Merge branch 'main' into discourse-gatekeeper/migrate

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,56 @@
+name: Bug Report
+description: File a bug report
+labels: ["Type: Bug", "Status: Triage"]
+body:
+  - type: markdown
+    attributes:
+      value: >
+        Thanks for taking the time to fill out this bug report! Before submitting your issue, please make
+        sure you are using the latest version of the charm. If not, please switch to this image prior to 
+        posting your report to make sure it's not already solved.
+  - type: textarea
+    id: bug-description
+    attributes:
+      label: Bug Description
+      description: >
+        If applicable, add screenshots to help explain the problem you are facing.
+    validations:
+      required: true
+  - type: textarea
+    id: reproduction
+    attributes:
+      label: To Reproduce
+      description: >
+        Please provide a step-by-step instruction of how to reproduce the behavior.
+      placeholder: |
+        1. `juju deploy ...`
+        2. `juju relate ...`
+        3. `juju status --relations`
+    validations:
+      required: true
+  - type: textarea
+    id: environment
+    attributes:
+      label: Environment
+      description: >
+        We need to know a bit more about the context in which you run the charm.
+        - Are you running Juju locally, on lxd, in multipass or on some other platform?
+        - What track and channel you deployed the charm from (i.e. `latest/edge` or similar).
+        - Version of any applicable components, like the juju snap, the model controller, lxd, microk8s, and/or multipass.
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: >
+        Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+        Fetch the logs using `juju debug-log --replay` and `kubectl logs ...`. Additional details available in the juju docs 
+        at https://juju.is/docs/olm/juju-logs
+      render: shell
+    validations:
+      required: true
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context

.github/ISSUE_TEMPLATE/enhancement_proposal.yml

@@ -0,0 +1,17 @@
+name: Enhancement Proposal
+description: File an enhancement proposal
+labels: ["Type: Enhancement", "Status: Triage"]
+body:
+  - type: markdown
+    attributes:
+      value: >
+        Thanks for taking the time to fill out this enhancement proposal! Before submitting your issue, please make
+        sure there isn't already a prior issue concerning this. If there is, please join that discussion instead.
+  - type: textarea
+    id: enhancement-proposal
+    attributes:
+      label: Enhancement Proposal
+      description: >
+        Describe the enhancement you would like to see in as much detail as needed.      
+    validations:
+      required: true

.github/workflows/bot_pr_approval.yaml

@@ -0,0 +1,9 @@
+name: Provide approval for bot PRs
+
+on:
+  pull_request:
+
+jobs:
+  bot_pr_approval:
+    uses: canonical/operator-workflows/.github/workflows/bot_pr_approval.yaml@main
+    secrets: inherit

.github/workflows/integration_test.yaml

@@ -11,9 +11,12 @@ jobs:
       channel: 1.28-strict/stable
       extra-arguments: |
         --kube-config ${GITHUB_WORKSPACE}/kube-config
-      modules: '["test_jenkins.py", "test_k8s_agent.py", "test_machine_agent.py", "test_plugins.py", "test_proxy.py", "test_cos.py"]'
+      modules: '["test_auth_proxy.py", "test_cos.py", "test_ingress.py", "test_jenkins.py", "test_k8s_agent.py", "test_machine_agent.py", "test_plugins.py", "test_proxy.py", "test_upgrade.py", "test_external_agent.py"]'
       pre-run-script: |
         -c "sudo microk8s config > ${GITHUB_WORKSPACE}/kube-config
         chmod +x tests/integration/pre_run_script.sh
         ./tests/integration/pre_run_script.sh"
       juju-channel: 3.1/stable
+      self-hosted-runner: true
+      self-hosted-runner-label: "xlarge"
+      microk8s-addons: "dns ingress rbac storage metallb:10.15.119.2-10.15.119.4"

.licenserc.yaml

@@ -34,4 +34,6 @@ header:
     - 'trivy.yaml'
     - 'zap_rules.tsv'
     - 'lib/**'
+    - tests/integration/files/dex.yaml
+    - tests/integration/files/identity-bundle-edge-patched.yaml
   comment: on-failure

.trivyignore

@@ -1,21 +1,17 @@
 # Jenkins CVEs
 CVE-2016-1000027
-CVE-2023-20863
-CVE-2023-24998
-CVE-2023-27898
-CVE-2023-27899
-CVE-2023-27900
-CVE-2023-27901
-CVE-2023-35141
-CVE-2023-2976
-CVE-2023-39151
-CVE-2023-34034
-CVE-2023-43495
-CVE-2023-43496
-CVE-2023-36478
+CVE-2024-22259
+CVE-2024-22257
+# Jenkins Plugin Manager CVEs
 CVE-2023-5072
-# Jenkins plugin manager CVEs
-CVE-2022-45688
-CVE-2023-20862
-CVE-2022-1471
 GHSA-4jq9-2xhw-jpx7
+CVE-2024-23898
+CVE-2024-25710
+CVE-2024-26308
+CVE-2024-22201
+CVE-2024-22243
+# Fixed in 5.3.33
+CVE-2024-22259
+# Fixed in 5.7.12
+CVE-2024-22257
+CVE-2024-22262

README.md

@@ -25,7 +25,7 @@ fixes and constructive feedback.
 * [Get support](https://discourse.charmhub.io/)
 * [Join our online chat](https://chat.charmhub.io/charmhub/channels/charm-dev)
 * [Contribute](https://charmhub.io/jenkins-k8s/docs/contributing)
-* [Getting Started](https://charmhub.io/jenkins-k8s/docs/getting-started)
+* [Getting Started](https://charmhub.io/jenkins-k8s/docs/tutorial-getting-started)
 Thinking about using the Jenkins-k8s Operator for your next project? 
 [Get in touch](https://chat.charmhub.io/charmhub/channels/charm-dev)!
 

actions.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Canonical Ltd.
+# Copyright 2024 Canonical Ltd.
 # See LICENSE file for licensing details.
 
 get-admin-password:

charmcraft.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Canonical Ltd.
+# Copyright 2024 Canonical Ltd.
 # See LICENSE file for licensing details.
 
 type: charm

config.yaml

@@ -1,4 +1,4 @@
-# Copyright 2023 Canonical Ltd.
+# Copyright 2024 Canonical Ltd.
 # See LICENSE file for licensing details.
 
 options:
@@ -8,12 +8,13 @@ options:
       Preferred UTC time range in 24 hour format for restarting Jenkins. If empty, restart will
       take place whenever Jenkins needs to restart. Jenkins will need to restart on the following
       occasion. Plugins that are not part of `allowed-plugins` configuration option are detected.
-      For example, 03-05 will allow Jenkins restart to take place from 3AM UTC to 5AM UTC. 
+      For example, 03-05 will allow Jenkins restart to take place from 3AM UTC to 5AM UTC.
       Awaits for running job completion for 5 minutes.
     default: ""
   allowed-plugins:
     type: string
     description: >
       Comma-separated list of allowed plugin short names. If empty, any plugin can be installed.
       Plugins installed by the user and their dependencies will be removed automatically if not on
-      the list. Included plugins are not automatically installed. 
+      the list. Included plugins are not automatically installed.
+    default: "bazaar,blueocean,dependency-check-jenkins-plugin,docker-build-publish,git,kubernetes,ldap,matrix-combinations-parameter,oic-auth,openid,pipeline-groovy-lib,postbuildscript,rebuild,reverse-proxy-auth-plugin,ssh-agent,thinBackup,pipeline-model-definition"

docs/how-to/configure-jenkins-memory-usage.md

@@ -0,0 +1,13 @@
+# How to control heap memory of the jenkins-k8s-operator charm
+The [jenkins-k8s-operator](https://github.com/canonical/jenkins-k8s-operator) charm uses [juju constraints](https://juju.is/docs/juju/constraint) to limit the amount of memory a charm can use. To deploy the charm with constraints, use the `--constraints "<key>=<value>"` option when running `juju deploy`:
+```bash
+juju deploy jenkins-k8s --channel=latest/edge --constraints "mem=2048M"
+```
+To change this value after deployment, use the `set-constraints` command.
+```bash
+juju set-constraints jenkins-k8s "mem=4096M"
+```
+Other types of constraints (like cores, disk, etc.) can also be applied. Note that this value affects the shared maximum memory between the `charm` container and `jenkins` container.
+
+# Considerations when applying memory constraints
+Constraints set this way directly influence the amount of heap memory available to the JVM, with a ratio `JVM heap / Container Memory limit` of 0.5. For example, a `jenkins-k8s-operator` charm deployed with `--constraints "mem=1024M"` would set a maximum heap memory size of 512Mb. Too little heap memory can result in the controller getting restarted due to Out-of-memory(OOM) error. Make sure to adapt the memory constraints based on your workload.

docs/how-to/integrate-with-external-agents.md

@@ -0,0 +1,20 @@
+# How to integrate with external agent charms
+
+We consider any agent charm to be `external` when they don't have layer 3 connectivity with the `jenkins-k8s` charm. To integrate with those agent charms, we'll leverage the `jenkins-k8s` charm's `agent-discovery-ingress` integration.
+
+The `agent-discovery-ingress` integration can be used with any charm that supports the `:ingress` interface. One example is the [traefik-k8s](https://charmhub.io/traefik-k8s) charm.
+```bash
+juju integrate jenkins-k8s:agent-discovery-ingress traefik-k8s:ingress
+```
+
+Agents considered `external` have to be integrated using a cross-model integration. To integrate with such agent, simply integrate with the ingress provider charm as mentioned above and then integrate with the agent charm's offer endpoint.
+```bash
+juju integrate jenkins-k8s:agent-discovery-ingress traefik-k8s:ingress
+juju integrate jenkins-k8s:agent <offer-endpoint>
+```
+
+# Networking considerations
+The charm assumes that:
+1. There are connectivity between the juju controller of the `jenkins-k8s` charm and the juju controller of the agent charm trying to connect with the `jenkins-k8s` charm.
+2. The agent can resolve the ingress hostname provided by the `jenkins-k8s` charm and the resulting IP address is reachable, and there are firewall rules in place to allow HTTP traffic.
+3. In case a reverse proxy is present, it is also expected that the HTTP connection coming from the agent charm is allowed to be upgraded into a Websocket connection. The reverse proxy should also be configured with a suitable idle timeout for websocket connections to avoid intermittent agent disconnection.

docs/how-to/integrate-with-iam.md

@@ -36,4 +36,4 @@ juju integrate jenkins-k8s:ingress traefik-public
 juju integrate oathkeeper jenkins-k8s:auth-proxy
 ```
 
-Now Jenkins will be reachable at https://[public_ip]/[model_name]-jenkins-k8s, where `public_ip` is the load balancer IP assigned to the traefik charm and `model_name`, the model where Jenkins is deployed.
+Now Jenkins will be reachable at https://[public_ip]/[model_name]-jenkins-k8s, where `public_ip` is the load balancer IP assigned to the traefik charm and `model_name`, the model where Jenkins is deployed.

docs/how-to/resize-jenkins-storage.md

@@ -0,0 +1,62 @@
+# How to resize the jenkins-home storage volume
+The default size of the jenkins-home storage volume for a fresh installation is 1GB. While this works for most scenarios, operators might need to have more storage for installing plugins, storing artifacts, and runninng builds/checking out SCMs on the built-in node.
+
+A low disk-space on the built-in node will cause the node to go offline, blocking jenkins from running jobs.
+
+## Create a backup
+From [Backing-up/Restoring Jenkins](https://www.jenkins.io/doc/book/system-administration/backing-up/), This script backs up the most essential files as mentioned in the article:
+* The `master.key` file.
+* Job-related files in the `./jobs`, `./builds` and `./workspace` folders.
+* Plugins (`.hpi` and `.jpi` files) in the `./plugins` folder
+
+```bash
+#!/bin/bash
+export JENKINS_HOME=/var/lib/jenkins
+export JENKINS_BACKUP=/mnt/backup
+
+echo "running backup as $(whoami) in $(pwd)"
+mkdir -p $JENKINS_BACKUP
+cp $JENKINS_HOME/secrets/master.key $JENKINS_BACKUP
+cp -r $JENKINS_HOME/*.xml $JENKINS_BACKUP
+cp -r $JENKINS_HOME/jobs $JENKINS_BACKUP
+cp -r $JENKINS_HOME/builds $JENKINS_BACKUP
+cp -r $JENKINS_HOME/workspace $JENKINS_BACKUP
+mkdir -p $JENKINS_BACKUP/plugins
+cp -r $JENKINS_HOME/plugins/*.hpi $JENKINS_BACKUP/plugins
+cp -r $JENKINS_HOME/plugins/*.jpi $JENKINS_BACKUP/plugins
+
+chown -R 2000:2000 $JENKINS_BACKUP
+tar zcvf jenkins_backup.tar.gz --directory=/mnt backup
+```
+1. Transfer the backup script above to the running unit of the Jenkins-k8s charm and run it
+```bash
+juju scp --container jenkins ./backup.sh jenkins-k8s/0:/backup.sh
+juju ssh  --container jenkins jenkins-k8s/0 /bin/bash
+bash /backup.sh
+```
+2. Retrieve the compressed backup file
+```bash
+juju scp --container jenkins jenkins-k8s/0:/backup/jenkins_backup.tar.gz jenkins_backup.tar.gz
+```
+3. With the data backed-up, we can remove the jenkins-k8s application.
+```bash
+juju remove-application jenkins-k8s
+```
+
+## Restore the backup on a new charm instance
+1. When the application has been deleted, create a new application with the `--storage` flag. In this example we'll deploy the charm with a storage of 10GB
+```bash
+juju deploy jenkins-k8s --storage jenkins-home=10GB
+```
+2. Wait for the charm to be ready, then restore the backup on the new unit.
+```bash
+juju scp --container jenkins ./jenkins_backup.tar.gz jenkins-k8s/0:/jenkins_backup.tar.gz
+tar zxvf jenkins_backup.tar.gz
+chown -R 2000:2000 /backup
+cp -R /backup/* /var/lib/jenkins
+rm -rf /backup /jenkins_backup.tar.gz
+```
+3. Finally restart pebble
+```bash
+pebble restart jenkins
+```

generate-src-docs.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright 2023 Canonical Ltd.
+# Copyright 2024 Canonical Ltd.
 # See LICENSE file for licensing details.
 
 lazydocs --no-watermark --output-path src-docs src/*

jenkins_rock/rockcraft.yaml

@@ -1,21 +1,26 @@
-# Copyright 2023 Canonical Ltd.
+# Copyright 2024 Canonical Ltd.
 # See LICENSE file for licensing details.
 
 name: jenkins
 summary: Jenkins rock
 description: Jenkins OCI image for the Jenkins charm
 version: "1.0"
-base: ubuntu:22.04
-build-base: ubuntu:22.04
+base: ubuntu@22.04
+build-base: ubuntu@22.04
 license: Apache-2.0
 platforms:
   amd64:
 services:
   jenkins:
-    override: merge
-    summary: The Jenkins server.
-    command: java -Djava.awt.headless=true -jar /srv/jenkins/jenkins.war
+    override: replace
+    summary: jenkins
     startup: enabled
+    command: java -Djava.awt.headless=true -Djava.util.logging.config.file=/var/lib/jenkins/logging.properties -jar /srv/jenkins/jenkins.war
+    environment:
+      JENKINS_HOME: /var/lib/jenkins
+    user: jenkins
+    group: jenkins
+
 parts:
   add-user:
     plugin: nil
@@ -40,7 +45,7 @@ parts:
       - default-jre-headless
       - git
     build-environment:
-      - JENKINS_VERSION: 2.414.1
+      - JENKINS_VERSION: 2.440.2
       - JENKINS_PLUGIN_MANAGER_VERSION: 2.12.13
     override-build: |
       mkdir -p ${CRAFT_PART_INSTALL}/{srv/jenkins/,etc/default/jenkins/}