jenkinsci · brokenpip3 · Mar 26, 2023 · Mar 26, 2023 · Apr 6, 2023 · Apr 6, 2023
@@ -14,7 +14,7 @@ Kubernetes native operator which fully manages Jenkins on Kubernetes
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| cert-manager.startupapicheck.enabled | bool | `false` |  |
+| cert-manager | object | `{"installCRDs":false,"startupapicheck":{"enabled":false}}` | -> Certmanager subchart part This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The installCRDs is necessary to install the certificate CRDs necessary for the webhook. If you want the webhook enabled these 2 options needs to be "true" |
 | jenkins.annotations | object | `{}` |  |
 | jenkins.apiVersion | string | `"jenkins.io/v1alpha2"` |  |
 | jenkins.authorizationStrategy | string | `"createUser"` |  |

@@ -1,24 +1,48 @@
 {{- if .Values.webhook.enabled }}
+#---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: sleep-until-certificate-{{ .Values.webhook.certificate.name }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: post-install
+    helm.sh/hook-weight: "1"
+    helm.sh/hook-delete-policy: hook-succeeded
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: sleep-until-certificate
+        image: "alpine:3"
+        command: ["/bin/sleep", "15"]
+---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "2"
   name: jenkins-{{ .Values.webhook.certificate.name }}
   namespace: {{ .Release.Namespace }}
 spec:
   duration: {{ .Values.webhook.certificate.duration }}
   renewBefore: {{ .Values.webhook.certificate.renewbefore }}
   secretName: jenkins-{{ .Values.webhook.certificate.name }}
   dnsNames:
-  - jenkins-webhook-service.{{ .Release.Namespace }}.svc 
-  - jenkins-webhook-service.{{ .Release.Namespace }}.svc.cluster.local 
+  - jenkins-webhook-service.{{ .Release.Namespace }}.svc
+  - jenkins-webhook-service.{{ .Release.Namespace }}.svc.cluster.local
   issuerRef:
     kind: Issuer
     name: selfsigned
-
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "2"
   name: selfsigned
   namespace: {{ .Release.Namespace }}
 spec:
@@ -28,7 +52,9 @@ spec:
 apiVersion: v1
 kind: Secret
 metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "1"
   name: jenkins-{{ .Values.webhook.certificate.name }}
 type: opaque
-
-{{- end }}
+{{- end }}
@@ -1,9 +1,13 @@
 {{- if .Values.webhook.enabled }}
+{{- if not (lookup "admissionregistration.k8s.io/v1" "ValidatingWebhookConfiguration" .Release.Namespace "{{ .Release.Name }}-webhook" ) }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
   name: {{ .Release.Name }}-webhook
   annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "3"
+    helm.sh/hook-delete-policy: hook-failed
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/jenkins-{{ .Values.webhook.certificate.name }}
 webhooks:
 - admissionReviewVersions:
@@ -34,6 +38,9 @@ webhooks:
 apiVersion: v1
 kind: Service
 metadata:
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "3"
   name: jenkins-webhook-service
   namespace: {{ .Release.Namespace }}
 spec:
@@ -44,4 +51,5 @@ spec:
     app.kubernetes.io/name: {{ include "jenkins-operator.name" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
 ---
-{{- end }}
+{{- end }}
+{{- end }}
@@ -321,10 +321,16 @@ webhook:
     # time after which the certificate will be automatically renewed
     renewbefore: 360h
   # enable or disable the validation webhook
+  # if enabled please check the certmanager part of the values
   enabled: false
 
+# ---> Certmanager subchart part
+
 # This startupapicheck is a Helm post-install hook that waits for the webhook
-# endpoints to become available.
+# endpoints to become available. The installCRDs is necessary to install
+# the certificate CRDs necessary for the webhook.
+# If you want the webhook enabled these 2 options needs to be "true"
 cert-manager:
+  installCRDs: false
   startupapicheck:
     enabled: false
@@ -11,7 +11,7 @@ API_VERSION_NEXT=v1alpha3
 ALL_IN_ONE_DEPLOY_FILE_PREFIX=all-in-one
 GEN_CRD_API=gen-crd-api-reference-docs
 IMAGE_PULL_MODE=local
-HELM_VERSION=3.1.2
+HELM_VERSION=3.11.1
 CLUSTER_DOMAIN=cluster.local
 LATEST_LTS_VERSION=2.387.1
 KIND_CLUSTER_NAME=jenkins
@@ -35,9 +35,6 @@ diag() {
   run verify "there is 1 deployment named 'default-jenkins-operator'"
   assert_success
 
-  run verify "there is 1 pod named 'default-jenkins-operator-'"
-  assert_success
-
   run try "at most 20 times every 10s to get pods named 'default-jenkins-operator-' and verify that '.status.containerStatuses[?(@.name==\"jenkins-operator\")].ready' is 'true'"
   assert_success
 }
@@ -98,6 +95,22 @@ diag() {
   assert_success
 }
 
+#bats test_tags=phase:helm
+@test "1.9 Helm: check Jenkins crd" {
+  [[ ! -f "chart/jenkins-operator/deploy.tmp" ]] && skip "Jenkins helm chart have not been deployed correctly"
+  run verify "there is 1 crd named 'jenkins.jenkins.io'"
+  assert_success
+  # Test the conditional cert manager installation
+  run verify "there is 0 crd named 'cert-manager.io'"
+  assert_success
+}
+
 @test "1.9 Helm: Clean" {
+  run ${HELM} uninstall default
+  assert_success
+  # Wait for the complete removal
+  sleep 30
+  run verify "there is 0 pvc named 'jenkins backup'"
+  assert_success
   rm "chart/jenkins-operator/deploy.tmp"
 }
@@ -0,0 +1,53 @@
+setup() {
+  load 'test_helper'
+  _common_setup
+}
+
+#bats test_tags=phase:helm
+@test "2.1 Install helm chart with options" {
+  run ${HELM} dependency update chart/jenkins-operator
+  assert_success
+  ${HELM} status options && skip "Helm release 'options' already exists"
+  run ${HELM} install options \
+    --set jenkins.namespace=${DETIK_CLIENT_NAMESPACE} \
+    --set namespace=${DETIK_CLIENT_NAMESPACE} \
+    --set operator.image=${OPERATOR_IMAGE} \
+    --set webhook.enabled=true \
+    --set cert-manager.installCRDs=true \
+    --set cert-manager.startupapicheck.enabled=true \
+    chart/jenkins-operator
+  assert_success
+  assert ${HELM} status options
+  touch "chart/jenkins-operator/deploy.tmp"
+}
+
+#bats test_tags=phase:helm
+@test "2.2 Helm: check Jenkins operator pods status" {
+  [[ ! -f "chart/jenkins-operator/deploy.tmp" ]] && skip "Jenkins helm chart have not been deployed correctly"
+
+  run verify "there is 1 deployment named 'options-jenkins-operator'"
+  assert_success
+
+  run verify "there is 1 pod named 'options-jenkins-operator-'"
+  assert_success
+
+  run try "at most 20 times every 10s to get pods named 'options-jenkins-operator-' and verify that '.status.containerStatuses[?(@.name==\"jenkins-operator\")].ready' is 'true'"
+  assert_success
+}
+
+#bats test_tags=phase:helm
+@test "2.3 Helm: check Jenkins Pod status" {
+  [[ ! -f "chart/jenkins-operator/deploy.tmp" ]] && skip "Jenkins helm chart have not been deployed correctly"
+
+  run try "at most 20 times every 10s to get pods named 'jenkins-jenkins' and verify that '.status.containerStatuses[?(@.name==\"jenkins-master\")].ready' is 'true'"
+  assert_success
+
+  run try "at most 20 times every 5s to get pods named 'jenkins-jenkins' and verify that '.status.containerStatuses[?(@.name==\"jenkins-master\")].ready' is 'true'"
+  assert_success
+}
+
+@test "2.9 Helm: Clean" {
+  run ${HELM} uninstall options
+  assert_success
+  rm "chart/jenkins-operator/deploy.tmp"
+}
@@ -106,6 +106,8 @@ var _ = Describe("Jenkins Controller with security validator", func() {
 				"--set-string", fmt.Sprintf("operator.image=%s", *imageName),
 				"--set", fmt.Sprintf("jenkins.securityValidator=%t", true),
 				"--set", fmt.Sprintf("jenkins.enabled=%t", false),
+				"--set", fmt.Sprintf("cert-manager.installCRDs=%t", true),
+				"--set", fmt.Sprintf("cert-manager.startupapicheck.enabled=%t", true),
 				"--set", fmt.Sprintf("webhook.enabled=%t", true), "--install")
 			output, err := cmd.CombinedOutput()
 			Expect(err).NotTo(HaveOccurred(), string(output))
@@ -127,6 +129,8 @@ var _ = Describe("Jenkins Controller with security validator", func() {
 				"--set-string", fmt.Sprintf("jenkins.namespace=%s", namespace.Name),
 				"--set-string", fmt.Sprintf("operator.image=%s", *imageName),
 				"--set", fmt.Sprintf("webhook.enabled=%t", true),
+				"--set", fmt.Sprintf("cert-manager.installCRDs=%t", true),
+				"--set", fmt.Sprintf("cert-manager.startupapicheck.enabled=%t", true),
 				"--set", fmt.Sprintf("jenkins.enabled=%t", false), "--install")
 			output, err := cmd.CombinedOutput()
 			Expect(err).NotTo(HaveOccurred(), string(output))