CI/CD: Jenkins 2 on OpenShift

Jenkins 2 overview and setup – APPAGILE

This page walks through the setup steps with oc and an example workflow for Jenkins 2.

IMPORTANT: after installing the OpenShift plugin for Jenkins, always check the box enabling the OpenShift builder support (also for the related OpenShift Jenkins builder API) in the build configuration panel of your project.

Setup

# setup ci jenkins
oc new-project ci
oc new-app library/jenkins:2.0
oc expose svc jenkins
# setup sample for jenkins build
oc new-project demo
oc new-app eap64-basic-s2i \
--param=APPLICATION_NAME=demo-jenkins \
--param=SOURCE_REPOSITORY_URL=https://gitlabappadev.tsi-af.de/julien.siebenthal/demo-jenkins.git \
--param=SOURCE_REPOSITORY_REF=2.7.0.Final \
--param=CONTEXT_DIR=demo
# set up a secret to access the private repos, if needed
oc secrets new-basicauth basicsecret --username=<your_username> --password=<your_password>
oc set build-secret --source bc/demo-jenkins basicsecret
# setup policies
oc policy add-role-to-user edit system:serviceaccount:ci:default -n ci
oc policy add-role-to-user edit system:serviceaccount:demo:default -n demo
oc policy add-role-to-user edit system:serviceaccount:ci:default -n demo
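
The three grants above give the edit role to each project's default service account, which is the account a pod runs as when it names no other. The following added example (not part of the original page) parses such oc policy add-role-to-user lines and reports grants to a default account and grants that cross projects; the labels DEFAULT_SA and CROSS_NS are names chosen here.

```shell
#!/bin/sh
# Added example: review `oc policy add-role-to-user` grants before running them.
# Reads commands on stdin and prints one finding per line:
#   DEFAULT_SA  role goes to a project's "default" service account
#   CROSS_NS    service account from one project gets a role in another
audit_grants() {
  awk '
    $1 == "oc" && $2 == "policy" && $3 == "add-role-to-user" {
      role = $4; subject = $5; target = ""
      for (i = 6; i <= NF; i++) if ($i == "-n") target = $(i + 1)
      # Service account subjects look like system:serviceaccount:<project>:<name>
      n = split(subject, p, ":")
      if (n != 4 || p[1] != "system" || p[2] != "serviceaccount") next
      sa_ns = p[3]; sa = p[4]
      if (sa == "default")
        print "DEFAULT_SA " role " " sa_ns "/" sa " -> " target
      if (target != "" && sa_ns != target)
        print "CROSS_NS " role " " sa_ns "/" sa " -> " target
    }'
}

# The three grants from the setup on this page.
SAMPLE_GRANTS='oc policy add-role-to-user edit system:serviceaccount:ci:default -n ci
oc policy add-role-to-user edit system:serviceaccount:demo:default -n demo
oc policy add-role-to-user edit system:serviceaccount:ci:default -n demo'

printf '%s\n' "$SAMPLE_GRANTS" | audit_grants
```

Granting edit to a dedicated service account for the Jenkins pod instead clears the DEFAULT_SA findings; the CROSS_NS grant stays, since Jenkins in ci acts on builds in demo.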

On the Jenkins pipeline side, the Groovy script is based on the Ticket-Monster example.

Below is the export of the BuildConfig, which can be used with oc create:

apiVersion: v1
kind: BuildConfig
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftNewApp
  creationTimestamp: null
  labels:
    app: eap64-basic-s2i
    application: demo-jenkins
    template: eap64-basic-s2i
    xpaas: 1.3.2
  name: demo-jenkins
spec:
  nodeSelector: null
  output:
    to:
      kind: ImageStreamTag
      name: demo-jenkins:latest
  postCommit: {}
  resources: {}
  runPolicy: Serial
  source:
    contextDir: demo
    git:
      ref: 2.7.0.Final
      uri: https://gitlabappadev.tsi-af.de/julien.siebenthal/demo-jenkins.git
    sourceSecret:
      name: basicsecret
    type: Git
  strategy:
    sourceStrategy:
      forcePull: true
      from:
        kind: ImageStreamTag
        name: jboss-eap64-openshift:1.4
        namespace: openshift
    type: Source

Security

To pull from or push to a private repo, set up a new domain and credential with the Credentials Binding plugin; see "Jenkins access to Gitdev private repo using ssh, to Gitlabappadev using https" below.

  • user/private_key for ssh based pull/push
  • user/password for https based pull/push

For an https based git approach (gitlabappadev.tsi-af.de; git over ssh does not seem to be enabled there), use:

node {
  stage 'Checkout'
  git branch: '2.7.0.Final', credentialsId: '3a6a12be-0b9a-45af-9c41-4f21fa1543e3', url: 'https://gitlabappadev.tsi-af.de/julien.siebenthal/demo-jenkins.git'
  // ** NOTE: This 'M3' maven tool must be configured in the global configuration.
  def mvnHome = tool 'M3'
  stage 'Build'
  sh "${mvnHome}/bin/mvn -f demo/pom.xml clean install"
  stage 'Deploy'
  def builder = new com.openshift.jenkins.plugins.pipeline.OpenShiftBuilder("", "demo-jenkins", "demo", null, "", "", "", "", "true", "", "", "")
  step builder
}

Jenkins web console

From there you can directly interact with the web console of your project.

Jenkins access to Gitdev private repo using ssh, to Gitlabappadev using https:

  1. Access your Jenkins pod
    1. access the jump server
    2. locate the node where your Jenkins pod runs, then ssh to that machine
    3. from there in the shell:
      >> docker exec -it <jenkins_pod_ID> /bin/bash
    4. cd in the pod session
    5. you should be in /var/jenkins_home
    6. create an ssh key, in my case:
      >> ssh-keygen -t rsa -C "USERNAME@masterd3.tsi-af.de"
    7. it asks for a passphrase; set one and record it somewhere safe
    8. a key pair is created, by default id_rsa (private key) and id_rsa.pub (public key)
    9. you are not finished yet: make sure you can access the gitdev (gitlab) server, type:
      >> ssh -T git@gitdev.tsi-af.de
    10. during authentication you are asked for the passphrase you set earlier, if you set one; enter it
    11. ssh will ask you whether you want to authenticate to the gitdev server, obviously yes.
  2. In the Jenkins web console
    1. make sure the plugins needed for ssh authentication are installed, namely:
      1. SSH-Agent plugin
      2. SSH plugin (normally it is required by the first one and will be installed automatically)
      3. Credentials binding plugin
    2. restart the Jenkins server once the plugins are downloaded
    3. then go to the Credentials option, which is now displayed in the web console
      1. define a domain
        1. set this to the hostname gitdev.tsi-af.de
      2. and in this domain, a new key based credential
        1. select ssh authentication with private key, give the correct location of the key (in my case /var/jenkins_home/.ssh/id_rsa) and do not forget to set the passphrase
        2. IMPORTANT: leave the credentialID field empty; once you save, one will be created automatically for you. This ID is tremendously important, it will be added into the Jenkinsfile workflow script
        3. save the credential.
    4. go to your workflow build project and adapt the script, mine is:
      node {
        stage 'Checkout'
        git branch: '2.7.0.Final', credentialsId: '9cae6b3a-4437-4a33-b99e-c3174f90670f', url: 'git@gitdev.tsi-af.de:jdesiebe/myticket-monster.git'
        // ** NOTE: This 'M3' maven tool must be configured in the global configuration.
        def mvnHome = tool 'M3'
        stage 'Build'
        sh "${mvnHome}/bin/mvn -f demo/pom.xml clean install"
        stage 'Deploy'
        def builder = new com.openshift.jenkins.plugins.pipeline.OpenShiftBuilder("", "ticket-monster", "demo", null, "", "", "", "", "true", "", "", "")
        step builder
      }
    5. As you see in the script, a credentialsId field is added that refers to the credential we added just before; the URL also tells Jenkins to use the ssh protocol to pull the git repo.
  3. Restart your build, it should work.
  4. if you want temporary access to private repos on gitlabappadev.tsi-af.de, use https
    1. in that case set up a new domain and a credential with username/password, no need for a key
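
Steps 1.6 to 1.8 leave a private key under /var/jenkins_home/.ssh that the Jenkins credential then points at. The following added example (not part of the original page) checks that such a key file is readable by its owner only and is passphrase-protected; the function names are chosen here, and the sample key is a constructed stub with no key material.

```shell
#!/bin/sh
# Added example: checks for the private key that the Jenkins credential uses.

# Succeeds when only the owner can read the key file (mode 0600 or 0400).
key_mode_ok() {
  perms=$(ls -ld "$1" | cut -c1-10)
  [ "$perms" = "-rw-------" ] || [ "$perms" = "-r--------" ]
}

# Returns 0 = passphrase-protected, 1 = stored in the clear, 2 = unrecognised.
key_is_encrypted() {
  case "$(head -n 1 "$1")" in
    *"BEGIN ENCRYPTED PRIVATE KEY"*)
      return 0 ;;
    *"BEGIN OPENSSH PRIVATE KEY"*)
      # Body decodes to "openssh-key-v1\0", a 4-byte length, then the
      # cipher name; the name "none" means no passphrase was set.
      cipher=$(sed '1d;$d' "$1" | tr -d '\n' | base64 -d 2>/dev/null |
               dd bs=1 skip=19 count=4 2>/dev/null)
      [ -n "$cipher" ] || return 2
      [ "$cipher" != "none" ] ;;
    *"BEGIN RSA PRIVATE KEY"*|*"BEGIN EC PRIVATE KEY"*|*"BEGIN DSA PRIVATE KEY"*)
      # Legacy PEM, the format older ssh-keygen releases write.
      grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ;;
    *)
      return 2 ;;
  esac
}

# Report for one key file; the default path is the location used on this page.
check_jenkins_key() {
  key=${1:-/var/jenkins_home/.ssh/id_rsa}
  [ -f "$key" ] || { echo "missing: $key"; return 2; }
  key_mode_ok "$key" || echo "WARN: $key is readable by group or others"
  key_is_encrypted "$key" || echo "WARN: $key has no passphrase"
}

# Constructed sample: unencrypted legacy PEM stub with loose permissions.
demo=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIB' \
  '-----END RSA PRIVATE KEY-----' > "$demo"
chmod 644 "$demo"
check_jenkins_key "$demo"
rm -f "$demo"
```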

Jenkins based documentation on the web related to workflows and security