Jenkins Helm Chart

The Jenkins Helm Chart is a Kubernetes package that installs a Jenkins server designed to spawn agents as Kubernetes pods using the Jenkins Kubernetes plugin^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

Installation and Management

Adding the Repository

Before installation, the Jenkins repository must be added and updated locally^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md]:

helm repo add jenkins https://charts.jenkins.io
helm repo update

Basic Operations

  • Installation: Use helm install [RELEASE_NAME] jenkins/jenkins^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  • Uninstallation: Use helm uninstall [RELEASE_NAME] to remove all Kubernetes components associated with the chart^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  • Upgrading: Use helm upgrade [RELEASE_NAME] jenkins/jenkins^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

Key Configuration Areas

Configuration as Code (JCasC)

The chart utilizes [[jenkins-configuration-as-code-jcasc|Jenkins Configuration as Code (JCasC)]] for setup^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md]. Configuration is passed via Helm values under controller.JCasC.

  • Auto-Reload: Setting controller.sidecars.configAutoReload.enabled to true enables a sidecar container that automatically reloads configuration changes without requiring a Pod restart^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  • Conflict Warning: Default configuration files contain values that cannot be overridden via configScripts. For example, Jenkins URL and Admin Email must be set via controller.jenkinsUrl and controller.jenkinsAdminEmail respectively, rather than through JCasC scripts^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

Persistence

Jenkins data is stored under /var/jenkins_home^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md]. The chart uses a dynamically managed Persistent Volume Claim (PVC) by default^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

  • Existing Claim: To use a pre-existing PVC, set persistence.existingClaim to the PVC name^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  • Storage Class: Set persistence.storageClass to define a specific storage class^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  • Performance Issue: Certain volume/filesystem combinations may experience long attach times (10+ minutes) due to fsGroup permission changes. This can be mitigated by overriding the Pod security context to use supplementalGroups instead^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
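The supplementalGroups workaround described above, as an added values.yaml fragment (not taken from the chart's own documentation). The PVC name is a placeholder, and controller.podSecurityContextOverride is the chart value assumed here for replacing the Pod security context.

```yaml
# values.yaml fragment (added example; the PVC name is a placeholder)
controller:
  # With fsGroup in the Pod security context, the kubelet may recursively
  # change ownership and permissions of the whole volume on every mount.
  # On a large Jenkins home that walk is what delays the attach.
  # supplementalGroups only adds GID 1000 to the container processes and
  # leaves the files on the volume untouched.
  podSecurityContextOverride:
    runAsUser: 1000
    runAsNonRoot: true
    supplementalGroups: [1000]

persistence:
  # Reuse a claim whose contents are already owned by UID/GID 1000;
  # without fsGroup nothing fixes ownership at mount time.
  existingClaim: "jenkins-home"
```

Because ownership is no longer corrected at mount time, a volume written by an older root-based deployment still needs the one-off chown -R 1000:1000 before this override is applied.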

Security and Access Control

The chart configures a default securityRealm and authorizationStrategy that creates a single admin user^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md]. For production environments, this should be adjusted to use LDAP, OIDC, or global matrix authorization^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

Secrets for identity providers (e.g., LDAP, OIDC) can be injected into the controller via controller.additionalSecrets or controller.additionalExistingSecrets and referenced within the JCasC configuration^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
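A values.yaml fragment for the setup described above, added here as an illustration and not taken from the chart's own documentation: an LDAP security realm whose bind password comes from a pre-existing Kubernetes Secret, plus global matrix authorization. Hostnames, DNs, group names and the Secret name are placeholders, and the ldap and matrix-auth plugins are assumed to be installed.

```yaml
# values.yaml fragment (added example; all names and hosts are placeholders)
controller:
  # Set through chart values, not configScripts: the chart's default
  # JCasC files own these two settings.
  jenkinsUrl: "https://jenkins.example.internal/"
  jenkinsAdminEmail: "jenkins-admin@example.internal"

  # Pre-created Secret "ldap-bind" with key "manager-password".
  # The chart exposes it to JCasC as ${<name>-<keyName>}, so the
  # password never appears in values.yaml or in the release history.
  additionalExistingSecrets:
    - name: ldap-bind
      keyName: manager-password

  JCasC:
    # Replaces the default realm that creates a single local admin user.
    securityRealm: |-
      ldap:
        configurations:
          - server: "ldaps://ldap.example.internal:636"
            rootDN: "dc=example,dc=internal"
            managerDN: "cn=jenkins-bind,ou=service,dc=example,dc=internal"
            managerPasswordSecret: "${ldap-bind-manager-password}"
            userSearch: "uid={0}"
    # Global matrix authorization. The "entries" layout is the syntax of
    # recent matrix-auth releases (assumption: match the installed version).
    authorizationStrategy: |-
      globalMatrix:
        entries:
          - group:
              name: "jenkins-admins"
              permissions:
                - "Overall/Administer"
          - group:
              name: "authenticated"
              permissions:
                - "Overall/Read"
                - "Job/Read"
```

controller.additionalSecrets takes name/value pairs instead, which places the secret value in the Helm values themselves; referencing an existing Secret keeps it out of them.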

Custom Images

For production, it is recommended to build a custom Jenkins image with required plugins pre-installed to avoid connectivity issues to the Jenkins update site during startup^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md]. When using a custom image, controller.installPlugins should be set to false^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

Agents

Agents run as pods within the Kubernetes cluster^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

  • Volumes: Volumes can be injected into agent pods using the agent.volumes configuration, supporting types like ConfigMap, Secret, PVC, etc^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  • Pod Templates: Custom Pod templates can be defined via agent.podTemplates for specific agent requirements (e.g., Python, Maven)^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  • Additional Agents: The additionalAgents value allows for the configuration of multiple Pod templates that inherit defaults from the main agent configuration^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

Backup and Restore

The chart supports backup functionality via a CronJob^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

Backup to Cloud Storage

The chart includes an example workflow for backing up to Google Cloud Storage (GCS)^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md]. The process involves:

  1. Creating a GCS bucket and Service Account with roles/storage.admin^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  2. Storing the Service Account key in a Kubernetes Secret^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  3. Configuring the backup section in values.yaml with the schedule and destination^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

A similar approach applies to AWS S3, though the AWS_REGION environment variable may need to be set if the bucket is not in eu-central-1^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

Restore Procedure

Restoration involves copying data from cloud storage back to the Jenkins Pod's /var/jenkins_home directory using a Kubernetes Job (e.g., utilizing the skbn tool)^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md]. This requires specific RBAC permissions (ServiceAccount, ClusterRole, ClusterRoleBinding) to allow the job to interact with Pod volumes^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

Migration Guide

Major version upgrades may require manual intervention due to breaking changes^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

Migration to 3.0.0

  • Terminology: The master terminology was renamed to controller in values.yaml^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  • Architecture: Jenkins switched from a Deployment to a StatefulSet^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  • Helm Version: Requires Helm 3^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  • Configuration: XML configuration options were removed; migration to JCasC is required^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

Migration to 2.0.0

  • Configuration: JCasC became the default. Manual configurations may be reset to defaults if not migrated to JCasC definitions^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].
  • Security: The container no longer runs as root by default. Permissions on existing volumes may need manual adjustment (chown -R 1000:1000)^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md].

Sources

^[400-devops-06-kubernetes-devops-helm-helm-jenkins-readme.md]