Register User-installed Jenkins Tool

    Reference
    • It is recommended to use the Samsung Cloud Platform Marketplace for installing and operating Jenkins.
    • If you cannot use the Marketplace or need to register a self‑installed Jenkins as a tool in the DevOps Console, refer to this document.
    • This document guides the registration of the Jenkins tool in DevOps Console, so it provides only a brief overview of Jenkins installation and operation.

    Getting started with registering a user-installed Jenkins tool

    Install Jenkins and plugins.

    Jenkins installation

    Before installing

    To register Jenkins in the DevOps Console, Jenkins generally must meet the following conditions. If there are other conditions, register an SR before installation to verify.

    • Use a domain for Jenkins access
    • Jenkins domain is registered in DNS
    • Use HTTPS (port 443) and a public certificate for Jenkins communication.

    Installation

    Install Jenkins on a VM or Kubernetes

    Plugin Installation

    Install the following plugins in Jenkins.

    | Plugin ID | Name |
    | --- | --- |
    | apache-httpcomponents-client-4-api | Apache HttpComponents Client 4.x API |
    | credentials | Credentials |
    | credentials-binding | Credentials Binding |
    | github | GitHub |
    | jobConfigHistory | Job Configuration History |
    | kubernetes | Kubernetes |
    | mask-passwords | Mask Passwords |
    | maven-plugin | Maven Integration |
    | matrix-auth | Matrix Authorization Strategy |
    | metrics | Metrics |
    | pipeline-stage-view | Pipeline: Stage View |
    | pipeline-utility-steps | Pipeline Utility Steps |
    | script-security | Script Security |
    | ssh-steps | SSH Pipeline Steps |
    | workflow-aggregator | Pipeline |
    | workflow-step-api | Pipeline: Step API |
    Table. List of installed plugins
    Reference
    You can view the plugin details at https://plugins.jenkins.io/{Plugin ID}.

    Jenkins configuration

    Common Settings

    Jenkins Administration > System

    | Item | Value | Explanation |
    | --- | --- | --- |
    | # of executors | 0 | Set to 0 to restrict direct build execution on the Controller and allow builds only on the Agent. |
    | Jenkins URL | (ex) https://{YOUR_DOMAIN}/jenkins/ | |
    | System Admin e-mail address | (ex) admin@example.com | |
    Table. Jenkins Management > System Settings

    Jenkins Administration > Security

    | Item | Value | Explanation |
    | --- | --- | --- |
    | Authorization | Project-based Matrix Authorization Strategy | |
    | Authenticated Users | Overall > Read | |
    | <ADMIN_USER> | Overall > Administer | Add admin account using Add user |
    Table. Jenkins Management > Security Settings

    Support email format for Jenkins Username

    • By default, Jenkins does not allow the @ sign or dot (.) to be used in the login username. However, since DevOps Console uses an email address as the username, we configure Jenkins to allow email addresses as usernames as well.
    • Create the file /{JENKINS_HOME}/init.groovy.d/init.groovy, add the following content, and restart Jenkins.
      • (ex) /var/jenkins_home/init.groovy.d/init.groovy
    hudson.security.HudsonPrivateSecurityRealm.ID_REGEX=/^[\w-\.\@\_]+$/
    Code block. init.groovy

    Additional Jenkins configuration installed on Kubernetes

    RBAC

    Configure RBAC on Jenkins’s Service Account so that Jenkins can create Pods in Kubernetes.

    # In GKE need to get RBAC permissions first with
    # kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>|--group=<group-name>]
     
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: jenkins
     
    ---
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: jenkins
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["create","delete","get","list","patch","update","watch"]
    - apiGroups: [""]
      resources: ["pods/exec"]
      verbs: ["create","delete","get","list","patch","update","watch"]
    - apiGroups: [""]
      resources: ["pods/log"]
      verbs: ["get","list","watch"]
    - apiGroups: [""]
      resources: ["events"]
      verbs: ["watch"]
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get"]
     
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: jenkins
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: jenkins
    subjects:
    - kind: ServiceAccount
      name: jenkins
    Code block. service-account.yml
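
To confirm that the Role above gives the jenkins ServiceAccount what it lists and nothing broader, the following added example (not part of the original guide) probes the API server with `kubectl auth can-i` under impersonation. The namespace argument and the `DENY_PROBES` list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: compare what the "jenkins" ServiceAccount may do with the Role
# in service-account.yml. KUBECTL can be overridden to exercise the logic offline.
KUBECTL="${KUBECTL:-kubectl}"

# verb:resource[/subresource] pairs granted by the Role on this page.
expected_rules() {
  for v in create delete get list patch update watch; do
    echo "$v:pods $v:pods/exec"
  done
  echo "get:pods/log list:pods/log watch:pods/log watch:events get:secrets"
}

# Constructed probes: actions the Role does not grant and an agent launcher
# should not need. Adjust to your own policy.
DENY_PROBES="list:secrets create:secrets create:rolebindings get:configmaps"

# can_i NAMESPACE VERB RESOURCE[/SUBRESOURCE]; exit status 0 means allowed.
can_i() {
  c_res=${3%%/*}; c_sub=""
  case $3 in */*) c_sub="--subresource=${3#*/}" ;; esac
  # c_sub is left unquoted on purpose so that it disappears when empty.
  $KUBECTL auth can-i "$2" "$c_res" $c_sub -n "$1" \
    --as="system:serviceaccount:$1:jenkins" >/dev/null 2>&1
}

# Prints MISSING/EXCESS findings; returns 0 only when there are none.
audit_jenkins_sa() {
  a_ns=$1; a_bad=0
  for a_rule in $(expected_rules); do
    if ! can_i "$a_ns" "${a_rule%%:*}" "${a_rule#*:}"; then
      echo "MISSING ${a_rule%%:*} ${a_rule#*:}"; a_bad=1
    fi
  done
  for a_rule in $DENY_PROBES; do
    if can_i "$a_ns" "${a_rule%%:*}" "${a_rule#*:}"; then
      echo "EXCESS ${a_rule%%:*} ${a_rule#*:}"; a_bad=1
    fi
  done
  return "$a_bad"
}

# Usage: sh audit-jenkins-sa.sh <namespace>
if [ "$#" -gt 0 ]; then audit_jenkins_sa "$1"; fi
```

The account running the script must be allowed to impersonate service accounts. An EXCESS line usually means another RoleBinding or ClusterRoleBinding also applies to the ServiceAccount.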

    Jenkins Management > Clouds

    kubernetes

    • Add the kubernetes cloud.
    • Set up the Kubernetes cloud as follows. Use the default values for the remaining items.
    | Item | Value | Explanation |
    | --- | --- | --- |
    | Cloud name | kubernetes | |
    | Type | Kubernetes selection | |
    | Kubernetes URL | https://kubernetes.default | Create a Pod (Agent) in the cluster where Jenkins is running |
    | Disable https certificate | check | |
    | Kubernetes Namespace | (example) jenkins | Enter the Namespace where the Jenkins Controller is running, and a Pod (Agent) is created in that Namespace. |
    | WebSocket | check | |
    | Jenkins URL | (example) http://{JENKINS_SERVICE_NAME}:{PORT}/jenkins | Jenkins URL used when invoking Pod(Agent) → Pod(Controller). Use the Kubernetes Service name because it is called within the same namespace. |
    Table. Jenkins Management > Clouds > kubernetes Configuration

    kubernetes > Pod Templates

    • Add a Pod Template.
    • BASE-TEMPLATE is a parent template used in the DevOps Console to define values that should be shared across all Pod Templates.
    | Item | Value | Explanation |
    | --- | --- | --- |
    | Name | BASE-TEMPLATE | |
    | Image Pull Secret | {IMAGE_PULL_SECRET} Enter name | Create a Secret in the Namespace so that the Pod(Agent) image can be pulled, and enter its name. |
    Table. Jenkins Management > Clouds > kubernetes > Pod Templates Settings

    Register Jenkins tool in DevOps Console

    Register Firewall

    Refer to the table below and register the firewall in Jenkins.

    | Origin | Destination | Destination Port |
    | --- | --- | --- |
    | User install Jenkins | DevOps Console web | 443 |
    | DevOps Console source IP | User install Jenkins web | 443 |
    Table. Jenkins (Destination) Firewall List
    Reference
    To check the source IP of the DevOps Console, click the URL ⓘ on the Add Tool screen. You can view the DevOps Console’s source IP in the tooltip.

    DevOps Console Tasks

    • For detailed information about registering the Jenkins tool, see Add Tool
    • In the tool registration step, check the plugins installed on Jenkins, and if any plugins need to be installed, a plugin installation guide page will be displayed. Download and install the plugins as instructed.

    Jenkins Verification

    Jenkins Management > System

    Global Trusted Pipeline Libraries

    • Check that cicdpaas is configured in the Library.
    • If it is not configured
      • Verify the communication between DevOps Console and Jenkins.
      • DevOps Console > Management > Jenkins detail screen > Check the settings in the Global Library tab.

    DevOps Console Credentials

    • Click the Test Connection button and confirm that Success appears.

    Add an agent (VM) to Jenkins

    DevOps Console Tasks

    Add Agent (VM)

    Jenkins Tasks

    Jenkins Management > Nodes > Agent Detail View

    Verify that the Agent added in the DevOps Console has been created. Run the Agent according to the guide on the Jenkins screen and connect it to Jenkins.

    Add an agent (Kubernetes) to Jenkins

    Before Adding a Kubernetes Agent

    Create User‑Jenkins Agent Image

    • For CI/CD in Jenkins, an agent image is required.
    • Create a Jenkins agent image that matches the user’s needs by using the default images provided by Jenkins.
    • After creating the image, push it to the user’s image repository.
    FROM jenkins/inbound-agent:latest-jdk17
    
    USER root
    
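    # Docker CLI (static binaries). -f makes curl fail on an HTTP error instead of
    # saving the error page; -L follows redirects.
    RUN curl -fsSL "https://download.docker.com/linux/static/stable/x86_64/docker-29.1.3.tgz" -o /tmp/docker.tgz && \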
        tar --extract \
          --file /tmp/docker.tgz \
          --strip-components 1 \
          --directory /usr/local/bin/ && \
        rm /tmp/docker.tgz
    
    COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
    
    # Install your build tools...
    # xxx
    
    USER jenkins
    Code block. Dockerfile example

    Docker‑in‑Docker Image

    • In the DevOps Console, Docker in Docker is used to create Docker images in a Kubernetes environment.
    • Use Docker’s provided dind (Docker‑in‑Docker) image and push it to your repository.

    DevOps Console Tasks

    • Add Pod Template
      • By default, one (or multiple) agents are registered. Delete the default registered agent.
    • If you need to build a Docker image, select Docker in Docker.
    • For the JNLP image URL, enter the address of the user Jenkins agent image you created above.

    Jenkins Tasks

    Jenkins Management > Clouds > Kubernetes > Pod Templates

    • The agent (Kubernetes) added from the DevOps Console is registered as a Pod Template.
    • If Docker‑in‑Docker is selected in DevOps Console, the default image address is pre‑filled in the dind container. Replace it with the image address you pushed to your repository.