titan-iac/services/jenkins/deployment.yaml

# services/jenkins/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins
  namespace: jenkins
  labels:
    app: jenkins
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jenkins
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: jenkins
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "jenkins"
        vault.hashicorp.com/agent-inject-secret-jenkins-env: "kv/data/atlas/jenkins/jenkins-oidc"
        vault.hashicorp.com/agent-inject-template-jenkins-env: |
          {{ with secret "kv/data/atlas/jenkins/jenkins-oidc" }}
          OIDC_CLIENT_ID={{ .Data.data.clientId }}
          OIDC_CLIENT_SECRET={{ .Data.data.clientSecret }}
          OIDC_AUTH_URL={{ .Data.data.authorizationUrl }}
          OIDC_TOKEN_URL={{ .Data.data.tokenUrl }}
          OIDC_USERINFO_URL={{ .Data.data.userInfoUrl }}
          OIDC_LOGOUT_URL={{ .Data.data.logoutUrl }}
          {{ end }}
          {{ with secret "kv/data/atlas/jenkins/harbor-robot-creds" }}
          HARBOR_ROBOT_USERNAME={{ .Data.data.username }}
          HARBOR_ROBOT_PASSWORD={{ .Data.data.password }}
          {{ end }}
          {{ with secret "kv/data/atlas/jenkins/gitea-pat" }}
          GITEA_PAT_USERNAME={{ .Data.data.username }}
          GITEA_PAT_TOKEN={{ .Data.data.token }}
          {{ end }}
          {{ with secret "kv/data/atlas/jenkins/webhook-tokens" }}
          TITAN_IAC_WEBHOOK_TOKEN={{ .Data.data.titan_iac_quality_gate }}
          GIT_NOTIFY_TOKEN_BSTEIN_DEV_HOME={{ .Data.data.git_notify_bstein_dev_home }}
          {{ end }}
        bstein.dev/restarted-at: "2026-01-20T14:52:41Z"
    spec:
      serviceAccountName: jenkins
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 90
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5"]
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4"]
      hostAliases:
        - ip: 38.28.125.112
          hostnames:
            - sso.bstein.dev
      securityContext:
        fsGroup: 1000
      initContainers:
        - name: install-plugins
          image: jenkins/jenkins:2.528.3-jdk21
          imagePullPolicy: IfNotPresent
          command:
            - sh
            - -c
            - |
              set -euo pipefail
              jenkins-plugin-cli --plugin-file /plugins/plugins.txt
          volumeMounts:
            - name: plugins
              mountPath: /plugins/plugins.txt
              subPath: plugins.txt
            - name: plugin-dir
              mountPath: /usr/share/jenkins/ref/plugins
      containers:
        - name: jenkins
          image: jenkins/jenkins:2.528.3-jdk21
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
            - -c
            - |
              set -e
              exec env $(cat /vault/secrets/jenkins-env) /usr/bin/tini -- /usr/local/bin/jenkins.sh
          ports:
            - name: http
              containerPort: 8080
            - name: agent-listener
              containerPort: 50000
          env:
            - name: JAVA_OPTS
              value: "-Xms512m -Xmx2048m"
            - name: JENKINS_OPTS
              value: "--webroot=/var/jenkins_cache/war"
            - name: JENKINS_SLAVE_AGENT_PORT
              value: "50000"
            - name: CASC_JENKINS_CONFIG
              value: /config/jcasc
            - name: ENABLE_OIDC
              value: "true"
            - name: OIDC_ISSUER
              value: "https://sso.bstein.dev/realms/atlas"
          resources:
            requests:
              cpu: 750m
              memory: 1536Mi
            limits:
              cpu: 1500m
              memory: 3Gi
          livenessProbe:
            httpGet:
              path: /login
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /login
              port: http
            initialDelaySeconds: 20
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          startupProbe:
            httpGet:
              path: /login
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
            failureThreshold: 20
          volumeMounts:
            - name: jenkins-home
              mountPath: /var/jenkins_home
            - name: jenkins-cache
              mountPath: /var/jenkins_cache
            - name: jcasc
              mountPath: /config/jcasc
            - name: init-scripts
              mountPath: /usr/share/jenkins/ref/init.groovy.d
            - name: plugin-dir
              mountPath: /usr/share/jenkins/ref/plugins
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: jenkins-home
          persistentVolumeClaim:
            claimName: jenkins
        - name: jenkins-cache
          persistentVolumeClaim:
            claimName: jenkins-cache-v2
        - name: plugin-dir
          persistentVolumeClaim:
            claimName: jenkins-plugins-v2
        - name: plugins
          configMap:
            name: jenkins-plugins
        - name: jcasc
          configMap:
            name: jenkins-jcasc
        - name: init-scripts
          configMap:
            name: jenkins-init-scripts
        - name: tmp
          emptyDir:
            medium: Memory
jenkins: drop helm, run via raw manifests 2025-12-19 18:31:48 -03:00			`# services/jenkins/deployment.yaml`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: jenkins`
			`namespace: jenkins`
			`labels:`
			`app: jenkins`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: jenkins`
			`strategy:`
			`type: Recreate`
			`template:`
			`metadata:`
			`labels:`
			`app: jenkins`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`annotations:`
			`vault.hashicorp.com/agent-inject: "true"`
			`vault.hashicorp.com/role: "jenkins"`
			`vault.hashicorp.com/agent-inject-secret-jenkins-env: "kv/data/atlas/jenkins/jenkins-oidc"`
			`vault.hashicorp.com/agent-inject-template-jenkins-env: \|`
jenkins: restore multibranch + webhook token 2026-01-20 10:15:33 -03:00			`{{ with secret "kv/data/atlas/jenkins/jenkins-oidc" }}`
jenkins: load vault env via env 2026-01-14 17:57:10 -03:00			`OIDC_CLIENT_ID={{ .Data.data.clientId }}`
			`OIDC_CLIENT_SECRET={{ .Data.data.clientSecret }}`
			`OIDC_AUTH_URL={{ .Data.data.authorizationUrl }}`
			`OIDC_TOKEN_URL={{ .Data.data.tokenUrl }}`
			`OIDC_USERINFO_URL={{ .Data.data.userInfoUrl }}`
			`OIDC_LOGOUT_URL={{ .Data.data.logoutUrl }}`
jenkins: restore multibranch + webhook token 2026-01-20 10:15:33 -03:00			`{{ end }}`
			`{{ with secret "kv/data/atlas/jenkins/harbor-robot-creds" }}`
jenkins: load vault env via env 2026-01-14 17:57:10 -03:00			`HARBOR_ROBOT_USERNAME={{ .Data.data.username }}`
			`HARBOR_ROBOT_PASSWORD={{ .Data.data.password }}`
jenkins: restore multibranch + webhook token 2026-01-20 10:15:33 -03:00			`{{ end }}`
			`{{ with secret "kv/data/atlas/jenkins/gitea-pat" }}`
jenkins: load vault env via env 2026-01-14 17:57:10 -03:00			`GITEA_PAT_USERNAME={{ .Data.data.username }}`
			`GITEA_PAT_TOKEN={{ .Data.data.token }}`
jenkins: restore multibranch + webhook token 2026-01-20 10:15:33 -03:00			`{{ end }}`
			`{{ with secret "kv/data/atlas/jenkins/webhook-tokens" }}`
			`TITAN_IAC_WEBHOOK_TOKEN={{ .Data.data.titan_iac_quality_gate }}`
jenkins: automate notifyCommit token 2026-01-20 11:54:15 -03:00			`GIT_NOTIFY_TOKEN_BSTEIN_DEV_HOME={{ .Data.data.git_notify_bstein_dev_home }}`
jenkins: restore multibranch + webhook token 2026-01-20 10:15:33 -03:00			`{{ end }}`
jenkins: automate notifyCommit token 2026-01-20 11:54:15 -03:00			`bstein.dev/restarted-at: "2026-01-20T14:52:41Z"`
jenkins: drop helm, run via raw manifests 2025-12-19 18:31:48 -03:00			`spec:`
jenkins: add RBAC serviceaccount and use for agents 2025-12-20 18:08:30 -03:00			`serviceAccountName: jenkins`
jenkins: drop helm, run via raw manifests 2025-12-19 18:31:48 -03:00			`nodeSelector:`
			`kubernetes.io/arch: arm64`
			`node-role.kubernetes.io/worker: "true"`
			`affinity:`
			`nodeAffinity:`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 90`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi5"]`
			`- weight: 50`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi4"]`
			`hostAliases:`
			`- ip: 38.28.125.112`
			`hostnames:`
			`- sso.bstein.dev`
			`securityContext:`
			`fsGroup: 1000`
			`initContainers:`
			`- name: install-plugins`
			`image: jenkins/jenkins:2.528.3-jdk21`
			`imagePullPolicy: IfNotPresent`
			`command:`
			`- sh`
			`- -c`
			`- \|`
			`set -euo pipefail`
			`jenkins-plugin-cli --plugin-file /plugins/plugins.txt`
			`volumeMounts:`
			`- name: plugins`
			`mountPath: /plugins/plugins.txt`
			`subPath: plugins.txt`
			`- name: plugin-dir`
			`mountPath: /usr/share/jenkins/ref/plugins`
			`containers:`
			`- name: jenkins`
			`image: jenkins/jenkins:2.528.3-jdk21`
			`imagePullPolicy: IfNotPresent`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`command:`
			`- /bin/sh`
			`- -c`
			`- \|`
jenkins: load vault env via env 2026-01-14 17:57:10 -03:00			`set -e`
			`exec env $(cat /vault/secrets/jenkins-env) /usr/bin/tini -- /usr/local/bin/jenkins.sh`
jenkins: drop helm, run via raw manifests 2025-12-19 18:31:48 -03:00			`ports:`
			`- name: http`
			`containerPort: 8080`
			`- name: agent-listener`
			`containerPort: 50000`
			`env:`
			`- name: JAVA_OPTS`
			`value: "-Xms512m -Xmx2048m"`
			`- name: JENKINS_OPTS`
			`value: "--webroot=/var/jenkins_cache/war"`
			`- name: JENKINS_SLAVE_AGENT_PORT`
			`value: "50000"`
			`- name: CASC_JENKINS_CONFIG`
			`value: /config/jcasc`
			`- name: ENABLE_OIDC`
			`value: "true"`
			`- name: OIDC_ISSUER`
			`value: "https://sso.bstein.dev/realms/atlas"`
			`resources:`
			`requests:`
			`cpu: 750m`
			`memory: 1536Mi`
			`limits:`
			`cpu: 1500m`
			`memory: 3Gi`
			`livenessProbe:`
			`httpGet:`
			`path: /login`
			`port: http`
			`initialDelaySeconds: 30`
			`periodSeconds: 10`
			`timeoutSeconds: 5`
			`failureThreshold: 5`
			`readinessProbe:`
			`httpGet:`
			`path: /login`
			`port: http`
			`initialDelaySeconds: 20`
			`periodSeconds: 10`
			`timeoutSeconds: 5`
			`failureThreshold: 3`
			`startupProbe:`
			`httpGet:`
			`path: /login`
			`port: http`
			`initialDelaySeconds: 30`
			`periodSeconds: 10`
			`failureThreshold: 20`
			`volumeMounts:`
			`- name: jenkins-home`
			`mountPath: /var/jenkins_home`
			`- name: jenkins-cache`
			`mountPath: /var/jenkins_cache`
			`- name: jcasc`
			`mountPath: /config/jcasc`
			`- name: init-scripts`
			`mountPath: /usr/share/jenkins/ref/init.groovy.d`
			`- name: plugin-dir`
			`mountPath: /usr/share/jenkins/ref/plugins`
			`- name: tmp`
			`mountPath: /tmp`
			`volumes:`
			`- name: jenkins-home`
			`persistentVolumeClaim:`
			`claimName: jenkins`
			`- name: jenkins-cache`
jenkins: move agent workspace off node disk 2026-01-20 17:04:24 -03:00			`persistentVolumeClaim:`
jenkins: rotate cache/plugin pvcs 2026-01-20 17:32:27 -03:00			`claimName: jenkins-cache-v2`
jenkins: drop helm, run via raw manifests 2025-12-19 18:31:48 -03:00			`- name: plugin-dir`
jenkins: move agent workspace off node disk 2026-01-20 17:04:24 -03:00			`persistentVolumeClaim:`
jenkins: rotate cache/plugin pvcs 2026-01-20 17:32:27 -03:00			`claimName: jenkins-plugins-v2`
jenkins: drop helm, run via raw manifests 2025-12-19 18:31:48 -03:00			`- name: plugins`
			`configMap:`
			`name: jenkins-plugins`
			`- name: jcasc`
			`configMap:`
			`name: jenkins-jcasc`
			`- name: init-scripts`
			`configMap:`
			`name: jenkins-init-scripts`
			`- name: tmp`
jenkins: expand pvc sizes and move /tmp to memory 2026-01-20 17:09:23 -03:00			`emptyDir:`
			`medium: Memory`