From 0e0e5f3f836decf5bd80975fe0e8d1d584729b6c Mon Sep 17 00:00:00 2001 From: nold Date: Sun, 20 Nov 2022 10:34:59 +0100 Subject: [PATCH] add(gocd) --- projects/gocd/project.yml | 21 ++ projects/gocd/values/gocd.yaml | 468 +++++++++++++++++++++++++++++++++ 2 files changed, 489 insertions(+) create mode 100644 projects/gocd/project.yml create mode 100644 projects/gocd/values/gocd.yaml
diff --git a/projects/gocd/project.yml b/projects/gocd/project.yml
new file mode 100644
index 00000000..607fda0f
--- /dev/null
+++ b/projects/gocd/project.yml
@@ -0,0 +1,21 @@
+config:
+ description: goCD - ci/cd
+ #networkPolicy:
+ # groups:
+ # - internet
+ # rules:
+ # - allow-runner
+ # - allow-minio
+
+ #labels:
+ # environment: external
+
+apps:
+ - name: gocd
+ repoURL: https://gocd.github.io/helm-chart
+ chart: gocd
+ targetRevision: 2.0.0
+ #secrets:
+ #- name: drone-env
+ # keys:
+ # - DRONE_GITEA_SERVER
diff --git a/projects/gocd/values/gocd.yaml b/projects/gocd/values/gocd.yaml
new file mode 100644
index 00000000..b66cfdc9
--- /dev/null
+++ b/projects/gocd/values/gocd.yaml
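Review bot: The `#secrets:` stanza at the end of the `apps` entry is a leftover from a Drone project (`drone-env`, `DRONE_GITEA_SERVER`) and does not apply to GoCD; drop it or replace it with the secret this chart actually consumes (for example the agent auto-register key) so the placeholder does not mislead the next editor. The `networkPolicy` block is also fully commented out, so no ingress/egress restriction is declared for a CI server whose agents will execute pipeline code; whether the tooling that reads `project.yml` treats that as unrestricted or default-deny is not visible here, so confirm the intended policy rather than inheriting it by omission. `targetRevision: 2.0.0` does pin the chart, which is the right call for a supply-chain-sensitive component.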
@@ -0,0 +1,468 @@
+# Default values for gocd.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+rbac:
+ # Specifies whether rbac resources must be created.
+ create: true
+ # The API version to use while creating the rbac resources. Use `kubectl api-versions | grep rbac` to find which abi versions are supported for your cluster.
+ apiVersion: v1
+ # Create a cluster role binding with the existing role, do not create a new one. If left blank, a new cluster role is created.
+ roleRef:
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # The name of the ServiceAccount to use.
+ # If not set and create is true, a name is generated using the fullname template
+ # If create is false and a name is not specified, the default service account is used for the cluster role binding.
+ name:
+ annotations:
+ # eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here
+
+server:
+ # server.enabled is the toggle to run GoCD Server. Change to false for Agent Only Deployment.
+ enabled: true
+
+ # server.deployment.labels is the labels for the GoCD Server Deployment
+ deployment:
+ labels: {}
+ # server.pod.labels is the labels for the GoCD Server Pods
+ pod:
+ labels: {}
+ # server.annotations is the annotations for the GoCD Server Deployment and Pod spec.
+ annotations:
+ deployment:
+ # iam.amazonaws.com/role: arn:aws:iam::xxx:role/my-custom-role
+ pod:
+ # iam.amazonaws.com/role: arn:aws:iam::xxx:role/my-custom-role
+ # Specify security settings for GoCD Server Pod
+ securityContext:
+ # Specify the container user for the GoCD server pod
+ runAsUser: 1000
+ # Specify the container group for the GoCD server pod
+ runAsGroup: 0
+ # Specify the container supplementary group for the GoCD server pod
+ fsGroup: 0
+ # Specify the policy for checking volume permissions
+ fsGroupChangePolicy: "OnRootMismatch"
+ # server.shouldPreconfigure is used to invoke a script to pre configure the elastic agent profile and the plugin settings in the GoCD server.
+ # Note: If this value is set to true, then, the serviceAccount.name is configured for the GoCD server pod. The service account token is mounted as a secret and is used in the lifecycle hook.
+ # Note: An attempt to preconfigure the GoCD server is made. There are cases where the pre-configuration can fail and the GoCD server starts with an empty config.
+ shouldPreconfigure: false
+ preconfigureCommand:
+ - "/bin/bash"
+ - "/preconfigure_server.sh"
+ # server.preStop - array of commands to use in the server pre-stop lifecycle hook
+ # preStop:
+ # - "/bin/bash"
+ # - "/backup_and_stop.sh"
+ # server.terminationGracePeriodSeconds is the optional duration in seconds the gocd server pod needs to terminate gracefully.
+ # Note: SIGTERM is issued immediately after the pod deletion request is sent. If the pod doesn't terminate, k8s waits for terminationGracePeriodSeconds before issuing SIGKILL.
+ # terminationGracePeriodSeconds: 60
+ # server.priorityClassName is an optional setting to allow the server pod to be prioritized over other pods. The value here must match a priotyClass that exists on the cluster
+ # priorityClassName: high-priority
+ image:
+ # server.image.repository is the GoCD Server image name
+ repository: "gocd/gocd-server"
+ # server.image.tag is the GoCD Server image's tag
+ tag:
+ # server.image.pullPolicy is the GoCD Server image's pull policy
+ pullPolicy: "IfNotPresent"
+ # Specify an array of imagePullSecrets to pull from private registries
+ # You need to manually create secrets in the namespace
+ # See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ pullSecrets: []
+# - name: registryKeySecretName
+
+ ## Configure GoCD server resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources: {}
+ # requests:
+ # memory: 512Mi
+ # cpu: 300m
+ # limits:
+ # cpu: 100m
+ # memory: 1024Mi
+
+ # Sidecar containers that runs alongside GoCD server.
+ # https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/
+ sidecarContainers: []
+ # - name: sidecar-container
+ # image: sidecar-image:latest
+ # volumeMounts:
+ # - name: goserver-vol
+ # mountPath: /godata
+
+ # specify init containers, e.g. to prepopulate home directories etc
+ initContainers: []
+ # - name: download-kubectl
+ # image: "ellerbrock/alpine-bash-curl-ssl:latest"
+ # imagePullPolicy: "IfNotPresent"
+ # volumeMounts:
+ # - name: kubectl
+ # mountPath: /download
+ # workingDir: /download
+ # command: ["/bin/bash"]
+ # args:
+ # - "-c"
+ # - 'curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && chmod +x ./kubectl'
+
+ # specify restart policy for server
+ restartPolicy: Always
+
+ ## Additional GoCD server pod labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ nodeSelector: {}
+
+ ## Affinity for assigning pods to specific nodes
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ affinity: {}
+
+ ## Tolerations for allowing pods to be scheduled on nodes with matching taints
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ tolerations: {}
+
+ healthCheck:
+ # server.healthCheck.initialDelaySeconds is the initial delays in seconds to start the health checks
+ initialDelaySeconds: 90
+ # server.healthCheck.periodSeconds is the health check interval duration
+ periodSeconds: 15
+ # server.healthCheck.failureThreshold is the number of unsuccessful attempts made to the GoCD server health check endpoint before the container is restarted (for liveness) or marked as unready (for readiness)
+ failureThreshold: 10
+ env:
+ # server.env.goServerJvmOpts is a list of JVM options, which needs to be provided to the GoCD Server, typically prefixed with -D unless otherwise stated.
+ # Example: "-Xmx4096mb -Dfoo=bar"
+ goServerJvmOpts:
+ # server.env.extraEnvVars is the list of environment variables passed to GoCD Server
+ extraEnvVars:
+ - name: GOCD_PLUGIN_INSTALL_kubernetes-elastic-agents
+ value: https://github.com/gocd/kubernetes-elastic-agents/releases/download/v3.8.2-350/kubernetes-elastic-agent-3.8.2-350.jar
+ - name: GOCD_PLUGIN_INSTALL_docker-registry-artifact-plugin
+ value: https://github.com/gocd/docker-registry-artifact-plugin/releases/download/v1.3.1-329/docker-registry-artifact-plugin-1.3.1-329.jar
+ - name: GOCD_PLUGIN_INSTALL_github-oauth-authorization-plugin
+ value: https://github.com/gocd-contrib/github-oauth-authorization-plugin/releases/download/v3.3.1-211/github-oauth-authorization-plugin-3.3.1-211.jar
+ - name: GOCD_PLUGIN_INSTALL_gocd-yaml-config-plugin
+ value: https://github.com/gocd-contrib/github-oauth-authorization-plugin/releases/download/v3.3.1-211/github-oauth-authorization-plugin-3.3.1-211.jar
+ - name: GOCD_PLUGIN_INSTALL_gocd-git-path-material-plugin
+ value: https://github.com/TWChennai/gocd-git-path-material-plugin/releases/download/v2.2.2-262/gocd-git-path-material-plugin-2.2.2-262.jar
+ - name: GOCD_PLUGIN_INSTALL_gocd-vault-secret-plugin
+ value: https://github.com/gocd/gocd-vault-secret-plugin/releases/download/v1.2.1-171/gocd-vault-secret-plugin-1.2.1-171.jar
+ - name: GOCD_PLUGIN_INSTALL_gocd-kubernetes-based-secrets-plugin
+ value: https://github.com/gocd/gocd-kubernetes-based-secrets-plugin/releases/download/v1.2.1-147/gocd-kubernetes-based-secrets-plugin-1.2.1-147.jar
+
+ service:
+ # server.service.type is the GoCD Server service type
+ type: "ClusterIP"
+ # server.service.httpPort is the GoCD Server HTTP port
+ httpPort: 8153
+ # Provide the nodeHttpPort if you want the service to be exposed on specific ports. Without this, random node ports will be assigned.
+ # server.service.nodeHttpPort is the GoCD Server Service Node HTTP port
+ nodeHttpPort:
+ annotations:
+ ## When using LoadBalancer service type, use the following AWS certificate from ACM
+ ## https://aws.amazon.com/documentation/acm/
+ # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:123456789:certificate/abc123-abc123-abc123-abc123"
+ # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https"
+ # service.beta.kubernetes.io/aws-load-balancer-backend-port: "https"
+ ## When using LoadBalancer service type, whitelist these source IP ranges
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/
+ # loadBalancerSourceRanges:
+ # - 192.168.1.10/32
+ ingress:
+ # server.ingress.enabled is the toggle to enable/disable GoCD Server Ingress
+ enabled: true
+
+ # Override the default ingress class selection
+ # ingressClassName: nginx
+
+ # server.ingress.hosts is used to create an Ingress record.
+ hosts:
+ - gocd.dc
+ annotations:
+ cert-manager.io/cluster-issuer: vault-issuer
+ traefik.ingress.kubernetes.io/router.tls: 'true'
+ path: /
+ pathType:
+ extraPaths: []
+ # - path: /*
+ # backend:
+ # serviceName: ssl-redirect
+ # servicePort: use-annotation
+ tls:
+ - secretName: ci-gocd-tls
+ hosts:
+ - gocd.dc
+
+ persistence:
+ # server.persistence.enabled is the toggle for server volume persistence.
+ enabled: true
+ accessMode: "ReadWriteOnce"
+ # The storage space that should be claimed from the persistent volume
+ size: 2Gi
+ # If defined, storageClassName:
+ # If set to "-", storageClassName: "", which disables dynamic provisioning
+ # If undefined (the default) or set to null, no storageClassName spec is
+ # set, choosing 'standard' storage class available with the default provisioner (gcd-pd on GKE, hostpath on minikube, etc).
+
+# storageClass: "-"
+
+ # A manually managed Persistent Volume and Claim
+ # If defined, PVC must be created manually before volume will be bound
+ existingClaim:
+ # To choose a suitable persistent volume from available static persistent volumes, selectors are used.
+ pvSelector:
+# matchLabels:
+# volume-type: ssd
+ name:
+ # server.persistence.name.dockerEntryPoint name of the volume mounted at /docker-entrypoint.d/ on the server
+ dockerEntryPoint: goserver-vol
+ # "" for the volume root
+ subpath:
+ # godata is where the config, db, plugins are stored
+ godata: godata
+ # homego can be used for storing and mounting secrets
+ homego: homego
+ # custom entrypoint scripts that should be run before starting the GoCD server inside the container.
+ dockerEntryPoint: scripts
+ # server.persistence.extraVolumes additional server volumes
+ extraVolumes: []
+ # - name: gocd-server-init-scripts
+ # configMap:
+ # name: gocd-server-init-scripts
+ # defaultMode: 0755
+ # - name: github-key
+ # secret:
+ # secretName: github-key
+ # defaultMode: 0744
+
+ # server.persistence.extraVolumeMounts additional server volumeMounts
+ extraVolumeMounts: []
+ # - name: github-key
+ # mountPath: /etc/config/keys/
+ # readOnly: true
+ # - name: gocd-server-init-scripts
+ # mountPath: /docker-entrypoint.d/
+
+ # server.hostAliases allows the modification of the hosts file inside a container
+ hostAliases:
+ # - ip: "192.168.1.10"
+ # hostnames:
+ # - "example.com"
+ # - "www.example.com"
+
+ security:
+ ssh:
+ # server.security.ssh.enabled is the toggle to enable/disable mounting of ssh secret on GoCD server pods
+ enabled: false
+ # server.security.ssh.secretName specifies the name of the k8s secret object that contains the ssh key and known hosts
+ secretName: gocd-server-ssh
+ # server.security.ssh.defaultMode specifies the permission of the files in ~/.ssh directory
+ defaultMode:
+
+agent:
+ # specifies overrides for agent specific service account creation
+ serviceAccount:
+ # specifies whether the top level service account (also used by the server) should be reused as the service account for gocd agents
+ reuseTopLevelServiceAccount: false
+ # if reuseTopLevelServiceAccount is false, this field specifies the name of an existing service account to be associated with gocd agents
+ # If field is empty, the service account "default" will be used.
+ name:
+
+ # agent.deployment.labels is the labels for the GoCD Agent Deployment
+ deployment:
+ labels: {}
+ # agent.pod.labels is the labels for the GoCD Agent Pods
+ pod:
+ labels: {}
+
+ # agent.annotations is the annotations for the GoCD Agent Deployment and Pod Spec
+ annotations:
+ deployment:
+ # iam.amazonaws.com/role: arn:aws:iam::xxx:role/my-custom-role
+ pod:
+ # iam.amazonaws.com/role: arn:aws:iam::xxx:role/my-custom-role
+
+ # Specify security settings for GoCD Agent Pod
+ securityContext:
+ # Specify the container user for all the GoCD agent pods
+ runAsUser: 1000
+ # Specify the container group for all the GoCD agent pods
+ runAsGroup: 1000
+ # Specify the container supplementary group for all the GoCD agent pods
+ fsGroup: 1000
+ # Specify the policy for checking volume permissions
+ fsGroupChangePolicy: "OnRootMismatch"
+ # agent.replicaCount is the GoCD Agent replicas Count. Specify the number of GoCD agents to run
+ replicaCount: 1
+ # agent.preStop - array of command and arguments to run in the agent pre-stop lifecycle hook
+ # preStop:
+ # - "/bin/bash"
+ # - "/disable_and_stop.sh"
+ # agent.postStart - array of command and arguments to run in agent post-start lifecycle hook
+ # postStart:
+ # - "/bin/bash"
+ # - "/agent_startup.sh"
+ # agent.deployStrategy is the strategy explained in detail at https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+ # agent.terminationGracePeriodSeconds is the optional duration in seconds the gocd agent pods need to terminate gracefully.
+ # Note: SIGTERM is issued immediately after the pod deletion request is sent. If the pod doesn't terminate, k8s waits for terminationGracePeriodSeconds before issuing SIGKILL.
+ # terminationGracePeriodSeconds: 60
+ deployStrategy: {}
+ image:
+ # agent.image.repository is the GoCD Agent image name
+ repository: "gocd/gocd-agent-alpine-3.16"
+ # agent.image.tag is the GoCD Agent image's tag
+ tag:
+ # agent.image.pullPolicy is the GoCD Agent image's pull policy
+ pullPolicy: "IfNotPresent"
+ # Specify an array of imagePullSecrets to pull from private registries
+ # You need to manually create secrets in the namespace
+ # See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ pullSecrets: []
+# - name: registryKeySecretName
+ env:
+ # agent.env.goServerUrl is the GoCD Server Url
+ goServerUrl: gocd.gocd.svc.cluster.local
+ # agent.env.agentAutoRegisterKey is the GoCD Agent auto-register key
+ agentAutoRegisterKey:
+ # agent.env.agentAutoRegisterResources is the GoCD Agent auto-register resources
+ agentAutoRegisterResources:
+ # agent.env.agentAutoRegisterEnvironments is the GoCD Agent auto-register Environments
+ agentAutoRegisterEnvironments:
+ # agent.env.agentAutoRegisterHostname is the GoCD Agent auto-register hostname
+ agentAutoRegisterHostname:
+ # agent.env.goAgentJvmOpts is the GoCD Agent JVM options
+ goAgentJvmOpts:
+ # agent.env.goAgentBootstrapperArgs is the GoCD Agent bootstrapper args
+ goAgentBootstrapperArgs:
+ # agent.env.goAgentBootstrapperJvmArgs is the GoCD Agent bootstrapper JVM args
+ goAgentBootstrapperJvmArgs:
+ # agent.env.extraEnvVars is the list of environment variables passed to GoCD Agent
+ extraEnvVars:
+ persistence:
+ # agent.persistence.enabled is the toggle for agent volume persistence. Change to true if a persistent volume is available and configured manually.
+ enabled: false
+ accessMode: "ReadWriteOnce"
+ size: 1Gi
+ # If defined, storageClassName:
+ # If set to "-", storageClassName: "", which disables dynamic provisioning
+ # If undefined (the default) or set to null, no storageClassName spec is
+ # set, choosing 'standard' storage class available with the default provisioner (gcd-pd on GKE, hostpath on minikube, etc).
+
+# storageClass: "-"
+
+ # A manually managed Persistent Volume and Claim
+ # If defined, PVC must be created manually before volume will be bound
+ existingClaim:
+ pvSelector:
+# matchLabels:
+# app: godata-gocd-agent
+ name:
+ # agent.persistence.name.dockerEntryPoint name of the volume mounted at /docker-entrypoint.d/ on the agent
+ dockerEntryPoint: goagent-vol
+ # "" for the volume root
+ subpath:
+ homego: homego
+ dockerEntryPoint: scripts
+ # agent.persistence.extraVolumes additional agent volumes
+ extraVolumes: []
+ # - name: gocd-agent-init-scripts
+ # configMap:
+ # name: gocd-agent-init-scripts
+ # defaultMode: 0755
+ # - name: github-key
+ # secret:
+ # secretName: github-key
+ # defaultMode: 0744
+
+ # agent.persistence.extraVolumeMounts additional agent volumeMounts
+ extraVolumeMounts: []
+ # - name: github-key
+ # mountPath: /etc/config/keys/
+ # readOnly: true
+ # - name: gocd-agent-init-scripts
+ # mountPath: /docker-entrypoint.d/
+
+ # specify init containers, e.g. to prepopulate home directories etc
+ initContainers: []
+ # - name: download-kubectl
+ # image: "ellerbrock/alpine-bash-curl-ssl:latest"
+ # imagePullPolicy: "IfNotPresent"
+ # volumeMounts:
+ # - name: kubectl
+ # mountPath: /download
+ # workingDir: /download
+ # command: ["/bin/bash"]
+ # args:
+ # - "-c"
+ # - 'curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && chmod +x ./kubectl'
+
+ # specify restart policy for agents
+ restartPolicy: Always
+
+ # agent.privileged is needed for running Docker-in-Docker (DinD) agents
+ privileged: false
+
+ healthCheck:
+ # agent.healthCheck.enable is the toggle for GoCD agent health checks
+ enabled: false
+ # agent.healthCheck.initialDelaySeconds is the initial delays in seconds to start the health checks
+ initialDelaySeconds: 60
+ # agent.healthCheck.periodSeconds is the health check interval duration
+ periodSeconds: 60
+ # agent.healthCheck.failureThreshold is the health check failure threshold of GoCD agent
+ failureThreshold: 60
+
+ security:
+ ssh:
+ # agent.security.ssh.enabled is the toggle to enable/disable mounting of ssh secret on GoCD agent pods
+ enabled: false
+ # agent.security.ssh.secretName specifies the name of the k8s secret object that contains the ssh key and known hosts
+ secretName: gocd-agent-ssh
+ # agent.security.ssh.defaultMode specifies the permission of the files in ~/.ssh directory
+ defaultMode:
+
+ ## Configure GoCD agent resource requests and limits
+ ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+ ##
+ resources: {}
+ # requests:
+ # memory: 512Mi
+ # cpu: 300m
+ # limits:
+ # cpu: 100m
+ # memory: 1024Mi
+
+ # agent.hostAliases allows the modification of the hosts file inside a container
+ hostAliases:
+ # - ip: "192.168.1.10"
+ # hostnames:
+ # - "example.com"
+ # - "www.example.com"
+
+ ## Additional GoCD agent pod labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ nodeSelector: {}
+
+ ## Affinity for assigning pods to specific nodes
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ affinity: {}
+
+ ## Tolerations for allowing pods to be scheduled on nodes with matching taints
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ tolerations: {}
+
+tests:
+ # Whether or not to create test resources for use in Helm chart testing.
+ # Without the resources being created the tests will not work; however the installation is cleaner.
+ enabled: false
+ # A BATS image to supply test runner, see https://hub.docker.com/r/bats/bats/tags
+ batsImage: "bats/bats:1.8.2"
+ # A image containing bash, curl and busybox|coreutils for executing tests, see https://github.com/containeroo/alpine-toolbox/releases
+ curlImage: "ghcr.io/containeroo/alpine-toolbox:2.0.20"
+ # Specify an array of imagePullSecrets to pull from private registries
+ # You need to manually create secrets in the namespace
+ # See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ imagePullSecrets: []
+# - name: registryKeySecretName
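Review bot: The `GOCD_PLUGIN_INSTALL_gocd-yaml-config-plugin` entry under `server.env.extraEnvVars` reuses the `github-oauth-authorization-plugin-3.3.1-211.jar` URL from the entry directly above it, so the yaml-config plugin is never installed and the OAuth plugin jar is simply downloaded twice; the `value:` must point at the yaml-config plugin's own release artifact. More broadly, every `GOCD_PLUGIN_INSTALL_*` line makes the server pull a jar from GitHub at container start with only a version string in the path as a pin, and nothing in this file verifies a digest, so unless the gocd-server entrypoint does (not visible here) a replaced or compromised release asset is loaded straight into the CI server's JVM — prefer checksum-verified downloads, or bake the jars into the image or the `godata` volume. The server `securityContext` also keeps `runAsGroup: 0` / `fsGroup: 0` while the agent section uses `1000`; if the gocd-server image does not require the root group, align it with the agent. Finally, `server.ingress` publishes the server at `gocd.dc` with TLS, but nothing in this values file establishes a GoCD authorization config; confirm one is created out of band (the github-oauth plugin being installed here suggests that is the plan) before the ingress goes live. This hunk is the complete new file, so nothing is cut at the edges.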