Skip to Content

Connecting Inbound Jenkins Agents

Last modified by DevOps-as-a-Service Operator on 2025/02/05 11:33

You can run your own Jenkins agents, which will connect to your Jenkins Master at https://<YOUR_CUSTOMER_ID>.devops.t-systems.net/jenkins/ (replace <YOUR_CUSTOMER_ID> with your customer ID).

The easiest way to do this is to use the Jenkins Auto-Slave Helm chart provided by DevOps-as-a-Service. Read Rancher 2 to see how to add the public chart repo to one of your Kubernetes clusters managed with Rancher 2.

The Jenkins Auto-Slave is a Jenkins agent based on openjdk:17-slim-bullseye. When started, the container will download the latest agent.jar from your Jenkins master and automatically register itself as a new agent (worker node). This way, you can easily execute delivery pipelines in your own target environment. You just need to bind your jobs to your Jenkins agent by referring to the Jenkins Agent Labels that you set on the Agent. This method can be used to issue commands in Jenkins that require direct access to your network.

Create Technical User

Goto Technical Users on the DevOps-as-a-Service Self-self service portal and create a new technical user https://<YOUR_CUSTOMER_ID>.devops.t-systems.net/sdportal/#/technical-user/new (replace <YOUR_CUSTOMER_ID> with your customer ID).

Field

Value

Username

e.g. jenkins_agent

Password

use the provided default or choose another strong one, save it in a secure place to be able to use it later

Tool

Jenkins

Description

used for connecting Jenkins agents to Jenkins master

image2021-7-28_10-47-55.png

Don't use the password from the example screenshot. Finally, click Save.

Create Service Request

Create a Service Request at Service Desk DevOps-as-a-Service.

Field

Value

Summary

Connect Jenkins inbound agents

Component

Jenkins

Description

Please assign agent-admin role to technical user jenkins_agent.

Please open port 50000 of our Jenkins Master so that our agents can connect.

Information
ℹ Note

Don't put the password of the technical user in the service request! We don't need it. Only the name of the user is important.

image2021-7-28_10-56-8.png

If you use a fixed list of public IP addresses for your outgoing connections, we can set-up a whitelist of allowed IP addresses or networks to further restrict access to port 50000.

If unsure, try first without a whitelist and send us your whitelist later when everything is working.

Create API Token in Jenkins

Even before the Service Request has been finished, use the time to get the API token for the technical user on Jenkins.

  • Login to Jenkins with the credentials of the Technical User (in the screenshot, jenkins_auto_slave_manoni is used).
  • At the top of the page, click on the username and choose Configure from the menu.

 image2021-4-12_13-37-55.png

  • On the Configure page, click on "ADD NEW TOKEN"

image2021-4-12_13-39-34.png

  • Copy and record the created token for the intended use, then click "SAVE".

image2021-4-12_13-41-17.png

  • Log out

Connect Agent to Jenkins Controller

Using the Helm chart as mentioned at the top of the page, the remaining required steps in Rancher 2 are as follows.

Information

⚠ Pod Security Policy

The provided Jenkins Agent container allows the installation of additional software during start-up. If you run the container with the restricted Pod Security Policy of Rancher which is the standard for new projects, this will not work, since some capabilities will not be granted to the pod. To fix this, you can associate the project in the cluster with the unrestricted Pod Security Policy.

Create Secret

Goto the cluster where you want to deploy the Jenkins agent and first create a secret of type Opaque

Field

Key

Value

Name

 

jenkins-agent

Description

 

Username and API-Token for Jenkins Auto-Agent

Data

username

jenkins_agent

 

token

fill in the API-Token obtained from Jenkins here

image-2023-5-22_11-58-27.png

Deploy Jenkins Auto-Agent Helm chart

Goto "Apps/+ Charts" and click on the tile jenkins-auto-agent.

image-2023-11-14_17-21-41.png

In the following dialogs, the only mandatory information that you have to enter is:

Field

Value

Description

Jenkins URL

The URL of the Jenkins controller. After registration the agent will connect to port 50000 of this host.

Make sure to replace CUSTOMER with the name of your DevOps-as-a-Service instance.

Jenkins Authentication Secret

jenkins-agent

Name of the Opaque Secret that contains technical user in role agent-admin. The keys are username and token. Token refers to the API token you have created for the technical user.

Please note that due to the retry mechanism in the Jenkins Auto-Agent your Jenkins controller will block this user very fast if you use a wrong token!

After clicking on Install, the agent will be deployed and started. Check the log of the pod to see what is happening. If everything works as expected, your new agent will automatically show up in the Jenkins controller UI.

Controller Updates

Every time the Jenkins controller has been updated, please restart your agent pods so that they download the latest agent and CLI jars from the Jenkins controller. Without that, problems due to different software versions used on controller and agent are possible.

Connecting custom agents

Public documentation about launching inbound agents can be found at https://github.com/jenkinsci/remoting/blob/master/docs/inbound-agent.md. The Jenkins CLI is documented at https://www.jenkins.io/doc/book/managing/cli/#using-the-cli-client.

 

© 2018-2025 T-Systems International GmbH