Erwin Müller

Jenk­ins on Ku­berntes — Part 1

Part 1 — Con­fig­ure System

Part 1 will de­scribe how to con­fig­ure the Jenk­ins sys­tem to add the Sonar­Qube, Key­cloak and Gitea servers, and to con­fig­ure the Ku­ber­netes cloud where our builds are go­ing to run.

Sonar­Qube servers

We add our Sonar­Qube serv­er, so that with­Sonar­QubeEnv can in­ject the serv­er URL and the au­then­ti­ca­tion to­ken to our build. The name must match the pa­ra­me­ter that we pass to the method.

SonarQube Servers
Sonar­Qube Servers
  • En­vi­ron­ment variables: [ ]
  • Sonar­Qube installations:
  • Name: sonar­qube
  • Serv­er URL: https://​sonar​qube​.an​risoft​ware​.com
  • Serv­er au­thN to­ken: xxx

Glob­al Key­cloak Settings

Our Jenk­ins will use Key­cloak sin­gle sign on (SSO). The doc­u­men­ta­tion of the plu­g­in de­scribes how to con­fig­ure Key­cloak for Jenk­ins: key­cloak-plu­g­in

  • Key­cloak JSON: { … }
  • [ ] Val­i­date To­ken on each request
  • Use de­fault IDP:

Gitea Servers

We are go­ing to use Gitea as our repos­i­to­ry. Here we have to con­fig­ure the Gitea serv­er so that Jenk­ins can use web-hook triggers.

Gitea Servers
Gitea Servers
  • Gitea Servers
  • Name: an­risoft­ware-com
  • Serv­er URL: https://​gitea​.an​risoft​ware​.com
  • [x] Man­age hooks
  • Cre­den­tials: jenkins/**** (jenk­ins gitea)


Af­ter we in­stalled Jenk­ins in Ku­ber­netes, the cloud is al­ready con­fig­ured with the de­faults. The de­faults are work­ing, but we are go­ing to use our own Dock­er im­age for Maven builds. That is, be­cause we need to able so sign our ar­ti­facts with GnuPG. The sig­na­tures are nec­es­sary if we want to de­ploy our projects in Maven Cen­tral, but it’s al­so good prac­tice to do so any­way. A sig­na­ture guar­an­tees that the pub­lished ar­ti­facts are build from a trust­ed source.

Af­ter we have con­fig­ured Ku­ber­netes, we can start cre­at­ing our build pipelines. The builds are then run in­side Dock­er con­tain­ers. Those con­tain­er will share a NFS di­rec­to­ry that is mount­ed un­der /home/jenkins/workspace and we pass all the nec­es­sary pa­ra­me­ters to sign the cre­at­ed ar­ti­facts and to up­load the gen­er­at­ed re­ports to a web serv­er via SSH.


  • Name: ku­ber­netes
  • Ku­ber­netes URL: https://kubernetes.default
  • Ku­ber­netes Name­space: jenkins
  • Jenk­ins URL: http://jenkins:8080
  • Jenk­ins Tun­nel: jenkins-agent:50000


Ku­ber­netes Pod Template

  • Name: maven-3-jd­k‑8
  • Name­space: jenkins
  • La­bels: maven-3-jd­k‑8


Con­tain­er Template

  • Name: jnlp
  • Dock­er im­age: jenkins/jnlp-slave:3.10 – 1
  • Al­ways pull image: [ ]
  • Work­ing di­rec­to­ry: /home/jenkins
  • Com­mand to run:
  • Ar­gu­ments to pass: ${computer.jnlpmac} ${com​put​er​.name}
  • Al­lo­cate pseu­do-TTY: [x]
  • EnvVars:

Con­tain­er Template

  • Name: maven
  • Dock­er im­age: erwin82/maven:v3.5.3‑jdk-8‑r.10
  • Al­ways pull image: [ ]
  • Work­ing di­rec­to­ry: /home/jenkins
  • Com­mand to run: /bin/sh ‑c
  • Ar­gu­ments to pass: cat
  • Al­lo­cate pseu­do-TTY: [x]
  • EnvVars:


En­vi­ron­ment Variable

  • Val­ue: http://jenkins:8080

En­vi­ron­ment Vari­able from Secret

  • Se­cret­Name: jenkins-ssh
  • Se­cretKey: ssh_hosts

En­vi­ron­ment Variable

  • Val­ue: /root/.ssh

En­vi­ron­ment Vari­able from Secret

  • Se­cret­Name: jenkins-ssh
  • Se­cretKey: ssh_id_rsa

En­vi­ron­ment Vari­able from Secret

  • Se­cret­Name: jenkins-ssh
  • Se­cretKey: ssh_user

En­vi­ron­ment Vari­able from Secret

  • Se­cret­Name: jenkins-ssh
  • Se­cretKey: ssh_pass

En­vi­ron­ment Variable

  • Val­ue: jenkins

En­vi­ron­ment Variable

  • Val­ue: jenkins@​anrisoftware.​com


Per­sis­tent Vol­ume Claim

  • Claim Name: jenkins-work
  • Read On­ly: [ ]
  • Mount path: /home/jenkins/workspace

Leave a Reply

Your email address will not be published.