Quick facts

Image: Default LTS (custom plugin-baked image on the roadmap)
Auth: Local admin (escape-hatch); OIDC against Keycloak planned

What it is

Standard Helm chart install. Future work: bake a custom controller image with plugins.txt pre-installed using the same podman + ctr import pattern used for redis-applier.

Architecture

Per-cluster single-replica Jenkins controller. Default LTS image — no custom plugins-baked image yet (that's a TODO; would follow the same podman + ctr import pattern used for redis-applier). Persistent JENKINS_HOME on a Longhorn PVC.

Earlier, the platform ran VM-based Jenkins (jenkins-dc / jenkins-dr) with rsync staging + MinIO snapshot backups (ADR-0006). Both VMs were decommissioned 2026-05-05 in favour of the in-cluster RKE2 Jenkins; the snapshot/promote pattern no longer applies.

Configuration

Source: clusters/<cluster>/manifests/jenkins/. Standard Jenkins helm-chart-style raw manifests. casc.yaml (configuration-as-code) is loaded from a ConfigMap at startup and drives admin user setup, security realm, and global tools.

Auth today: local admin (escape-hatch password at ~/cloud-init/jenkins-escape-hatch-password, chmod 600). Keycloak OIDC integration is planned via the Keycloak realm's jenkins client (not yet wired).

Build secrets reference the Nexus jenkinsbot credential (password at ~/cloud-init/nexus-jenkinsbot-password) so Jenkins can push artefacts to Nexus.
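A check for the secret handling described in this section, as an added example that is not part of the platform's own tooling: it confirms the two password files are mode 600 and flags any `password:` or `secret:` key in a casc.yaml that holds a literal value, since ConfigMap contents are not protected the way Secret contents are. The variable name `JENKINS_ADMIN_PASSWORD`, the user ids and the sample YAML are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the platform's own tooling.

# check_mode FILE: 0 if FILE is a regular file with mode 600,
# 1 on any other mode, 2 if it is missing.
check_mode() {
    f=$1
    [ -f "$f" ] || { echo "MISSING  $f"; return 2; }
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ "$mode" = "600" ]; then echo "OK       $f"; return 0; fi
    echo "BAD-MODE $mode $f"; return 1
}

# casc_literal_passwords FILE: print the line number of every `password:` or
# `secret:` key whose value is a literal instead of a single ${...} reference.
casc_literal_passwords() {
    awk -v q="'" '
      /^[ \t]*(-[ \t]*)?(password|secret)[ \t]*:/ {
          v = $0
          sub(/^[^:]*:[ \t]*/, "", v)          # drop the key
          sub(/[ \t]+$/, "", v)                # drop trailing blanks
          gsub("^[\"" q "]|[\"" q "]$", "", v) # drop surrounding quotes
          if (v != "" && v !~ /^[$][{][^}]+[}]$/) print NR
      }' "$1"
}

# Constructed sample (not the real casc.yaml; names are hypothetical).
sample=$(mktemp)
cat > "$sample" <<'EOF'
jenkins:
  securityRealm:
    local:
      users:
        - id: "admin"
          password: "${JENKINS_ADMIN_PASSWORD}"
        - id: "ops"
          password: "changeme"
EOF
echo "literal secrets on line(s): $(casc_literal_passwords "$sample")"
rm -f "$sample"

# The two credential files named on this page.
for f in ~/cloud-init/jenkins-escape-hatch-password ~/cloud-init/nexus-jenkinsbot-password; do
    check_mode "$f" || true
done
```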

Operations

Failover

Each cluster has an independent Jenkins. Pipelines run on whichever cluster they were created in. There is no automated cross-cluster pipeline replication — the OSS chart has no concept of it. If DC's Jenkins dies, DR's Jenkins is reachable but has no shared job history.

No DC-primary/DR-backup edge backend is wired today; this is the same situation as Nexus / RedisInsight (Plan-09 follow-up).

References