chore(lab): experimental Jenkins CI lab (Helm + JCasC seed)

- Bootstraps local Jenkins on Kind/Minikube
- Seeds pipelines via Job DSL. mirroring existent GitHub actions checks

Author: DanielBlei

jenkins/README.md

@@ -0,0 +1,105 @@
+
+# Jenkins CI/CD Lab for Pipeline-Forge
+
+This directory contains a local Jenkins setup for experimenting with CI/CD Jenkins pipelines for the Pipeline-Forge project.
+
+## Overview
+
+This lab environment provides a quick way to spin up Jenkins locally using Kubernetes (kind or minikube) and configure it with Jenkins Configuration as Code (JCasc).
+
+The goal is to test and develop CI/CD pipelines for Pipeline-Forge components, evaluating Jenkins solutions and features.
+
+## Quick Start
+
+### Prerequisites
+
+- `kubectl`
+- `helm`
+- `docker`
+- Either `kind` or `minikube`
+
+### Installation
+
+Run the bootstrap script to create a local Jenkins instance:
+
+```bash
+# Kind by default
+./bootstrap_jenkins.sh
+
+# or specify minikube
+./bootstrap_jenkins.sh minikube
+```
+
+The script will:
+1. Create a local Kubernetes cluster
+2. Set up the `jenkins` namespace with required RBAC and storage
+3. Install Jenkins via Helm with JCasc configuration
+4. Wait for Jenkins to be ready
+
+
+After the installation completes:
+
+1. **Port forward to Jenkins:**
+   ```bash
+   kubectl port-forward svc/jenkins -n jenkins 8080:8080
+   ```
+
+2. **Get the admin password:**
+   ```bash
+   kubectl get secret -n jenkins jenkins -o jsonpath={.data.jenkins-admin-password} | base64 --decode
+   ```
+
+## Bootstrapping Pipelines
+
+**⚠️ Important:** After Jenkins is installed, you need to manually run the seed job to bootstrap all pipelines.
+
+**Steps:**
+1. Navigate to Jenkins UI
+2. Locate and run the seed job (configured via JCasc)
+3. This will create all Pipeline-Forge CI/CD pipelines (work in progress)
+
+
+## Cleanup
+
+Delete the local Jenkins cluster:
+```bash
+kind delete cluster --name jenkins
+# or
+minikube delete -p jenkins-control-plane
+```
+
+## Lab Implementation Notes
+
+Compared to the [upstream Jenkins Helm chart defaults](https://raw.githubusercontent.com/jenkinsci/helm-charts/main/charts/jenkins/values.yaml), this lab includes:
+
+**Seed Job via JCasC**
+A seed pipeline job is defined via Jenkins Configuration as Code
+- The seed job pulls the Pipeline-Forge repository and bootstraps Jenkins CI pipelines from repository-managed definitions
+
+**Two-Step Bootstrap (Intentional Design)**
+- Jenkins installation and CI/CD pipeline creation are deliberately separated
+- Keeps bootstrap logs clean and avoids hiding configuration issues
+- Allows you to debug seed job errors without re-running the entire cluster setup
+- Enables independent iteration on CI/CD pipeline definitions
+
+**CI-Focused Plugin Set**
+- Additional plugins for multibranch pipelines, GitHub integration, Job DSL, Kubernetes agents, and JCasC
+
+**Job DSL Script Security**
+- Script security for Job DSL is disabled via init script to allow seed job execution without needing manual approval
+- Can be manually re-enabled in Jenkins UI (Manage Jenkins → Configure System → Job DSL) after the initial seed job completes if required
+
+**Local-First Defaults**
+- Jenkins URL: `http://localhost:8080`
+- Access via port-forwarding with no external service
+
+**Configuration**
+
+Override values are defined in `values.lab.yaml`.
+
+**Note:** Plugin versions are intentionally unpinned for this development environment to always pull the latest versions.
+
+### References
+
+- [Installing Jenkins on Kubernetes](https://www.jenkins.io/doc/book/installing/kubernetes/#install-jenkins)
+- [Jenkins Helm Chart Default Values](https://raw.githubusercontent.com/jenkinsci/helm-charts/main/charts/jenkins/values.yaml)

jenkins/bootstrap_jenkins.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+K8S_RUNTIME=${1:-kind}
+ROLLOUT_TIMEOUT=5m
+NAMESPACE=jenkins
+RELEASE_CHART=jenkins
+
+function apply_k8s_resources() {
+  echo "Creating Kubernetes resources (Service Account, RBAC, PV, PVC)..."
+  kubectl create ns "$NAMESPACE"
+  kubectl apply -n "$NAMESPACE" -f k8s/jenkins-serviceAccount-and-rbac.yaml
+  kubectl apply -n "$NAMESPACE" -f k8s/jenkins-volume.yaml
+}
+
+function helm_install() {
+    echo "Installing Jenkins via Helm..."
+    helm repo add jenkinsci https://charts.jenkins.io > /dev/null
+    helm repo update >/dev/null
+    helm install "$RELEASE_CHART" -n "$NAMESPACE" -f values.lab.yaml jenkinsci/jenkins
+}
+
+function  wait_rollout() {
+  echo "Waiting for rollout to complete..."
+  if ! kubectl rollout status statefulset/jenkins -n "$NAMESPACE" --timeout=$ROLLOUT_TIMEOUT; then
+    echo "Rollout timed out, double check the pod/container logs and events for more details." >&2
+    exit 1
+  fi
+}
+
+function main() {
+  if [[ $K8S_RUNTIME == "kind" ]]; then
+    kind create cluster --name jenkins # suffix -control-plane is added by kind
+  elif [[ $K8S_RUNTIME == "minikube" ]]; then
+    minikube start -p jenkins-control-plane
+  else
+    echo "Unknown runtime: $K8S_RUNTIME"
+    exit 1
+  fi
+
+  apply_k8s_resources
+  helm_install
+  wait_rollout
+
+  printf '\033[1;32m%s\033[0m\n\n' '✔ Jenkins is ready!'
+  # shellcheck disable=SC1083
+  echo -e "admin password: $(kubectl get secret -n "jenkins" jenkins -o jsonpath={.data.jenkins-admin-password} | base64 --decode)\n"
+  echo "Run 'kubectl port-forward svc/jenkins -n \"$NAMESPACE\" 8080:8080' and access Jenkins UI on localhost:8080"
+}
+
+main "$@"

jenkins/ci/ingest-test.Jenkinsfile

@@ -0,0 +1,173 @@
+pipeline {
+  agent {
+    kubernetes {
+      label 'buildah-pr'
+      defaultContainer 'tools'
+      yaml """
+        apiVersion: v1
+        kind: Pod
+        metadata:
+          labels:
+            app: jenkins-buildah
+        spec:
+          serviceAccountName: jenkins
+          restartPolicy: Never
+          containers:
+            - name: tools
+              image: quay.io/containers/podman:latest
+              command:
+                - cat
+              tty: true
+              env:
+                - name: XDG_RUNTIME_DIR
+                  value: /home/jenkins/.xdg
+                - name: TMPDIR
+                  value: /home/jenkins/.tmp
+                - name: BUILDAH_ISOLATION
+                  value: chroot
+"""
+    }
+  }
+
+  options {
+    timeout(time: 30, unit: 'MINUTES')
+    timestamps()
+    disableConcurrentBuilds()
+    buildDiscarder(logRotator(numToKeepStr: '10'))
+  }
+
+  environment {
+    IMAGE_TAG = "quay.io/danielblei/pipeline-forge/ingest:ci-${env.GIT_COMMIT}"
+    WORKDIR = 'workloads/ingest'
+  }
+
+  stages {
+    stage('Checkout') {
+      steps {
+        checkout scmGit(
+          branches: scm.branches,
+          extensions: [cloneOption(shallow: true, depth: 1)],
+          userRemoteConfigs: scm.userRemoteConfigs
+        )
+      }
+    }
+
+    stage('Sanity: tools present') {
+      steps {
+        container('tools') {
+          sh '''
+            set -euxo pipefail
+            podman --version
+            buildah --version
+          '''
+        }
+      }
+    }
+
+    stage('Setup Python Environment') {
+      steps {
+        dir("${env.WORKDIR}") {
+          sh '''
+            curl -LsSf https://astral.sh/uv/install.sh | sh
+            export PATH="$HOME/.local/bin:$PATH"
+            ls -la pyproject.toml
+            uv venv
+            uv sync --frozen
+            uv pip install -e . --no-deps
+          '''
+        }
+      }
+    }
+
+    stage('Quality Checks') {
+      parallel {
+        stage('Ruff Linter') {
+          steps {
+            dir("${env.WORKDIR}") {
+              sh '''
+                export PATH="$HOME/.local/bin:$PATH"
+                uv run ruff check .
+              '''
+            }
+          }
+        }
+        stage('Ruff Format Check') {
+          steps {
+            dir("${env.WORKDIR}") {
+              sh '''
+                export PATH="$HOME/.local/bin:$PATH"
+                uv run ruff format --check .
+              '''
+            }
+          }
+        }
+        stage('Type Check (mypy)') {
+          steps {
+            dir("${env.WORKDIR}") {
+              sh '''
+                export PATH="$HOME/.local/bin:$PATH"
+                uv run mypy .
+              '''
+            }
+          }
+        }
+      }
+    }
+
+    stage('Run Tests') {
+      steps {
+        dir("${env.WORKDIR}") {
+          catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') {
+            sh '''
+              export PATH="$HOME/.local/bin:$PATH"
+              uv run pytest . -v --junitxml=test-results.xml
+            '''
+          }
+        }
+      }
+      post {
+        always {
+          junit allowEmptyResults: true, testResults: "${env.WORKDIR}/test-results.xml"
+          archiveArtifacts artifacts: "${env.WORKDIR}/test-results.xml", allowEmptyArchive: true
+        }
+      }
+    }
+
+    stage('Build OCI Image (Buildah)') {
+      steps {
+        dir("${env.WORKDIR}") {
+          container('tools') {
+            sh '''
+              set -euxo pipefail
+              mkdir -p "$XDG_RUNTIME_DIR" "$TMPDIR"
+              buildah bud --layers -t "${IMAGE_TAG}" .
+            '''
+          }
+        }
+      }
+    }
+
+    stage('Smoke Test (Podman)') {
+      steps {
+        container('tools') {
+          sh '''
+            set -euxo pipefail
+            mkdir -p "$XDG_RUNTIME_DIR" "$TMPDIR"
+            podman run --rm "${IMAGE_TAG}" ingest --help
+          '''
+        }
+      }
+    }
+  }
+
+  post {
+    cleanup {
+      container('tools') {
+        sh '''
+          podman rmi -f "${IMAGE_TAG}" 2>/dev/null || true
+          buildah rmi -f "${IMAGE_TAG}" 2>/dev/null || true
+        '''
+      }
+    }
+  }
+}

jenkins/ci/operator-e2e-test.Jenkinsfile

@@ -0,0 +1,10 @@
+pipeline {
+  agent any
+  stages {
+    stage('Placeholder') {
+      steps {
+        echo 'Work in progress — please check ingest-test'
+      }
+    }
+  }
+}

jenkins/ci/operator-test.Jenkinsfile

@@ -0,0 +1,10 @@
+pipeline {
+  agent any
+  stages {
+    stage('Placeholder') {
+      steps {
+        echo 'Work in progress — please check ingest-test'
+      }
+    }
+  }
+}

jenkins/ci/trigger-test.Jenkinsfile

@@ -0,0 +1,10 @@
+pipeline {
+  agent any
+  stages {
+    stage('Placeholder') {
+      steps {
+        echo 'Work in progress — please check ingest-test'
+      }
+    }
+  }
+}

jenkins/job-dsl/seed.Jenkinsfile

@@ -0,0 +1,28 @@
+pipeline {
+  agent any
+
+  options {
+    timeout(time: 10, unit: 'MINUTES')
+  }
+
+  stages {
+    stage('Checkout') {
+      steps {
+        checkout scmGit(
+          branches: scm.branches,
+          extensions: [cloneOption(shallow: true, depth: 1, noTags: true)],
+          userRemoteConfigs: scm.userRemoteConfigs
+        )
+      }
+    }
+
+    stage('Generate jobs') {
+      steps {
+        jobDsl targets: 'jenkins/job-dsl/*.groovy',
+               removedJobAction: 'DELETE',
+               removedViewAction: 'DELETE',
+               lookupStrategy: 'JENKINS_ROOT'
+      }
+    }
+  }
+}