-
Notifications
You must be signed in to change notification settings - Fork 16.9k
[stable/jenkins] Add support for idleMinutes and serviceAccount #13263
[stable/jenkins] Add support for idleMinutes and serviceAccount #13263
Conversation
Hi @jbussdieker. Thanks for your PR. I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign @torstenwalter |
Thnks for the PR. What do you think about managing the service account used by the Jenkins agents in a similar way as the service account for Jenkins itself? https://helm.sh/docs/chart_best_practices/#using-rbac-resources So having an option to create it etc. |
That's a good idea. I'll incorporate https://helm.sh/docs/chart_best_practices/#using-rbac-resources into this PR. |
Actually now that I think about it the agent should default to not creating rbac even if Typically users won't want to set a service account for the build agents unless they are using Jenkins to manage and deploy to the cluster hosting Jenkins so the default rules to create is a bit of a grey area. What might make sense is to the have On a side note I have noticed that since Jenkins will be the one launching and assigning the service account to the agents, the permissions on the agent service account need to be equal to or less privileged than the master's service account. I'll think about it more as I work with the chart. Thanks for the feedback! |
@jbussdieker I agree that it's unclear how rbac for the service account of Jenkins agents should look like. Especially since there are many diffrent ways how people are using it.
Helm best practices suggest to split between service account and rbac setup:
That's what we do for the Jenkins master. Even if we don't know how to setup rbac we could still manage the creation of the service account. e.g. introducing something like:
And use a template like:
When creating the service account we could also ensure that it is done in the correct namespace if |
90f2c48
to
d63b5ba
Compare
35fd2e5
to
140080f
Compare
@torstenwalter thanks that makes sense. |
Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com>
Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com>
Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com>
Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com>
Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com>
140080f
to
b78adee
Compare
/ok-to-test |
*/}} | ||
{{- define "jenkins.serviceAccountAgentName" -}} | ||
{{- if .Values.serviceAccountAgent.create -}} | ||
{{ default (include "jenkins.fullname" .) .Values.serviceAccountAgent.name }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we have a problem here. If neither Values.serviceAccount.name
nor .Values.serviceAccountAgent.name
is set then we are trying two service accounts with the same name.
jenkins.serviceAccountName:
{{ default (include "jenkins.fullname" .) .Values.serviceAccount.name }}
jenkins.serviceAccountAgentName
{{ default (include "jenkins.fullname" .) .Values.serviceAccountAgent.name }}
We could add the "-agent" suffix:
{{ default (printf "%s-%s" (include "jenkins.fullname" .) "agent") .Values.serviceAccountAgent.name }}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. I thought there might have been a collision somewhere but I was hung up on there being two different bindings to default but that's not an issue.
…ying their names Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com>
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jbussdieker, torstenwalter The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@jbussdieker Thank you for this improvement! |
* spinnaker-additional-configmaps: (158 commits) [stable/spinnaker] Bump chart version [stable/spinnaker] Allow to use existing additionalConfigMaps objects [stable/instana-agent] Add instana-agent chart to stable (helm#12799) [stable/spring-cloud-data-flow] apiGroup extension does not have permissions over Jobs (helm#12174) Fluentd - Add option to add environment variables from secrets (helm#12565) Fluentd - Allow ingress path to be configurable (helm#12561) [stable/openebs]: update NDM image tag to 0.3.5 (helm#13282) stable/phabricator: update to 2019.16.0 (helm#13307) [stable/jenkins] Add support for idleMinutes and serviceAccount (helm#13263) [stable/gocd] Bump up k8 elastic agent to latest and bump up GoCD to v19.3.0 (helm#13301) [stable/atlantis] Add `--default-tf-version=` and `--allow-fork-prs` flag (helm#13299) stackdriver-exporter: allow google service account (helm#13214) SC-4435 Do not start the container if particular token is not provided (helm#13304) [stable/spring-cloud-data-flow] Update to new SCDF version 2.0.2 (helm#12951) allow to set COCKROACH_ENGINE_MAX_SYNC_DURATION (helm#13244) Use same JENKINS_URL no matter if slaves use different namespace (helm#12564) stable/concourse: separate worker, web deployments (helm#12920) [ci] Upgrade to chart-testing v2.3.3 (helm#13294) fixes incompatibility with 1.11 (helm#13261) Detect current network and netmask (helm#13250) ... # Conflicts: # stable/spinnaker/Chart.yaml
…m#13263) * [stable/jenkins] Add support for idleMinutes and serviceAccount Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Modify agent service account feature to follow best practices Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Conditionally set namespace for agent service account Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Add missing period Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Bump version again Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Fix name collision when creating both service accounts but not specifying their names Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com>
…m#13263) * [stable/jenkins] Add support for idleMinutes and serviceAccount Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Modify agent service account feature to follow best practices Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Conditionally set namespace for agent service account Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Add missing period Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Bump version again Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Fix name collision when creating both service accounts but not specifying their names Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com>
…m#13263) * [stable/jenkins] Add support for idleMinutes and serviceAccount Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Modify agent service account feature to follow best practices Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Conditionally set namespace for agent service account Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Add missing period Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Bump version again Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Fix name collision when creating both service accounts but not specifying their names Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com>
…m#13263) * [stable/jenkins] Add support for idleMinutes and serviceAccount Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Modify agent service account feature to follow best practices Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Conditionally set namespace for agent service account Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Add missing period Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Bump version again Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com> * Fix name collision when creating both service accounts but not specifying their names Signed-off-by: Joshua Bussdieker <jbussdieker@gmail.com>
What this PR does / why we need it:
This PR allows setting the idleMinutes and serviceAccount attributes used for provisioning build agents.
Which issue this PR fixes
Special notes for your reviewer:
Checklist
[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]