jenkins: Run Jenkins in Kubernetes

Running Jenkins in Kubernetes is relatively straightforward.  The
Kubernetes plugin automatically discovers all the connection and
authentication configuration, so a `kubeconfig` file is no longer
necessary.  I did set the *Jenkins tunnel* option, though, so that
agents will connect directly to the Jenkins JNLP port instead of going
through the ingress controller.

Jobs now run in pods in the *jenkins-job* namespace instead of the
*jenkins* namespace.  The latter is now where the Jenkins controller
runs, and the controller should not have permission to modify its own
resources.

jenkins/jenkins.yaml

@@ -3,12 +3,43 @@ kind: Namespace
 metadata:
   name: jenkins
 
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: jenkins-jobs
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: jenkins
+  namespace: jenkins
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jenkins
+  namespace: jenkins
+  labels:
+    app.kubernetes.io/name: jenkins
+    app.kubernetes.io/component: master
+    app.kubernetes.io/instance: jenkins
+    app.kubernetes.io/part-of: jenkins
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: jenkins
-  namespace: jenkins
+  namespace: jenkins-jobs
 rules:
 - apiGroups:
   - ''
@@ -23,13 +54,106 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: jenkins-binding
-  namespace: jenkins
+  name: jenkins
+  namespace: jenkins-jobs
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: jenkins
 subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: User
+- kind: ServiceAccount
   name: jenkins
+  namespace: jenkins
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: master
+    app.kubernetes.io/name: jenkins
+    app.kubernetes.io/instance: jenkins
+    app.kubernetes.io/part-of: jenkins
+  name: jenkins
+  namespace: jenkins
+spec:
+  ports:
+  - name: http
+    port: 8080
+  - name: jnlp
+    port: 40414
+  selector:
+    app.kubernetes.io/component: master
+    app.kubernetes.io/name: jenkins
+    app.kubernetes.io/instance: jenkins
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: jenkins
+  namespace: jenkins
+  labels:
+    app.kubernetes.io/name: jenkins
+    app.kubernetes.io/component: master
+    app.kubernetes.io/instance: jenkins
+    app.kubernetes.io/part-of: jenkins
+spec:
+  serviceName: jenkins
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: jenkins
+      app.kubernetes.io/component: master
+      app.kubernetes.io/instance: jenkins
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: jenkins
+        app.kubernetes.io/component: master
+        app.kubernetes.io/instance: jenkins
+    spec:
+      containers:
+      - name: jenkins
+        image: docker.io/jenkins/jenkins:lts
+        imagePullPolicy: Always
+        ports:
+        - name: http
+          containerPort: 8080
+        - name: jnlp
+          containerPort: 40414
+        volumeMounts:
+        - name: jenkins-data
+          mountPath: /var/jenkins_home
+      securityContext:
+        runAsUser: 1000
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+      serviceAccountName: jenkins
+      volumes:
+      - name: jenkins-data
+        persistentVolumeClaim:
+          claimName: jenkins
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jenkins
+  namespace: jenkins
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: jenkins.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: jenkins
+            port:
+              name: http
+  tls:
+  - hosts:
+    - jenkins.pyrocufflink.blue