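---
# Jenkins controller deployment.
#
# Resources, in order:
#   - Namespace `jenkins`       holds the controller itself
#   - Namespace `jenkins-jobs`  holds the pods the controller launches
#   - ServiceAccount, PVC, Service, StatefulSet and Ingress in `jenkins`
#   - Role and RoleBinding in `jenkins-jobs`, bound to the controller's
#     ServiceAccount
apiVersion: v1
kind: Namespace
metadata:
  name: jenkins

---
# Separate namespace for build workloads, so that the controller's API
# permissions (see the Role below) do not extend to its own namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: jenkins-jobs

---
# Identity the controller pod runs as; referenced by the RoleBinding below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: jenkins

---
# Storage for /var/jenkins_home (mounted by the StatefulSet below).
# No storageClassName is set, so the cluster's default class applies.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jenkins
  namespace: jenkins
  labels:
    app.kubernetes.io/name: jenkins
    app.kubernetes.io/component: master
    app.kubernetes.io/instance: jenkins
    app.kubernetes.io/part-of: jenkins
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi

---
# Permissions the controller holds inside `jenkins-jobs` only.
#
# NOTE(review): `verbs: ['*']` grants every verb (including
# deletecollection) on pods, pods/exec and persistentvolumeclaims.
# Together with pod creation, pods/exec means anything that can drive this
# ServiceAccount can run commands in any pod of this namespace, so keep
# unrelated workloads and secrets out of `jenkins-jobs`. Consider replacing
# the wildcard with the explicit verbs the agent provisioning actually
# uses, once confirmed against the plugin in use.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: jenkins
  namespace: jenkins-jobs
rules:
  - apiGroups:
      - ''
    resources:
      - persistentvolumeclaims
      - pods
      - pods/exec
    verbs:
      - '*'

---
# Binds the Role above to the ServiceAccount from the `jenkins` namespace
# (cross-namespace subject).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
  namespace: jenkins-jobs
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: jenkins

---
# Cluster-internal Service; also serves as the StatefulSet's serviceName.
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: master
    app.kubernetes.io/name: jenkins
    app.kubernetes.io/instance: jenkins
    app.kubernetes.io/part-of: jenkins
  name: jenkins
  namespace: jenkins
spec:
  ports:
    - name: http
      port: 8080
    # Presumably the inbound-agent listener; it is reachable from any pod
    # in the cluster unless a NetworkPolicy restricts it (none is defined
    # in this file).
    - name: jnlp
      port: 40414
  selector:
    app.kubernetes.io/component: master
    app.kubernetes.io/name: jenkins
    app.kubernetes.io/instance: jenkins
  type: ClusterIP

---
# The controller itself. `replicas` is omitted, so a single pod runs; it
# mounts the pre-created PVC rather than using volumeClaimTemplates.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: jenkins
  namespace: jenkins
  labels:
    app.kubernetes.io/name: jenkins
    app.kubernetes.io/component: master
    app.kubernetes.io/instance: jenkins
    app.kubernetes.io/part-of: jenkins
spec:
  serviceName: jenkins
  selector:
    matchLabels:
      app.kubernetes.io/name: jenkins
      app.kubernetes.io/component: master
      app.kubernetes.io/instance: jenkins
  template:
    metadata:
      annotations:
        # Asks CRI-O to skip recursive SELinux relabeling of the volume;
        # this relies on the fixed MCS level set on the container below.
        io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: 'true'
      labels:
        app.kubernetes.io/name: jenkins
        app.kubernetes.io/component: master
        app.kubernetes.io/instance: jenkins
    spec:
      containers:
        - name: jenkins
          # NOTE(review): the image is referenced by mutable tag and, with
          # IfNotPresent, whatever a node already has cached under that tag
          # is used. Pinning by digest would make the running image
          # verifiable.
          image: docker.io/jenkins/jenkins:2.401.3-lts
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8080
            - name: jnlp
              containerPort: 40414
          securityContext:
            # The process already runs as UID 1000 (pod securityContext),
            # so it needs neither setuid escalation nor capabilities.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seLinuxOptions:
              # Fixed MCS categories so the label on the volume contents
              # stays valid across pod restarts.
              level: s0:c525,c600
          volumeMounts:
            - name: jenkins-data
              mountPath: /var/jenkins_home
      securityContext:
        runAsUser: 1000
        # Have the kubelet refuse to start the container as root even if
        # runAsUser is later removed or the image's user changes.
        runAsNonRoot: true
        fsGroup: 1000
        # Only chown the volume when its root does not already match.
        fsGroupChangePolicy: OnRootMismatch
      # The ServiceAccount token is mounted by default; the controller
      # presumably uses it for the API access granted in `jenkins-jobs`.
      serviceAccountName: jenkins
      volumes:
        - name: jenkins-data
          persistentVolumeClaim:
            claimName: jenkins

---
# Exposes the HTTP port only; the jnlp port is not published here.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jenkins
  namespace: jenkins
spec:
  ingressClassName: nginx
  rules:
    - host: jenkins.pyrocufflink.blue
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: jenkins
                port:
                  name: http
  tls:
    # NOTE(review): no secretName is given, so the certificate served for
    # this host is presumably the ingress controller's default one.
    # Confirm that the default certificate is valid for this hostname.
    - hosts:
        - jenkins.pyrocufflink.blue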