Configuring the Jenkins Agent
In this section, you need to complete the following tasks:
- Install the Kubernetes plugin on the Jenkins web page and configure cluster information in the cloud for connecting to the cluster.
- Configure a pod template for dynamically creating Jenkins agent pods in the cloud.
Before the installation and configuration, complete Preparations for the Cluster.
Preparations for the Cluster
Before configuring the Jenkins agent, you need to perform some operations on the cluster to support subsequent configuration of the Jenkins agent.
- Return to the CCE console and click the cluster name. In the Connection Information area on the right, click Configure to download the kubectl configuration file, which will be used as the credential for Jenkins to connect to the cluster.
Figure 1 Connection Information
- In the navigation pane of the cluster console, choose Storage. In the upper right corner, click Create PVC. In the Create PVC dialog, configure the following parameters and click Create. The created PVC persistently stores the data generated when the Jenkins agent completes jobs.
Figure 2 Creating a PVC
- PVC Type: SFS Turbo
- PVC Name: jenkins-agent
- Creation Method: Create new
- SFS Turbo: Select the SFS Turbo volume used in 2.
- PV Name: pv-efs-jenkins-agent
- Return to the ECS and create a secret with SWR authentication information as the credential for pushing images to SWR.
- Install jq, a tool for querying, filtering, modifying, and formatting JSON data. The following uses an ECS running CentOS 7.6 as an example.
yum install jq
- Create the Docker registry secret to store SWR authentication information. Extract and decode the SWR authentication information and save it to the /tmp/config.json file.
- docker-server: Enter the SWR image repository address in the format of swr.[Region].myhuaweicloud.com.
Obtain the region from Regions and Endpoints. Replace [Region] with the actual region name, for example, swr.cn-east-3.myhuaweicloud.com for CN East-Shanghai1.
- docker-username: Enter the username in the SWR login command.
To obtain the username, log in to the SWR console, click Login Command in the upper right corner of the Dashboard page, and view the command on the Temporary login command tab. The content following -u in the command is the username.
- docker-password: Enter the password in the SWR login command.
The content following -p in the command on the Temporary login command tab is the password.
NOTE:
The validity period of the temporary login command is 6 hours. After the temporary login command expires, you need to reconfigure the validity period.
You can select Long-term login command on the Login Command page and configure related information as prompted to obtain the long-term login command and then the username and password.
Figure 3 Obtaining docker-username and docker-password
kubectl create secret docker-registry swr-secret \
  --docker-server=https://swr.xxx.myhuaweicloud.com \
  --docker-username=xxx \
  --docker-password=xxx \
  --dry-run=client -o json | jq -r '.data.".dockerconfigjson"' | base64 -d > /tmp/config.json
- Use the /tmp/config.json file to create a generic secret. The secret can be directly mounted to the pod of the Jenkins agent created later.
kubectl create secret generic swr-secret --from-file=/tmp/config.json -n default
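Added example (not part of the original page or of Huawei Cloud's tooling): a Python 3 check that can be run on the ECS before the generic secret is created. It confirms that /tmp/config.json has the auths layout that kubectl stores under .dockerconfigjson, that the registry key is an SWR address, and that other users cannot access the file. The function names and the sample credentials are assumptions constructed for illustration.

```python
import base64
import json
import os
import re
import stat
import sys

# Registry key format from the page: swr.[Region].myhuaweicloud.com,
# optionally with the https:// prefix passed to --docker-server.
SWR_KEY = re.compile(r"^(https://)?swr\.[a-z0-9-]+\.myhuaweicloud\.com$")

def sample_config(user="example-user", password="example-pw"):
    """Constructed sample in the layout kubectl stores under .dockerconfigjson."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    entry = {"username": user, "password": password, "auth": auth}
    return json.dumps({"auths": {"https://swr.cn-east-3.myhuaweicloud.com": entry}})

def check_config_text(text):
    """Return a list of problems in the JSON text; an empty list means usable."""
    try:
        entries = list(json.loads(text)["auths"].items())
    except (ValueError, KeyError, TypeError, AttributeError):
        return ["not a JSON object with an 'auths' map"]
    problems = [] if entries else ["'auths' is empty"]
    for server, entry in entries:
        if not SWR_KEY.match(server):
            problems.append(f"{server}: not an SWR registry address")
        try:
            decoded = base64.b64decode(entry["auth"], validate=True).decode()
        except (ValueError, KeyError, TypeError):
            problems.append(f"{server}: 'auth' missing or not valid base64")
            continue
        user, sep, password = decoded.partition(":")
        if not (user and sep and password):
            problems.append(f"{server}: 'auth' is not username:password")
        elif (entry.get("username"), entry.get("password")) != (user, password):
            problems.append(f"{server}: 'auth' disagrees with username/password")
    return problems

def check_config_file(path):
    """Check the file on disk and flag access by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    perms = [f"mode {mode:03o}: accessible to group/others"] if mode & 0o077 else []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return perms + check_config_text(fh.read())

if __name__ == "__main__":
    found = check_config_file(sys.argv[1]) if sys.argv[1:] else check_config_text(sample_config())
    print("\n".join(found) or "config.json OK")
```

The file holds the SWR password in clear text, so it can be deleted from /tmp once the swr-secret generic secret exists in the cluster.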
Configuring Cloud Information on the Jenkins Web Page
- Return to the Jenkins web page. In the navigation pane, choose Manage Jenkins > System Configuration > Plugins > Available plugins. On the Available plugins tab, search for and install the Kubernetes plugin. The Kubernetes plugin dynamically creates a pod for the Jenkins agent in the cluster and deletes the pod after it is used.
The plugin version may change over time. Select a plugin version as required. In this example, the plugin version is 4295.v7fa_01b_309c95. You can install other plugins as required, such as Kubernetes CLI Plugin (which allows kubectl to be configured for a job to interact with Kubernetes clusters).
Figure 4 Searching for the Kubernetes plugin
- In the upper left corner of the current page, click Manage Jenkins and then choose Security > Security. In the CSRF Protection area, select Enable proxy compatibility and click Apply.
NOTE:
Enable proxy compatibility is selected to avoid the "Error 403 No valid crumb was included in the request" error.
Jenkins uses CSRF protection to prevent cross-site request forgery attacks. When a user performs sensitive operations (such as building a project), Jenkins requires a valid "crumb". When a reverse proxy (such as Nginx or Apache) or load balancer is used, requests are forwarded from the client to the Jenkins server. The proxy or load balancer may modify the request header, and the CSRF token (crumb) will be lost or will not be passed correctly, resulting in the "Error 403 No valid crumb was included in the request" error.
After Enable proxy compatibility is selected, Jenkins uses a fault tolerance mechanism to ensure that it can properly process transferred requests in the proxy environment, so that CSRF tokens (crumbs) can be correctly transferred and verified through the proxy.
Figure 5 Selecting Enable proxy compatibility
- In the upper left corner of the current page, click Manage Jenkins, choose Security > Credentials, choose Stores scoped to Jenkins > System > Global credentials (unrestricted), and click Add Credentials on the right to add a cluster credential.
On the New credentials page, set Kind to Secret file, Scope to Global (Jenkins, nodes, items, all child items, etc), and File to the downloaded kubectl configuration file. Retain the default values for other parameters and click Create.
- Create a cloud, which will be used to configure cluster information so that Jenkins can match the correct cluster.
- In the upper left corner of the current page, click Manage Jenkins, then choose System Configuration > Clouds, click New Cloud to create a cloud, and enter the basic information about the cloud.
Enter a cloud name, select Kubernetes for Type, and click Create.
Figure 6 Basic cloud information
- Specify cluster information.
Figure 7 Cluster details
Table 1 Cluster parameters

| Parameter | Example Value | Description |
| --- | --- | --- |
| Kubernetes URL | https://kubernetes.default.svc.cluster.local:443 | Indicates the address of the cluster API server. You can directly enter https://kubernetes.default.svc.cluster.local:443, which is the standard DNS address for accessing the Kubernetes API server in the cluster. |
| Kubernetes Namespace | default | Specifies the namespace where the dynamically created Jenkins agent is located. |
| Credentials | xxx-kubeconfig.yaml | Specifies the cluster connection credential. Select the credential uploaded in 3. NOTE: After selecting a credential, click Test Connection on the right to check whether the cluster can be connected. If Connected to Kubernetes xxx is displayed in the command output on the left, the cluster can be connected. |
| Jenkins URL | http://10.247.22.139:8080 | Indicates the Jenkins access path. Enter the IP address for intra-cluster access in 4. The port number is 8080. |
| Jenkins tunnel | 10.247.22.139:50000 | Indicates the tunnel that is used to establish connectivity between the Jenkins master and Jenkins agent. Enter the IP address for intra-cluster access in 4. The port number is 50000. |
- Confirm the preceding information and click Save.
- Configure a pod template. With this template, Jenkins can create pods for the Jenkins agent in the cluster as required and use the created pods to run Jenkins jobs. The pods are created on demand and are automatically deleted after the jobs are complete.
- Click the cloud name and choose Pod Templates > Add a pod template.
- Configure basic parameters for the pod template.
- Name: name of the pod template. You can name the pod template as needed, for example, jenkins-agent.
- Namespace: namespace of the pod to be created. The namespace must be the same as that in the cloud, for example, default.
- Other parameters: You can configure them as required. In this example, retain the default values.
Figure 8 Configuring basic parameters for the pod template
- Add a container template. In this example, three container templates need to be added. The parameters are described in Table 2 in the form of container 1, container 2, and container 3. You can add three container templates based on the table.
- Container 1: The jenkins/inbound-agent:latest image is used to connect the Jenkins agent to the Jenkins master to ensure continuous job execution.
- Container 2: The maven:3.8.1-jdk-8 image is used to execute packaging jobs in the pipeline.
- Container 3: The gcr.io/kaniko-project/executor:v1.23.2-debug image is used to build Docker images in the container.
NOTE:
You should push the three images to the SWR image repository in advance to improve the container creation speed and reliability. For details, see Uploading an Image Through a Client.
With images stored in the SWR image repository, Jenkins does not need to pull images from external sources, accelerating container creation and reducing network latency. This also reduces the risk of container creation failures caused by network fluctuation or image pull failures, ensuring a more stable, efficient build process.
Figure 9 Container template parameters

Table 2 Container template parameters

| Parameter | Example Value | Description |
| --- | --- | --- |
| Name | Container 1: jnlp; Container 2: maven; Container 3: kaniko | Indicates the name of each container created in the cluster. The name of container 1 is fixed to jnlp. You can name other containers as needed. |
| Docker image | Container 1: jenkins/inbound-agent:latest; Container 2: maven:3.8.1-jdk-8; Container 3: gcr.io/kaniko-project/executor:v1.23.2-debug | Indicates the image required for creating a container. If you have pushed the images to SWR, change the value to the image path in SWR. |
| Working directory | Containers 1 to 3: /home/jenkins/agent | Indicates the default file storage location of the containers during the execution of build jobs. You can change the directory as needed. |
| Command to run | Containers 1 to 3: sleep | Indicates the command that is executed when the container is started. |
| Arguments to pass to the command | Containers 1 to 3: 9999999 | Specifies the parameters to be transferred to Command to run. The sleep 9999999 command keeps the container running until it has run for 9,999,999 seconds or is manually stopped. This configuration keeps the container active and prevents it from exiting automatically when there is no job. |
- Click Add Volume, select Persistent Volume Claim, and configure the parameters. The PVC is mounted to all containers to provide persistent storage for each container.
- Claim Name: Enter the name of the PVC created in 2.
- Mount path: Enter the mount path. The value is fixed to /root/.m2.
Figure 10 Configuring a PVC
- Click Add Volume again, select Secret Volume, and configure the parameters. When a pipeline job is being executed, the secret is used as a credential for the kaniko container to push images to SWR.
- Secret Name: Enter the name of the secret created in 3.
- Mount path: Enter the mount path. The value is fixed to /kaniko/.docker.
Figure 11 Configuring a secret
- Configure the secret for pulling the image. In this example, default-secret is used.
NOTE:
When pulling images in your account from SWR, you can use this secret. To use images in other accounts, you need to create a secret for a third-party image repository. For details, see Creating a Secret for a Third-Party Image Repository.
Figure 12 Configuring the image pull secret
- Confirm the preceding information and click Save.