values.yaml
github:
  user: "Jenkins Infra Bot (updatecli)"
  email: "[email protected]"
  token: "UPDATECLI_GITHUB_TOKEN"
  branch: "main"
  owner: "jenkins-infra"
  repository: "azure"

controllers_azurevm_client_end_dates:
  ci.jenkins.io:
    doc_how_to_get_credential: |
      > [!IMPORTANT]
      >
      > ⚠️ Merging this PR will prevent starting new Azure VM agents until the credential is updated on the controller.
      You'll have to update **manually** the top-level credential `azure-jenkins-sponsorship-credentials` on the Jenkins UI.
      The new password value, once the PR is merged and deployed, can be retrieved from the Terraform state,
      by searching for `module.ci_jenkins_io_sponsorship.azuread_application_password.controller.value`.
      Finally, verify both Azure Credential and Azure VM clouds by checking that a click on the "Verify <...>" buttons returns a success,
      then restart the controller to ensure that the old credential is not kept in cache.
  trusted.ci.jenkins.io:
    doc_how_to_get_credential: |
      > [!IMPORTANT]
      >
      > ⚠️ Merging this PR will prevent starting new Azure VM agents until the credential is updated on the controller.
      You'll have to update **manually** the top-level credential `azure-jenkins-sponsorship-credentials` on the Jenkins UI.
      The new password value, once the PR is merged and deployed, can be retrieved from the Terraform state,
      by searching for `module.trusted_ci_jenkins_io.azuread_application_password.controller`.
      Finally, verify both Azure Credential and Azure VM clouds by checking that a click on the "Verify <...>" buttons returns a success,
      then restart the controller to ensure that the old credential is not kept in cache.
  cert.ci.jenkins.io:
    doc_how_to_get_credential: |
      > [!IMPORTANT]
      >
      > ⚠️ Merging this PR will prevent starting new Azure VM agents until the credential is updated on the controller.
      You'll have to update **manually** the top-level credential `azure-jenkins-sponsorship-credentials` on the Jenkins UI.
      The new password value, once the PR is merged and deployed, can be retrieved from the Terraform state,
      by searching for `module.cert_ci_jenkins_io.azuread_application_password.controller.value`.
      Finally, verify both Azure Credential and Azure VM clouds by checking that a click on the "Verify <...>" buttons returns a success,
      then restart the controller to ensure that the old credential is not kept in cache.
  infra.ci.jenkins.io:
    custom_hcl_key: resource.azuread_application_password.infra_ci_jenkins_io.end_date
    doc_how_to_get_credential: |
      > [!IMPORTANT]
      >
      > ⚠️ Merging this PR will prevent starting new Azure VM agents until the credential is updated on the controller.
      You'll have to update the credential on infra.ci.jenkins.io's encrypted secrets:
      - Update the secret value in jenkins-infra/chart-secrets (or kubernetes-management/secrets), add, commit and push the change
      - Trigger a build of the `kubernetes-management` job on infra.ci.jenkins.io to ensure secret value is updated in Kubernetes secrets
      - Finally, trigger a controller restart (pod delete, or rollout) to make sure secrets are used to update the Jenkins credential.
      The new password value, once the PR is merged and deployed, can be retrieved from the Terraform state,
      by searching for `azuread_application_password.infra_ci_jenkins_io.value`.

# Also used by terraform in locals.tf
end_dates:
  infra_ci_jenkins_io:
    infraci_contributorsjenkinsio_fileshare_serviceprincipal_writer:
      end_date: 2025-03-18T00:00:00Z
      service: "contributors.jenkins.io"
      secret: "CONTRIBUTORS_SERVICE_PRINCIPAL_WRITER_CLIENT_SECRET"
    infraci_docsjenkinsio_fileshare_serviceprincipal_writer:
      end_date: 2025-04-08T00:00:00Z
      service: "docs.jenkins.io"
      secret: "DOCS_SERVICE_PRINCIPAL_WRITER_CLIENT_SECRET"
    infraci_pluginsjenkinsio_fileshare_serviceprincipal_writer:
      end_date: 2025-03-18T00:00:00Z
      service: "plugins.jenkins.io"
      secret: "INFRACI_PLUGINSJENKINSIO_FILESHARE_SERVICE_PRINCIPAL_WRITER_PASSWORD"
    infraci_statsjenkinsio_fileshare_serviceprincipal_writer:
      end_date: 2025-03-18T00:00:00Z
      service: "stats.jenkins.io"
      secret: "STATS_SERVICE_PRINCIPAL_WRITER_CLIENT_SECRET"
  trusted_ci_jenkins_io:
    trustedci_jenkinsio_fileshare_serviceprincipal_writer:
      service: "www.jenkins.io"
      doc_how_to_get_credential: |
        > [!IMPORTANT]
        >
        > ⚠️ Merging this PR will prevent the "jenkins.io" deployment job to succeed and update the www.jenkins.io website.
        > You'll have to update the top-level credential `trustedci_jenkinsio_fileshare_serviceprincipal_writer` on trusted.ci.jenkins.io UI.
        >
        > This credential value can be retrieved in the Terraform state from `module.trustedci_jenkinsio_fileshare_serviceprincipal_writer.azuread_application.fileshare_serviceprincipal_writer`.
    trustedci_javadocjenkinsio_fileshare_serviceprincipal_writer:
      service: "javadoc.jenkins.io"
      doc_how_to_get_credential: |
        > [!IMPORTANT]
        >
        > ⚠️ Merging this PR will prevent the "javadoc.jenkins.io" deployment job to succeed and update the www.jenkins.io website.
        > You'll have to update the top-level credential `trustedci_javadocjenkinsio_fileshare_serviceprincipal_writer` on trusted.ci.jenkins.io UI.
        >
        > This credential value can be retrieved in the Terraform state from `module.trustedci_javadocjenkinsio_fileshare_serviceprincipal_writer.azuread_application.fileshare_serviceprincipal_writer`.
  publick8s:
    cronjob_geoip_data_fileshare_serviceprincipal_writer:
      service: "geoip"
      doc_how_to_get_credential: |
        > [!IMPORTANT]
        >
        > ⚠️ Merging this PR will prevent the "geoip kubernetes cronjob" to succeed and update the mirrorbits geoip databases.
        > You'll have to update the sops secrets `./secrets/config/geoipdata/secrets.yaml`
        >
        > This credential value can be retrieved in the Terraform state from `module.cronjob_geoip_staging_fileshare_serviceprincipal_writer.azuread_application_password.fileshare_serviceprincipal_writer`.
    cronjob_geoip_data_staging_fileshare_serviceprincipal_writer:
      service: "geoip_staging"
      doc_how_to_get_credential: |
        > this is for the staging environment
        > ⚠️ Merging this PR will prevent the "geoip kubernetes cronjob" to succeed and update the mirrorbits geoip databases.
        > You'll have to update the sops secrets `./secrets/config/geoipdata/staging-secrets.yaml`
        >
        > This credential value can be retrieved in the Terraform state from `module.cronjob_geoip_data_staging_fileshare_serviceprincipal_writer.azuread_application_password.fileshare_serviceprincipal_writer`.

updatecli_end_dates:
  infra.ci.jenkins.io:
    custom_hcl_key: resource.azuread_application_password.updatecli_infra_ci_jenkins_io.end_date
    doc_how_to_get_credential: |
      > [!IMPORTANT]
      >
      > ⚠️ Merging this PR will prevent updatecli to use `az` until the credential is updated on the controller.
      You'll have to update the credential on infra.ci.jenkins.io's encrypted secrets:
      - Update the secret value in jenkins-infra/chart-secrets (or kubernetes-management/secrets), add, commit and push the change
      - Trigger a build of the `kubernetes-management` job on infra.ci.jenkins.io to ensure secret value is updated in Kubernetes secrets
      - Finally, trigger a reload from jcasc or a controller restart (pod delete, or rollout) to make sure secrets are used to update the Jenkins credential.
      - test by replaying a build on main `https://infra.ci.jenkins.io/job/updatecli/job/packer-images/job/main/` and check the logs for an azure check (⚠️ do not rely on green result)
      The new password value, once the PR is merged and deployed, can be retrieved from the Terraform state,
      by searching for `azuread_application_password.updatecli_infra_ci_jenkins_io.value`.