values.yaml

# Default values for jenkins.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value

## Overrides for generated resource names
# See templates/_helpers.tpl
# -- Override the resource name prefix
# @default -- `Chart.Name`
nameOverride:
# -- Override the full resource names
# @default -- `jenkins-(release-name)` or `jenkins` if the release-name is `jenkins`
fullnameOverride:
# -- Override the deployment namespace
# @default -- `Release.Namespace`
namespaceOverride:

# For FQDN resolving of the controller service. Change this value to match your existing configuration.
# ref: https://github.com/kubernetes/dns/blob/master/docs/specification.md
# -- Override the cluster name for FQDN resolving
clusterZone: "cluster.local"

# -- The URL of the Kubernetes API server
kubernetesURL: "https://kubernetes.default"

# -- The Jenkins credentials to access the Kubernetes API server. For the default cluster it is not needed.
credentialsId:

# -- Enables rendering of the helm.sh/chart label to the annotations
renderHelmLabels: true

controller:
  # -- Used for label app.kubernetes.io/component
  componentName: "jenkins-controller"
  image:
    # -- Controller image registry
    registry: "docker.io"
    # -- Controller image repository
    repository: "jenkins/jenkins"

    # -- Controller image tag override; i.e., tag: "2.440.1-jdk17"
    tag:

    # -- Controller image tag label
    tagLabel: jdk17
    # -- Controller image pull policy
    pullPolicy: "Always"
  # -- Controller image pull secret
  imagePullSecretName:
  # -- Lifecycle specification for controller-container
  lifecycle: {}
  #  postStart:
  #    exec:
  #      command:
  #      - "uname"
  #      - "-a"

  # -- Disable use of remember me
  disableRememberMe: false

  # -- Set Number of executors
  numExecutors: 0

  # -- Sets the executor mode of the Jenkins node. Possible values are "NORMAL" or "EXCLUSIVE"
  executorMode: "NORMAL"

  # -- Append Jenkins labels to the controller
  customJenkinsLabels: []

  hostNetworking: false

  # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist.
  # If you disable the non-Jenkins identity store and instead use the Jenkins internal one,
  # you should revert controller.admin.username to your preferred admin user:
  admin:

    # -- Admin username created as a secret if `controller.admin.createSecret` is true
    username: "admin"
    # -- Admin password created as a secret if `controller.admin.createSecret` is true
    # @default -- <random password>
    password: "password"

    # -- The key in the existing admin secret containing the username
    userKey: jenkins-admin-user
    # -- The key in the existing admin secret containing the password
    passwordKey: jenkins-admin-password

    # The default configuration uses this secret to configure an admin user
    # If you don't need that user or use a different security realm, then you can disable it
    # -- Create secret for admin user
    createSecret: true

    # -- The name of an existing secret containing the admin credentials
    existingSecret: ""
  # -- Email address for the administrator of the Jenkins instance
  jenkinsAdminEmail:

  # This value should not be changed unless you use your custom image of jenkins or any derived from.
  # If you want to use Cloudbees Jenkins Distribution docker, you should set jenkinsHome: "/var/cloudbees-jenkins-distribution"
  # -- Custom Jenkins home path
  jenkinsHome: "/var/jenkins_home"

  # This value should not be changed unless you use your custom image of jenkins or any derived from.
  # If you want to use Cloudbees Jenkins Distribution docker, you should set jenkinsRef: "/usr/share/cloudbees-jenkins-distribution/ref"
  # -- Custom Jenkins reference path
  jenkinsRef: "/usr/share/jenkins/ref"

  # Path to the jenkins war file which is used by jenkins-plugin-cli.
  jenkinsWar: "/usr/share/jenkins/jenkins.war"
  # Override the default arguments passed to the war
  # overrideArgs:
  #   - --httpPort=8080

  # -- Resource allocation (Requests and Limits)
  resources:
    requests:
      cpu: "50m"
      memory: "256Mi"
    limits:
      cpu: "2000m"
      memory: "4096Mi"

  # Share process namespace to allow sidecar containers to interact with processes in other containers in the same pod
  shareProcessNamespace: false

  # Overrides the init container default values
  # -- Resources allocation (Requests and Limits) for Init Container
  initContainerResources: {}
  # initContainerResources:
  #   requests:
  #     cpu: "50m"
  #     memory: "256Mi"
  #   limits:
  #     cpu: "2000m"
  #     memory: "4096Mi"
  # -- Environment variable sources for Init Container
  initContainerEnvFrom: []

  # useful for i.e., http_proxy
  # -- Environment variables for Init Container
  initContainerEnv: []
  # initContainerEnv:
  #   - name: http_proxy
  #     value: "http://192.168.64.1:3128"

  # -- Environment variable sources for Jenkins Container
  containerEnvFrom: []

  # -- Environment variables for Jenkins Container
  containerEnv: []
  #   - name: http_proxy
  #     value: "http://192.168.64.1:3128"

  # Set min/max heap here if needed with "-Xms512m -Xmx512m"
  # -- Append to `JAVA_OPTS` env var
  javaOpts:
  # -- Append to `JENKINS_OPTS` env var
  jenkinsOpts:

  # If you are using the ingress definitions provided by this chart via the `controller.ingress` block,
  # the configured hostname will be the ingress hostname starting with `https://`
  # or `http://` depending on the `tls` configuration.
  # The Protocol can be overwritten by specifying `controller.jenkinsUrlProtocol`.
  # -- Set protocol for Jenkins URL; `https` if `controller.ingress.tls`, `http` otherwise
  jenkinsUrlProtocol:

  # -- Set Jenkins URL if you are not using the ingress definitions provided by the chart
  jenkinsUrl:

  # If you set this prefix and use ingress controller, then you might want to set the ingress path below
  # I.e., "/jenkins"
  # -- Root URI Jenkins will be served on
  jenkinsUriPrefix:

  # -- Enable pod security context (must be `true` if podSecurityContextOverride, runAsUser or fsGroup are set)
  usePodSecurityContext: true

  # Note that `runAsUser`, `fsGroup`, and `securityContextCapabilities` are
  # being deprecated and replaced by `podSecurityContextOverride`.
  # Set runAsUser to 1000 to let Jenkins run as non-root user 'jenkins', which exists in 'jenkins/jenkins' docker image.
  # When configuring runAsUser to a different value than 0 also set fsGroup to the same value:
  # -- Deprecated in favor of `controller.podSecurityContextOverride`. uid that jenkins runs with.
  runAsUser: 1000

  # -- Deprecated in favor of `controller.podSecurityContextOverride`. uid that will be used for persistent volume.
  fsGroup: 1000

  # If you have PodSecurityPolicies that require dropping of capabilities as suggested by CIS K8s benchmark, put them here
  # securityContextCapabilities:
  #  drop:
  #    - NET_RAW
  securityContextCapabilities: {}

  # In the case of mounting an ext4 filesystem, it might be desirable to use `supplementalGroups` instead of `fsGroup` in
  # the `securityContext` block: https://github.com/kubernetes/kubernetes/issues/67014#issuecomment-589915496
  # podSecurityContextOverride:
  #   runAsUser: 1000
  #   runAsNonRoot: true
  #   supplementalGroups: [1000]
  #   capabilities: {}
  # -- Completely overwrites the contents of the pod security context, ignoring the values provided for `runAsUser`, `fsGroup`, and `securityContextCapabilities`
  podSecurityContextOverride: ~

  # -- Allow controlling the securityContext for the jenkins container
  containerSecurityContext:
    runAsUser: 1000
    runAsGroup: 1000
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false

  # For minikube, set this to NodePort, elsewhere uses LoadBalancer
  # Use ClusterIP if your setup includes ingress controller
  # -- k8s service type
  serviceType: ClusterIP

  # -- k8s service clusterIP. Only used if serviceType is ClusterIP
  clusterIp:
  # -- k8s service port
  servicePort: 8080
  # -- k8s target port
  targetPort: 8080
  # -- k8s node port. Only used if serviceType is NodePort
  nodePort:

  # Use Local to preserve the client source IP and avoids a second hop for LoadBalancer and NodePort type services,
  # but risks potentially imbalanced traffic spreading.
  serviceExternalTrafficPolicy:

  # -- Jenkins controller service annotations
  serviceAnnotations: {}
  # -- Jenkins controller custom labels for the StatefulSet
  statefulSetLabels: {}
  #   foo: bar
  #   bar: foo
  # -- Labels for the Jenkins controller-service
  serviceLabels: {}
  #   service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https

  # Put labels on Jenkins controller pod
  # -- Custom Pod labels (an object with `label-key: label-value` pairs)
  podLabels: {}

  # Enable Kubernetes Startup, Liveness and Readiness Probes
  # if Startup Probe is supported, enable it too
  # ~ 2 minutes to allow Jenkins to restart when upgrading plugins. Set ReadinessTimeout to be shorter than LivenessTimeout.
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes
  # -- Enable Kubernetes Probes configuration configured in `controller.probes`
  healthProbes: true

  probes:
    startupProbe:
      # -- Set the failure threshold for the startup probe
      failureThreshold: 12
      httpGet:
        # -- Set the Pod's HTTP path for the startup probe
        path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login'
        # -- Set the Pod's HTTP port to use for the startup probe
        port: http
      # -- Set the time interval between two startup probes executions in seconds
      periodSeconds: 10
      # -- Set the timeout for the startup probe in seconds
      timeoutSeconds: 5

    livenessProbe:
      # -- Set the failure threshold for the liveness probe
      failureThreshold: 5
      httpGet:
        # -- Set the Pod's HTTP path for the liveness probe
        path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login'
        # -- Set the Pod's HTTP port to use for the liveness probe
        port: http
      # -- Set the time interval between two liveness probes executions in seconds
      periodSeconds: 10
      # -- Set the timeout for the liveness probe in seconds
      timeoutSeconds: 5

      # If Startup Probe is not supported on your Kubernetes cluster, you might want to use "initialDelaySeconds" instead.
      # It delays the initial liveness probe while Jenkins is starting
      # -- Set the initial delay for the liveness probe in seconds
      initialDelaySeconds:

    readinessProbe:
      # -- Set the failure threshold for the readiness probe
      failureThreshold: 3
      httpGet:
        # -- Set the Pod's HTTP path for the liveness probe
        path: '{{ default "" .Values.controller.jenkinsUriPrefix }}/login'
        # -- Set the Pod's HTTP port to use for the readiness probe
        port: http
      # -- Set the time interval between two readiness probes executions in seconds
      periodSeconds: 10
      # -- Set the timeout for the readiness probe in seconds
      timeoutSeconds: 5

      # If Startup Probe is not supported on your Kubernetes cluster, you might want to use "initialDelaySeconds" instead.
      # It delays the initial readiness probe while Jenkins is starting
      # -- Set the initial delay for the readiness probe in seconds
      initialDelaySeconds:

  # PodDisruptionBudget config
  podDisruptionBudget:
    # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/

    # -- Enable Kubernetes Pod Disruption Budget configuration
    enabled: false

    # For Kubernetes v1.5+, use 'policy/v1beta1'
    # For Kubernetes v1.21+, use 'policy/v1'
    # -- Policy API version
    apiVersion: "policy/v1beta1"

    annotations: {}
    labels: {}
    # -- Number of pods that can be unavailable. Either an absolute number or a percentage
    maxUnavailable: "0"

  # -- Create Agent listener service
  agentListenerEnabled: true
  # -- Listening port for agents
  agentListenerPort: 50000
  # -- Host port to listen for agents
  agentListenerHostPort:
  # -- Node port to listen for agents
  agentListenerNodePort:

  # ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-policies
  # -- Traffic Policy of for the agentListener service
  agentListenerExternalTrafficPolicy:
  # -- Allowed inbound IP for the agentListener service
  agentListenerLoadBalancerSourceRanges:
  - 0.0.0.0/0
  # -- Disabled agent protocols
  disabledAgentProtocols:
    - JNLP-connect
    - JNLP2-connect
  csrf:
    defaultCrumbIssuer:
      # -- Enable the default CSRF Crumb issuer
      enabled: true
      # -- Enable proxy compatibility
      proxyCompatability: true

  # Kubernetes service type for the JNLP agent service
  # agentListenerServiceType is the Kubernetes Service type for the JNLP agent service,
  # either 'LoadBalancer', 'NodePort', or 'ClusterIP'
  # Note if you set this to 'LoadBalancer', you *must* define annotations to secure it. By default,
  # this will be an external load balancer and allowing inbound 0.0.0.0/0, a HUGE
  # security risk: https://github.com/kubernetes/charts/issues/1341
  # -- Defines how to expose the agentListener service
  agentListenerServiceType: "ClusterIP"

  # -- Annotations for the agentListener service
  agentListenerServiceAnnotations: {}

  # Optionally, assign an IP to the LoadBalancer agentListenerService LoadBalancer
  # GKE users: only regional static IPs will work for Service Load balancer.
  # -- Static IP for the agentListener LoadBalancer
  agentListenerLoadBalancerIP:

  # -- Whether legacy remoting security should be enabled
  legacyRemotingSecurityEnabled: false

  # Example of a 'LoadBalancer'-type agent listener with annotations securing it
  # agentListenerServiceType: LoadBalancer
  # agentListenerServiceAnnotations:
  #   service.beta.kubernetes.io/aws-load-balancer-internal: "True"
  #   service.beta.kubernetes.io/load-balancer-source-ranges: "172.0.0.0/8, 10.0.0.0/8"

  # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to
  # set allowed inbound rules on the security group assigned to the controller load balancer
  # -- Allowed inbound IP addresses
  loadBalancerSourceRanges:
  - 0.0.0.0/0

  # -- Optionally assign a known public LB IP
  loadBalancerIP:

  # Optionally configure a JMX port. This requires additional javaOpts, for example,
  # javaOpts: >
  #   -Dcom.sun.management.jmxremote.port=4000
  #   -Dcom.sun.management.jmxremote.authenticate=false
  #   -Dcom.sun.management.jmxremote.ssl=false
  # jmxPort: 4000
  # -- Open a port, for JMX stats
  jmxPort:

  # -- Optionally configure other ports to expose in the controller container
  extraPorts: []
  # - name: BuildInfoProxy
  #   port: 9000
  #   targetPort: 9010 (Optional: Use to explicitly set targetPort if different from port)

  # Plugins will be installed during Jenkins controller start
  # -- List of Jenkins plugins to install. If you don't want to install plugins, set it to `false`
  installPlugins:
    - kubernetes:4285.v50ed5f624918
    - workflow-aggregator:600.vb_57cdd26fdd7
    - git:5.4.1
    - configuration-as-code:1850.va_a_8c31d3158b_

  # If set to false, Jenkins will download the minimum required version of all dependencies.
  # -- Download the minimum required version or latest version of all dependencies
  installLatestPlugins: true

  # -- Set to true to download the latest version of any plugin that is requested to have the latest version
  installLatestSpecifiedPlugins: false

  # -- List of plugins to install in addition to those listed in controller.installPlugins
  additionalPlugins: []

  # Without this; whenever the controller gets restarted (Evicted, etc.) it will fetch plugin updates that have the potential to cause breakage.
  # Note that for this to work, `persistence.enabled` needs to be set to `true`
  # -- Initialize only on first installation. Ensures plugins do not get updated inadvertently. Requires `persistence.enabled` to be set to `true`
  initializeOnce: false

  # Enable to always override the installed plugins with the values of 'controller.installPlugins' on upgrade or redeployment.
  # -- Overwrite installed plugins on start
  overwritePlugins: false

  # Configures if plugins bundled with `controller.image` should be overwritten with the values of 'controller.installPlugins' on upgrade or redeployment.
  # -- Overwrite plugins that are already installed in the controller image
  overwritePluginsFromImage: true

  # Configures the restrictions for naming projects. Set this key to null or empty to skip it in the default config.
  projectNamingStrategy: standard

  # Useful with ghprb plugin. The OWASP plugin is not installed by default, please update controller.installPlugins.
  # -- Enable HTML parsing using OWASP Markup Formatter Plugin (antisamy-markup-formatter)
  enableRawHtmlMarkupFormatter: false

  # This is ignored if enableRawHtmlMarkupFormatter is true
  # -- Yaml of the markup formatter to use
  markupFormatter: plainText

  # Used to approve a list of groovy functions in pipelines used the script-security plugin. Can be viewed under /scriptApproval
  # -- List of groovy functions to approve
  scriptApproval: []
  #  - "method groovy.json.JsonSlurperClassic parseText java.lang.String"
  #  - "new groovy.json.JsonSlurperClassic"

  # -- Map of groovy init scripts to be executed during Jenkins controller start
  initScripts: {}
  #  test: |-
  #    print 'adding global pipeline libraries, register properties, bootstrap jobs...'
  # -- Name of the existing ConfigMap that contains init scripts
  initConfigMap:

  # 'name' is a name of an existing secret in the same namespace as jenkins,
  # 'keyName' is the name of one of the keys inside the current secret.
  # the 'name' and 'keyName' are concatenated with a '-' in between, so for example:
  # an existing secret "secret-credentials" and a key inside it named "github-password" should be used in JCasC as ${secret-credentials-github-password}
  # 'name' and 'keyName' must be lowercase RFC 1123 label must consist of lower case alphanumeric characters or '-',
  # and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc')
  # existingSecret existing secret "secret-credentials" and a key inside it named "github-username" should be used in JCasC as ${github-username}
  # When using existingSecret no need to specify the keyName under additionalExistingSecrets.
  existingSecret:

  # -- List of additional existing secrets to mount
  additionalExistingSecrets: []
  # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets
  # additionalExistingSecrets:
  #  - name: secret-name-1
  #    keyName: username
  #  - name: secret-name-1
  #    keyName: password

  # -- List of additional secrets to create and mount
  additionalSecrets: []
  # ref: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets
  # additionalSecrets:
  #  - name: nameOfSecret
  #    value: secretText

  # Generate SecretClaim resources to create Kubernetes secrets from HashiCorp Vault using kube-vault-controller.
  # 'name' is the name of the secret that will be created in Kubernetes. The Jenkins fullname is prepended to this value.
  # 'path' is the fully qualified path to the secret in Vault
  # 'type' is an optional Kubernetes secret type. The default is 'Opaque'
  # 'renew' is an optional secret renewal time in seconds
  # -- List of `SecretClaim` resources to create
  secretClaims: []
  # - name: secretName        # required
  #   path: testPath          # required
  #   type: kubernetes.io/tls # optional
  #   renew: 60               # optional

  # -- Name of default cloud configuration.
  cloudName: "kubernetes"

  # Below is the implementation of Jenkins Configuration as Code. Add a key under configScripts for each configuration area,
  # where each corresponds to a plugin or section of the UI. Each key (prior to | character) is just a label, and can be any value.
  # Keys are only used to give the section a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label
  # characters: lowercase letters, numbers, and hyphens. The keys become the name of a configuration yaml file on the controller in
  # /var/jenkins_home/casc_configs (by default) and will be processed by the Configuration as Code Plugin. The lines after each |
  # become the content of the configuration yaml file. The first line after this is a JCasC root element, e.g., jenkins, credentials,
  # etc. Best reference is https://<jenkins_url>/configuration-as-code/reference. The example below creates a welcome message:
  JCasC:
    # -- Enables default Jenkins configuration via configuration as code plugin
    defaultConfig: true

    # If true, the init container deletes all the plugin config files and Jenkins Config as Code overwrites any existing configuration
    # -- Whether Jenkins Config as Code should overwrite any existing configuration
    overwriteConfiguration: false
    # -- Remote URLs for configuration files.
    configUrls: []
    # - https://acme.org/jenkins.yaml
    # -- List of Jenkins Config as Code scripts
    # configScripts:
    #   groovy: |
    #     groovy:
    #       - script: |
    #           import hudson.model.User
    #           import jenkins.security.ApiTokenProperty

    #           // workaround for setting api-key https://github.com/jenkinsci/configuration-as-code-plugin/issues/1830
    #           def token = '11d851b3f9928edc4bc0ca06e59b56ff19'
    #           def user = User.get('auto')
    #           user.getProperty(ApiTokenProperty.class).tokenStore.addFixedNewToken("auto-token", token)
    #           user.save()

    #  welcome-message: |
    #    jenkins:
    #      systemMessage: Welcome to our CI\CD server. This Jenkins is configured and managed 'as code'.

    # Allows adding to the top-level security JCasC section. For legacy purposes, by default, the chart includes apiToken configurations
    # -- Jenkins Config as Code security-section
    security:
      apiToken:
        creationOfLegacyTokenEnabled: true
        tokenGenerationOnCreationEnabled: true
        usageStatisticsEnabled: true

    # Ignored if securityRealm is defined in controller.JCasC.configScripts
    # -- Jenkins Config as Code Security Realm-section
    securityRealm: |-
      local:
        allowsSignup: false
        enableCaptcha: false
        users:
        - id: "${chart-admin-username}"
          name: "Jenkins Admin"
          password: "${chart-admin-password}"

    # Ignored if authorizationStrategy is defined in controller.JCasC.configScripts
    # -- Jenkins Config as Code Authorization Strategy-section
    authorizationStrategy: |-
      loggedInUsersCanDoAnything:
        allowAnonymousRead: false

    # -- Annotations for the JCasC ConfigMap
    configMapAnnotations: {}

  # -- Custom init-container specification in raw-yaml format
  customInitContainers: []
  # - name: custom-init
  #   image: "alpine:3"
  #   imagePullPolicy: Always
  #   command: [ "uname", "-a" ]

  sidecars:
    configAutoReload:
      # If enabled: true, Jenkins Configuration as Code will be reloaded on-the-fly without a reboot.
      # If false or not-specified, JCasC changes will cause a reboot and will only be applied at the subsequent start-up.
      # Auto-reload uses the http://<jenkins_url>/reload-configuration-as-code endpoint to reapply config when changes to
      # the configScripts are detected.
      # -- Enables Jenkins Config as Code auto-reload
      enabled: true
      image:
        # -- Registry for the image that triggers the reload
        registry: docker.io
        # -- Repository of the image that triggers the reload
        repository: kiwigrid/k8s-sidecar
        # -- Tag for the image that triggers the reload
        tag: 1.27.6
      imagePullPolicy: IfNotPresent
      resources: {}
        #   limits:
        #     cpu: 100m
        #     memory: 100Mi
        #   requests:
        #     cpu: 50m
        #     memory: 50Mi
      # -- Enables additional volume mounts for the config auto-reload container
      additionalVolumeMounts: []
        #   - name: auto-reload-config
        #     mountPath: /var/config/logger
        #   - name: auto-reload-logs
        #     mountPath: /var/log/auto_reload
      # -- Config auto-reload logging settings
      logging:
        # See default settings https://github.com/kiwigrid/k8s-sidecar/blob/master/src/logger.py
        configuration:
          # -- Enables custom log config utilizing using the settings below.
          override: false
          logLevel: INFO
          formatter: JSON
          logToConsole: true
          logToFile: false
          maxBytes: 1024
          backupCount: 3

      # -- The scheme to use when connecting to the Jenkins configuration as code endpoint
      scheme: http
      # -- Skip TLS verification when connecting to the Jenkins configuration as code endpoint
      skipTlsVerify: false

      # -- How many connection-related errors to retry on
      reqRetryConnect: 10
      # -- How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar)
      sleepTime:

      # -- Environment variable sources for the Jenkins Config as Code auto-reload container
      envFrom: []
      # -- Environment variables for the Jenkins Config as Code auto-reload container
      env: {}
      #   - name: REQ_TIMEOUT
      #     value: "30"

      # SSH port value can be set to any unused TCP port. The default, 1044, is a non-standard SSH port that has been chosen at random.
      # This is only used to reload JCasC config from the sidecar container running in the Jenkins controller pod.
      # This TCP port will not be open in the pod (unless you specifically configure this), so Jenkins will not be
      # accessible via SSH from outside the pod. Note if you use non-root pod privileges (runAsUser & fsGroup),
      # this must be > 1024:
      sshTcpPort: 1044
      # folder in the pod that should hold the collected dashboards:
      folder: "/var/jenkins_home/casc_configs"

      # If specified, the sidecar will search for JCasC config-maps inside this namespace.
      # Otherwise, the namespace in which the sidecar is running will be used.
      # It's also possible to specify ALL to search in all namespaces:
      # searchNamespace:
      # -- Enable container security context
      containerSecurityContext:
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false

    # -- Configures additional sidecar container(s) for the Jenkins controller
    additionalSidecarContainers: []
    ## The example below runs the client for https://smee.io as sidecar container next to Jenkins,
    ## that allows triggering build behind a secure firewall.
    ## https://jenkins.io/blog/2019/01/07/webhook-firewalls/#triggering-builds-with-webhooks-behind-a-secure-firewall
    ##
    ## Note: To use it you should go to https://smee.io/new and update the url to the generated one.
    # - name: smee
    #   image: docker.io/twalter/smee-client:1.0.2
    #   args: ["--port", "{{ .Values.controller.servicePort }}", "--path", "/github-webhook/", "--url", "https://smee.io/new"]
    #   resources:
    #     limits:
    #       cpu: 50m
    #       memory: 128Mi
    #     requests:
    #       cpu: 10m
    #       memory: 32Mi

  # -- Name of the Kubernetes scheduler to use
  schedulerName: ""

  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  # -- Node labels for pod assignment
  nodeSelector: {}

  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
  # -- Toleration labels for pod assignment
  tolerations: []
  # -- Set TerminationGracePeriodSeconds
  terminationGracePeriodSeconds:
  # -- Set the termination message path
  terminationMessagePath:
  # -- Set the termination message policy
  terminationMessagePolicy:

  # -- Affinity settings
  affinity: {}

  # Leverage a priorityClass to ensure your pods survive resource shortages
  # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  # -- The name of a `priorityClass` to apply to the controller pod
  priorityClassName:

  # -- Annotations for controller pod
  podAnnotations: {}
  # -- Annotations for controller StatefulSet
  statefulSetAnnotations: {}

  # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  # -- Update strategy for StatefulSet
  updateStrategy: {}

  # -- Topology spread constraints
  topologySpreadConstraints: {}

  ingress:
    # -- Enables ingress
    enabled: false

    # Override for the default paths that map requests to the backend
    # -- Override for the default Ingress paths
    paths: []
    # - backend:
    #     serviceName: ssl-redirect
    #     servicePort: use-annotation
    # - backend:
    #     serviceName: >-
    #       {{ template "jenkins.fullname" . }}
    #     # Don't use string here, use only integer value!
    #     servicePort: 8080

    # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1'
    # For Kubernetes v1.19+, use 'networking.k8s.io/v1'
    # -- Ingress API version
    apiVersion: "extensions/v1beta1"
    # -- Ingress labels
    labels: {}
    # -- Ingress annotations
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
    # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
    # ingressClassName: nginx

    # Set this path to jenkinsUriPrefix above or use annotations to rewrite path
    # -- Ingress path
    path:

    # configures the hostname e.g. jenkins.example.com
    # -- Ingress hostname
    hostName:
    # -- Hostname to serve assets from
    resourceRootUrl:
    # -- Ingress TLS configuration
    tls: []
    # - secretName: jenkins.cluster.local
    #   hosts:
    #     - jenkins.cluster.local

  # often you want to have your controller all locked down and private,
  # but you still want to get webhooks from your SCM
  # A secondary ingress will let you expose different urls
  # with a different configuration
  secondaryingress:
    enabled: false
    # paths you want forwarded to the backend
    # ex /github-webhook
    paths: []
    # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1'
    # For Kubernetes v1.19+, use 'networking.k8s.io/v1'
    apiVersion: "extensions/v1beta1"
    labels: {}
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
    # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
    # ingressClassName: nginx
    # configures the hostname e.g., jenkins-external.example.com
    hostName:
    tls:
    # - secretName: jenkins-external.example.com
    #   hosts:
    #     - jenkins-external.example.com

  # If you're running on GKE and need to configure a backendconfig
  # to finish ingress setup, use the following values.
  # Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig
  backendconfig:
    # -- Enables backendconfig
    enabled: false
    # -- backendconfig API version
    apiVersion: "extensions/v1beta1"
    # -- backendconfig name
    name:
    # -- backendconfig labels
    labels: {}
    # -- backendconfig annotations
    annotations: {}
    # -- backendconfig spec
    spec: {}

  # Openshift route
  route:
    # -- Enables openshift route
    enabled: false
    # -- Route labels
    labels: {}
    # -- Route annotations
    annotations: {}
    # -- Route path
    path:

  # -- Allows for adding entries to Pod /etc/hosts
  hostAliases: []
  # ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  # hostAliases:
  # - ip: 192.168.50.50
  #   hostnames:
  #     - something.local
  # - ip: 10.0.50.50
  #   hostnames:
  #     - other.local

  # Expose Prometheus metrics
  prometheus:
    # If enabled, add the prometheus plugin to the list of plugins to install
    # https://plugins.jenkins.io/prometheus

    # -- Enables prometheus service monitor
    enabled: false
    # -- Additional labels to add to the service monitor object
    serviceMonitorAdditionalLabels: {}
    # -- Set a custom namespace where to deploy ServiceMonitor resource
    serviceMonitorNamespace:
    # -- How often prometheus should scrape metrics
    scrapeInterval: 60s

    # Defaults to the default endpoint used by the prometheus plugin
    # -- The endpoint prometheus should get metrics from
    scrapeEndpoint: /prometheus

    # See here: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/
    # The `groups` root object is added by default, add the rule entries
    # -- Array of prometheus alerting rules
    alertingrules: []
    # -- Additional labels to add to the PrometheusRule object
    alertingRulesAdditionalLabels: {}
    # -- Set a custom namespace where to deploy PrometheusRule resource
    prometheusRuleNamespace: ""

    # RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds
    # relabelings for a few standard Kubernetes fields. The original scrape job’s name
    # is available via the __tmp_prometheus_job_name label.
    # More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
    relabelings: []
    # MetricRelabelConfigs to apply to samples before ingestion.
    metricRelabelings: []

  googlePodMonitor:
    # If enabled, It creates Google Managed Prometheus scraping config
    enabled: false
    # Set a custom namespace where to deploy PodMonitoring resource
    # serviceMonitorNamespace: ""
    scrapeInterval: 60s
    # This is the default endpoint used by the prometheus plugin
    scrapeEndpoint: /prometheus

  # -- Can be used to disable rendering controller test resources when using helm template
  testEnabled: true

  httpsKeyStore:
    # -- Enables HTTPS keystore on jenkins controller
    enable: false
    # -- Name of the secret that already has ssl keystore
    jenkinsHttpsJksSecretName: ""
    # -- Name of the key in the secret that already has ssl keystore
    jenkinsHttpsJksSecretKey: "jenkins-jks-file"
    # -- Name of the secret that contains the JKS password, if it is not in the same secret as the JKS file
    jenkinsHttpsJksPasswordSecretName: ""
    # -- Name of the key in the secret that contains the JKS password
    jenkinsHttpsJksPasswordSecretKey: "https-jks-password"
    disableSecretMount: false

    # When HTTPS keystore is enabled, servicePort and targetPort will be used as HTTPS port
    # -- HTTP Port that Jenkins should listen to along with HTTPS, it also serves as the liveness and readiness probes port.
    httpPort: 8081
    # -- Path of HTTPS keystore file
    path: "/var/jenkins_keystore"
    # -- Jenkins keystore filename which will appear under controller.httpsKeyStore.path
    fileName: "keystore.jks"
    # -- Jenkins keystore password
    password: "password"

    # -- Base64 encoded Keystore content. Keystore must be converted to base64 then being pasted here
    jenkinsKeyStoreBase64Encoded:
    # Convert keystore.jks files content to base64 > $ cat keystore.jks | base64
#        /u3+7QAAAAIAAAABAAAAAQANamVua2luc2NpLmNvbQAAAW2r/b1ZAAAFATCCBP0wDgYKKwYBBAEq
#        AhEBAQUABIIE6QbCqasvoHS0pSwYqSvdydMCB9t+VNfwhFIiiuAelJfO5sSe2SebJbtwHgLcRz1Z
#        gMtWgOSFdl3bWSzA7vrW2LED52h+jXLYSWvZzuDuh8hYO85m10ikF6QR+dTi4jra0whIFDvq3pxe
#        TnESxEsN+DvbZM3jA3qsjQJSeISNpDjO099dqQvHpnCn18lyk7J4TWJ8sOQQb1EM2zDAfAOSqA/x
#        QuPEFl74DlY+5DIk6EBvpmWhaMSvXzWZACGA0sYqa157dq7O0AqmuLG/EI5EkHETO4CrtBW+yLcy
#        2dUCXOMA+j+NjM1BjrQkYE5vtSfNO6lFZcISyKo5pTFlcA7ut0Fx2nZ8GhHTn32CpeWwNcZBn1gR
#        pZVt6DxVVkhTAkMLhR4rL2wGIi/1WRs23ZOLGKtyDNvDHnQyDiQEoJGy9nAthA8aNHa3cfdF10vB
#        Drb19vtpFHmpvKEEhpk2EBRF4fTi644Fuhu2Ied6118AlaPvEea+n6G4vBz+8RWuVCmZjLU+7h8l
#        Hy3/WdUPoIL5eW7Kz+hS+sRTFzfu9C48dMkQH3a6f3wSY+mufizNF9U298r98TnYy+PfDJK0bstG
#        Ph6yPWx8DGXKQBwrhWJWXI6JwZDeC5Ny+l8p1SypTmAjpIaSW3ge+KgcL6Wtt1R5hUV1ajVwVSUi
#        HF/FachKqPqyLJFZTGjNrxnmNYpt8P1d5JTvJfmfr55Su/P9n7kcyWp7zMcb2Q5nlXt4tWogOHLI
#        OzEWKCacbFfVHE+PpdrcvCVZMDzFogIq5EqGTOZe2poPpBVE+1y9mf5+TXBegy5HToLWvmfmJNTO
#        NCDuBjgLs2tdw2yMPm4YEr57PnMX5gGTC3f2ZihXCIJDCRCdQ9sVBOjIQbOCzxFXkVITo0BAZhCi
#        Yz61wt3Ud8e//zhXWCkCsSV+IZCxxPzhEFd+RFVjW0Nm9hsb2FgAhkXCjsGROgoleYgaZJWvQaAg
#        UyBzMmKDPKTllBHyE3Gy1ehBNGPgEBChf17/9M+j8pcm1OmlM434ctWQ4qW7RU56//yq1soFY0Te
#        fu2ei03a6m68fYuW6s7XEEK58QisJWRAvEbpwu/eyqfs7PsQ+zSgJHyk2rO95IxdMtEESb2GRuoi
#        Bs+AHNdYFTAi+GBWw9dvEgqQ0Mpv0//6bBE/Fb4d7b7f56uUNnnE7mFnjGmGQN+MvC62pfwfvJTT
#        EkT1iZ9kjM9FprTFWXT4UmO3XTvesGeE50sV9YPm71X4DCQwc4KE8vyuwj0s6oMNAUACW2ClU9QQ
#        y0tRpaF1tzs4N42Q5zl0TzWxbCCjAtC3u6xf+c8MCGrr7DzNhm42LOQiHTa4MwX4x96q7235oiAU
#        iQqSI/hyF5yLpWw4etyUvsx2/0/0wkuTU1FozbLoCWJEWcPS7QadMrRRISxHf0YobIeQyz34regl
#        t1qSQ3dCU9D6AHLgX6kqllx4X0fnFq7LtfN7fA2itW26v+kAT2QFZ3qZhINGfofCja/pITC1uNAZ
#        gsJaTMcQ600krj/ynoxnjT+n1gmeqThac6/Mi3YlVeRtaxI2InL82ZuD+w/dfY9OpPssQjy3xiQa
#        jPuaMWXRxz/sS9syOoGVH7XBwKrWpQcpchozWJt40QV5DslJkclcr8aC2AGlzuJMTdEgz1eqV0+H
#        bAXG9HRHN/0eJTn1/QAAAAEABVguNTA5AAADjzCCA4swggJzAhRGqVxH4HTLYPGO4rzHcCPeGDKn
#        xTANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMCY2ExEDAOBgNVBAgMB29udGFyaW8xEDAOBgNV
#        BAcMB3Rvcm9udG8xFDASBgNVBAoMC2plbmtpbnN0ZXN0MRkwFwYDVQQDDBBqZW5raW5zdGVzdC5p
#        bmZvMR0wGwYJKoZIhvcNAQkBFg50ZXN0QHRlc3QuaW5mbzAeFw0xOTEwMDgxNTI5NTVaFw0xOTEx
#        MDcxNTI5NTVaMIGBMQswCQYDVQQGEwJjYTEQMA4GA1UECAwHb250YXJpbzEQMA4GA1UEBwwHdG9y
#        b250bzEUMBIGA1UECgwLamVua2luc3Rlc3QxGTAXBgNVBAMMEGplbmtpbnN0ZXN0LmluZm8xHTAb
#        BgkqhkiG9w0BCQEWDnRlc3RAdGVzdC5pbmZvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
#        AQEA02q352JTHGvROMBhSHvSv+vnoOTDKSTz2aLQn0tYrIRqRo+8bfmMjXuhkwZPSnCpvUGNAJ+w
#        Jrt/dqMoYUjCBkjylD/qHmnXN5EwS1cMg1Djh65gi5JJLFJ7eNcoSsr/0AJ+TweIal1jJSP3t3PF
#        9Uv21gm6xdm7HnNK66WpUUXLDTKaIs/jtagVY1bLOo9oEVeLN4nT2CYWztpMvdCyEDUzgEdDbmrP
#        F5nKUPK5hrFqo1Dc5rUI4ZshL3Lpv398aMxv6n2adQvuL++URMEbXXBhxOrT6rCtYzbcR5fkwS9i
#        d3Br45CoWOQro02JAepoU0MQKY5+xQ4Bq9Q7tB9BAwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAe
#        4xc+mSvKkrKBHg9/zpkWgZUiOp4ENJCi8H4tea/PCM439v6y/kfjT/okOokFvX8N5aa1OSz2Vsrl
#        m8kjIc6hiA7bKzT6lb0EyjUShFFZ5jmGVP4S7/hviDvgB5yEQxOPpumkdRP513YnEGj/o9Pazi5h
#        /MwpRxxazoda9r45kqQpyG+XoM4pB+Fd3JzMc4FUGxfVPxJU4jLawnJJiZ3vqiSyaB0YyUL+Er1Q
#        6NnqtR4gEBF0ZVlQmkycFvD4EC2boP943dLqNUvop+4R3SM1QMM6P5u8iTXtHd/VN4MwMyy1wtog
#        hYAzODo1Jt59pcqqKJEas0C/lFJEB3frw4ImNx5fNlJYOpx+ijfQs9m39CevDq0=

agent:
  # -- Enable Kubernetes plugin jnlp-agent podTemplate
  enabled: true
  # -- The name of the pod template to use for providing default values
  defaultsProviderTemplate: ""

  # Useful for not including a serviceAccount in the template if `false`
  # -- Use `serviceAccountAgent.name` as the default value for defaults template `serviceAccount`
  useDefaultServiceAccount: true

  # -- Override the default service account
  # @default -- `serviceAccountAgent.name` if `agent.useDefaultServiceAccount` is `true`
  serviceAccount:

  # For connecting to the Jenkins controller
  # -- Overrides the Kubernetes Jenkins URL
  jenkinsUrl:

  # connects to the specified host and port, instead of connecting directly to the Jenkins controller
  # -- Overrides the Kubernetes Jenkins tunnel
  jenkinsTunnel:
  # -- Disables the verification of the controller certificate on remote connection. This flag correspond to the "Disable https certificate check" flag in kubernetes plugin UI
  skipTlsVerify: false
  # -- Enable the possibility to restrict the usage of this agent to specific folder. This flag correspond to the "Restrict pipeline support to authorized folders" flag in kubernetes plugin UI
  usageRestricted: false
  # -- The connection timeout in seconds for connections to Kubernetes API. The minimum value is 5
  kubernetesConnectTimeout: 5
  # -- The read timeout in seconds for connections to Kubernetes API. The minimum value is 15
  kubernetesReadTimeout: 15
  # -- The maximum concurrent connections to Kubernetes API
  maxRequestsPerHostStr: "32"
  # -- Time in minutes after which the Kubernetes cloud plugin will clean up an idle worker that has not already terminated
  retentionTimeout: 5
  # -- Seconds to wait for pod to be running
  waitForPodSec: 600
  # -- Namespace in which the Kubernetes agents should be launched
  namespace:
  # -- Custom Pod labels (an object with `label-key: label-value` pairs)
  podLabels: {}
  # -- Custom registry used to pull the agent jnlp image from
  jnlpregistry:
  image:
    # -- Repository to pull the agent jnlp image from
    repository: "jenkins/inbound-agent"
    # -- Tag of the image to pull
    tag: "3261.v9c670a_4748a_9-1"
  # -- Configure working directory for default agent
  workingDir: "/home/jenkins/agent"
  nodeUsageMode: "NORMAL"
  # -- Append Jenkins labels to the agent
  customJenkinsLabels: []
  # -- Name of the secret to be used to pull the image
  imagePullSecretName:
  componentName: "jenkins-agent"
  # -- Enables agent communication via websockets
  websocket: false
  directConnection: false
  # -- Agent privileged container
  privileged: false
  # -- Configure container user
  runAsUser:
  # -- Configure container group
  runAsGroup:
  # -- Enables the agent to use the host network
  hostNetworking: false
  # -- Resources allocation (Requests and Limits)
  resources:
    requests:
      cpu: "512m"
      memory: "512Mi"
      # ephemeralStorage:
    limits:
      cpu: "512m"
      memory: "512Mi"
      # ephemeralStorage:
  livenessProbe: {}
#    execArgs: "cat /tmp/healthy"
#    failureThreshold: 3
#    initialDelaySeconds: 0
#    periodSeconds: 10
#    successThreshold: 1
#    timeoutSeconds: 1

  # You may want to change this to true while testing a new image
  # -- Always pull agent container image before build
  alwaysPullImage: false
  # When using Pod Security Admission in the Agents namespace with the restricted Pod Security Standard,
  # the jnlp container cannot be scheduled without overriding its container definition with a securityContext.
  # This option allows to automatically inject in the jnlp container a securityContext
  # that is suitable for the use of the restricted Pod Security Standard.
  # -- Set a restricted securityContext on jnlp containers
  restrictedPssSecurityContext: false
  # Controls how agent pods are retained after the Jenkins build completes
  # Possible values: Always, Never, OnFailure
  podRetention: "Never"
  # Disable if you do not want the Yaml the agent pod template to show up
  # in the job Console Output. This can be helpful for either security reasons
  # or simply to clean up the output to make it easier to read.
  showRawYaml: true

  # You can define the volumes that you want to mount for this container
  # Allowed types are: ConfigMap, EmptyDir, EphemeralVolume, HostPath, Nfs, PVC, Secret
  # Configure the attributes as they appear in the corresponding Java class for that type
  # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes
  # -- Additional volumes
  volumes: []
  # - type: ConfigMap
  #   configMapName: myconfigmap
  #   mountPath: /var/myapp/myconfigmap
  # - type: EmptyDir
  #   mountPath: /var/myapp/myemptydir
  #   memory: false
  # - type: EphemeralVolume
  #   mountPath: /var/myapp/myephemeralvolume
  #   accessModes: ReadWriteOnce
  #   requestsSize: 10Gi
  #   storageClassName: mystorageclass
  # - type: HostPath
  #   hostPath: /var/lib/containers
  #   mountPath: /var/myapp/myhostpath
  # - type: Nfs
  #   mountPath: /var/myapp/mynfs
  #   readOnly: false
  #   serverAddress: "192.0.2.0"
  #   serverPath: /var/lib/containers
  # - type: PVC
  #   claimName: mypvc
  #   mountPath: /var/myapp/mypvc
  #   readOnly: false
  # - type: Secret
  #   defaultMode: "600"
  #   mountPath: /var/myapp/mysecret
  #   secretName: mysecret
  # Pod-wide environment, these vars are visible to any container in the agent pod

  # You can define the workspaceVolume that you want to mount for this container
  # Allowed types are: DynamicPVC, EmptyDir, EphemeralVolume, HostPath, Nfs, PVC
  # Configure the attributes as they appear in the corresponding Java class for that type
  # https://github.com/jenkinsci/kubernetes-plugin/tree/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/volumes/workspace
  # -- Workspace volume (defaults to EmptyDir)
  workspaceVolume: {}
  ## DynamicPVC example
  # - type: DynamicPVC
  #   configMapName: myconfigmap
  ## EmptyDir example
  # - type: EmptyDir
  #   memory: false
  ## EphemeralVolume example
  # - type: EphemeralVolume
  #   accessModes: ReadWriteOnce
  #   requestsSize: 10Gi
  #   storageClassName: mystorageclass
  ## HostPath example
  # - type: HostPath
  #   hostPath: /var/lib/containers
  ## NFS example
  # - type: Nfs
  #   readOnly: false
  #   serverAddress: "192.0.2.0"
  #   serverPath: /var/lib/containers
  ## PVC example
  # - type: PVC
  #   claimName: mypvc
  #   readOnly: false

  # Pod-wide environment, these vars are visible to any container in the agent pod
  # -- Environment variables for the agent Pod
  envVars: []
  # - name: PATH
  #   value: /usr/local/bin
  # -- Mount a secret as environment variable
  secretEnvVars: []
  # - key: PATH
  #   optional: false # default: false
  #   secretKey: MY-K8S-PATH
  #   secretName: my-k8s-secret

  # -- Node labels for pod assignment
  nodeSelector: {}
  # Key Value selectors. Ex:
  # nodeSelector
  #   jenkins-agent: v1

  # -- Command to execute when side container starts
  command:
  # -- Arguments passed to command to execute
  args: "${computer.jnlpmac} ${computer.name}"
  # -- Side container name
  sideContainerName: "jnlp"

  # Doesn't allocate pseudo TTY by default
  # -- Allocate pseudo tty to the side container
  TTYEnabled: false
  # -- Max number of agents to launch
  containerCap: 10
  # -- Agent Pod base name
  podName: "default"

  # Enables garbage collection of orphan pods for this Kubernetes cloud. (beta)
  garbageCollection:
    # -- When enabled, Jenkins will periodically check for orphan pods that have not been touched for the given timeout period and delete them.
    enabled: false
    # -- Namespaces to look at for garbage collection, in addition to the default namespace defined for the cloud. One namespace per line.
    namespaces: ""
    # namespaces: |-
    #   namespaceOne
    #   namespaceTwo
    # -- Timeout value for orphaned pods
    timeout: 300

  # -- Allows the Pod to remain active for reuse until the configured number of minutes has passed since the last step was executed on it
  idleMinutes: 0


  # The raw yaml of a Pod API Object, for example, this allows usage of toleration for agent pods.
  # https://github.com/jenkinsci/kubernetes-plugin#using-yaml-to-define-pod-templates
  # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  # -- The raw yaml of a Pod API Object to merge into the agent spec
  yamlTemplate: ""
  # yamlTemplate: |-
  #   apiVersion: v1
  #   kind: Pod
  #   spec:
  #     tolerations:
  #     - key: "key"
  #       operator: "Equal"
  #       value: "value"

  # -- Defines how the raw yaml field gets merged with yaml definitions from inherited pod templates. Possible values: "merge" or "override"
  yamlMergeStrategy: "override"
  # -- Controls whether the defined yaml merge strategy will be inherited if another defined pod template is configured to inherit from the current one
  inheritYamlMergeStrategy: false
  # -- Timeout in seconds for an agent to be online
  connectTimeout: 100
  # -- Annotations to apply to the pod
  annotations: {}

  # Containers specified here are added to all agents. Set key empty to remove container from additional agents.
  # -- Add additional containers to the agents
  additionalContainers: []
  #  - sideContainerName: dind
  #    image:
  #      repository: docker
  #      tag: dind
  #    command: dockerd-entrypoint.sh
  #    args: ""
  #    privileged: true
  #    resources:
  #      requests:
  #        cpu: 500m
  #        memory: 1Gi
  #      limits:
  #        cpu: 1
  #        memory: 2Gi

  # Useful when configuring agents only with the podTemplates value, since the default podTemplate populated by values mentioned above will be excluded in the rendered template.
  # -- Disable the default Jenkins Agent configuration
  disableDefaultAgent: false

  # Below is the implementation of custom pod templates for the default configured kubernetes cloud.
  # Add a key under podTemplates for each pod template. Each key (prior to | character) is just a label, and can be any value.
  # Keys are only used to give the pod template a meaningful name. The only restriction is they may only contain RFC 1123 \ DNS label
  # characters: lowercase letters, numbers, and hyphens. Each pod template can contain multiple containers.
  # For this pod templates configuration to be loaded, the following values must be set:
  # controller.JCasC.defaultConfig: true
  # Best reference is https://<jenkins_url>/configuration-as-code/reference#Cloud-kubernetes. The example below creates a python pod template.
  # -- Configures extra pod templates for the default kubernetes cloud
  podTemplates: {}
  #  python: |
  #    - name: python
  #      label: jenkins-python
  #      serviceAccount: jenkins
  #      containers:
  #        - name: python
  #          image: python:3
  #          command: "/bin/sh -c"
  #          args: "cat"
  #          ttyEnabled: true
  #          privileged: true
  #          resourceRequestCpu: "400m"
  #          resourceRequestMemory: "512Mi"
  #          resourceLimitCpu: "1"
  #          resourceLimitMemory: "1024Mi"

# Inherits all values from `agent` so you only need to specify values which differ
# -- Configure additional
additionalAgents: {}
#  maven:
#    podName: maven
#    customJenkinsLabels: maven
#    # An example of overriding the jnlp container
#    # sideContainerName: jnlp
#    image:
#      repository: jenkins/jnlp-agent-maven
#      tag: latest
#  python:
#    podName: python
#    customJenkinsLabels: python
#    sideContainerName: python
#    image:
#      repository: python
#      tag: "3"
#    command: "/bin/sh -c"
#    args: "cat"
#    TTYEnabled: true

# Here you can add additional clouds
# They inherit all values from the default cloud (including the main agent), so
# you only need to specify values which differ. If you want to override
# default additionalAgents with the additionalClouds.additionalAgents set
# additionalAgentsOverride to `true`.
additionalClouds: {}
#  remote-cloud-1:
#    kubernetesURL: https://api.remote-cloud.com
#    additionalAgentsOverride: true
#    additionalAgents:
#      maven-2:
#        podName: maven-2
#        customJenkinsLabels: maven
#        # An example of overriding the jnlp container
#        # sideContainerName: jnlp
#        image:
#          repository: jenkins/jnlp-agent-maven
#          tag: latest
#        namespace: my-other-maven-namespace
#  remote-cloud-2:
#    kubernetesURL: https://api.remote-cloud.com

persistence:
  # -- Enable the use of a Jenkins PVC
  enabled: true

  # A manually managed Persistent Volume and Claim
  # Requires persistence.enabled: true
  # If defined, PVC must be created manually before volume will be bound
  # -- Provide the name of a PVC
  existingClaim:

  # jenkins data Persistent Volume Storage Class
  # If defined, storageClassName: <storageClass>
  # If set to "-", storageClassName: "", which disables dynamic provisioning
  # If undefined (the default) or set to null, no storageClassName spec is
  #   set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS & OpenStack)
  # -- Storage class for the PVC
  storageClass:
  # -- Annotations for the PVC
  annotations: {}
  # -- Labels for the PVC
  labels: {}
  # -- The PVC access mode
  accessMode: "ReadWriteOnce"
  # -- The size of the PVC
  size: "8Gi"

  # ref: https://kubernetes.io/docs/concepts/storage/volume-pvc-datasource/
  # -- Existing data source to clone PVC from
  dataSource: {}
  #   name: PVC-NAME
  #   kind: PersistentVolumeClaim

  # -- SubPath for jenkins-home mount
  subPath:
  # -- Additional volumes
  volumes: []
  #  - name: nothing
  #    emptyDir: {}

  # -- Additional mounts
  mounts: []
  #  - mountPath: /var/nothing
  #    name: nothing
  #    readOnly: true

networkPolicy:
  # -- Enable the creation of NetworkPolicy resources
  enabled: false

  # For Kubernetes v1.4, v1.5 and v1.6, use 'extensions/v1beta1'
  # For Kubernetes v1.7, use 'networking.k8s.io/v1'
  # -- NetworkPolicy ApiVersion
  apiVersion: networking.k8s.io/v1
  # You can allow agents to connect from both within the cluster (from within specific/all namespaces) AND/OR from a given external IP range
  internalAgents:
    # -- Allow internal agents (from the same cluster) to connect to controller. Agent pods will be filtered based on PodLabels
    allowed: true
    # -- A map of labels (keys/values) that agent pods must have to be able to connect to controller
    podLabels: {}
    # -- A map of labels (keys/values) that agents namespaces must have to be able to connect to controller
    namespaceLabels: {}
      # project: myproject
  externalAgents:
    # -- The IP range from which external agents are allowed to connect to controller, i.e., 172.17.0.0/16
    ipCIDR:
    # -- A list of IP sub-ranges to be excluded from the allowlisted IP range
    except: []
      # - 172.17.1.0/24

## Install Default RBAC roles and bindings
rbac:
  # -- Whether RBAC resources are created
  create: true
  # -- Whether the Jenkins service account should be able to read Kubernetes secrets
  readSecrets: false

serviceAccount:
  # -- Configures if a ServiceAccount with this name should be created
  create: true

  # The name of the ServiceAccount is autogenerated by default
  #  -- The name of the ServiceAccount to be used by access-controlled resources
  name:
  # -- Configures annotations for the ServiceAccount
  annotations: {}
  # -- Configures extra labels for the ServiceAccount
  extraLabels: {}
  # -- Controller ServiceAccount image pull secret
  imagePullSecretName:


serviceAccountAgent:
  # -- Configures if an agent ServiceAccount should be created
  create: false

  # If not set and create is true, a name is generated using the fullname template
  # -- The name of the agent ServiceAccount to be used by access-controlled resources
  name:
  # -- Configures annotations for the agent ServiceAccount
  annotations: {}
  # -- Configures extra labels for the agent ServiceAccount
  extraLabels: {}
  # -- Agent ServiceAccount image pull secret
  imagePullSecretName:

# -- Checks if any deprecated values are used
checkDeprecation: true

awsSecurityGroupPolicies:
  enabled: false
  policies:
    - name: ""
      securityGroupIds: []
      podSelector: {}

# Here you can configure unit tests values when executing the helm unittest in the CONTRIBUTING.md
helmtest:
  # A testing framework for bash
  bats:
    # Bash Automated Testing System (BATS)
    image:
      # -- Registry of the image used to test the framework
      registry: "docker.io"
      # -- Repository of the image used to test the framework
      repository: "bats/bats"
      # -- Tag of the image to test the framework
      tag: "1.11.0"