"
2-permisions-matrix.yaml: |2
  jenkins:
    authorizationStrategy:
      globalMatrix:
        permissions:
        - "Agent/Build:jenkins-administrators"
        - "Agent/Configure:jenkins-administrators"
        - "Agent/Connect:jenkins-administrators"
        - "Agent/Create:jenkins-administrators"
        - "Agent/Delete:jenkins-administrators"
        - "Agent/Disconnect:jenkins-administrators"
        ...

If I could reference the operator's configuration secret from the user's configmap, then I'd be set. As it is, best I can tell anyways, I can only access the user config secret from the user configmap. That seems reasonable except for this use-case. How can I pass the operator's generated password to the user configmap?

I'd rather not have to do a manual step to copy the creds for the operator secret to the user secret with kubectl - I'd have to run that hack everything the operator regenerates a password and re-instantiate the Jenkins master since it wasn't automated with the operator's management.

Issues updating plugins and jenkins-operator-user-configuration

Hi,

When I try to update kubernetes or configuration-as-code plugins I get below. Looks like expect certain versions?

I also noticed that version needs to be in quotes otherwise it causes some issues

Another issues I have with jenkins-operator-user-configuration. When I use default everything is fine but when I add another script or modify existing I get below

Please advise.
Cheers

Reconcile loop fails on invalid URL port

When trying to configure with CasS:

...
  3-location.yaml: |2
    unclassified:
      location:
        adminAddress: redacted@redacted
        url: http://master-jenkins-redacted:8080
...

Warning shows up in logs:

2019-06-05T13:37:00.247Z	WARN	controller-jenkins	jenkins/jenkins_controller.go:117	Reconcile loop failed: Get http://jenkins-operator-http-infrastructure:8080master-jenkins-redacted:8080/job/jenkins-operator-user-configuration-casc//4/api/json?depth=1: invalid URL port "8080master-jenkins-redacted:8080"
github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/jobs.(*Jobs).ensureRunningBuild
	/home/tsek/work/projects/go/src/github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/jobs/jobs.go:120
github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/jobs.(*Jobs).EnsureBuildJob
	/home/tsek/work/projects/go/src/github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/jobs/jobs.go:64
github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/configuration/user/casc.(*ConfigurationAsCode).Ensure
	/home/tsek/work/projects/go/src/github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/configuration/user/casc/caac.go:80
github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/configuration/user.(*ReconcileUserConfiguration).ensureUserConfiguration
	/home/tsek/work/projects/go/src/github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/configuration/user/reconcile.go:113
github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/configuration/user.(*ReconcileUserConfiguration).Reconcile
	/home/tsek/work/projects/go/src/github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/configuration/user/reconcile.go:54
github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins.(*ReconcileJenkins).reconcile
	/home/tsek/work/projects/go/src/github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/jenkins_controller.go:190
github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins.(*ReconcileJenkins).Reconcile
	/home/tsek/work/projects/go/src/github.com/jenkinsci/kubernetes-operator/pkg/controller/jenkins/jenkins_controller.go:111
github.com/jenkinsci/kubernetes-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/home/tsek/work/projects/go/src/github.com/jenkinsci/kubernetes-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:207
github.com/jenkinsci/kubernetes-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func1
	/home/tsek/work/projects/go/src/github.com/jenkinsci/kubernetes-operator/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:157
github.com/jenkinsci/kubernetes-operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil.func1
	/home/tsek/work/projects/go/src/github.com/jenkinsci/kubernetes-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:133
github.com/jenkinsci/kubernetes-operator/vendor/k8s.io/apimachinery/pkg/util/wait.JitterUntil
	/home/tsek/work/projects/go/src/github.com/jenkinsci/kubernetes-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:134
github.com/jenkinsci/kubernetes-operator/vendor/k8s.io/apimachinery/pkg/util/wait.Until
	/home/tsek/work/projects/go/src/github.com/jenkinsci/kubernetes-operator/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88
runtime.goexit
	/usr/lib/go-1.10/src/runtime/asm_amd64.s:2361	{"cr": "infrastructure"}

Looks like a parsing bug.

Unable to connect to jenkins: 8080: connect: connection refused

I've deployed jenkins-operator to a namespace jx but I am unable to connect:

 Warning  Unhealthy  9s (x5 over 49s)  kubelet, devs0251  Liveness probe failed: Get http://10.42.8.106:8080/login: dial tcp 10.42.8.106:8080: connect: connection refused
  Warning  Unhealthy  8s (x5 over 48s)  kubelet, devs0251  Readiness probe failed: Get http://10.42.8.106:8080/login: dial tcp 10.42.8.106:8080: connect: connection refused

Setup

kubectl create ns jx
kubectl apply -f deploy/crds/jenkinsio_v1alpha1_jenkins_crd.yaml -n jx
kubectl apply -f deploy/service_account.yaml -n jx
kubectl apply -f deploy/role.yaml -n jx
kubectl apply -f deploy/role_binding.yaml -n jx
kubectl apply -f deploy/operator.yaml -n jx

kubectl apply -f deploy/crds/jenkinsio_v1alpha1_jenkins_cr.yaml -n jx

Problem Details

pods are there but one seems not running

$ kubectl.exe get pods -n jx
NAME                                READY     STATUS    RESTARTS   AGE
jenkins-operator-57b5787bf6-j6fjb   1/1       Running   0          1h
jenkins-operator-example            0/1       Running   0          22s

service is there as well

$ kubectl describe svc jenkins-operator-example
Name:              jenkins-operator-example
Namespace:         jx
Labels:            app=jenkins-operator
                   jenkins-cr=example
Annotations:       <none>
Selector:          app=jenkins-operator,jenkins-cr=example
Type:              ClusterIP
IP:                10.43.88.123
Port:              http  8080/TCP
TargetPort:        8080/TCP
Endpoints:
Port:              slavelistener  50000/TCP
TargetPort:        50000/TCP
Endpoints:
Session Affinity:  None
Events:            <none>

However, connection is refused

$ kubectl port-forward jenkins-operator-example 8080:8080
Forwarding from 127.0.0.1:8080 -> 8080
Forwarding from [::1]:8080 -> 8080
Handling connection for 8080
E0226 15:14:22.038742  503488 portforward.go:331] an error occurred forwarding 8080 -> 8080: error forwarding port 8080 to pod e7260c39209deba75df0ceb6c690f6908918486867bb7fd74237023c6972d863, uid : exit status 1: 2019/02/26 14:14:21 socat[20604] E connect(5, AF=2 127.0.0.1:8080, 16): Connection refused
Handling connection for 8080

also probe readyness fails

$  kubectl.exe describe pod jenkins-operator-example -n jx :
Name:               jenkins-operator-example
Namespace:          jx
Priority:           0
PriorityClassName:  <none>
Node:               devs0251/10.120.32.31
Start Time:         Tue, 26 Feb 2019 14:57:47 +0100
Labels:             app=jenkins-operator
                    jenkins-cr=example
Annotations:        cni.projectcalico.org/podIP=10.42.8.106/32
                    kubernetes.io/psp=unrestricted-psp
Status:             Running
IP:                 10.42.8.106
Controlled By:      Jenkins/example
Containers:
  jenkins-master:
    Container ID:  docker://f30eeeebdc1856492b28d00f4e147dc84974224e2fb7f16b850d88e5045d47d0
    Image:         jenkins/jenkins
    Image ID:      docker-pullable://jenkins/jenkins@sha256:786920119322dad0967199ba0a1130ec38fefa87f50a2e1a1818b15cd45b563e
    Ports:         50000/TCP, 8080/TCP
    Host Ports:    0/TCP, 0/TCP
    Command:
      bash
      /var/jenkins/scripts/init.sh
    State:          Running
      Started:      Tue, 26 Feb 2019 14:57:48 +0100
    Ready:          False
    Restart Count:  0
    Limits:
      cpu:     1500m
      memory:  3Gi
    Requests:
      cpu:      1
      memory:   500Mi
    Liveness:   http-get http://:http/login delay=30s timeout=5s period=10s #success=1 #failure=12
    Readiness:  http-get http://:http/login delay=30s timeout=1s period=10s #success=1 #failure=3
    Environment:
      JENKINS_HOME:  /var/jenkins/home
      JAVA_OPTS:     -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:MaxRAMFraction=1 -Djenkins.install.runSetupWizard=false -Djava.awt.headless=true
    Mounts:
      /var/jenkins/base-configuration from base-configuration (ro)
      /var/jenkins/home from home (rw)
      /var/jenkins/init-configuration from init-configuration (ro)
      /var/jenkins/operator-credentials from operator-credentials (ro)
      /var/jenkins/scripts from scripts (ro)
      /var/jenkins/user-configuration from user-configuration (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from jenkins-operator-example-token-2krcf (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  home:
    Type:    EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
  scripts:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jenkins-operator-scripts-example
    Optional:  false
  init-configuration:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jenkins-operator-init-configuration-example
    Optional:  false
  base-configuration:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jenkins-operator-base-configuration-example
    Optional:  false
  user-configuration:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      jenkins-operator-user-configuration-example
    Optional:  false
  operator-credentials:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  jenkins-operator-credentials-example
    Optional:    false
  jenkins-operator-example-token-2krcf:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  jenkins-operator-example-token-2krcf
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason     Age               From               Message
  ----     ------     ----              ----               -------
  Normal   Scheduled  1m                default-scheduler  Successfully assigned jx/jenkins-operator-example to devs0251
  Normal   Pulling    1m                kubelet, devs0251  pulling image "jenkins/jenkins"
  Normal   Pulled     1m                kubelet, devs0251  Successfully pulled image "jenkins/jenkins"
  Normal   Created    1m                kubelet, devs0251  Created container
  Normal   Started    1m                kubelet, devs0251  Started container
  Warning  Unhealthy  9s (x5 over 49s)  kubelet, devs0251  Liveness probe failed: Get http://10.42.8.106:8080/login: dial tcp 10.42.8.106:8080: connect: connection refused
  Warning  Unhealthy  8s (x5 over 48s)  kubelet, devs0251  Readiness probe failed: Get http://10.42.8.106:8080/login: dial tcp 10.42.8.106:8080: connect: connection refused

Custom auth overridden on jenkins restart

It looks like this script gets run every time Jenkins starts up:

https://github.com/jenkinsci/kubernetes-operator/blob/v0.0.4/pkg/controller/jenkins/configuration/base/resources/init_configuration_configmap.go#L16-L30

We're currently configuring a 3rd party auth plugin in the user-config groovy scripts. This works fine until someone either restarts Jenkins from the UI or another config script does a safe restart. This causes the above script to run again and then the new auth plugin has to be reconfigured.

Can you provide some guidance on how this should be resolved? The options I can think of right now are:

We can probably override the init-configuration configmap and remove that part of the init script. I don't know if this configmap ever gets re-created by the operator though, or if it's meant to be overridden.
Should this be a feature request to have an option in the CR for customAuth: true or something similar that the script can check and skip those config items?

Feature Request: Support config as code options in the crd

Thanks for working on the jenkins operator... I'd like the option to put configuration as code in the jenkins custom resource, instead of having to create a file in a configmap first:

apiVersion: jenkins.io/v1alpha1
kind: Jenkins
metadata:
  name: example
spec:
  master:
   image: jenkins/jenkins
  config:
    jenkins:
      systemMessage: "Hello world"

I think this follows the philosophy of operator a bit closer and does not need to be mutually exclusive with existing approach.

Getting WARN when installing new plugin

After I've added new plugin and checked logs from operator I did get warn message:
WARN: Incompatible plugin '{pipeline-utility-steps 2.3.0}' version, actual '' {"cr": "infrastructure"}

Issue is that plugin was compatible and installed successfully thus above message is not accurate.

Support to set http proxy

Access to the internet to install plugins is behind a proxy.
But its unclear where to set that in the operator.

Incorrect plugin path used when fetching plugins

On a new 1.15.2 K8s cluster, and the operator installed, using the following JenkinsInstance manifest the plugin path is incorrect

apiVersion: jenkins.jenkinsoperator.samsung-cnct.github.com/v1alpha2
kind: JenkinsInstance
metadata:
  labels:
    controller-tools.k8s.io: "1.0"
  name: jenkinsinstance
spec:
  image: "jenkins/jenkins:lts"
  plugins:
    - id: kubernetes
      version: latest
  cascconfig:
    configmap: jenkins-config
  cascsecret: admin-secret
  executors: 1
  adminsecret: admin-secret
  service:
    name: jenkins
    servicetype: ClusterIP
  cascconfig:
      configmap: jenkinsinstance-httpproxy
  cascsecret: jenkins-admin-secret
  storage:
    jobspvc: jenkins
    jobspvcspec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 1G

The attempted plugin download command is:

curl -sSfL --connect-timeout 20 \
--retry 3 --retry-delay 0 --retry-max-time 60 \
https://updates.jenkins.io/2.176/latest/kubernetes-plugin.hpi \
-o /usr/share/jenkins/ref/plugins/kubernetes-plugin.jpi

When I run that command manually a 404 is returned

curl: (22) The requested URL returned error: 404 Not Found

Checking the website where plugins reside, this path is valid (removing the trailing "-plugin"):

curl -ksSfL --connect-timeout 20 \
--retry 3 --retry-delay 0 --retry-max-time 60 \
https://updates.jenkins.io/2.176/latest/kubernetes.hpi
# output path redacted for brevity

I'm not sure where to change that reference to be able to fetch plugins from a valid path.
Code "getting-started.md" says the init.sh is provided by the operator, but cannot find any init.sh in master branch, or any reference to it, other than the "getting-started.md".

Improve TestConfiguration e2e test

Add the following checks:

Jenkins CR spec.master.securityContext is propagated to Jenkins pod spec.securityContext
Jenkins CR spec.master.containers[jenkins-master].command is propagated to Jenkins pod spec.containers[jenkins-master].command

jenkins --prefix= question

Hi,

Is it possible to use --prefix= with operator? Usually below needs to be added in Deployment configuration.

     env:
     - name: JENKINS_OPTS
       value: --prefix=/jenkins

Instance is up and running with with prefix i.e http://localhost:8080/jenkins/login but Operator fails to configure it.

Thanks.

Support seed-job configuration through Jenkins.spec.seedJobs

We would like to configure the Seed Job created by the operator, we are particularly interested
in configuring:

Build Trigger:
- Build periodically
- GitHub hook trigger for GITScm polling
- Poll SCM
Build
- Ignore missing files
- Additional classpath
- Fail build if a plugin must be installed or updated
- Mark build as unstable when using deprecated features

Looks like the only way to have that support is to extend the CRD?

Just to be clear, we do not mean the jenkins-operator-configure-seed-job, but the jobs generated from that.

External documentation for kubernetes-operator

Hi everyone,

I think it's time to start working on external GitHub static website for kubernetes-operator documentation.

My suggestions:

use https://gohugo.io/
create an additional repository for docs
document more patterns/recipes for using kubernetes-operator

cc @ndeloof

Error: cannot find volume "jenkins-home" to mount into container "jenkins-master"

Hi,

I'm running k8s on azure cloud and tried to setup jenkins-operator with default setup as in documentation using latest version.

I'm getting below error when deploying Jenkins

Error: cannot find volume "jenkins-home" to mount into container "jenkins-master"

Cheers

Jenkins Operator Active Directory

Hi,

Does operator supports active directory credentials? I setup Azure Active Directory security realm with matrix based security.
Everything is setup properly. I'm able to login but when some change is being triggered i.e
jenkins-operator-user-configuration pipeline doesn't start. Message is displayed in logs
Reconcile loop failed: couldn't poll data from Jenkins API, invalid status code returned: 403

I played around with jenkins-operator-credentials but no success.

Thanks.

How to upgrade plugin

There's a list of base plugins installed by default, but how to upgrade any of those plugins? e.g. if upgrade kubernetes plugin in Jenkins.master.plugins section as follows:

   plugins:
     kubernetes:1.15.5: []

Then the operator validation would fail, due to there exists 2 versions for kubernetes plugin.

$ kubectl logs jenkins-operator-6d9f5c7ff7-97ngz
...
2019-06-04T02:00:39.985Z        WARN    controller-jenkins      plugins/plugin.go:73    Plugin 'kubernetes:1.15.5' requires version '1.15.5' but plugin 'kubernetes:1.14.8' requires '1.14.8' for plugin 'kubernetes'
2019-06-04T02:00:39.985Z        WARN    controller-jenkins      plugins/plugin.go:73    Plugin 'kubernetes:1.14.8' requires version '1.14.8' but plugin 'kubernetes:1.15.5' requires '1.15.5' for plugin 'kubernetes'
2019-06-04T02:00:39.985Z        WARN    controller-jenkins      jenkins/jenkins_controller.go:154       Validation of base configuration failed, please correct Jenkins CR      {"cr": "example"}

So is there any mechanism in jenkins operator for upgrading already installed plugins.

Test stage of builds, fails..

Getting errors, when running the 'Build jenkins operator' job:

make test
test
can't load package: package /home/jenkins/workspace/build-jenkins-operator/src/github.com/jenkinsci/kubernetes-operator/cmd/manager: cannot find package "/home/jenkins/workspace/build-jenkins-operator/src/github.com/jenkinsci/kubernetes-operator/cmd/manager" in any of:
/usr/lib/go/src//home/jenkins/workspace/build-jenkins-operator/src/github.com/jenkinsci/kubernetes-operator/cmd/manager (from $GOROOT)
/go/src//home/jenkins/workspace/build-jenkins-operator/src/github.com/jenkinsci/kubernetes-operator/cmd/manager (from $GOPATH)
can't load package: package /home/jenkins/workspace/build-jenkins-operator/src/github.com/jenkinsci/kubernetes-operator/internal/errors: cannot find package "/home/jenkins/workspace/build-jenkins-operator/src/github.com/jenkinsci/kubernetes-operator/internal/errors" in any of:
/usr/lib/go/src//home/jenkins/workspace/build-jenkins-operator/src/github.com/jenkinsci/kubernetes-operator/internal/errors (from $GOROOT)
/go/src//home/jenkins/workspace/build-jenkins-operator/src/github.com/jenkinsci/kubernetes-operator/internal/errors (from $GOPATH)
can't load package: package /home/jenkins/workspace/build-jenkins-operator/src/github.com/jenkinsci/kubernetes-operator/internal/time: cannot find package "/home/jenkins/workspace/build-jenkins-operator/src/github.com/jenkinsci/kubernetes-operator/internal/time" in any of:
/usr/lib/go/src//home/jenkins/workspace/build-jenkins-operator/src/github.com/jenkinsci/kubernetes-operator/internal/time (from $GOROOT)
/go/src//home/jenkins/workspace/build-jenkins-operator/src/github.com/jenkinsci/kubernetes-operator/internal/time (from $GOPATH)

Any ideas I need to check?

Feature Request: Support installing additional plugins

Copied/moved from VirtusLab#5

I see that you can override basePlugins in the CR yaml by specifying spec.master.plugins with something like this:

apiVersion: virtuslab.com/v1alpha1
kind: Jenkins
metadata:
  name: example
spec:
  master:
   image: jenkins/jenkins:lts
   plugins:
     configuration-as-code:1.4:
     - configuration-as-code-support:1.4
...

However, this either uses the default plugins OR the ones specified:
https://github.com/VirtusLab/jenkins-operator/blob/a275ed62d5a3e01ef5ed5e333ce6860b84a8f05f/pkg/controller/jenkins/jenkins_controller.go#L221-L224

As far as I understand, we have two options if we want to install additional plugins or update plugins:

Override spec.master.plugins with a complete list of plugins and dependencies. This makes it difficult to maintain if jenkins-operator has a new release that uses a new set of base plugins.
Write custom .groovy scripts that install the needed plugins. I believe this is the current recommendation in the README.

Let me know if there is another option I'm missing.

My feature request is to add a new option spec.master.additionalPlugins that would just be merged into the default set of plugins. This would make managing plugins a little bit simpler compared to either option I listed, since only the updated or new plugins would need to be specified.

Operator does not restart jenkins when plugin dependency version is changes

Steps to reproduce:

start a Jenkins with a plugin configuration that has dependencies
change version of a one of the plugin's dependency
observe jenkins was not restarted and is still running old version

help: configure parameters for pipelines with job

Hey, thx again for the work on the operator.

I try to get the operator running together with a github app.
this is running basically with parameters to start the builds.

My problem now is, that i need to add the parameters (with its default values) manually to the pipeline. Are the seed jobs able to do that automatically for me?
The seed job for the pipeline i am trying to do that looks like that:

Any hint on how to configure the pipelines parameters programatically?

#!/usr/bin/env groovy

pipelineJob('devops-deploy-pr') {
    displayName('devops: deploy pr')

    logRotator {
        numToKeep(10)
        daysToKeep(30)
    }

    configure { project ->
        project / 'properties' / 'org.jenkinsci.plugins.workflow.job.properties.DurabilityHintJobProperty' {
            hint('PERFORMANCE_OPTIMIZED')
        }
    }

    definition {
        cpsScm {
            scm {
                git {
                    remote {
                        url('[email protected]:.../....git')
                        credentials('ssh-key-jenkins-github-devops')
                    }
                    branches('*/...')
                }
            }
            scriptPath('cicd/pipelines/....groovy')
        }
    }
}

Docker Build inside Jenkins Build Agent

I'm probably missing something obvious... I'm trying to build a docker image in a build agent, but keep getting the following error:

+ docker build -t my-jenkins:latest -f jenkins-docker/Dockerfile .
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Everything I've read online so far point to starting Jenkins with -v /var/run/docker.sock:/var/run/docker.sock, but I'm not sure how that works with the operator/k8s implementation. I've tried various things in the jenkins instance CR, such as:

spec:
  master:
    volumes:
    - name: nfs
      persistentVolumeClaim:
        claimName: nfs
    - name: dockersock
      hostPath:
        path: /var/run/docker.sock

If I'm going down the right trail, how should I set Jenkins to start with the proper docker.sock config? If not, how should I build docker images inside Jenkins?

For reference, here's my current pipeline config:

#!/usr/bin/env groovy

def label = "docker-jenkins-${UUID.randomUUID().toString()}"
def home = "/home/jenkins"
def workspace = "${home}/workspace/build-docker-jenkins"
def workdir = "${workspace}/src/localhost/docker-jenkins/"

def ecrRepoName = "my-jenkins"
def tag = "$ecrRepoName:latest"

podTemplate(label: label,
        containers: [
                containerTemplate(name: 'jnlp', image: 'jenkins/jnlp-slave:alpine'),
                containerTemplate(name: 'docker', image: 'docker:dind', command: 'cat', ttyEnabled: true, privileged: true),
        ]) {

    node(label) {
        dir(workdir) {
            stage('Checkout') {
                timeout(time: 3, unit: 'MINUTES') {
                    checkout scm
                }
            }

            stage('Docker Build') {
                container('docker') {
                    echo "Building docker image..."
                    sh "docker build -t $tag -f jenkins-docker/Dockerfile ."
                }
            }
        }
    }
}

All INFO logging of user configuration changes

Currently the operator logs does not show when the user config change was detected (CR,Secret or ConfigMap).

This is confusing for the user when unsuccessful config change attempts show up in logs
(e.g. cr plugin config fail) and then after correction there is no indication of the change in the internal state of the operator or the jenkins (at least from the logs).

It would be very helpful if we could get INFO log on a detected change of a CR, Secret or ConfigMap

Need better documentation

Im trying to install google-login plugin. However, i don't understand where the settings should be provided after installing the plugin. When jenkins restarts, the plugin is there, but the settings are gone.

Seedjobs example of how to use with Github PR's ?

Do we have an example of this?

mkdir: cannot create directory ‘/var/jenkins/home/plugins/github-oauth.lock’: File exists

Got error when adding github-oauth plugin on startup:

    image: jenkins/jenkins:lts
    plugins:
      github-oauth:0.31:
      - github-oauth:0.31

Cleaning up locks
+ echo 'Installing plugins required by Operator - end'
+ echo 'Installing plugins required by user - begin'
+ echo 'Installing required plugins for '\''github-oauth:0.31'\'''
+ /var/jenkins/home/scripts/install-plugins.sh github-oauth:0.31 github-oauth:0.31
Installing plugins required by Operator - end
Installing plugins required by user - begin
Installing required plugins for 'github-oauth:0.31'
Creating initial locks...
mkdir: cannot create directory ‘/var/jenkins/home/plugins/github-oauth.lock’: File exists

Implement nodeSelectors

I would want to limit job (and master) spawning to a select group of nodes. I there a way to do that now?

Jenkins operator on Google Kubernetes engine?

Hello everybody,
Just curious if anybody had succeeded implementing this on google kubernetes engine? My tests there fails on i/o timeout, even with the changes on 'initialDelaySeconds' and 'failureThreshold' to 120 and 12 respectively.
By the way, I have also tried testing this on Docker for Windows, it fails also on creating the jenkins instance, repeating the 'Creating...' then 'running'..then 'terminating'...sequences.
Any ideas?

Feature request: configure additional environment variables for master pod from secrets

I'd like to pass a secret value to script / SACS config - for example, OATH2 client secret, etc - see example at https://github.com/jenkinsci/configuration-as-code-plugin/blob/5479188627778acca60b56e318bd899bf18ae131/demos/kubernetes-secrets/README.md

Would be nice if in Jenkins.master I could configure additional environment variables ([]core.v1. EnvVar) for the master container

Feature Request: Add kubernetes-credentials-provider plugin to OperatorPlugins

The kubernetes-credentials-provider plugin would not only be convenient to use for users, but also for the operator itself.

It could be used to fix this issue with the operator. Instead of the configure-seed-job having to provided the private key as a build parameter, it could be auto-added to Jenkins using the plugin mentioned.

Feature Request: Add support for specifying the ServiceType for Jenkins Service

It would be nice to be able to configure the ServiceType Jenkins. Currently it is hardcoded to NodePort or ClusterIP depending on whether or not it is running in Minikube.

For example in GCP, one could set the ServiceType to LoadBalancer to expose Jenkins externally.

Development instructions don't result in successful build

➭ make minikube-run EXTRA_ARGS='--minikube --local'
+ minikube-start
host: Running
kubelet: Running
apiserver: Running
kubectl: Correctly Configured: pointing to minikube-vm at 192.168.99.102
+ deepcopy-gen
operator-sdk generate k8s
INFO[0000] Running deepcopy code-generation for Custom Resource group versions: [jenkins:[v1alpha1 v1alpha2], ]
F0715 20:35:41.620683   26233 deepcopy.go:922] Hit an unsupported type invalid type for *invalid type
goroutine 1 [running]:
k8s.io/klog.stacks(0xc0002be100, 0xc00051c240, 0x66, 0xb6)
	pkg/mod/k8s.io/[email protected]/klog.go:855 +0xb1
k8s.io/klog.(*loggingT).output(0x3ffc080, 0xc000000003, 0xc000341810, 0x3e3ba04, 0xb, 0x39a, 0x0)
	pkg/mod/k8s.io/[email protected]/klog.go:806 +0x2d9
k8s.io/klog.(*loggingT).printf(0x3ffc080, 0x3, 0x29b1ac6, 0x21, 0xc00065aca0, 0x2, 0x2)
	pkg/mod/k8s.io/[email protected]/klog.go:705 +0x14e
k8s.io/klog.Fatalf(...)
	pkg/mod/k8s.io/[email protected]/klog.go:1256
k8s.io/gengo/examples/deepcopy-gen/generators.(*genDeepCopy).doPointer(0xc000597a80, 0xc000360840, 0xc0006bbcc0)
	pkg/mod/k8s.io/[email protected]/examples/deepcopy-gen/generators/deepcopy.go:922 +0x3c1
k8s.io/gengo/examples/deepcopy-gen/generators.(*genDeepCopy).generateFor(0xc000597a80, 0xc000360840, 0xc0006bbcc0)
	pkg/mod/k8s.io/[email protected]/examples/deepcopy-gen/generators/deepcopy.go:695 +0xc5
k8s.io/gengo/examples/deepcopy-gen/generators.(*genDeepCopy).doStruct(0xc000597a80, 0xc0003606e0, 0xc0006bbcc0)
	pkg/mod/k8s.io/[email protected]/examples/deepcopy-gen/generators/deepcopy.go:865 +0x472
k8s.io/gengo/examples/deepcopy-gen/generators.(*genDeepCopy).generateFor(0xc000597a80, 0xc0003606e0, 0xc0006bbcc0)
	pkg/mod/k8s.io/[email protected]/examples/deepcopy-gen/generators/deepcopy.go:695 +0xc5
k8s.io/gengo/examples/deepcopy-gen/generators.(*genDeepCopy).GenerateType(0xc000597a80, 0xc0006bce40, 0xc0003606e0, 0x2c99d40, 0xc00052f780, 0x0, 0x29995d9)
	pkg/mod/k8s.io/[email protected]/examples/deepcopy-gen/generators/deepcopy.go:608 +0xe86
k8s.io/gengo/generator.(*Context).executeBody(0xc0006bce40, 0x2c968c0, 0xc0006d8c00, 0x2d0f5a0, 0xc000597a80, 0x60, 0x10)
	pkg/mod/k8s.io/[email protected]/generator/execute.go:304 +0x11d
k8s.io/gengo/generator.(*Context).ExecutePackage(0xc0006bcc60, 0xc000132d80, 0x17, 0x2ce7ae0, 0xc000597980, 0x0, 0x0)
	pkg/mod/k8s.io/[email protected]/generator/execute.go:265 +0xbf7
k8s.io/gengo/generator.(*Context).ExecutePackages(0xc0006bcc60, 0xc000132d80, 0x17, 0xc00061a4e0, 0x1, 0x1, 0x0, 0xc000132f00)
	pkg/mod/k8s.io/[email protected]/generator/execute.go:51 +0xc5
k8s.io/gengo/args.(*GeneratorArgs).Execute(0xc0004adae0, 0xc00065b810, 0x296a2c4, 0x6, 0x2a5f9d8, 0xc000132cc0, 0x1b)
	pkg/mod/k8s.io/[email protected]/args/args.go:194 +0x2d7
github.com/operator-framework/operator-sdk/cmd/operator-sdk/internal/genutil.deepcopyGen(0xc00043dd00, 0x3a, 0xc000149480, 0x2, 0x2, 0x18, 0xc00065b9b0)
	src/github.com/operator-framework/operator-sdk/cmd/operator-sdk/internal/genutil/k8s.go:94 +0x4d2
github.com/operator-framework/operator-sdk/cmd/operator-sdk/internal/genutil.K8sCodegen.func1(0xc00043dd00, 0x3a, 0xc00043dd00, 0x3a)
	src/github.com/operator-framework/operator-sdk/cmd/operator-sdk/internal/genutil/k8s.go:53 +0x50
github.com/operator-framework/operator-sdk/cmd/operator-sdk/internal/genutil.generateWithHeaderFile(0xc0001494a0, 0x0, 0x0)
	src/github.com/operator-framework/operator-sdk/cmd/operator-sdk/internal/genutil/genutil.go:104 +0x178
github.com/operator-framework/operator-sdk/cmd/operator-sdk/internal/genutil.K8sCodegen(0xc00015ca00, 0x0)
	src/github.com/operator-framework/operator-sdk/cmd/operator-sdk/internal/genutil/k8s.go:54 +0x4a5
github.com/operator-framework/operator-sdk/cmd/operator-sdk/generate.k8sFunc(0xc00015ca00, 0x401fc80, 0x0, 0x0, 0x0, 0x0)
	src/github.com/operator-framework/operator-sdk/cmd/operator-sdk/generate/k8s.go:56 +0x156
github.com/spf13/cobra.(*Command).execute(0xc00015ca00, 0x401fc80, 0x0, 0x0, 0xc00015ca00, 0x401fc80)
	pkg/mod/github.com/spf13/[email protected]/command.go:762 +0x465
github.com/spf13/cobra.(*Command).ExecuteC(0xc000463400, 0x2c9b2e0, 0xc000380e00, 0x0)
	pkg/mod/github.com/spf13/[email protected]/command.go:852 +0x2ec
github.com/spf13/cobra.(*Command).Execute(...)
	pkg/mod/github.com/spf13/[email protected]/command.go:800
main.main()
	src/github.com/operator-framework/operator-sdk/cmd/operator-sdk/main.go:85 +0x50f
make: *** [deepcopy-gen] Error 255

Jenkins master pod name is misleading

jenkins-operator- is a bit misleading name for a jenkins master, it looks like there is no master running

I propose dropping the infix -operator- and make it simply: jenkins-<cr-name>

Possible to create seed job without repo?

Hi, can I add a seed job via the Jenkins config map like CASC?

We want to use a ephemeral jenkins as a testing ground for a shared library and spawning a test job that uses the library without the need to put seed jobs in a repo would be nice.

Add ability to pass imagePullSecrets parameter

Hi!
I would like to use my own image from private registry with preinstalled plugins and tools.
Looks like it's not possible or undocumented. Please fix and provide ability to pull images from private registries using imagePullSecrets statement. Thanks.

No pods created after deleting and re-deploying

After cleanup an initial deployment, I tried to deploy it again but there are no pods created.

There are also no events in kubernetes indicating that something happens

$ kubectl.exe get ev -n jx
No resources found.

Reproduction Steps*

Initial deployment according to guidelines but to custom namespace jx

Removing deplyoment

Delete namespace jx

$ kubectl.exe delete ns jx
namespace "jx" deleted

Delete crd

$ kubectl.exe delete crd jenkins.jenkins.io
customresourcedefinition.apiextensions.k8s.io "jenkins.jenkins.io" deleted

Redeploy

$ kubectl create namespace jx
namespace "jx" created

$ kubectl.exe create -f deploy/crds/jenkinsio_v1alpha1_jenkins_crd.yaml -n jx
customresourcedefinition.apiextensions.k8s.io "jenkins.jenkins.io" created

$ kubectl.exe create -f deploy/crds/jenkinsio_v1alpha1_jenkins_cr.yaml -n jx
jenkins.jenkins.io "example" created

Now I can see

$ kubectl.exe get jenkins -n jx
NAME      AGE
example   1m

However there were no pods and no services created

$ kubectl.exe get pods -w

$ kubectl.exe get svc -w

Version Info

kubernetes-operator: v0.0.5

$ kubectl.exe version
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:17:39Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.6", GitCommit:"b1d75deca493a24a2f87eb1efde1a569e52fc8d9", GitTreeState:"clean", BuildDate:"2018-12-16T04:30:10Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}

Cryptic error messages in configuration job logs about expected hash

This message require more context for the user to know if it is safe to ignore.

...
[Pipeline] stage
[Pipeline] { (Synchronizing files)
[Pipeline] echo
Expected hash '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=', actual hash '47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=', path '/var/jenkins/user-configuration-secrets'
[Pipeline] echo
Expected hash 'cFkG2OxG7TLN4C607Q729y7SQz0Qf0JHmD1eEGhTSJ4=', actual hash 'h71uCPs+DsUKtvphzUJ2vvEaRSjj6udPZ+G1bztQdis=', path '/var/jenkins/user-configuration'
[Pipeline] sleep
...

Error from server (AlreadyExists): error when creating "deploy/crds/jenkinsio_v1alpha1_jenkins_cr.yaml": jenkins.jenkins.io "example" already exists

I was playing around and to start over, I've deleted the pods and wanted to recreate the deplyoment which fails

Error from server (AlreadyExists): error when creating "deploy/crds/jenkinsio_v1alpha1_jenkins_cr.yaml": jenkins.jenkins.io "example" already exists

Steps to reproduce

After deleting the pod ...

$ kubectl.exe delete pod jenkins-operator-example
pod "jenkins-operator-example" deleted

... there is only the service left

$ kubectl.exe get all --all-namespaces | grep oper
jx   service/jenkins-operator-example    ClusterIP   10.43.235.193   <none>   8080/TCP,50000/TCP  49m

However I cannot deploy

$ kubectl.exe create -f deploy/crds/jenkinsio_v1alpha1_jenkins_cr.yaml -n jx
Error from server (AlreadyExists): error when creating "deploy/crds/jenkinsio_v1alpha1_jenkins_cr.yaml": jenkins.jenkins.io "example" already exists

Workaround

I can delete first the resource and re-add it

$ kubectl.exe delete crd jenkins.jenkins.io
customresourcedefinition.apiextensions.k8s.io "jenkins.jenkins.io" deleted
$ kubectl.exe create -f deploy/crds/jenkinsio_v1alpha1_jenkins_crd.yaml -n jx
customresourcedefinition.apiextensions.k8s.io "jenkins.jenkins.io" created

after this the error has gone

$ kubectl.exe create -f deploy/crds/jenkinsio_v1alpha1_jenkins_cr.yaml -n jx
jenkins.jenkins.io "example" created