Wiki source code of Connecting Inbound Jenkins Agents
Last modified by DevOps-as-a-Service Operator on 2025/02/05 11:33
Hide last authors
| author | version | line-number | content |
|---|---|---|---|
 |
1.1 | 1 | You can run your own Jenkins agents, which will connect to your Jenkins Master at {{code language="none"}}https://<YOUR_CUSTOMER_ID>.devops.t-systems.net/jenkins/{{/code}} (replace <YOUR_CUSTOMER_ID> with your customer ID). |
| 2 | |||
| 3 | The easiest way to do this is to use the Jenkins Auto-Slave Helm chart provided by DevOps-as-a-Service. Read [[doc:Rancher 2.WebHome||anchor="Addpublichelmcharts"]] to see how to add the public chart repo to one of your Kubernetes clusters managed with Rancher 2. | ||
| 4 | |||
| 5 | The Jenkins Auto-Slave is a Jenkins agent based on {{code language="none"}}openjdk:17-slim-bullseye{{/code}}. When started, the container will download the latest agent.jar from your Jenkins master and automatically register itself as a new agent (worker node). This way, you can easily execute delivery pipelines in your own target environment. You just need to bind your jobs to your Jenkins agent by referring to the Jenkins Agent Labels that you set on the Agent. This method can be used to issue commands in Jenkins that require direct access to your network. | ||
| 6 | |||
| 7 | {{toc/}} | ||
| 8 | |||
| 9 | = Create Technical User = | ||
| 10 | |||
| 11 | Goto Technical Users on the DevOps-as-a-Service Self-self service portal and create a new technical user {{code language="none"}}https://<YOUR_CUSTOMER_ID>.devops.t-systems.net/sdportal/#/technical-user/new{{/code}} (replace <YOUR_CUSTOMER_ID> with your customer ID). | ||
| 12 | |||
| 13 | (% class="table-bordered" %) | ||
| 14 | (% class="active" %)|=((( | ||
| 15 | Field | ||
| 16 | )))|=((( | ||
| 17 | Value | ||
| 18 | ))) | ||
| 19 | |=((( | ||
| 20 | Username | ||
| 21 | )))|((( | ||
| 22 | e.g. jenkins_agent | ||
| 23 | ))) | ||
| 24 | |=((( | ||
| 25 | Password | ||
| 26 | )))|((( | ||
| 27 | use the provided default or choose another strong one, save it in a secure place to be able to use it later | ||
| 28 | ))) | ||
| 29 | |=(% colspan="1" %)((( | ||
| 30 | Tool | ||
| 31 | )))|(% colspan="1" %)((( | ||
| 32 | Jenkins | ||
| 33 | ))) | ||
| 34 | |=((( | ||
| 35 | Description | ||
| 36 | )))|((( | ||
| 37 | used for connecting Jenkins agents to Jenkins master | ||
| 38 | ))) | ||
| 39 | |||
| 40 | [[image:attach:image2021-7-28_10-47-55.png||queryparams="effects=drop-shadow" height="400"]] | ||
| 41 | |||
| 42 | Don't use the password from the example screenshot. Finally, click //Save//. | ||
| 43 | |||
| 44 | = Create Service Request = | ||
| 45 | |||
| 46 | Create a Service Request at [[Service Desk DevOps-as-a-Service>>url:https://prd.sdc.t-systems.net/jira/servicedesk/customer/portal/3/create/36||shape="rect"]]. | ||
| 47 | |||
| 48 | (% class="table-bordered" %) | ||
| 49 | (% class="active" %)|=((( | ||
| 50 | Field | ||
| 51 | )))|=((( | ||
| 52 | Value | ||
| 53 | ))) | ||
| 54 | |=((( | ||
| 55 | Summary | ||
| 56 | )))|((( | ||
| 57 | Connect Jenkins inbound agents | ||
| 58 | ))) | ||
| 59 | |=((( | ||
| 60 | Component | ||
| 61 | )))|((( | ||
| 62 | Jenkins | ||
| 63 | ))) | ||
| 64 | |=((( | ||
| 65 | Description | ||
| 66 | )))|((( | ||
| 67 | Please assign agent-admin role to technical user jenkins_agent. | ||
| 68 | |||
| 69 | Please open port 50000 of our Jenkins Master so that our agents can connect. | ||
| 70 | ))) | ||
| 71 | |||
| 72 | {{info title="**ℹ Note**"}} | ||
| 73 | Don't put the password of the technical user in the service request! We don't need it. Only the name of the user is important. | ||
| 74 | {{/info}} | ||
| 75 | |||
| 76 | [[image:attach:image2021-7-28_10-56-8.png||data-xwiki-image-style-border="true" queryparams="effects=drop-shadow" height="330" width="525"]] | ||
| 77 | |||
| 78 | If you use a fixed list of public IP addresses for your outgoing connections, we can set-up a whitelist of allowed IP addresses or networks to further restrict access to port 50000. | ||
| 79 | |||
| 80 | If unsure, try first without a whitelist and send us your whitelist later when everything is working. | ||
| 81 | |||
| 82 | = Create API Token in Jenkins = | ||
| 83 | |||
| 84 | Even before the Service Request has been finished, use the time to get the API token for the technical user on Jenkins. | ||
| 85 | |||
| 86 | * Login to Jenkins with the credentials of the Technical User (in the screenshot, jenkins_auto_slave_manoni is used). | ||
| 87 | * At the top of the page, click on the username and choose //Configure// from the menu. | ||
| 88 | |||
| 89 | (% style="margin-left: 30.0px;" %) | ||
| 90 | [[image:attach:image2021-4-12_13-37-55.png||data-xwiki-image-style-border="true" height="163" width="500"]] | ||
| 91 | |||
| 92 | * On the Configure page, click on "ADD NEW TOKEN" | ||
| 93 | |||
| 94 | (% style="margin-left: 30.0px;" %) | ||
| 95 | [[image:attach:image2021-4-12_13-39-34.png||data-xwiki-image-style-border="true" height="309" width="838"]] | ||
| 96 | |||
| 97 | * Copy and record the created token for the intended use, then click "SAVE". | ||
| 98 | |||
| 99 | (% style="margin-left: 30.0px;" %) | ||
| 100 | [[image:attach:image2021-4-12_13-41-17.png||data-xwiki-image-style-border="true" width="500"]] | ||
| 101 | |||
| 102 | * Log out | ||
| 103 | |||
| 104 | = Connect Agent to Jenkins Controller = | ||
| 105 | |||
| 106 | Using the Helm chart as mentioned at the top of the page, the remaining required steps in Rancher 2 are as follows. | ||
| 107 | |||
| 108 | {{info}} | ||
| 109 | **⚠ Pod Security Policy** | ||
| 110 | |||
| 111 | The provided Jenkins Agent container allows the installation of additional software during start-up. If you run the container with the restricted Pod Security Policy of Rancher which is the standard for new projects, this will not work, since some capabilities will not be granted to the pod. To fix this, you can associate the project in the cluster with the unrestricted Pod Security Policy. | ||
| 112 | {{/info}} | ||
| 113 | |||
| 114 | == Create Secret == | ||
| 115 | |||
| 116 | Goto the cluster where you want to deploy the Jenkins agent and first create a secret of type Opaque | ||
| 117 | |||
| 118 | (% class="table-bordered" %) | ||
| 119 | (% class="active" %)|=((( | ||
| 120 | Field | ||
| 121 | )))|=(% colspan="1" %)((( | ||
| 122 | Key | ||
| 123 | )))|=((( | ||
| 124 | Value | ||
| 125 | ))) | ||
| 126 | |((( | ||
| 127 | Name | ||
| 128 | )))|(% colspan="1" %)((( | ||
| 129 | |||
| 130 | )))|((( | ||
| 131 | jenkins-agent | ||
| 132 | ))) | ||
| 133 | |((( | ||
| 134 | Description | ||
| 135 | )))|(% colspan="1" %)((( | ||
| 136 | |||
| 137 | )))|((( | ||
| 138 | Username and API-Token for Jenkins Auto-Agent | ||
| 139 | ))) | ||
| 140 | |((( | ||
| 141 | Data | ||
| 142 | )))|(% colspan="1" %)((( | ||
| 143 | username | ||
| 144 | )))|((( | ||
| 145 | jenkins_agent | ||
| 146 | ))) | ||
| 147 | |(% colspan="1" %)((( | ||
| 148 | |||
| 149 | )))|(% colspan="1" %)((( | ||
| 150 | token | ||
| 151 | )))|(% colspan="1" %)((( | ||
| 152 | //fill in the API-Token obtained from Jenkins here// | ||
| 153 | ))) | ||
| 154 | |||
| 155 | [[image:attach:image-2023-5-22_11-58-27.png||data-xwiki-image-style-border="true" queryparams="effects=drop-shadow" height="400" width="968"]] | ||
| 156 | |||
| 157 | == Deploy Jenkins Auto-Agent Helm chart == | ||
| 158 | |||
| 159 | Goto "Apps/+ Charts" and click on the tile //jenkins-auto-agent//. | ||
| 160 | |||
| 161 | [[image:attach:image-2023-11-14_17-21-41.png||data-xwiki-image-style-border="true" queryparams="effects=drop-shadow" height="250"]] | ||
| 162 | |||
| 163 | In the following dialogs, the only mandatory information that you have to enter is: | ||
| 164 | |||
| 165 | (% class="relative-table wrapped" style="width:72.7961%" %) | ||
| 166 | |=((( | ||
| 167 | Field | ||
| 168 | )))|=((( | ||
| 169 | Value | ||
| 170 | )))|=((( | ||
| 171 | Description | ||
| 172 | ))) | ||
| 173 | |((( | ||
| 174 | Jenkins URL | ||
| 175 | )))|((( | ||
| 176 | [[https:~~/~~/CUSTOMER.devops.t-systems.net/jenkins/>>url:https://CUSTOMER.devops.t-systems.net/jenkins/||shape="rect"]] | ||
| 177 | )))|((( | ||
| 178 | The URL of the Jenkins controller. After registration the agent will connect to port 50000 of this host. | ||
| 179 | |||
| 180 | Make sure to replace CUSTOMER with the name of your DevOps-as-a-Service instance. | ||
| 181 | ))) | ||
| 182 | |((( | ||
| 183 | Jenkins Authentication Secret | ||
| 184 | )))|((( | ||
| 185 | jenkins-agent | ||
| 186 | )))|((( | ||
| 187 | Name of the Opaque Secret that contains technical user in role agent-admin. The keys are username and token. Token refers to the API token you have created for the technical user. | ||
| 188 | |||
| 189 | Please note that due to the retry mechanism in the Jenkins Auto-Agent your Jenkins controller will block this user very fast if you use a wrong token! | ||
| 190 | ))) | ||
| 191 | |||
| 192 | After clicking on //Install//, the agent will be deployed and started. Check the log of the pod to see what is happening. If everything works as expected, your new agent will automatically show up in the Jenkins controller UI. | ||
| 193 | |||
| 194 | == Controller Updates == | ||
| 195 | |||
| 196 | Every time the Jenkins controller has been updated, please restart your agent pods so that they download the latest agent and CLI jars from the Jenkins controller. Without that, problems due to different software versions used on controller and agent are possible. | ||
| 197 | |||
| 198 | = Connecting custom agents = | ||
| 199 | |||
| 200 | Public documentation about launching inbound agents can be found at [[https:~~/~~/github.com/jenkinsci/remoting/blob/master/docs/inbound-agent.md>>url:https://github.com/jenkinsci/remoting/blob/master/docs/inbound-agent.md||shape="rect"]]. The Jenkins CLI is documented at [[https:~~/~~/www.jenkins.io/doc/book/managing/cli/#using-the-cli-client>>url:https://www.jenkins.io/doc/book/managing/cli/#using-the-cli-client||shape="rect"]]. | ||
| 201 | |||
| 202 | |||
| 203 |