Register user-installed Jenkins tool

    Reference
    • For installing and operating Jenkins, it is recommended to use the Samsung Cloud Platform Marketplace.
    • If you cannot use the marketplace or want to register a self-installed Jenkins as a tool in DevOps Console, use this document.
    • This document is a guide for registering the Jenkins tool in DevOps Console, so it briefly explains Jenkins installation and operation.

    Start registering Jenkins tool for user installation

    Install Jenkins and plugins.

    Jenkins Installation

    Before installing

    To register Jenkins in the DevOps Console, Jenkins generally must meet the following conditions. If there are other conditions, register an SR before installation to verify.

    • Use a domain for Jenkins access
    • The Jenkins domain is registered in DNS
    • Jenkins communicates over HTTPS (port 443) and uses a public certificate

    Installation

    Install Jenkins on a VM or Kubernetes.

    Plugin Installation

    Install the following plugins in Jenkins.

    | Plugin ID | Name |
    |---|---|
    | apache-httpcomponents-client-4-api | Apache HttpComponents Client 4.x API |
    | credentials | Credentials |
    | credentials-binding | Credentials Binding |
    | github | GitHub |
    | jobConfigHistory | Job Configuration History |
    | kubernetes | Kubernetes |
    | mask-passwords | Mask Passwords |
    | maven-plugin | Maven Integration |
    | matrix-auth | Matrix Authorization Strategy |
    | metrics | Metrics |
    | pipeline-stage-view | Pipeline: Stage View |
    | pipeline-utility-steps | Pipeline Utility Steps |
    | script-security | Script Security |
    | ssh-steps | SSH Pipeline Steps |
    | workflow-aggregator | Pipeline |
    | workflow-step-api | Pipeline: Step API |
    Table. Installed plugin list
    Reference
    You can view detailed plugin information at https://plugins.jenkins.io/{Plugin ID}.

    Jenkins Settings

    Common Settings

    Jenkins Management > System

    | Item | Value | Description |
    |---|---|---|
    | # of executors | 0 | Set to 0 to restrict direct build execution on the Controller and allow builds only on Agents |
    | Jenkins URL | (ex) https://{YOUR_DOMAIN}/jenkins/ | |
    | System Admin e-mail address | (ex) admin@example.com | |
    Table. Jenkins Management > System Settings

    Jenkins Management > Security

    | Item | Value | Description |
    |---|---|---|
    | Authorization | Project-based Matrix Authorization Strategy | |
    | Authenticated Users | Overall > Read | |
    | <ADMIN_USER> | Overall > Administer | Add admin account using Add user |
    Table. Jenkins Management > Security Settings

    Support email format for Jenkins Username

    • By default, Jenkins does not allow the @ symbol or the period (.) to be used in the login Username. However, since DevOps Console uses email as the Username, configure Jenkins to allow email addresses as the Username as well.
    • Create the file /{JENKINS_HOME}/init.groovy.d/init.groovy, enter the following contents, and restart Jenkins.
      • (ex) /var/jenkins_home/init.groovy.d/init.groovy
    // Allow '.' and '@' in usernames so that e-mail addresses are accepted
    hudson.security.HudsonPrivateSecurityRealm.ID_REGEX=/^[\w-\.\@\_]+$/
    Code block. init.groovy

    Additional Jenkins configuration installed on Kubernetes

    RBAC

    Set RBAC on Jenkins’s Service Account so that Jenkins can create Pods in Kubernetes.

    # In GKE need to get RBAC permissions first with
    # kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>|--group=<group-name>]
      
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: jenkins
      
    ---
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: jenkins
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["create","delete","get","list","patch","update","watch"]
    - apiGroups: [""]
      resources: ["pods/exec"]
      verbs: ["create","delete","get","list","patch","update","watch"]
    - apiGroups: [""]
      resources: ["pods/log"]
      verbs: ["get","list","watch"]
    - apiGroups: [""]
      resources: ["events"]
      verbs: ["watch"]
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get"]
      
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: jenkins
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: jenkins
    subjects:
    - kind: ServiceAccount
      name: jenkins
    Code block. service-account.yml
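
    To detect drift from the Role above (for example, after someone widens it while debugging), the following added example, which is not part of the original guide, compares a Role in the form returned by kubectl get role jenkins -o json with the permissions in service-account.yml. The sample Role and the function names are constructed for illustration.

```python
import json

# Baseline: verbs granted per core-group ("") resource by service-account.yml above.
POD_RW = {"create", "delete", "get", "list", "patch", "update", "watch"}
BASELINE = {
    "pods": POD_RW,
    "pods/exec": POD_RW,
    "pods/log": {"get", "list", "watch"},
    "events": {"watch"},
    "secrets": {"get"},
}

# Constructed sample (not real output): shape of `kubectl get role jenkins -o json`
# for a Role that has drifted from the baseline.
DRIFTED_ROLE = json.loads("""
{"kind": "Role", "metadata": {"name": "jenkins"}, "rules": [
  {"apiGroups": [""], "resources": ["pods", "pods/exec"],
   "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
  {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
  {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}
]}
""")


def expand(role):
    """Yield every (apiGroup, resource, verb) tuple the Role's rules grant."""
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    yield group, res, verb


def audit_role(role):
    """Report grants beyond BASELINE and BASELINE permissions that are absent."""
    grants = set(expand(role))
    extra = sorted(f"{g or 'core'}/{r}:{v}" for g, r, v in grants
                   if g != "" or v not in BASELINE.get(r, ()))
    # A "*" entry satisfies a baseline permission but is still reported as extra.
    missing = sorted(
        f"core/{r}:{v}" for r, verbs in BASELINE.items() for v in verbs
        if not any(g in ("", "*") and rr in (r, "*") and vv in (v, "*")
                   for g, rr, vv in grants))
    return {"namespaced": role.get("kind") == "Role",
            "extra": extra, "missing": missing}


if __name__ == "__main__":
    print(json.dumps(audit_role(DRIFTED_ROLE), indent=2))
```

    Entries under "extra" are grants the guide does not require; entries under "missing" are baseline permissions the Role no longer grants.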

    Jenkins Management > Clouds

    kubernetes

    • Add the kubernetes cloud.
    • Set the kubernetes cloud as follows. Use the default values for the remaining items.
    | Item | Value | Description |
    |---|---|---|
    | Cloud name | kubernetes | |
    | Type | Select Kubernetes | |
    | Kubernetes URL | https://kubernetes.default | Create a Pod (Agent) in the cluster where Jenkins is running |
    | Disable https certificate check | Check | |
    | Kubernetes Namespace | (example) jenkins | Enter the Namespace where the Jenkins Controller is running; a Pod (Agent) will be created in that Namespace |
    | WebSocket | Check | |
    | Jenkins URL | (example) http://{JENKINS_SERVICE_NAME}:{PORT}/jenkins | Jenkins URL used when calling Pod (Agent) → Pod (Controller). Since it is called within the same Namespace, use the Kubernetes Service Name |
    Table. Jenkins Management > Clouds > kubernetes Settings

    kubernetes > Pod Templates

    • Add a Pod Template.
    • BASE-TEMPLATE is a higher-level template used in the DevOps Console that sets values that must be commonly used in each Pod Template.
    | Item | Value | Description |
    |---|---|---|
    | Name | BASE-TEMPLATE | |
    | Image Pull Secret | Enter the {IMAGE_PULL_SECRET} name | Create a Secret in the Namespace so that the Pod (Agent) image can be pulled, and enter its name |
    Table. Jenkins Management > Clouds > kubernetes > Pod Templates Settings

    Register Jenkins tool in DevOps Console

    Register firewall

    Refer to the table below and register the firewall rules for Jenkins.

    | Origin | Destination | Destination Port |
    |---|---|---|
    | User-installed Jenkins | DevOps Console Web | 443 |
    | DevOps Console Source IP | User-installed Jenkins Web | 443 |
    Table. Jenkins (Destination) Firewall List
    Reference
    To check the source IP of DevOps Console, click the URL ⓘ on the tool addition screen. You can check the source IP of DevOps Console in the tooltip.

    DevOps Console Task

    • For detailed information related to Jenkins tool registration, please refer to Add Tool.
    • In the tool registration step, check the plugins installed in Jenkins, and if there are plugins that need to be installed, a plugin installation guide page will be displayed. Download and install the plugins as instructed.

    Jenkins Check

    Jenkins Management > System

    Global Trusted Pipeline Libraries

    • Check if cicdpaas is set in the Library.
    • If it is not set
      • Check the communication status between DevOps Console ↔ Jenkins.
      • Check the settings in the Global Library tab of the DevOps Console > Management > Jenkins detail screen.

    DevOps Console Credentials

    • Click the Test Connection button and verify that Success is displayed.

    Add agent (VM) to Jenkins

    DevOps Console Task

    Refer to Add Agent (VM) and add the agent (VM).

    Jenkins Task

    Jenkins Management > Nodes > Agent Detail Screen

    Check that the Agent added from the DevOps Console has been created. Run the Agent according to the guide on the Jenkins screen and connect it to Jenkins.

    Add agent (Kubernetes) to Jenkins

    Before adding the agent (Kubernetes)

    Create a user Jenkins agent image

    • An agent image is required for CI/CD in Jenkins.
    • Use the default images provided by Jenkins as a base to create a Jenkins agent image that fits your needs.
    • After generating the image, push it to the user image repository.
    FROM jenkins/inbound-agent:latest-jdk17
    
    USER root
    
    # Docker CLI (static binaries); -f makes curl fail on HTTP errors instead of saving an error page
    RUN curl -fsSL "https://download.docker.com/linux/static/stable/x86_64/docker-29.1.3.tgz" -o /tmp/docker.tgz && \
        tar --extract \
          --file /tmp/docker.tgz \
          --strip-components 1 \
          --directory /usr/local/bin/ && \
        rm /tmp/docker.tgz
      
    COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
    
    # Install your build tools...
    # xxx
    
    USER jenkins
    Code block. Dockerfile example

    Docker in Docker image

    • DevOps Console uses Docker in Docker to generate Docker images in a Kubernetes environment.
    • Push the docker:dind (Docker in Docker) image provided by Docker to your repository.

    DevOps Console Task

    • Refer to Add Pod Template and add the agent (Kubernetes).
      • By default, one (or multiple) agents are registered. Delete the default registered agent.
    • If you need to build a Docker image, select to use Docker in Docker.
    • Enter the address of the user Jenkins agent image created above as the jnlp image URL.

    Jenkins Task

    Jenkins Management > Clouds > kubernetes > Pod Templates

    • The agent (Kubernetes) added from DevOps Console is registered as a Pod Template.
    • If you selected Docker in Docker in the DevOps Console, the dind container is filled in with the default image address. Change it to the address of the docker:dind image you pushed to your repository.