Support Custom Jenkins and SCM-Manager Images

argocd/cluster-resources/apps/jenkins/templates/values.ftl.yaml

@@ -1,12 +1,24 @@
 dockerClientVersion: ${config.jenkins.internalDockerClientVersion}
 
 controller:
+<#if config.jenkins.jenkinsImage?has_content>
+  <#assign DockerImageParser=statics['com.cloudogu.gitops.utils.DockerImageParser']>
+  <#assign jenkinsImage = DockerImageParser.parse(config.jenkins.jenkinsImage)>
+  image:
+    registry: ${jenkinsImage.registry}
+    repository: ${jenkinsImage.repository}
+    tag: "${jenkinsImage.tag}"
+<#else>
   image:
     registry: ghcr.io
     repository: cloudogu/jenkins-helm
     # The image corresponds to the helm version,
     # because it contains the default plugins for this particular chart version
     tag: "${config.jenkins.helm.version}"
+</#if>
+<#if config.registry.createImagePullSecrets == true>
+  imagePullSecretName: proxy-registry
+</#if>
   installPlugins: false
 
   # to prevent the jenkins-ui-test pod being created
@@ -28,7 +40,7 @@ controller:
       - secretName: jenkins-tls
         hosts:
           - ${config.jenkins.ingress}
-</#if>  
+</#if>
 </#if>
   # Don't use controller for builds
   numExecutors: 0

argocd/cluster-resources/apps/scm-manager/templates/values.ftl.yaml

@@ -5,7 +5,7 @@ persistence:
 livenessProbe:
   initialDelaySeconds: 120
 
-fullnameOverride : ${releaseName}
+fullnameOverride: ${releaseName}
 
 extraEnv: |
   - name: SCM_WEBAPP_INITIALUSER
@@ -23,11 +23,23 @@ ingress:
   hosts:
     - ${host}
 <#if config.features.certManager.active == true>
-  annotations:
-    cert-manager.io/cluster-issuer: ${config.features.certManager.issuer}
-  tls:
-    - secretName: scm-manager-tls
-      hosts:
-        - ${host}
+annotations:
+  cert-manager.io/cluster-issuer: ${config.features.certManager.issuer}
+tls:
+  - secretName: scm-manager-tls
+    hosts:
+      - ${host}
 </#if>
+</#if>
+<#if config.scm.scmManager.scmmImage?has_content || config.registry.createImagePullSecrets == true>
+image:
+  <#if config.scm.scmManager.scmmImage?has_content>
+  <#assign DockerImageParser=statics['com.cloudogu.gitops.utils.DockerImageParser']>
+  <#assign scmmImage = DockerImageParser.parse(config.scm.scmManager.scmmImage)>
+  repository: ${scmmImage.registryAndRepositoryAsString}
+  tag: ${scmmImage.tag}
+  </#if>
+  <#if config.registry.createImagePullSecrets == true>
+  pullSecret: proxy-registry
+  </#if>
 </#if>

docs/Configuration.md

@@ -53,6 +53,7 @@ All options can be set via a [config file](./configuration.schema.json). Most op
 | `--jenkins-password` | `jenkins.password` | String | `rY4jL2niDLKN` | Mandatory when jenkins-url is set |
 | `--jenkins-metrics-username` | `jenkins.metricsUsername` | String | `metrics` | Mandatory when jenkins-url is set and monitoring enabled |
 | `--jenkins-metrics-password` | `jenkins.metricsPassword` | String | `metrics` | Mandatory when jenkins-url is set and monitoring enabled |
+| `--jenkins-image` | `jenkins.jenkinsImage` | String | `` | Sets image for Jenkins |
 | `--maven-central-mirror` | `jenkins.mavenCentralMirror` | String | `` | URL for maven mirror, used by applications built in Jenkins |
 | `--jenkins-additional-envs` | `jenkins.additionalEnvs` | Map | `[:]` | Set additional environments to Jenkins |
 | - | `jenkins.helm.values` | Map | `[:]` | Helm values of the chart, allows overriding defaults and setting values that are not exposed as explicit configuration |
@@ -95,6 +96,7 @@ All options can be set via a [config file](./configuration.schema.json). Most op
 | - | `scm.scmManager.helm.chart` | String | `-` | Name of the Helm chart |
 | - | `scm.scmManager.helm.repoURL` | String | `-` | Repository url from which the Helm chart should be obtained |
 | - | `scm.scmManager.helm.version` | String | `-` | The version of the Helm chart to be installed |
+| `--scmm-image` | `scm.scmManager.scmmImage` | String | `-` | Sets image for SCM-Manager |
 | `--scmm-skip-restart` | `scm.scmManager.skipRestart` | Boolean | `-` | Skips restarting SCM-Manager after plugin installation. Use with caution! If the plugins are not installed up front, the installation will likely fail. The intended use case for this is after the first installation, for config changes only. Do not use on first installation or upgrades.' |
 | `--scmm-skip-plugins` | `scm.scmManager.skipPlugins` | Boolean | `-` | Skips plugin installation. Use with caution! If the plugins are not installed up front, the installation will likely fail. The intended use case for this is after the first installation, for config changes only. Do not use on first installation or upgrades. |
 | - | `scm.scmManager.gitOpsUsername` | String | `-` | Username for the Gitops User |

docs/Developers.md

@@ -409,8 +409,9 @@ Don't disconnect from the internet yet, because
   In this case when the first PVC gets provisioned.
 * SCMM needs to download the plugins from the internet
 * Helm repo updates need access to the internet
-* But also because we would have to replace the images for registry, scmm, jenkins (several images!) and argocd in the
-  source code, as there are no parameters to do so.
+* Argo CD images are not configurable yet and may still be pulled on demand.
+* Jenkins and SCM-Manager images can be pointed at the prepared registry via `jenkins.jenkinsImage` and
+  `scm.scmManager.scmmImage`; see `scripts/dev/gop_airgapped_config.yaml`.
 
 So, start the installation and once Argo CD is running, go offline.
 ```bash

docs/configuration.schema.json

@@ -663,6 +663,10 @@
           "$ref" : "#/$defs/HelmConfigWithValues-nullable",
           "description" : "Common Config parameters for the Helm package manager: Name of Chart (chart), URl of Helm-Repository (repoURL) and Chart Version (version). Note: These config is intended to obtain the chart from a different source (e.g. in air-gapped envs), not to use a different version of a helm chart. Using a different helm chart or version to the one used in the GOP version will likely cause errors."
         },
+        "jenkinsImage" : {
+          "type" : [ "string", "null" ],
+          "description" : "Sets image for Jenkins"
+        },
         "mavenCentralMirror" : {
           "type" : [ "string", "null" ],
           "description" : "URL for maven mirror, used by applications built in Jenkins"
@@ -892,6 +896,10 @@
               "type" : [ "string", "null" ],
               "description" : "Mandatory when scmm-url is set"
             },
+            "scmmImage" : {
+              "type" : [ "string", "null" ],
+              "description" : "Sets image for SCM-Manager"
+            },
             "skipPlugins" : {
               "type" : [ "boolean", "null" ],
               "description" : "Skips plugin installation. Use with caution! If the plugins are not installed up front, the installation will likely fail. The intended use case for this is after the first installation, for config changes only. Do not use on first installation or upgrades."
@@ -922,4 +930,4 @@
     }
   },
   "additionalProperties" : false
-}
+}

scripts/dev/gop_airgapped_config.yaml

@@ -1,6 +1,11 @@
 application:
   baseUrl: "http://localhost"
   insecure: true
+jenkins:
+  jenkinsImage: "k3d-agreg:5000/library/jenkins-helm:5.9.18"
+scm:
+  scmManager:
+    scmmImage: "k3d-agreg:5000/library/scm-manager:3.11.6"
 features:
   argocd:
     active: true

scripts/dev/gop_airgapped_config.yaml.tpl

@@ -1,6 +1,11 @@
 application:
   baseUrl: "http://localhost"
   insecure: true
+jenkins:
+  jenkinsImage: "<address>/library/jenkins-helm:5.9.18"
+scm:
+  scmManager:
+    scmmImage: "<address>/library/scm-manager:3.11.6"
 features:
   argocd:
     active: true

scripts/dev/mirror_images_to_registry.sh

@@ -19,6 +19,11 @@ PROMETHEUS_OPERATOR_CONFIG_RELOADER="docker://quay.io/prometheus-operator/promet
 GRAFANA_IMAGE="docker://docker.io/grafana/grafana:12.3.0"
 K8S_SIDECAR="docker://quay.io/kiwigrid/k8s-sidecar:2.1.2"
 
+JENKINS_IMAGE_TAG="5.9.18"
+SCM_MANAGER_IMAGE_TAG="3.11.6"
+JENKINS_IMAGE="docker://ghcr.io/cloudogu/jenkins-helm:${JENKINS_IMAGE_TAG}"
+SCM_MANAGER_IMAGE="docker://docker.io/scmmanager/scm-manager:${SCM_MANAGER_IMAGE_TAG}"
+
 CERT_MANAGER_CONTROLLER="docker://quay.io/jetstack/cert-manager-controller:v1.16.1"
 CERT_MANAGER_CA_INJECTOR="docker://quay.io/jetstack/cert-manager-cainjector:v1.16.1"
 CERT_MANAGER_WEBHOOK="docker://quay.io/jetstack/cert-manager-webhook:v1.16.1"
@@ -38,26 +43,34 @@ if [[ -n $HARBOR ]]; then
 
     operations=("Proxy" "Registry")
     readOnlyUser='RegistryRead'
+    declare -A projectIds
 
     for operation in "${operations[@]}"; do
 
         # Convert the operation to lowercase for the project name and email
         lower_operation=$(echo "$operation" | tr '[:upper:]' '[:lower:]')
 
         echo "creating project ${lower_operation}"
-        projectId=$(curl -is --fail "$REGISTRY_BASE_URL/api/v2.0/projects" -X POST -u admin:Harbor12345 -H 'Content-Type: application/json' --data-raw "{\"project_name\":\"$lower_operation\",\"metadata\":{\"public\":\"false\"},\"storage_limit\":-1,\"registry_id\":null}" | grep -i 'Location:' | awk '{print $2}' | awk -F '/' '{print $NF}' | tr -d '[:space:]')
+        projectResponse=$(curl -is "$REGISTRY_BASE_URL/api/v2.0/projects" -X POST -u admin:Harbor12345 -H 'Content-Type: application/json' --data-raw "{\"project_name\":\"$lower_operation\",\"metadata\":{\"public\":\"false\"},\"storage_limit\":-1,\"registry_id\":null}" || true)
+        projectId=$(echo "$projectResponse" | grep -i 'Location:' | awk '{print $2}' | awk -F '/' '{print $NF}' | tr -d '[:space:]' || true)
+
+        if [[ -z "$projectId" ]]; then
+            projectId=$(curl -s --fail "$REGISTRY_BASE_URL/api/v2.0/projects/${lower_operation}" -u admin:Harbor12345 | sed -n 's/.*"project_id":\([0-9]*\).*/\1/p')
+        fi
+
+        projectIds[$lower_operation]=$projectId
 
         echo creating user ${operation} with PW ${operation}12345
-        curl -s  --fail "$REGISTRY_BASE_URL/api/v2.0/users" -X POST -u admin:Harbor12345 -H 'Content-Type: application/json' --data-raw "{\"username\":\"$operation\",\"email\":\"$operation@example.com\",\"realname\":\"$operation example\",\"password\":\"${operation}12345\",\"comment\":null}"
+        curl -s "$REGISTRY_BASE_URL/api/v2.0/users" -X POST -u admin:Harbor12345 -H 'Content-Type: application/json' --data-raw "{\"username\":\"$operation\",\"email\":\"$operation@example.com\",\"realname\":\"$operation example\",\"password\":\"${operation}12345\",\"comment\":null}" || true
 
         echo "Adding member ${operation} to project ${lower_operation}; ID=${projectId}"
-        curl --fail "$REGISTRY_BASE_URL/api/v2.0/projects/${projectId}/members" -X POST -u admin:Harbor12345 -H 'Content-Type: application/json' --data-raw "{\"role_id\":4,\"member_user\":{\"username\":\"$operation\"}}"
+        curl "$REGISTRY_BASE_URL/api/v2.0/projects/${projectId}/members" -X POST -u admin:Harbor12345 -H 'Content-Type: application/json' --data-raw "{\"role_id\":4,\"member_user\":{\"username\":\"$operation\"}}" || true
     done
 
     echo "creating user ${readOnlyUser} with PW ${readOnlyUser}12345"
-    curl -s  --fail "$REGISTRY_BASE_URL/api/v2.0/users" -X POST -u admin:Harbor12345 -H 'Content-Type: application/json' --data-raw "{\"username\":\"$readOnlyUser\",\"email\":\"$readOnlyUser@example.com\",\"realname\":\"$readOnlyUser example\",\"password\":\"${readOnlyUser}12345\",\"comment\":null}"
-    echo "Adding member ${readOnlyUser} to project proxy; ID=${projectId}"
-    curl  --fail "$REGISTRY_BASE_URL/api/v2.0/projects/${projectId}/members" -X POST -u admin:Harbor12345 -H 'Content-Type: application/json' --data-raw "{\"role_id\":5,\"member_user\":{\"username\":\"${readOnlyUser}\"}}"
+    curl -s "$REGISTRY_BASE_URL/api/v2.0/users" -X POST -u admin:Harbor12345 -H 'Content-Type: application/json' --data-raw "{\"username\":\"$readOnlyUser\",\"email\":\"$readOnlyUser@example.com\",\"realname\":\"$readOnlyUser example\",\"password\":\"${readOnlyUser}12345\",\"comment\":null}" || true
+    echo "Adding member ${readOnlyUser} to project proxy; ID=${projectIds[proxy]}"
+    curl "$REGISTRY_BASE_URL/api/v2.0/projects/${projectIds[proxy]}/members" -X POST -u admin:Harbor12345 -H 'Content-Type: application/json' --data-raw "{\"role_id\":5,\"member_user\":{\"username\":\"${readOnlyUser}\"}}" || true
 
     # sleep 5 seconds just to make sure the registry is ready
     sleep 5
@@ -74,6 +87,10 @@ if [[ -n $HARBOR ]]; then
     skopeo copy $GRAFANA_IMAGE --dest-creds Proxy:Proxy12345 --dest-tls-verify=false $REGISTRY_DOCKER_BASE_URL/proxy/grafana
     skopeo copy $K8S_SIDECAR --dest-creds Proxy:Proxy12345 --dest-tls-verify=false $REGISTRY_DOCKER_BASE_URL/proxy/k8s-sidecar
 
+    # Core tools
+    skopeo copy $JENKINS_IMAGE --dest-creds Proxy:Proxy12345 --dest-tls-verify=false $REGISTRY_DOCKER_BASE_URL/proxy/jenkins-helm:${JENKINS_IMAGE_TAG}
+    skopeo copy $SCM_MANAGER_IMAGE --dest-creds Proxy:Proxy12345 --dest-tls-verify=false $REGISTRY_DOCKER_BASE_URL/proxy/scm-manager:${SCM_MANAGER_IMAGE_TAG}
+
     # Cert Manager images
     skopeo copy $CERT_MANAGER_CONTROLLER --dest-creds Proxy:Proxy12345 --dest-tls-verify=false $REGISTRY_DOCKER_BASE_URL/proxy/cert-manager-controller
     skopeo copy $CERT_MANAGER_CA_INJECTOR --dest-creds Proxy:Proxy12345 --dest-tls-verify=false $REGISTRY_DOCKER_BASE_URL/proxy/cert-manager-cainjector
@@ -101,6 +118,10 @@ skopeo copy $PROMETHEUS_OPERATOR_CONFIG_RELOADER --dest-creds admin:Harbor12345
 skopeo copy $GRAFANA_IMAGE --dest-creds admin:Harbor12345 --dest-tls-verify=false $REGISTRY_DOCKER_BASE_URL/library/grafana
 skopeo copy $K8S_SIDECAR --dest-creds admin:Harbor12345 --dest-tls-verify=false $REGISTRY_DOCKER_BASE_URL/library/k8s-sidecar
 
+# Core tools
+skopeo copy $JENKINS_IMAGE --dest-creds admin:Harbor12345 --dest-tls-verify=false $REGISTRY_DOCKER_BASE_URL/library/jenkins-helm:${JENKINS_IMAGE_TAG}
+skopeo copy $SCM_MANAGER_IMAGE --dest-creds admin:Harbor12345 --dest-tls-verify=false $REGISTRY_DOCKER_BASE_URL/library/scm-manager:${SCM_MANAGER_IMAGE_TAG}
+
 # Cert Manager images
 skopeo copy $CERT_MANAGER_CONTROLLER --dest-creds admin:Harbor12345 --dest-tls-verify=false $REGISTRY_DOCKER_BASE_URL/library/cert-manager-controller
 skopeo copy $CERT_MANAGER_CA_INJECTOR --dest-creds admin:Harbor12345 --dest-tls-verify=false $REGISTRY_DOCKER_BASE_URL/library/cert-manager-cainjector

scripts/dev/prepare_two_registries.sh

@@ -68,6 +68,10 @@ registry:
   createImagePullSecrets: true
 jenkins:
   active: true
+  jenkinsImage: "localhost:30000/proxy/jenkins-helm:5.9.18"
+scm:
+  scmManager:
+    scmmImage: "localhost:30000/proxy/scm-manager:3.11.6"
 application:
   baseUrl: "http://localhost"
   insecure: true

src/main/groovy/com/cloudogu/gitops/config/Config.groovy

@@ -340,6 +340,10 @@ class Config {
 		@JsonPropertyDescription(JENKINS_METRICS_PASSWORD_DESCRIPTION)
 		String metricsPassword = "metrics"
 
+		@Option(names = ['--jenkins-image'], description = JENKINS_IMAGE_DESCRIPTION)
+		@JsonPropertyDescription(JENKINS_IMAGE_DESCRIPTION)
+		String jenkinsImage = ''
+
 		@Option(names = ['--maven-central-mirror'], description = MAVEN_CENTRAL_MIRROR_DESCRIPTION)
 		@JsonPropertyDescription(MAVEN_CENTRAL_MIRROR_DESCRIPTION)
 		String mavenCentralMirror = ''

src/main/groovy/com/cloudogu/gitops/config/ConfigConstants.groovy

@@ -65,6 +65,7 @@ interface ConfigConstants {
 	String JENKINS_PASSWORD_DESCRIPTION = 'Mandatory when jenkins-url is set'
 	String JENKINS_METRICS_USERNAME_DESCRIPTION = 'Mandatory when jenkins-url is set and monitoring enabled'
 	String JENKINS_METRICS_PASSWORD_DESCRIPTION = 'Mandatory when jenkins-url is set and monitoring enabled'
+	String JENKINS_IMAGE_DESCRIPTION = 'Sets image for Jenkins'
 	String MAVEN_CENTRAL_MIRROR_DESCRIPTION = 'URL for maven mirror, used by applications built in Jenkins'
 	String JENKINS_ADDITIONAL_ENVS_DESCRIPTION = 'Set additional environments to Jenkins'
 	String JENKINS_NAMESPACE = 'Optional defines the kubernetes namespace for Jenkins.'

src/main/groovy/com/cloudogu/gitops/config/scm/ScmTenantSchema.groovy

@@ -85,8 +85,8 @@ class ScmTenantSchema {
 		static final String SCMM_URL_DESCRIPTION = 'The host of your external scm-manager'
 		static final String SCMM_USERNAME_DESCRIPTION = 'Mandatory when scmm-url is set'
 		static final String SCMM_PASSWORD_DESCRIPTION = 'Mandatory when scmm-url is set'
-		static final String SCMM_ROOT_PATH_DESCRIPTION = 'Sets the root path for the Git Repositories. In SCM-Manager it is always "repo"'
 		static final String SCMM_NAMESPACE_DESCRIPTION = 'Namespace where SCM-Manager should run'
+		static final String SCMM_IMAGE = 'Sets image for SCM-Manager'
 
 		Boolean internal = true
 
@@ -113,6 +113,10 @@ class ScmTenantSchema {
 			version: '3.11.6',
 			values: [:])
 
+		@Option(names = ['--scmm-image'], description = SCMM_IMAGE)
+		@JsonPropertyDescription(SCMM_IMAGE)
+		String scmmImage = ''
+
 		/* When installing from via Docker we have to distinguish scmm.url (which is a local IP address) from
 		   the SCMM URL used by jenkins.
 

src/main/groovy/com/cloudogu/gitops/tools/core/Jenkins.groovy

@@ -10,6 +10,7 @@ import com.cloudogu.gitops.infrastructure.jenkins.PrometheusConfigurator
 import com.cloudogu.gitops.infrastructure.jenkins.UserManager
 import com.cloudogu.gitops.infrastructure.kubernetes.api.K8sClient
 import com.cloudogu.gitops.tools.common.Tool
+import com.cloudogu.gitops.tools.common.ToolWithImage
 import com.cloudogu.gitops.utils.AirGappedUtils
 import com.cloudogu.gitops.utils.CommandExecutor
 import com.cloudogu.gitops.utils.FileSystemUtils
@@ -23,7 +24,7 @@ import groovy.util.logging.Slf4j
 @Slf4j
 @Singleton
 @Order(20)
-class Jenkins extends Tool {
+class Jenkins extends Tool implements ToolWithImage {
 
 	static final String HELM_VALUES_PATH = "argocd/cluster-resources/apps/jenkins/templates/values.ftl.yaml"
 	String namespace
@@ -71,6 +72,16 @@ class Jenkins extends Tool {
 		return config.jenkins.active
 	}
 
+	@Override
+	Config getConfig() {
+		return config
+	}
+
+	@Override
+	K8sClient getK8sClient() {
+		return k8sClient
+	}
+
 	@Override
 	void enable() {
 

src/main/groovy/com/cloudogu/gitops/tools/core/scmmanager/ScmManager.groovy

@@ -5,7 +5,9 @@ import com.cloudogu.gitops.config.Config
 import com.cloudogu.gitops.config.scm.util.ScmProviderType
 import com.cloudogu.gitops.infrastructure.deployment.Deployer
 import com.cloudogu.gitops.infrastructure.git.providers.scmmanager.ScmManagerProvider
+import com.cloudogu.gitops.infrastructure.kubernetes.api.K8sClient
 import com.cloudogu.gitops.tools.common.Tool
+import com.cloudogu.gitops.tools.common.ToolWithImage
 
 import io.micronaut.core.annotation.Order
 
@@ -15,20 +17,23 @@ import groovy.util.logging.Slf4j
 @Slf4j
 @Singleton
 @Order(10)
-class ScmManager extends Tool {
+class ScmManager extends Tool implements ToolWithImage {
 
 	String namespace
 
 	private final Config config
 	private final GitHandler gitHandler
 	private final Deployer deployer
+	K8sClient k8sClient
 
 	ScmManager(Config config,
-	           GitHandler gitHandler,
-	           Deployer deployer) {
+		GitHandler gitHandler,
+		Deployer deployer,
+		K8sClient k8sClient) {
 		this.config = config
 		this.gitHandler = gitHandler
 		this.deployer = deployer
+		this.k8sClient = k8sClient
 
 		if (isInternalScmManagerConfigured()) {
 			this.namespace = prefixedNamespace()
@@ -41,6 +46,16 @@ class ScmManager extends Tool {
 		isInternalScmManagerConfigured()
 	}
 
+	@Override
+	Config getConfig() {
+		return config
+	}
+
+	@Override
+	K8sClient getK8sClient() {
+		return k8sClient
+	}
+
 	@Override
 	void enable() {
 		log.info("Starting internal SCM-Manager setup.")

src/main/groovy/com/cloudogu/gitops/tools/core/scmmanager/ScmManagerSetup.groovy

@@ -13,6 +13,9 @@ import com.cloudogu.gitops.utils.TemplatingEngine
 import java.nio.file.Path
 import groovy.util.logging.Slf4j
 
+import freemarker.template.Configuration
+import freemarker.template.DefaultObjectWrapperBuilder
+
 @Slf4j
 class ScmManagerSetup {
 
@@ -89,7 +92,8 @@ class ScmManagerSetup {
 		                                    username   : this.scmManager.scmmConfig.credentials.username,
 		                                    password   : this.scmManager.scmmConfig.credentials.password,
 		                                    helm       : this.scmManager.scmmConfig.helm,
-		                                    releaseName: releaseName]
+		                                    releaseName: releaseName,
+		                                    statics    : new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_32).build().getStaticModels()]
 
 		Map templatedMap = TemplatingEngine.templateToMap(HELM_VALUES_PATH, templateVars)
 		Map values = this.scmManager.scmmConfig.helm.values as Map ?: [:]