public_git
/
kubernetes-operator
mirror of https://github.com/jenkinsci/kubernetes-operator.git
1
0
Fork 0
Code Issues Releases Wiki Activity

feat: add option to restrict seed job agent to only run builds that match the node label 

Fixes #1014
This commit is contained in:
Eric Lavigne 2024-11-25 20:45:49 -05:00
parent d919a2a11c
commit 9a5534e870
8 changed files with 50 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/v1alpha2/jenkins_types.go
View File

@ -22,6 +22,10 @@ type JenkinsSpec struct {
// +optional // +optional
SeedJobAgentImage string `json:"seedJobAgentImage,omitempty"` SeedJobAgentImage string `json:"seedJobAgentImage,omitempty"`
// SeedJobRestrictJobsToLabel defines whether to set restrict node to label setting on the agent
// +optional
SeedJobRestrictJobsToLabel bool `json:"seedJobRestrictJobsToLabel,omitempty"`
// ValidateSecurityWarnings enables or disables validating potential security warnings in Jenkins plugins via admission webhooks. // ValidateSecurityWarnings enables or disables validating potential security warnings in Jenkins plugins via admission webhooks.
//+optional //+optional
ValidateSecurityWarnings bool `json:"validateSecurityWarnings,omitempty"` ValidateSecurityWarnings bool `json:"validateSecurityWarnings,omitempty"`

1
chart/jenkins-operator/README.md
View File

@ -88,6 +88,7 @@ Kubernetes native operator which fully manages Jenkins on Kubernetes
| jenkins.securityContext.fsGroup | int | `1000` | | | jenkins.securityContext.fsGroup | int | `1000` | |
| jenkins.securityContext.runAsUser | int | `1000` | | | jenkins.securityContext.runAsUser | int | `1000` | |
| jenkins.seedJobAgentImage | string | `""` | | | jenkins.seedJobAgentImage | string | `""` | |
| jenkins.seedJobRestrictJobsToLabel | boolean | `false` | |
| jenkins.seedJobs | list | `[]` | | | jenkins.seedJobs | list | `[]` | |
| jenkins.serviceAccount.annotations | object | `{}` | | | jenkins.serviceAccount.annotations | object | `{}` | |
| jenkins.terminationGracePeriodSeconds | int | `30` | | | jenkins.terminationGracePeriodSeconds | int | `30` | |

4
chart/jenkins-operator/crds/jenkins-crd.yaml
View File

@ -3131,6 +3131,10 @@ spec:
by the seed job agent. If not defined jenkins/inbound-agent:4.9-1 by the seed job agent. If not defined jenkins/inbound-agent:4.9-1
will be used. will be used.
type: string type: string
seedJobRestrictJobsToLabel:
description: SeedJobRestrictJobsToLabel defines whether the seed job agent
will be restricted to only running jobs with the seed job label.
type: boolean
seedJobs: seedJobs:
description: 'SeedJobs defines list of Jenkins Seed Job configurations description: 'SeedJobs defines list of Jenkins Seed Job configurations
More info: https://jenkinsci.github.io/kubernetes-operator/docs/getting-started/latest/configuration#configure-seed-jobs-and-pipelines' More info: https://jenkinsci.github.io/kubernetes-operator/docs/getting-started/latest/configuration#configure-seed-jobs-and-pipelines'

3
chart/jenkins-operator/templates/jenkins.yaml
View File

@ -171,4 +171,7 @@ spec:
{{- if .Values.jenkins.seedJobAgentImage }} {{- if .Values.jenkins.seedJobAgentImage }}
seedJobAgentImage: {{ .Values.jenkins.seedJobAgentImage }} seedJobAgentImage: {{ .Values.jenkins.seedJobAgentImage }}
{{- end }} {{- end }}
{{- if .Values.jenkins.seedJobRestrictJobsToLabel }}
seedJobRestrictJobsToLabel: {{ .Values.jenkins.seedJobRestrictJobsToLabel }}
{{- end }}
{{- end }} {{- end }}

3
chart/jenkins-operator/values.yaml
View File

@ -145,6 +145,9 @@ jenkins:
# SeedJobAgentImage defines the image that will be used by the seed job agent. If not defined jenkins/inbound-agent:3248.v65ecb_254c298-6 will be used. # SeedJobAgentImage defines the image that will be used by the seed job agent. If not defined jenkins/inbound-agent:3248.v65ecb_254c298-6 will be used.
seedJobAgentImage: "" seedJobAgentImage: ""
# SeedJobRestrictJobsToLabel defines whether the seed job agent will be restricted to only running jobs with the seed job label.
seedJobRestrictJobsToLabel: false
# Resource limit/request for Jenkins # Resource limit/request for Jenkins
# See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ for details # See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ for details
resources: resources:

4
config/crd/bases/jenkins.io_jenkins.yaml
View File

@ -3135,6 +3135,10 @@ spec:
by the seed job agent. If not defined jenkins/inbound-agent:4.9-1 by the seed job agent. If not defined jenkins/inbound-agent:4.9-1
will be used. will be used.
type: string type: string
seedJobRestrictJobsToLabel:
description: SeedJobRestrictJobsToLabel defines whether the seed job agent
will be restricted to only running jobs with the seed job label.
type: boolean
seedJobs: seedJobs:
description: 'SeedJobs defines list of Jenkins Seed Job configurations description: 'SeedJobs defines list of Jenkins Seed Job configurations
More info: https://jenkinsci.github.io/kubernetes-operator/docs/getting-started/latest/configuration#configure-seed-jobs-and-pipelines' More info: https://jenkinsci.github.io/kubernetes-operator/docs/getting-started/latest/configuration#configure-seed-jobs-and-pipelines'

4
deploy/crds/jenkins.io_jenkins_crd.yaml
View File

@ -3131,6 +3131,10 @@ spec:
by the seed job agent. If not defined jenkins/inbound-agent:4.9-1 by the seed job agent. If not defined jenkins/inbound-agent:4.9-1
will be used. will be used.
type: string type: string
seedJobRestrictJobsToLabel:
description: SeedJobRestrictJobsToLabel defines whether the seed job agent
will be restricted to only running jobs with the seed job label.
type: boolean
seedJobs: seedJobs:
description: 'SeedJobs defines list of Jenkins Seed Job configurations description: 'SeedJobs defines list of Jenkins Seed Job configurations
More info: https://jenkinsci.github.io/kubernetes-operator/docs/getting-started/latest/configuration#configure-seed-jobs-and-pipelines' More info: https://jenkinsci.github.io/kubernetes-operator/docs/getting-started/latest/configuration#configure-seed-jobs-and-pipelines'

30
pkg/configuration/user/seedjobs/seedjobs.go
View File

@ -8,6 +8,7 @@ import (
"reflect" "reflect"
"text/template" "text/template"
"github.com/go-logr/logr"
"github.com/jenkinsci/kubernetes-operator/api/v1alpha2" "github.com/jenkinsci/kubernetes-operator/api/v1alpha2"
"github.com/jenkinsci/kubernetes-operator/internal/render" "github.com/jenkinsci/kubernetes-operator/internal/render"
jenkinsclient "github.com/jenkinsci/kubernetes-operator/pkg/client" jenkinsclient "github.com/jenkinsci/kubernetes-operator/pkg/client"
@ -17,8 +18,6 @@ import (
"github.com/jenkinsci/kubernetes-operator/pkg/groovy" "github.com/jenkinsci/kubernetes-operator/pkg/groovy"
"github.com/jenkinsci/kubernetes-operator/pkg/log" "github.com/jenkinsci/kubernetes-operator/pkg/log"
"github.com/jenkinsci/kubernetes-operator/pkg/notifications/reason" "github.com/jenkinsci/kubernetes-operator/pkg/notifications/reason"
"github.com/go-logr/logr"
stackerr "github.com/pkg/errors" stackerr "github.com/pkg/errors"
appsv1 "k8s.io/api/apps/v1" appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
@ -48,7 +47,8 @@ const (
// DefaultAgentImage is the default image used for the seed-job agent // DefaultAgentImage is the default image used for the seed-job agent
defaultAgentImage = "jenkins/inbound-agent:3248.v65ecb_254c298-6" defaultAgentImage = "jenkins/inbound-agent:3248.v65ecb_254c298-6"
creatingGroovyScriptName = "seed-job-groovy-script.groovy" creatingGroovyScriptName = "seed-job-groovy-script.groovy"
agentModeGroovyScriptName = "seed-job-agent-mode-groovy-script.groovy"
homeVolumeName = "home" homeVolumeName = "home"
homeVolumePath = "/home/jenkins/agent" homeVolumePath = "/home/jenkins/agent"
@ -57,6 +57,18 @@ const (
workspaceVolumePath = "/home/jenkins/workspace" workspaceVolumePath = "/home/jenkins/workspace"
) )
var seedAgentSetModeScriptTemplate = template.Must(template.New(agentModeGroovyScriptName).Parse(`
import hudson.model.*
import jenkins.model.*
import hudson.slaves.*
import hudson.slaves.EnvironmentVariablesNodeProperty.Entry
import jenkins.model.Jenkins;
Jenkins jenkins = Jenkins.instance
def agent = jenkins.getNode("{{.AgentName}}")
agent.setMode(Node.Mode.EXCLUSIVE)
`))
var seedJobGroovyScriptTemplate = template.Must(template.New(creatingGroovyScriptName).Parse(` var seedJobGroovyScriptTemplate = template.Must(template.New(creatingGroovyScriptName).Parse(`
import hudson.model.FreeStyleProject; import hudson.model.FreeStyleProject;
import hudson.plugins.git.GitSCM; import hudson.plugins.git.GitSCM;
@ -381,6 +393,18 @@ func (s *seedJobs) createAgent(jenkinsClient jenkinsclient.Jenkins, k8sClient cl
return stackerr.WithStack(err) return stackerr.WithStack(err)
} }
if s.Configuration.Jenkins.Spec.SeedJobRestrictJobsToLabel {
data := struct{ AgentName string }{AgentName: agentName}
setAgentModeScript, err := render.Render(seedAgentSetModeScriptTemplate, data)
if err != nil {
return err
}
_, err = jenkinsClient.ExecuteScript(setAgentModeScript)
if err != nil {
return err
}
}
secret, err := jenkinsClient.GetNodeSecret(agentName) secret, err := jenkinsClient.GetNodeSecret(agentName)
if err != nil { if err != nil {
return err return err