feat: jenkins ArgoCD Application — points to helm/jenkins chart

Reviewed-on: #5

apps/nginx-canary/application.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nginx-canary
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/k3s-gitops
+    path: apps/nginx-canary
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: nginx-canary
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

apps/nginx-canary/certificate.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nginx-canary-tls
+  namespace: nginx-canary
+spec:
+  secretName: nginx-canary-tls
+  issuerRef:
+    name: letsencrypt-http
+    kind: ClusterIssuer
+  dnsNames:
+    - nginx-canary.thedevops.dev

apps/nginx-canary/configmap.yaml

@@ -0,0 +1,180 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-canary-html
+  namespace: nginx-canary
+data:
+  index.html: |
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+      <meta charset="UTF-8">
+      <meta name="viewport" content="width=device-width, initial-scale=1.0">
+      <title>Hello from MCP v2 — Canary</title>
+      <style>
+        * { margin: 0; padding: 0; box-sizing: border-box; }
+        body {
+          font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
+          background: linear-gradient(135deg, #1a0a00, #3d1f00, #1a0a00);
+          min-height: 100vh;
+          display: flex;
+          align-items: center;
+          justify-content: center;
+          color: #fff;
+        }
+        .card {
+          background: rgba(255,200,0,0.08);
+          backdrop-filter: blur(12px);
+          border: 1px solid rgba(255,200,0,0.3);
+          border-radius: 20px;
+          padding: 60px 80px;
+          text-align: center;
+          box-shadow: 0 25px 50px rgba(0,0,0,0.5), 0 0 60px rgba(255,180,0,0.08);
+          max-width: 650px;
+          width: 90%;
+        }
+        .badge {
+          display: inline-block;
+          background: linear-gradient(90deg, #f59e0b, #d97706);
+          color: #000;
+          font-size: 0.75rem;
+          font-weight: 800;
+          letter-spacing: 2px;
+          text-transform: uppercase;
+          padding: 6px 18px;
+          border-radius: 20px;
+          margin-bottom: 10px;
+        }
+        .version-badge {
+          display: inline-block;
+          background: rgba(245,158,11,0.2);
+          border: 1px solid rgba(245,158,11,0.5);
+          color: #fbbf24;
+          font-size: 0.7rem;
+          font-weight: 700;
+          letter-spacing: 2px;
+          text-transform: uppercase;
+          padding: 4px 14px;
+          border-radius: 20px;
+          margin-bottom: 30px;
+        }
+        h1 {
+          font-size: 3rem;
+          font-weight: 800;
+          background: linear-gradient(90deg, #fbbf24, #f59e0b);
+          -webkit-background-clip: text;
+          -webkit-text-fill-color: transparent;
+          margin-bottom: 10px;
+        }
+        .subtitle { color: #d97706; font-size: 1rem; margin-bottom: 20px; }
+        .canary-warning {
+          background: rgba(245,158,11,0.15);
+          border: 1px solid rgba(245,158,11,0.4);
+          border-radius: 8px;
+          padding: 10px 20px;
+          font-size: 0.85rem;
+          color: #fbbf24;
+          margin-bottom: 25px;
+          font-weight: 600;
+        }
+        .ip-box {
+          background: rgba(0,0,0,0.35);
+          border: 1px solid rgba(245,158,11,0.5);
+          border-radius: 12px;
+          padding: 20px 30px;
+          margin-bottom: 20px;
+        }
+        .ip-label {
+          font-size: 0.7rem;
+          letter-spacing: 2px;
+          text-transform: uppercase;
+          color: #b45309;
+          margin-bottom: 8px;
+        }
+        .ip-value {
+          font-size: 1.8rem;
+          font-weight: 700;
+          font-family: 'Courier New', monospace;
+          color: #fbbf24;
+          letter-spacing: 3px;
+        }
+        .info-grid {
+          display: grid;
+          grid-template-columns: 1fr 1fr;
+          gap: 12px;
+          margin-bottom: 20px;
+        }
+        .info-box {
+          background: rgba(0,0,0,0.35);
+          border: 1px solid rgba(245,158,11,0.3);
+          border-radius: 10px;
+          padding: 12px 16px;
+          text-align: left;
+        }
+        .info-label {
+          font-size: 0.65rem;
+          letter-spacing: 2px;
+          text-transform: uppercase;
+          color: #b45309;
+          margin-bottom: 4px;
+        }
+        .info-value {
+          font-size: 0.95rem;
+          font-weight: 700;
+          font-family: 'Courier New', monospace;
+          color: #fbbf24;
+        }
+        .footer { font-size: 0.78rem; color: #78350f; margin-top: 10px; }
+      </style>
+    </head>
+    <body>
+      <div class="card">
+        <div class="badge">&#128036; Canary Release</div><br>
+        <div class="version-badge">v2.0.0</div>
+        <h1>Hello from MCP v2</h1>
+        <p class="subtitle">Canary deployment — receiving experimental traffic</p>
+        <div class="canary-warning">&#9888; This is a CANARY build — not yet promoted to stable</div>
+        <div class="ip-box">
+          <div class="ip-label">Your IP Address</div>
+          <div class="ip-value" id="ip">Detecting...</div>
+        </div>
+        <div class="info-grid">
+          <div class="info-box">
+            <div class="info-label">Track</div>
+            <div class="info-value">canary</div>
+          </div>
+          <div class="info-box">
+            <div class="info-label">Version</div>
+            <div class="info-value">v2.0.0</div>
+          </div>
+          <div class="info-box">
+            <div class="info-label">Image</div>
+            <div class="info-value">nginx:1.25-alpine</div>
+          </div>
+          <div class="info-box">
+            <div class="info-label">Replicas</div>
+            <div class="info-value">2</div>
+          </div>
+        </div>
+        <div class="footer">nginx-canary &middot; thedevops.dev &middot; ArgoCD + Traefik + MCP</div>
+      </div>
+      <script>
+        fetch('https://api.ipify.org?format=json')
+          .then(r => r.json())
+          .then(d => { document.getElementById('ip').textContent = d.ip; })
+          .catch(() => { document.getElementById('ip').textContent = window.location.hostname; });
+      </script>
+    </body>
+    </html>
+  nginx.conf: |
+    server {
+      listen 80;
+      server_name _;
+      root /usr/share/nginx/html;
+      index index.html;
+      add_header X-Version "v2.0.0" always;
+      add_header X-Track "canary" always;
+      location / {
+        try_files $uri $uri/ =404;
+      }
+    }

apps/nginx-canary/deployment.yaml

@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-canary
+  namespace: nginx-canary
+  labels:
+    app: nginx-canary
+    track: canary
+    version: v2.0.0
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: nginx-canary
+  template:
+    metadata:
+      labels:
+        app: nginx-canary
+        track: canary
+        version: v2.0.0
+    spec:
+      containers:
+        - name: nginx
+          image: nginx:1.25-alpine
+          ports:
+            - containerPort: 80
+          volumeMounts:
+            - name: html
+              mountPath: /usr/share/nginx/html/index.html
+              subPath: index.html
+            - name: html
+              mountPath: /etc/nginx/conf.d/default.conf
+              subPath: nginx.conf
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 80
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 80
+            initialDelaySeconds: 10
+            periodSeconds: 20
+      volumes:
+        - name: html
+          configMap:
+            name: nginx-canary-html

apps/nginx-canary/ingressroute.yaml

@@ -0,0 +1,37 @@
+---
+# Direct HTTPS access to canary app at nginx-canary.thedevops.dev
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-canary-direct
+  namespace: nginx-canary
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`nginx-canary.thedevops.dev`)
+      kind: Rule
+      services:
+        - name: nginx-canary
+          port: 80
+  tls:
+    secretName: nginx-canary-tls
+---
+# HTTP redirect for nginx-canary.thedevops.dev
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-canary-direct-http
+  namespace: nginx-canary
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`nginx-canary.thedevops.dev`)
+      kind: Rule
+      middlewares:
+        - name: redirect-https
+          namespace: nginx-mcp
+      services:
+        - name: nginx-canary
+          port: 80

apps/nginx-canary/namespace.yaml

@@ -4,3 +4,4 @@ metadata:
   name: nginx-canary
   labels:
     track: canary
+    managed-by: argocd

apps/nginx-canary/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-canary
+  namespace: nginx-canary
+  labels:
+    app: nginx-canary
+    track: canary
+spec:
+  selector:
+    app: nginx-canary
+  ports:
+    - name: http
+      port: 80
+      targetPort: 80
+  type: ClusterIP

apps/nginx-mcp/configmap.yaml

@@ -10,7 +10,7 @@ data:
     <head>
       <meta charset="UTF-8">
       <meta name="viewport" content="width=device-width, initial-scale=1.0">
-      <title>Hello from MCP - v1 Stable</title>
+      <title>Hello from MCP — v1 Stable</title>
       <style>
         * { margin: 0; padding: 0; box-sizing: border-box; }
         body {
@@ -74,9 +74,21 @@ data:
           padding: 20px 30px;
           margin-bottom: 30px;
         }
-        .ip-label { font-size: 0.7rem; letter-spacing: 2px; text-transform: uppercase; color: #64748b; margin-bottom: 8px; }
+        .ip-label {
-        .ip-value { font-size: 1.8rem; font-weight: 700; font-family: 'Courier New', monospace; color: #a78bfa; letter-spacing: 3px; }
+          font-size: 0.7rem;
-        .footer { font-size: 0.78rem; color: #475569; }
+          letter-spacing: 2px;
+          text-transform: uppercase;
+          color: #64748b;
+          margin-bottom: 8px;
+        }
+        .ip-value {
+          font-size: 1.8rem;
+          font-weight: 700;
+          font-family: 'Courier New', monospace;
+          color: #a78bfa;
+          letter-spacing: 3px;
+        }
+        .footer { font-size: 0.78rem; color: #475569; margin-top: 10px; }
       </style>
     </head>
     <body>

apps/nginx-mcp/namespace.yaml

@@ -4,3 +4,4 @@ metadata:
   name: nginx-mcp
   labels:
     track: stable
+    managed-by: argocd

apps/nginx-weighted/application.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nginx-weighted
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/k3s-gitops
+    path: apps/nginx-weighted
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: nginx-mcp
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

apps/nginx-weighted/canary-proxy-svc.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-canary-proxy
+  namespace: nginx-mcp
+  labels:
+    app: nginx-canary-proxy
+  annotations:
+    description: >
+      ExternalName proxy required because Traefik v3 does not allow
+      cross-namespace service references inside TraefikService weighted config.
+      This service bridges nginx-mcp namespace → nginx-canary namespace.
+spec:
+  type: ExternalName
+  externalName: nginx-canary.nginx-canary.svc.cluster.local
+  ports:
+    - port: 80
+      targetPort: 80

apps/nginx-weighted/certificate-stable.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nginx-stable-tls
+  namespace: nginx-mcp
+spec:
+  secretName: nginx-stable-tls
+  issuerRef:
+    name: letsencrypt-http
+    kind: ClusterIssuer
+  dnsNames:
+    - nginx-stable.thedevops.dev

apps/nginx-weighted/certificate.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nginx-weighted-tls
+  namespace: nginx-mcp
+spec:
+  secretName: nginx-weighted-tls
+  issuerRef:
+    name: letsencrypt-http
+    kind: ClusterIssuer
+  dnsNames:
+    - nginx.thedevops.dev

apps/nginx-weighted/ingressroute-stable.yaml

@@ -0,0 +1,37 @@
+---
+# Direct HTTPS access to stable app at nginx-stable.thedevops.dev
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-stable-direct
+  namespace: nginx-mcp
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`nginx-stable.thedevops.dev`)
+      kind: Rule
+      services:
+        - name: nginx-mcp
+          port: 80
+  tls:
+    secretName: nginx-stable-tls
+---
+# HTTP redirect for nginx-stable.thedevops.dev
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-stable-direct-http
+  namespace: nginx-mcp
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`nginx-stable.thedevops.dev`)
+      kind: Rule
+      middlewares:
+        - name: redirect-https
+          namespace: nginx-mcp
+      services:
+        - name: nginx-mcp
+          port: 80

apps/nginx-weighted/ingressroute.yaml

@@ -0,0 +1,38 @@
+---
+# HTTPS entrypoint — routes nginx.thedevops.dev through weighted TraefikService
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-weighted
+  namespace: nginx-mcp
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`nginx.thedevops.dev`)
+      kind: Rule
+      services:
+        - name: nginx-weighted
+          namespace: nginx-mcp
+          kind: TraefikService
+  tls:
+    secretName: nginx-weighted-tls
+---
+# HTTP entrypoint — redirects all HTTP traffic to HTTPS via middleware
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-weighted-http
+  namespace: nginx-mcp
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`nginx.thedevops.dev`)
+      kind: Rule
+      middlewares:
+        - name: redirect-https
+          namespace: nginx-mcp
+      services:
+        - name: nginx-mcp
+          port: 80

apps/nginx-weighted/middleware.yaml

@@ -0,0 +1,9 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+  namespace: nginx-mcp
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true

apps/nginx-weighted/traefikservice.yaml

@@ -0,0 +1,25 @@
+---
+# TraefikService — weighted load balancer between stable and canary.
+# THIS IS THE ONLY FILE YOU NEED TO EDIT to shift traffic weights.
+#
+# Weight scenarios:
+#   Initial canary test    → stable: 90  canary: 10
+#   Extended testing       → stable: 50  canary: 50
+#   Full promote to canary → stable:  0  canary: 100
+#   Emergency rollback     → stable: 100 canary:  0
+apiVersion: traefik.io/v1alpha1
+kind: TraefikService
+metadata:
+  name: nginx-weighted
+  namespace: nginx-mcp
+spec:
+  weighted:
+    services:
+      - name: nginx-mcp
+        namespace: nginx-mcp
+        port: 80
+        weight: 90
+      - name: nginx-canary-proxy
+        namespace: nginx-mcp
+        port: 80
+        weight: 10

helm/jenkins/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: jenkins
+description: Jenkins CI/CD — Helm chart for thedevops.dev cluster
+type: application
+version: 0.1.0
+appVersion: "lts-jdk17"
+keywords:
+  - jenkins
+  - ci
+  - cd
+maintainers:
+  - name: admin
+    url: https://thedevops.dev

helm/jenkins/argocd-application.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: jenkins
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: http://gitea-http.gitea.svc.cluster.local:3000/admin/k3s-gitops
+    path: helm/jenkins          # Helm chart directory
+    targetRevision: HEAD
+    helm:
+      valueFiles:
+        - values.yaml           # default values
+      # To override per-environment add values here:
+      # values: |
+      #   replicaCount: 2
+      #   persistence:
+      #     size: 50Gi
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: jenkins
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

helm/jenkins/templates/_helpers.tpl

@@ -0,0 +1,43 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "jenkins.name" -}}
+{{- .Chart.Name }}
+{{- end }}
+
+{{/*
+Full name: release + chart name (trimmed to 63 chars)
+*/}}
+{{- define "jenkins.fullname" -}}
+{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels applied to all resources
+*/}}
+{{- define "jenkins.labels" -}}
+helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+app.kubernetes.io/name: {{ include "jenkins.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels used in Deployment + Service matchLabels
+*/}}
+{{- define "jenkins.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "jenkins.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+ServiceAccount name
+*/}}
+{{- define "jenkins.serviceAccountName" -}}
+{{- if .Values.rbac.enabled }}
+{{- .Values.rbac.serviceAccountName }}
+{{- else }}
+default
+{{- end }}
+{{- end }}

helm/jenkins/templates/deployment.yaml

@@ -0,0 +1,100 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "jenkins.name" . }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "jenkins.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "jenkins.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "jenkins.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "jenkins.serviceAccountName" . }}
+      securityContext:
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+      initContainers:
+        {{- if .Values.initContainers.installDocker.enabled }}
+        - name: install-docker
+          image: {{ .Values.initContainers.installDocker.image }}
+          command:
+            - sh
+            - -c
+            - |
+              echo "Installing Docker CLI..."
+              cp /usr/local/bin/docker /tmp/tools-bin/
+              chmod +x /tmp/tools-bin/docker
+              echo "Docker CLI installed"
+          volumeMounts:
+            - name: tools-bin
+              mountPath: /tmp/tools-bin
+        {{- end }}
+        {{- if .Values.initContainers.installKubectl.enabled }}
+        - name: install-kubectl
+          image: {{ .Values.initContainers.installKubectl.image }}
+          command:
+            - sh
+            - -c
+            - |
+              echo "Installing kubectl {{ .Values.initContainers.installKubectl.kubectlVersion }}..."
+              wget -q -O /tmp/tools-bin/kubectl \
+                "https://dl.k8s.io/release/{{ .Values.initContainers.installKubectl.kubectlVersion }}/bin/linux/amd64/kubectl"
+              chmod +x /tmp/tools-bin/kubectl
+              echo "kubectl installed"
+          volumeMounts:
+            - name: tools-bin
+              mountPath: /tmp/tools-bin
+        {{- end }}
+      containers:
+        - name: {{ include "jenkins.name" . }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.httpPort }}
+            - name: agent
+              containerPort: {{ .Values.service.agentPort }}
+          env:
+            {{- toYaml .Values.extraEnv | nindent 12 }}
+            {{- if .Values.containerd.enabled }}
+            - name: DOCKER_HOST
+              value: "unix:///var/run/containerd.sock"
+            {{- end }}
+          command:
+            - sh
+            - -c
+            - |
+              export PATH="/tmp/tools-bin:$PATH"
+              exec /usr/local/bin/jenkins.sh
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: jenkins-home
+              mountPath: /var/jenkins_home
+            {{- if .Values.containerd.enabled }}
+            - name: docker-sock
+              mountPath: /var/run/containerd.sock
+            {{- end }}
+            - name: tools-bin
+              mountPath: /tmp/tools-bin
+      volumes:
+        - name: jenkins-home
+          {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.claimName }}
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+        {{- if .Values.containerd.enabled }}
+        - name: docker-sock
+          hostPath:
+            path: {{ .Values.containerd.socketPath }}
+            type: Socket
+        {{- end }}
+        - name: tools-bin
+          emptyDir: {}

helm/jenkins/templates/ingress.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "jenkins.name" . }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "jenkins.labels" . | nindent 4 }}
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.certIssuer }}
+spec:
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Values.ingress.tlsSecretName }}
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "jenkins.name" . }}
+                port:
+                  number: {{ .Values.service.httpPort }}
+{{- end }}

helm/jenkins/templates/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.namespace }}
+  labels:
+    {{- include "jenkins.labels" . | nindent 4 }}

helm/jenkins/templates/pvc.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.persistence.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Values.persistence.claimName }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "jenkins.labels" . | nindent 4 }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode }}
+  storageClassName: {{ .Values.persistence.storageClass }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size }}
+{{- end }}

helm/jenkins/templates/rbac.yaml

@@ -0,0 +1,47 @@
+{{- if .Values.rbac.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.rbac.serviceAccountName }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "jenkins.labels" . | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.rbac.clusterRoleName }}
+  labels:
+    {{- include "jenkins.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "services", "configmaps", "secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods/exec", "pods/log"]
+    verbs: ["create", "get"]
+  - apiGroups: ["apps"]
+    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: ["argoproj.io"]
+    resources: ["applications"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.rbac.clusterRoleName }}
+  labels:
+    {{- include "jenkins.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.rbac.clusterRoleName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.rbac.serviceAccountName }}
+    namespace: {{ .Values.namespace }}
+{{- end }}

helm/jenkins/templates/service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "jenkins.name" . }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "jenkins.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  selector:
+    {{- include "jenkins.selectorLabels" . | nindent 4 }}
+  ports:
+    - name: http
+      port: {{ .Values.service.httpPort }}
+      targetPort: {{ .Values.service.httpPort }}
+    - name: agent
+      port: {{ .Values.service.agentPort }}
+      targetPort: {{ .Values.service.agentPort }}

helm/jenkins/values.yaml

@@ -0,0 +1,79 @@
+# Jenkins Helm Chart — default values
+# All tuneable parameters are here.
+# Override per-environment with: helm install -f values-prod.yaml
+
+# -- Namespace where Jenkins is deployed
+namespace: jenkins
+
+# -- Number of Jenkins pods (should stay 1 — Jenkins is stateful)
+replicaCount: 1
+
+image:
+  # -- Jenkins image
+  repository: jenkins/jenkins
+  tag: lts-jdk17
+  pullPolicy: IfNotPresent
+
+service:
+  type: ClusterIP
+  # -- Jenkins web UI port
+  httpPort: 8080
+  # -- Jenkins agent JNLP port
+  agentPort: 50000
+
+ingress:
+  enabled: true
+  # -- Hostname for Jenkins web UI
+  host: jenkins.thedevops.dev
+  # -- cert-manager ClusterIssuer name
+  certIssuer: letsencrypt-http
+  # -- TLS secret name
+  tlsSecretName: jenkins-tls
+
+persistence:
+  enabled: true
+  # -- Storage class (longhorn, local-path, etc.)
+  storageClass: longhorn
+  # -- PVC size for jenkins_home
+  size: 20Gi
+  accessMode: ReadWriteOnce
+  claimName: jenkins-home
+
+# -- Security context — fsGroup 1000 required for jenkins_home permissions
+securityContext:
+  fsGroup: 1000
+
+# -- RBAC — creates ServiceAccount, ClusterRole, ClusterRoleBinding
+rbac:
+  enabled: true
+  serviceAccountName: jenkins
+  clusterRoleName: jenkins-deployer
+
+# -- Resource limits/requests
+resources:
+  requests:
+    cpu: 200m
+    memory: 512Mi
+  limits:
+    cpu: 1000m
+    memory: 2Gi
+
+# -- Mount containerd socket for Docker CLI access
+containerd:
+  enabled: true
+  socketPath: /run/k3s/containerd/containerd.sock
+
+# -- initContainers install Docker CLI and kubectl into shared volume
+initContainers:
+  installDocker:
+    enabled: true
+    image: docker:24-cli
+  installKubectl:
+    enabled: true
+    image: alpine:3.19
+    kubectlVersion: v1.28.0
+
+# -- Extra environment variables for Jenkins container
+extraEnv:
+  - name: JENKINS_OPTS
+    value: "--httpPort=8080"