# Jenkins

A CI/CD server with dynamic Kubernetes Pod agents, JCasC (Configuration as Code) and 43 preinstalled plugins. When `addon_vault: true` is set, the HashiCorp Vault integration is configured automatically.
## Quick start

```yaml
# group_vars/all/addons.yml
addon_jenkins: true
jenkins_ingress_host: "jenkins.example.com"
jenkins_ingress_tls: true
```

The secret goes in `vault.yml`:

```yaml
vault_jenkins_admin_password: "secure-password"
```

```bash
make addon-jenkins
```
## Parameters

| Variable | Default | Description |
|---|---|---|
| `jenkins_admin_user` | `admin` | Administrator login |
| `jenkins_ingress_host` | `jenkins.example.com` | Hostname |
| `jenkins_ingress_tls` | `true` | TLS via cert-manager |
| `jenkins_storage_size` | `20Gi` | PVC for Jenkins Home |
| `jenkins_agent_enabled` | `true` | Dynamic k8s pod agents |
| `jenkins_metrics_enabled` | `true` | Prometheus metrics endpoint |
## Preinstalled plugins (43)

- Core/Pipeline: kubernetes, workflow-aggregator, pipeline-stage-view, pipeline-utility-steps, job-dsl, configuration-as-code
- SCM: git, github, gitlab-plugin, gitea-plugin, bitbucket, ssh-agent
- Secrets: credentials-binding, hashicorp-vault-plugin, kubernetes-credentials
- Security: matrix-auth, role-strategy, ldap
- Docker: docker-workflow, docker-plugin
- Build: maven-plugin, gradle, nodejs, ansible
- Quality: junit, htmlpublisher, sonar, warnings-ng, jacoco, cobertura
- Artifacts: nexus-artifact-uploader, artifactory, publish-over-ssh
- Notifications: email-ext, slack, telegram-notifications, mattermost
- Utils: ws-cleanup, copyartifact, build-name-setter, throttle-concurrents, build-timeout, parameterized-trigger
- UI: blueocean, ansicolor, timestamper
## Declarative Pipeline

```groovy
pipeline {
    agent {
        kubernetes {
            // Agent pod template: a Maven build container and a privileged
            // Docker-in-Docker sidecar for image builds.
            yaml """
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: maven
    image: maven:3.9-eclipse-temurin-17
    command: ['cat']
    tty: true
  - name: docker
    image: docker:dind
    securityContext:
      privileged: true
"""
        }
    }
    stages {
        stage('Build') {
            steps {
                container('maven') {
                    sh 'mvn clean package -DskipTests'
                }
            }
        }
        stage('Docker Build') {
            steps {
                container('docker') {
                    // Build under the full registry name so the push below refers to an existing tag.
                    sh 'docker build -t harbor.example.com/library/myapp:${BUILD_NUMBER} .'
                    sh 'docker push harbor.example.com/library/myapp:${BUILD_NUMBER}'
                }
            }
        }
        stage('Test') {
            steps {
                container('maven') {
                    sh 'mvn test'
                }
            }
            post {
                always {
                    junit 'target/surefire-reports/*.xml'
                }
            }
        }
    }
}
```
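The agent template above runs a privileged Docker-in-Docker container. As an added example (not part of the addon's own code), the following policy check audits such a pod template before a pipeline is accepted: it flags privileged containers and images that are not pinned to a tag or digest. The template is written as the dict a YAML loader would return for the page's own spec, so the check needs no extra dependencies.

```python
# Added example: audit a Jenkins kubernetes-agent pod template for risky settings.
# AGENT_POD_SPEC mirrors the page's `agent { kubernetes { yaml ... } }` template
# in already-loaded form (constructed here, not read from a Jenkinsfile).

AGENT_POD_SPEC = {
    "apiVersion": "v1",
    "kind": "Pod",
    "spec": {
        "containers": [
            {"name": "maven", "image": "maven:3.9-eclipse-temurin-17",
             "command": ["cat"], "tty": True},
            {"name": "docker", "image": "docker:dind",
             "securityContext": {"privileged": True}},
        ]
    },
}


def image_is_pinned(image: str) -> bool:
    """True when the image reference has a digest or an explicit tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    # Drop any registry host:port prefix so its colon is not mistaken for a tag separator.
    last = image.rsplit("/", 1)[-1]
    if ":" not in last:
        return False  # no tag at all -> implicit 'latest'
    return last.split(":", 1)[1] != "latest"


def audit_agent_pod(pod: dict) -> list:
    """Return one finding string per risky setting found in the pod template."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged") is True:
            # A privileged build container has full access to the node's kernel and devices.
            findings.append(f"{name}: privileged container")
        image = c.get("image", "")
        if not image_is_pinned(image):
            findings.append(f"{name}: image {image!r} is not pinned to a tag or digest")
    return findings


if __name__ == "__main__":
    for finding in audit_agent_pod(AGENT_POD_SPEC):
        print("WARN", finding)
```

Run as a pre-merge check on Jenkinsfiles, it reports the `docker` sidecar as privileged while the pinned `maven` image passes.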
## HashiCorp Vault integration

When `addon_vault: true` is set, JCasC configures the Vault URL in Jenkins automatically.

Create the AppRole credentials manually: Jenkins → Manage Credentials → Add → Vault App Role Credential

- ID: `vault-approle`
- Role ID + Secret ID from Vault

Usage in a Pipeline:

```groovy
withVault(configuration: [
    vaultUrl: 'http://vault.vault.svc.cluster.local:8200',
    vaultCredentialId: 'vault-approle'
], vaultSecrets: [
    [path: 'secret/myapp', secretValues: [
        [envVar: 'DB_PASSWORD', vaultKey: 'db_password'],
        [envVar: 'API_KEY', vaultKey: 'api_key']
    ]]
]) {
    sh 'echo "DB: $DB_PASSWORD"'
}
```
## Kubernetes credentials

```groovy
withKubeConfig([credentialsId: 'k8s-sa-token']) {
    sh 'kubectl get pods'
}
```
## Gitea webhook

In the Gitea repository settings → Webhooks:

- URL: `https://jenkins.example.com/gitea-webhook/post`
- Secret: the token from Jenkins Credentials
## Email notifications via SMTP relay

```groovy
post {
    failure {
        emailext(
            subject: "Build FAILED: ${env.JOB_NAME} #${env.BUILD_NUMBER}",
            body: "${env.BUILD_URL}",
            to: "team@example.com"
        )
    }
}
```

SMTP settings: Jenkins → Manage → Configure System → Extended E-mail Notification:

- SMTP server: `smtp-relay.smtp-relay.svc.cluster.local`
- Port: `25`
## Troubleshooting

```bash
kubectl logs -n jenkins statefulset/jenkins -f
kubectl get pods -n jenkins
```