From b7a7e4f6b4201079f92bc89208073c5a4d333e55 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sun, 23 Nov 2025 10:29:20 -0600 Subject: [PATCH] jenkins: Add CronJob for updatecheck `updatecheck` is a little utility I wrote that queries Fedora Bodhi for updates and sends an HTTP request when one is found. I am specifically going to use it to trigger rebuilding the _gasket-driver_ RPM whenever there is a new _kernel_ published. --- jenkins/kustomization.yaml | 21 +++++++++++ jenkins/updatecheck.toml | 13 +++++++ jenkins/updatecheck.yaml | 74 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 108 insertions(+) create mode 100644 jenkins/updatecheck.toml create mode 100644 jenkins/updatecheck.yaml diff --git a/jenkins/kustomization.yaml b/jenkins/kustomization.yaml index fadb6a4..f14f05d 100644 --- a/jenkins/kustomization.yaml +++ b/jenkins/kustomization.yaml @@ -11,6 +11,18 @@ resources: - iscsi.yaml - ssh-host-keys - workspace-volume.yaml +- updatecheck.yaml + +configMapGenerator: +- name: updatecheck + namespace: jenkins + files: + - config.toml=updatecheck.toml + options: + disableNameSuffixHash: true + labels: + app.kubernetes.io/name: updatecheck + app.kubernetes.io/component: updatecheck patches: - patch: | @@ -23,6 +35,15 @@ patches: volumeName: jenkins storageClassName: '' +- patch: | + apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: updatecheck + namespace: jenkins + spec: + storageClassName: synology-iscsi + images: - name: docker.io/jenkins/jenkins newTag: 2.528.2-lts diff --git a/jenkins/updatecheck.toml b/jenkins/updatecheck.toml new file mode 100644 index 0000000..6cdbad1 --- /dev/null +++ b/jenkins/updatecheck.toml @@ -0,0 +1,13 @@ +[storage] +dir = "/var/lib/updatecheck" + +[[watch]] +packages = "kernel" + +[watch.on_update] +url = "https://jenkins.pyrocufflink.blue/generic-webhook-trigger/invoke" +coalesce = true + +[[watch.on_update.headers]] +name = 'Token' +value_file = '/run/secrets/updatecheck/token' 
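Review bot: The new CronJob image `git.pyrocufflink.net/infra/updatecheck` is referenced in jenkins/updatecheck.yaml without a tag or digest, and the `images:` list visible as context at the end of the second jenkins/kustomization.yaml hunk shows only the docker.io/jenkins/jenkins entry. Unpinned, the reference resolves to `latest`, so whatever is published to that repository next is what runs with the webhook token mounted. An entry such as `- name: git.pyrocufflink.net/infra/updatecheck` with `digest: sha256:<digest-of-reviewed-build>` would pin it the same way the Jenkins image is pinned by `newTag`. The `images:` list continues past the end of the hunk, so an entry outside the visible lines cannot be ruled out.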
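Review bot: In jenkins/updatecheck.toml the two absolute paths are silently coupled to the CronJob manifest. `dir = "/var/lib/updatecheck"` has to match the `data` volume's mountPath, and `value_file` has to match the `secrets` mountPath plus the `path: token` item in jenkins/updatecheck.yaml. A comment above each would make that explicit, for example `# token is mounted from the webhook-trigger Secret by the CronJob; this file is published as a ConfigMap, so keep the value out of it`. The Secret name suggests the token may be shared with other webhook callers; if that is the case, a token dedicated to this job would let it be rotated or revoked independently.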
diff --git a/jenkins/updatecheck.yaml b/jenkins/updatecheck.yaml
new file mode 100644
index 0000000..3922576
--- /dev/null
+++ b/jenkins/updatecheck.yaml
@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: updatecheck
+ namespace: jenkins
+ labels:
+ app.kubernetes.io/name: updatecheck
+ app.kubernetes.io/component: updatecheck
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 300Mi
+
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: updatecheck
+ namespace: jenkins
+ labels: &labels
+ app.kubernetes.io/name: updatecheck
+ app.kubernetes.io/component: updatecheck
+spec:
+ schedule: >-
+ 22 */4 * * *
+ concurrencyPolicy: Forbid
+ jobTemplate:
+ metadata:
+ labels: *labels
+ spec:
+ template:
+ metadata:
+ labels: *labels
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: updatecheck
+ image: git.pyrocufflink.net/infra/updatecheck
+ args:
+ - /etc/updatecheck/config.toml
+ env:
+ - name: RUST_LOG
+ value: updatecheck=debug,info
+ securityContext:
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /etc/updatecheck
+ name: config
+ - mountPath: /run/secrets/updatecheck
+ name: secrets
+ readOnly: true
+ - mountPath: /var/lib/updatecheck
+ name: data
+ securityContext:
+ runAsUser: 21470
+ runAsGroup: 21470
+ fsGroup: 21470
+ runAsNonRoot: true
+ volumes:
+ - name: config
+ configMap:
+ name: updatecheck
+ - name: data
+ persistentVolumeClaim:
+ claimName: updatecheck
+ - name: secrets
+ secret:
+ secretName: webhook-trigger
+ items:
+ - key: text
+ path: token
+ mode: 0440
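Review bot: The updatecheck container in jenkins/updatecheck.yaml sets only `readOnlyRootFilesystem: true`, so privilege escalation, the default capability set and the seccomp profile are all left at their defaults even though the pod already runs as a non-root UID. The pod also gets the namespace's default service-account token mounted, and nothing in the config shown suggests the job calls the Kubernetes API. The fence below adds the missing fields; as far as the visible fields go, they would bring the pod in line with the Pod Security "restricted" profile. Separately, `RUST_LOG` turns on debug output for the tool that sends the `Token` header, so it is worth confirming that request headers never reach the job log.

```yaml
          restartPolicy: Never
          automountServiceAccountToken: false
          # … unchanged: containers[0] name, image, args, env …
            securityContext:
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
              capabilities:
                drop:
                - ALL
          # … unchanged: volumeMounts …
          securityContext:
            # … unchanged: runAsUser, runAsGroup, fsGroup, runAsNonRoot …
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: volumes …
```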