# 用户/平台方需提供的信息模板
# 复制本文件为 intake.yaml，填好后再开始落地，能避免 80% 的返工。

# ─────────── 1. Basics ───────────
deployment_mode: "aliyun_ack"        # aliyun_ack | idc_lan | both — selects whether section 4 (aliyun), section 5 (idc) or both must be filled in
environments:
  - name: prod
    domain: jenkins.corp.example.com  # A DNS name is strongly recommended; use an IP only when no DNS exists.
                                      # Reminder: the certificate issued per section 2 must list this name as a SAN.
    internal_ip: 10.0.1.20            # Fallback address. In the IDC example below this is the same address as idc.vip — keep them in sync.
    expected_users: 80
    expected_concurrent_builds: 30
  - name: staging
    domain: jenkins-staging.corp.example.com
    expected_users: 20
    expected_concurrent_builds: 10

# ─────────── 2. Network & certificates ───────────
network:
  ingress_cidr:                      # CIDRs allowed to reach the web UI / API
    - 10.0.0.0/8                     # NOTE(review): this is the entire private 10/8 range; narrow it to office / VPN / gateway subnets where possible
  agent_cidr:                        # CIDRs the build agents connect from (presumably the allowlist for the inbound agent port — confirm)
    - 10.0.10.0/24
  expose_to_internet: false          # Keep false. If it ever has to be true, zero_trust_gateway must not be "none".
  zero_trust_gateway: "tailscale"    # tailscale | teleport | cloudflare_access | none
tls:
  source: "internal_ca"              # internal_ca | letsencrypt_dns | self_signed
                                     # self_signed is acceptable for staging only; letsencrypt_dns requires aliyun.dns_provider_for_acme
  ca_bundle_path: "/etc/ssl/corp-ca.pem"   # CA bundle the controller trusts; it must also cover LDAPS, Vault, SCM and artifact endpoints if they use the internal CA

# ─────────── 3. LDAP / AD ───────────
ldap:
  url: "ldaps://ldap.corp.example.com:636"   # keep ldaps:// — plain ldap:// sends the bind password in clear; the server cert must chain to tls.ca_bundle_path
  root_dn: "dc=corp,dc=example,dc=com"
  # NOTE(review): the Jenkins LDAP plugin treats the user/group search bases as RELATIVE to root_dn
  # ("ou=Users", not the full DN). Confirm how the installer consumes these before filling them in,
  # otherwise the DN gets doubled and every login fails.
  user_search_base: "ou=Users,dc=corp,dc=example,dc=com"
  user_search_filter: "sAMAccountName={0}"   # {0} is replaced with the login name (AD-style attribute)
  group_search_base: "ou=Groups,dc=corp,dc=example,dc=com"
  group_membership_filter: "member={0}"      # {0} is replaced with the user's DN
  manager_dn: "cn=jenkins-bind,ou=ServiceAccounts,dc=corp,dc=example,dc=com"   # dedicated read-only bind account; never a personal or admin account
  manager_password_ref: "vault:secret/jenkins/ldap#password"   # reference only — the password itself never goes in this file
  groups:                            # LDAP group -> Jenkins role
    admin:     "cn=ci-admins,ou=Groups,dc=corp,dc=example,dc=com"
    developer: "cn=ci-developers,ou=Groups,dc=corp,dc=example,dc=com"
    release:   "cn=ci-release,ou=Groups,dc=corp,dc=example,dc=com"
    viewer:    "cn=all-staff,ou=Groups,dc=corp,dc=example,dc=com"   # read access for ALL staff: anyone can read console output, so builds must never print secrets

# ─────────── 4. Alibaba Cloud (option A only) ───────────
aliyun:
  region: cn-hangzhou
  ack_cluster_id: c-xxxxxxxx
  vpc_id: vpc-xxxxxxxx
  nas_filesystem_id: xxx-xxxxx          # presumably the persistent volume for JENKINS_HOME — confirm
  oss_backup_bucket: company-jenkins-backup   # keep the bucket private and versioned; lifecycle should match policy.backup_retention_days
  oss_backup_endpoint: oss-cn-hangzhou-internal.aliyuncs.com   # internal endpoint: backups stay inside the VPC, no public egress needed
  acr_instance: cr.cn-hangzhou.aliyuncs.com/devops
  slb_id: lb-xxxxxxxx
  dns_provider_for_acme: alidns         # only used when tls.source == letsencrypt_dns
  ram_role_arn_for_csi: "acs:ram::xxxx:role/..."   # RAM role assumed by the storage CSI driver; scope its policy to the NAS filesystem / backup bucket above, not account-wide

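# ─────────── 5. IDC (option B only) ───────────
idc:
  controller_primary_ip: 10.0.1.10
  controller_standby_ip: 10.0.1.11
  vip: 10.0.1.20                        # floating address; keep equal to environments[prod].internal_ip
  lb_node_ips: [10.0.1.30, 10.0.1.31]
  agents:
    - hostname: agent-linux-01
      ip: 10.0.10.11                    # must fall inside network.agent_cidr
      labels: [linux, build-heavy]
    - hostname: agent-win-01
      ip: 10.0.10.21
      labels: [windows]
  storage:
    jenkins_home_path: /srv/jenkins/home   # holds credentials.xml and secrets/ — restrict to the jenkins user only
    # Backups contain the full JENKINS_HOME (encrypted credentials AND the master key that decrypts them),
    # so the target must be reached over TLS and the bucket must be private. The template previously
    # defaulted to plain http here; do not downgrade it.
    backup_target: "s3:https://minio.idc.local/jenkins-backup"
    backup_credentials_ref: "vault:secret/jenkins/minio"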

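# ─────────── 6. Integrated systems ───────────
integrations:
  scm:
    type: gitlab                     # gitlab | bitbucket | github_enterprise
    base_url: https://git.corp.example.com
    webhook_secret_ref: "vault:secret/jenkins/scm#webhook"   # shared secret for verifying webhook signatures; unsigned or invalid calls must be rejected
  artifact:
    type: nexus                      # nexus | artifactory
    base_url: https://nexus.corp.example.com
  vault:
    url: https://vault.corp.example.com
    auth_method: approle             # on ACK, check whether the installer also supports Vault's Kubernetes auth — it avoids a static secret_id entirely
    # Bootstrap credentials: these are what Jenkins uses to reach Vault in the first place, so they
    # CANNOT themselves be "vault:" references (the previous placeholder was circular). Deliver them
    # out-of-band (K8s Secret, 0600 file on the controller, or a response-wrapped token) and rotate
    # secret_id on a schedule.
    role_id_ref: "<bootstrap-secret-ref>"
    secret_id_ref: "<bootstrap-secret-ref>"
  observability:
    prometheus_url: http://prom.corp.example.com:9090   # plain http — acceptable only if reachable solely from network.ingress_cidr
    grafana_url: https://grafana.corp.example.com
    loki_url: http://loki.corp.example.com:3100         # plain http; presumably console logs are shipped here, and they may contain sensitive output — prefer https or restrict to the cluster network
  notification:
    slack_webhook_ref: "vault:secret/jenkins/slack#url"   # the webhook URL is itself a secret
    email_smtp: "smtp.corp.example.com:587"               # quoted host:port; 587 = submission port, require STARTTLS with no plaintext fallback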

# ─────────── 7. External DB (optional — usually not needed) ───────────
# Only when: 1) Audit Trail writes to an external DB; 2) a separate jk aggregation service exists; 3) large-scale history search
external_db:
  enabled: false
  type: postgres
  host: rds.corp.example.com
  port: 5432
  database: jenkins_audit
  user: jenkins                      # dedicated DB user with rights on jenkins_audit only
  password_ref: "vault:secret/jenkins/db#password"
  # NOTE(review): nothing here captures TLS for the DB connection; confirm the installer enforces
  # TLS to the RDS endpoint (e.g. sslmode=require) or add a field for it.
  purpose: ["audit"]                 # audit | aggregation | none

# ─────────── 8. Policy / compliance ───────────
policy:
  rto_minutes: 30                    # recovery time objective
  rpo_hours: 24                      # recovery point objective — implies at least one successful backup per day
  backup_retention_days: 30
  log_retention_days: 180            # presumably covers build logs and the audit trail; must be >= any regulatory minimum that applies
  patch_window: "Sat 22:00-24:00 CST"   # NOTE(review): "CST" is ambiguous (China Standard vs US Central); state the IANA zone, e.g. Asia/Shanghai
  on_call_team: "devops-platform"
  data_classification: "internal"    # if this is raised to a stricter class, expose_to_internet above must stay false
