Initial commit is a fork from the stable helm chart for jenkins, in git lab.

.gitignore

+##LDE specific
+.project
+*.iml
+*.idea

.helmignore

+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+ci/

Chart.yaml

+apiVersion: v1
+name: jenkins
+home: https://jenkins.io/
+
+version: 1.13.0
+appVersion: lts
+description: Open source continuous integration server. It supports multiple SCM tools
+  including CVS, Subversion and Git. It can execute Apache Ant and Apache Maven-based
+  projects as well as arbitrary scripts.
+sources:
+- https://github.com/jenkinsci/jenkins
+- https://github.com/jenkinsci/docker-jnlp-slave
+- https://github.com/maorfr/kube-tasks
+- https://github.com/jenkinsci/configuration-as-code-plugin
+maintainers:
+- name: lachie83
+  email: lachlan.evenson@microsoft.com
+- name: viglesiasce
+  email: viglesias@google.com
+- name: maorfr
+  email: maor.friedman@redhat.com
+- name: torstenwalter
+  email: mail@torstenwalter.de
+- name: mogaal
+  email: garridomota@gmail.com
+icon: https://wiki.jenkins-ci.org/download/attachments/2916393/logo.png

OWNERS

+approvers:
+- lachie83
+- viglesiasce
+- maorfr
+- torstenwalter
+- mogaal
+reviewers:
+- lachie83
+- viglesiasce
+- maorfr
+- torstenwalter
+- mogaal

ci/casc-values.yaml

+master:
+  JCasC:
+    enabled: true
+    defaultConfig: true
+  sidecars:
+    configAutoReload:
+      enabled: true
+  healthProbeLivenessInitialDelay: 10
+  healthProbeReadinessInitialDelay: 10
+persistence:
+  enabled: false

ci/default-values.yaml

+# this file is empty to check if defaults within values.yaml work as expected

templates/NOTES.txt

+1. Get your '{{ .Values.master.adminUser }}' user password by running:
+  printf $(kubectl get secret --namespace {{ template "jenkins.namespace" . }} {{ template "jenkins.fullname" . }} -o jsonpath="{.data.jenkins-admin-password}" | base64 --decode);echo
+
+{{- if .Values.master.ingress.hostName }}
+
+2. Visit http://{{ .Values.master.ingress.hostName }}
+{{- else }}
+2. Get the Jenkins URL to visit by running these commands in the same shell:
+{{- if contains "NodePort" .Values.master.serviceType }}
+  export NODE_PORT=$(kubectl get --namespace {{ template "jenkins.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "jenkins.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ template "jenkins.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT/login
+
+{{- else if contains "LoadBalancer" .Values.master.serviceType }}
+  NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+        You can watch the status of by running 'kubectl get svc --namespace {{ template "jenkins.namespace" . }} -w {{ template "jenkins.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ template "jenkins.namespace" . }} {{ template "jenkins.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
+{{- if .Values.master.httpsKeyStore.enable }}
+  echo https://$SERVICE_IP:{{ .Values.master.servicePort }}/login
+{{- else }}
+  echo http://$SERVICE_IP:{{ .Values.master.servicePort }}/login
+{{- end }}
+
+{{- else if contains "ClusterIP"  .Values.master.serviceType }}
+  export POD_NAME=$(kubectl get pods --namespace {{ template "jenkins.namespace" . }} -l "app.kubernetes.io/component={{ .Values.master.componentName }}" -l "app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo http://127.0.0.1:{{ .Values.master.servicePort }}
+  kubectl --namespace {{ template "jenkins.namespace" . }} port-forward $POD_NAME {{ .Values.master.servicePort }}:{{ .Values.master.servicePort }}
+
+{{- end }}
+{{- end }}
+
+3. Login with the password from step 1 and the username: {{ .Values.master.adminUser }}
+{{ if .Values.master.JCasC.enabled }}
+4. Use Jenkins Configuration as Code by specifying configScripts in your values.yaml file, see documentation: http://{{ .Values.master.ingress.hostName }}/configuration-as-code and examples: https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demos
+{{- end }}
+
+For more information on running Jenkins on Kubernetes, visit:
+https://cloud.google.com/solutions/jenkins-on-container-engine
+{{- if .Values.master.JCasC.enabled }}
+For more information about Jenkins Configuration as Code, visit:
+https://jenkins.io/projects/jcasc/
+{{- end }}
+
+{{- if .Values.persistence.enabled }}
+{{- else }}
+#################################################################################
+######   WARNING: Persistence is disabled!!! You will lose your data when   #####
+######            the Jenkins pod is terminated.                            #####
+#################################################################################
+{{- end }}
+
+{{- if .Values.master.imageTag }}
+#################################################################################
+######   WARNING: `master.imageTag` will be obsoleted soon!!!               #####
+######            It has been renamed to `master.tag`.                      #####
+#################################################################################
+{{- end }}
+
+{{- if .Values.agent.imageTag }}
+#################################################################################
+######   WARNING: `agent.imageTag` will be obsoleted soon!!!                #####
+######            It has been renamed to `agent.tag`.                       #####
+#################################################################################
+{{- end }}

templates/home-pvc.yaml

+{{- if not (contains "jenkins-home" (quote .Values.persistence.volumes)) }}
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+{{- if .Values.persistence.annotations }}
+  annotations:
+{{ toYaml .Values.persistence.annotations | indent 4 }}
+{{- end }}
+  name: {{ template "jenkins.fullname" . }}
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClass }}
+{{- if (eq "-" .Values.persistence.storageClass) }}
+  storageClassName: ""
+{{- else }}
+  storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

templates/jcasc-config.yaml

+{{- $root := . }}
+{{- if and (.Values.master.JCasC.enabled) (.Values.master.sidecars.configAutoReload.enabled) }}
+{{- range $key, $val := .Values.master.JCasC.configScripts }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "jenkins.fullname" $root }}-jenkins-config-{{ $key }}
+  namespace: {{ template "jenkins.namespace" $root }}
+  labels:
+    "app.kubernetes.io/name": {{ template "jenkins.name" $root}}
+    "helm.sh/chart": {{ $.Chart.Name }}-{{ $.Chart.Version }}
+    "app.kubernetes.io/managed-by": "{{ $.Release.Service }}"
+    "app.kubernetes.io/instance": "{{ $.Release.Name }}"
+    "app.kubernetes.io/component": "{{ $.Values.master.componentName }}"
+    {{ template "jenkins.fullname" $root }}-jenkins-config: "true"
+data:
+  {{ $key }}.yaml: |-
+{{ tpl $val $| indent 4 }}
+{{- end }}
+{{- if .Values.master.JCasC.defaultConfig }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "jenkins.fullname" $root }}-jenkins-jcasc-config
+  namespace: {{ template "jenkins.namespace" $root }}
+  labels:
+    "app.kubernetes.io/name": {{ template "jenkins.name" $root}}
+    "helm.sh/chart": {{ $.Chart.Name }}-{{ $.Chart.Version }}
+    "app.kubernetes.io/managed-by": "{{ $.Release.Service }}"
+    "app.kubernetes.io/instance": "{{ $.Release.Name }}"
+    "app.kubernetes.io/component": "{{ $.Values.master.componentName }}"
+    {{ template "jenkins.fullname" $root }}-jenkins-config: "true"
+data:
+  jcasc-default-config.yaml: |-
+    {{- include "jenkins.casc.defaults" . |nindent 4 }}
+{{- end}}
+{{- end }}

templates/jenkins-agent-svc.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "jenkins.fullname" . }}-agent
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+{{- if .Values.master.slaveListenerServiceAnnotations }}
+  annotations:
+{{ toYaml .Values.master.slaveListenerServiceAnnotations | indent 4 }}
+{{- end }}
+spec:
+  ports:
+    - port: {{ .Values.master.slaveListenerPort }}
+      targetPort: {{ .Values.master.slaveListenerPort }}
+      {{ if (and (eq .Values.master.slaveListenerServiceType "NodePort") (not (empty .Values.master.slaveListenerPort))) }}
+      nodePort: {{.Values.master.slaveListenerPort}}
+      {{end}}
+      name: slavelistener
+  selector:
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+  type: {{ .Values.master.slaveListenerServiceType }}
+  {{  if eq .Values.master.slaveListenerServiceType "LoadBalancer"  }}
+  {{  if .Values.master.slaveListenerLoadBalancerIP  }}
+  loadBalancerIP: {{  .Values.master.slaveListenerLoadBalancerIP  }}
+  {{end}}
+  {{end}}

templates/jenkins-backup-cronjob.yaml

+{{- if .Values.backup.enabled }}
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: {{ template "jenkins.fullname" . }}-backup
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.backup.componentName }}"
+spec:
+  schedule: {{ .Values.backup.schedule | quote }}
+  concurrencyPolicy: Forbid
+  startingDeadlineSeconds: 120
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          {{- if .Values.backup.labels }}
+          labels:
+{{ toYaml .Values.backup.labels | trim | indent 12 }}
+          {{- end }}
+          {{- if .Values.backup.annotations }}
+          annotations:
+{{ toYaml .Values.backup.annotations | trim | indent 12 }}
+          {{- end }}
+        spec:
+          restartPolicy: OnFailure
+          serviceAccountName: {{ template "jenkins.fullname" . }}-backup
+          containers:
+          - name: jenkins-backup
+            image: "{{ .Values.backup.image.repository }}:{{ .Values.backup.image.tag }}"
+            command: ["kube-tasks"]
+            args:
+            - simple-backup
+            - -n
+            - {{ template "jenkins.namespace" . }}
+            - -l
+            - app.kubernetes.io/instance={{ .Release.Name }}
+            - --container
+            - jenkins
+            - --path
+            - {{ .Values.master.jenkinsHome }}
+            - --dst
+            - {{ .Values.backup.destination }}
+            {{- with .Values.backup.extraArgs }}
+{{ toYaml . | indent 12 }}
+            {{- end }}
+            env:
+            {{- with .Values.backup.env }}
+{{ toYaml . | trim | indent 12 }}
+            {{- end }}
+            {{- if .Values.backup.existingSecret }}
+            {{- range $key,$value := .Values.backup.existingSecret }}
+            {{- if $value.awsaccesskey }}
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $key }}
+                  key: {{ $value.awsaccesskey | quote }}
+            {{- end }}
+            {{- if $value.awssecretkey }}
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ $key }}
+                  key: {{ $value.awssecretkey | quote}}
+            {{- end }}
+            {{- if $value.gcpcredentials }}
+            - name: GOOGLE_APPLICATION_CREDENTIALS
+              value: "/var/run/secrets/{{ $key }}/{{ $value.gcpcredentials }}"
+            {{- end }}
+            {{- end }}
+            {{- end }}
+          {{- with .Values.backup.resources }}
+            resources:
+{{ toYaml . | trim | indent 14 }}
+          {{- end }}
+            volumeMounts:
+          {{- if .Values.backup.existingSecret }}
+          {{- range $key,$value := .Values.backup.existingSecret }}
+          {{- if $value.gcpcredentials }}
+            - mountPath: /var/run/secrets/{{ $key }}
+              name: {{ $key }}
+          {{- end }}
+          {{- end }}
+          {{- end }}
+          volumes:
+          {{- if .Values.backup.existingSecret }}
+          {{- range $key,$value := .Values.backup.existingSecret }}
+          {{- if $value.gcpcredentials }}
+          - name:  {{ $key }}
+            secret:
+              secretName:  {{ $key }}
+          {{- end }}
+          {{- end }}
+          {{- end }}
+          affinity:
+            podAffinity:
+              preferredDuringSchedulingIgnoredDuringExecution:
+              - weight: 100
+                podAffinityTerm:
+                  topologyKey: "kubernetes.io/hostname"
+                  labelSelector:
+                    matchExpressions:
+                    - key: app
+                      operator: In
+                      values:
+                      - {{ template "jenkins.fullname" . }}
+                    - key: release
+                      operator: In
+                      values:
+                      - {{ .Release.Name }}
+      {{- with .Values.tolerations }}
+        tolerations:
+{{ toYaml . | indent 10 }}
+      {{- end }}
+{{- end }}

templates/jenkins-backup-rbac.yaml

+{{- if .Values.backup.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "jenkins.fullname" . }}-backup
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "jenkins.fullname" . }}-backup
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+rules:
+- apiGroups: [""]
+  resources: ["pods", "pods/log"]
+  verbs: ["get", "list"]
+- apiGroups: [""]
+  resources: ["pods/exec"]
+  verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "jenkins.fullname" . }}-backup
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "jenkins.fullname" . }}-backup
+subjects:
+- kind: ServiceAccount
+  name: {{ template "jenkins.fullname" . }}-backup
+  namespace: {{ template "jenkins.namespace" . }}
+{{- end }}

templates/jenkins-master-alerting-rules.yaml

+{{- if and .Values.master.prometheus.enabled .Values.master.prometheus.alertingrules }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ template "jenkins.fullname" . }}
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+    {{- range $key, $val := .Values.master.prometheus.alertingRulesAdditionalLabels }}
+    {{ $key }}: {{ $val | quote }}
+    {{- end}}
+spec:
+  groups:
+{{ toYaml .Values.master.prometheus.alertingrules | indent 2 }}
+{{- end }}

templates/jenkins-master-backendconfig.yaml

+{{- if .Values.master.backendconfig.enabled }}
+apiVersion: {{ .Values.master.backendconfig.apiVersion }}
+kind: BackendConfig
+metadata:
+  name: {{ .Values.master.backendconfig.name }}
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+{{- if .Values.master.backendconfig.labels }}
+{{ toYaml .Values.master.backendconfig.labels | indent 4 }}
+{{- end }}
+{{- if .Values.master.backendconfig.annotations }}
+  annotations:
+{{ toYaml .Values.master.backendconfig.annotations | indent 4 }}
+{{- end }}
+spec:
+{{ toYaml .Values.master.backendconfig.spec | indent 2 }}
+{{- end }}

templates/jenkins-master-ingress.yaml

+{{- if .Values.master.ingress.enabled }}
+apiVersion: {{ .Values.master.ingress.apiVersion }}
+kind: Ingress
+metadata:
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+{{- if .Values.master.ingress.labels }}
+{{ toYaml .Values.master.ingress.labels | indent 4 }}
+{{- end }}
+{{- if .Values.master.ingress.annotations }}
+  annotations:
+{{ toYaml .Values.master.ingress.annotations | indent 4 }}
+{{- end }}
+  name: {{ template "jenkins.fullname" . }}
+spec:
+  rules:
+  - http:
+      paths:
+      - backend:
+          serviceName: {{ template "jenkins.fullname" . }}
+          servicePort: {{ .Values.master.servicePort }}
+{{- if .Values.master.ingress.path }}
+        path: {{ .Values.master.ingress.path }}
+{{- end -}}
+{{- if .Values.master.ingress.hostName }}
+    host: {{ .Values.master.ingress.hostName | quote }}
+{{- end }}
+{{- if .Values.master.ingress.tls }}
+  tls:
+{{ toYaml .Values.master.ingress.tls | indent 4 }}
+{{- end -}}
+{{- end }}

templates/jenkins-master-networkpolicy.yaml

+{{- if .Values.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ .Values.networkPolicy.apiVersion }}
+metadata:
+  name: "{{ .Release.Name }}-{{ .Values.master.componentName }}"
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+spec:
+  podSelector:
+    matchLabels:
+      "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+      "app.kubernetes.io/instance": "{{ .Release.Name }}"
+  ingress:
+    # Allow web access to the UI
+    - ports:
+      - port: {{ .Values.master.targetPort }}
+    # Allow inbound connections from slave
+    - from:
+      {{- if .Values.networkPolicy.internalAgents.allowed }}
+      - podSelector:
+          matchLabels:
+            "jenkins/{{ .Release.Name }}-{{ .Values.agent.componentName }}": "true"
+        {{- if .Values.networkPolicy.internalAgents.namespaceLabels }}
+        namespaceSelector:
+          matchLabels:
+            {{- range $k,$v:= .Values.networkPolicy.internalAgents.namespaceLabels }}
+            {{ $k }}: {{ $v }}
+            {{- end }}
+        {{- end }}    
+      {{- end }}
+      {{- if .Values.networkPolicy.externalAgents }}      
+      - ipBlock:
+          cidr: {{ required "ipCIDR is required if you wish to allow external agents to connect to Master." .Values.networkPolicy.externalAgents.ipCIDR }}
+          {{- if .Values.networkPolicy.externalAgents.except }}
+          except:
+          {{- range .Values.networkPolicy.externalAgents.except }}
+          - {{ . }} 
+          {{- end }}
+          {{- end }}
+      {{- end }}              
+      ports:
+      - port: {{ .Values.master.slaveListenerPort }}
+{{- if .Values.agent.enabled }}
+---
+kind: NetworkPolicy
+apiVersion: {{ .Values.networkPolicy.apiVersion }}
+metadata:
+  name: "{{ .Release.Name }}-{{ .Values.agent.componentName }}"
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+spec:
+  podSelector:
+    matchLabels:
+      # DefaultDeny
+      "jenkins/{{ .Release.Name }}-{{ .Values.agent.componentName }}": "true"
+{{- end }}
+{{- end }}

templates/jenkins-master-route.yaml

+{{- if .Values.master.route.enabled }}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    app: {{ template "jenkins.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+    component: "{{ .Release.Name }}-{{ .Values.master.componentName }}"
+{{- if .Values.master.route.labels }}
+{{ toYaml .Values.master.route.labels | indent 4 }}
+{{- end }}
+{{- if .Values.master.route.annotations }}
+  annotations:
+{{ toYaml .Values.master.route.annotations | indent 4 }}
+{{- end }}
+  name: {{ template "jenkins.fullname" . }}
+spec:
+  host: {{ .Values.master.route.path }}
+  port:
+    targetPort: http
+  tls:
+    insecureEdgeTerminationPolicy: Redirect
+    termination: edge
+  to:
+    kind: Service
+    name: {{ template "jenkins.fullname" . }}
+    weight: 100
+  wildcardPolicy: None
+{{- end }}

templates/jenkins-master-servicemonitor.yaml

+{{- if and .Values.master.prometheus.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+
+metadata:
+  name: {{ template "jenkins.fullname" . }}
+{{- if .Values.master.prometheus.serviceMonitorNamespace }}
+  namespace: {{ .Values.master.prometheus.serviceMonitorNamespace }}
+{{- else }}
+  namespace: {{ template "jenkins.namespace" . }}
+{{- end }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+    {{- range $key, $val := .Values.master.prometheus.serviceMonitorAdditionalLabels }}
+    {{ $key }}: {{ $val | quote }}
+    {{- end}}
+
+spec:
+  endpoints:
+  - interval: {{ .Values.master.prometheus.scrapeInterval }}
+    port: http
+    path: {{ .Values.master.jenkinsUriPrefix }}{{ .Values.master.prometheus.scrapeEndpoint }}
+  jobLabel: {{ template "jenkins.fullname" . }}
+  namespaceSelector:
+    matchNames:
+    - "{{ template "jenkins.namespace" $ }}"
+  selector:
+    matchLabels:
+      "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+      "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+      "app.kubernetes.io/instance": "{{ .Release.Name }}"
+      "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+{{- end }}

templates/jenkins-master-svc.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  name: {{template "jenkins.fullname" . }}
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+    {{- if .Values.master.serviceLabels }}
+{{ toYaml .Values.master.serviceLabels | indent 4 }}
+    {{- end }}
+{{- if .Values.master.serviceAnnotations }}
+  annotations:
+{{ toYaml .Values.master.serviceAnnotations | indent 4 }}
+{{- end }}
+spec:
+  ports:
+    - port: {{.Values.master.servicePort}}
+      name: http
+      targetPort: {{ .Values.master.targetPort }}
+      {{if (and (eq .Values.master.serviceType "NodePort") (not (empty .Values.master.nodePort)))}}
+      nodePort: {{.Values.master.nodePort}}
+      {{end}}
+{{- range $index, $port := .Values.master.extraPorts }}
+    - port: {{ $port.port }}
+      name: {{ $port.name }}
+      targetPort: {{ $port.port }}
+{{- end }}
+  selector:
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+  type: {{.Values.master.serviceType}}
+  {{if eq .Values.master.serviceType "LoadBalancer"}}
+{{- if .Values.master.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml .Values.master.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+  {{if .Values.master.loadBalancerIP}}
+  loadBalancerIP: {{.Values.master.loadBalancerIP}}
+  {{end}}
+  {{end}}

templates/jobs.yaml

+{{- if .Values.master.jobs }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "jenkins.fullname" . }}-jobs
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+data:
+{{ toYaml .Values.master.jobs | indent 2 }}
+{{- end -}}

templates/rbac.yaml

+{{ if .Values.rbac.create }}
+{{- $serviceName := include "jenkins.fullname" . -}}
+
+# This role is used to allow Jenkins scheduling of agents via Kubernetes plugin.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $serviceName }}-schedule-agents
+  namespace: {{ template "jenkins.master.slaveKubernetesNamespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+rules:
+- apiGroups: [""]
+  resources: ["pods", "pods/exec", "pods/log", "persistentvolumeclaims", "events"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["pods", "pods/exec", "persistentvolumeclaims"]
+  verbs: ["create", "delete", "deletecollection", "patch", "update"]
+
+---
+
+# We bind the role to the Jenkins service account. The role binding is created in the namespace
+# where the agents are supposed to run.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceName }}-schedule-agents
+  namespace: {{ template "jenkins.master.slaveKubernetesNamespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $serviceName }}-schedule-agents
+subjects:
+- kind: ServiceAccount
+  name: {{ template "jenkins.serviceAccountName" .}}
+  namespace: {{ template "jenkins.namespace" . }}
+
+---
+
+{{- if .Values.rbac.readSecrets }}
+# This is needed if you want to use https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/
+# as it needs permissions to get/watch/list Secrets
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "jenkins.fullname" . }}-read-secrets
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceName }}-read-secrets
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "jenkins.fullname" . }}-read-secrets
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "jenkins.serviceAccountName" . }}
+    namespace: {{ template "jenkins.namespace" . }}
+
+---
+{{- end}}
+
+{{- if .Values.master.sidecars.configAutoReload.enabled }}
+# The sidecar container which is responsible for reloading configuration changes
+# needs permissions to watch ConfigMaps
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "jenkins.fullname" . }}-casc-reload
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "watch", "list"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $serviceName }}-watch-configmaps
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "jenkins.fullname" . }}-casc-reload
+subjects:
+- kind: ServiceAccount
+  name: {{ template "jenkins.serviceAccountName" . }}
+  namespace: {{ template "jenkins.namespace" . }}
+
+{{- end}}
+
+{{ end }}

templates/secret-https-jks.yaml

+{{- if and .Values.master.httpsKeyStore.enable ( not  .Values.master.httpsKeyStore.jenkinsHttpsJksSecretName ) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "jenkins.fullname" . }}-https-jks
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+type: Opaque
+data:
+  jenkins-jks-file: |
+{{ .Values.master.httpsKeyStore.jenkinsKeyStoreBase64Encoded | indent 4 }}
+  https-jks-password: {{ .Values.master.httpsKeyStore.password | b64enc }}
+{{- end }}

templates/secret.yaml

+{{- if .Values.master.useSecurity -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "jenkins.fullname" . }}
+  namespace: {{ template "jenkins.namespace" . }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+type: Opaque
+data:
+  {{ if .Values.master.adminPassword -}}
+  jenkins-admin-password: {{ .Values.master.adminPassword | b64enc | quote }}
+  {{ else -}}
+  jenkins-admin-password: {{ randAlphaNum 10 | b64enc | quote }}
+  {{ end -}}
+  jenkins-admin-user: {{ .Values.master.adminUser | b64enc | quote }}
+{{- end }}

templates/service-account-agent.yaml

+{{ if .Values.serviceAccountAgent.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "jenkins.serviceAccountAgentName" . }}
+  namespace: {{ template "jenkins.master.slaveKubernetesNamespace" . }}
+{{- if .Values.serviceAccountAgent.annotations }}
+  annotations:
+{{ toYaml .Values.serviceAccountAgent.annotations | indent 4 }}
+{{ end }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+{{ end }}

templates/service-account.yaml

+{{ if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "jenkins.serviceAccountName" . }}
+  namespace: {{ template "jenkins.namespace" . }}
+{{- if .Values.serviceAccount.annotations }}
+  annotations:
+{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
+{{ end }}
+  labels:
+    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
+    "helm.sh/chart": "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
+    "app.kubernetes.io/instance": "{{ .Release.Name }}"
+    "app.kubernetes.io/component": "{{ .Values.master.componentName }}"
+{{ end }}

templates/tests/jenkins-test.yaml

+{{- if .Values.master.testEnabled }}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-ui-test-{{ randAlphaNum 5 | lower }}"
+  namespace: {{ template "jenkins.namespace" . }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  {{- if .Values.master.nodeSelector }}
+  nodeSelector:
+{{ toYaml .Values.master.nodeSelector | indent 4 }}
+  {{- end }}
+  {{- if .Values.master.tolerations }}
+  tolerations:
+{{ toYaml .Values.master.tolerations | indent 4 }}
+  {{- end }}
+  initContainers:
+    - name: "test-framework"
+      image: "dduportal/bats:0.4.0"
+      command:
+      - "bash"
+      - "-c"
+      - |
+        set -ex
+        # copy bats to tools dir
+        cp -R /usr/local/libexec/ /tools/bats/
+      volumeMounts:
+      - mountPath: /tools
+        name: tools
+  containers:
+    - name: {{ .Release.Name }}-ui-test
+{{- if .Values.master.imageTag }}
+      image: {{ .Values.master.image }}:{{ .Values.master.imageTag }}
+{{- else }}
+      image: {{ .Values.master.image }}:{{ .Values.master.tag }}
+{{- end }}
+      command: ["/tools/bats/bats", "-t", "/tests/run.sh"]
+      volumeMounts:
+      - mountPath: /tests
+        name: tests
+        readOnly: true
+      - mountPath: /tools
+        name: tools
+  volumes:
+  - name: tests
+    configMap:
+      name: {{ template "jenkins.fullname" . }}-tests
+  - name: tools
+    emptyDir: {}
+  restartPolicy: Never
+{{- end }}

templates/tests/test-config.yaml

+{{- if .Values.master.testEnabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "jenkins.fullname" . }}-tests
+  namespace: {{ template "jenkins.namespace" . }}
+data:
+  run.sh: |-
+    @test "Testing Jenkins UI is accessible" {
+      curl --retry 48 --retry-delay 10 {{ template "jenkins.fullname" . }}:{{ .Values.master.servicePort }}{{ default "" .Values.master.jenkinsUriPrefix }}/login
+    }
+{{- end }}