How to use podTemplate in a declarative pipeline with the kubernetes-plugin.

[Vincent Heet]

Hi,

I configured a declarative pipeline with the kubernetes-plugin to start a jenkins job's in a k8s cluster. This is working great but now I want to use volumes for secrets and need to specify a podTemplate. I'm not sure how to configure a podTemplate for a declarative pipeline. The pipeline that is working:

pipeline {
    agent {
        kubernetes {
            label 'jenkins-demo'
            containerTemplate {
                name 'dind-jdk8-maven3'
                image 'eu.gcr.io/jenkins-demo/dind-jdk8-maven3:v4'
                ttyEnabled true
                command 'cat'
            }
        }
    }
    stages {
    }
}

The above I would like to extend with a podTemplate containing volumes and a secretVolume. The issue is that I don't know the correct syntax for specifying a podTemplate in the declarative pipeline. So I came up with this:

pipeline {
    agent {
        kubernetes {
            label 'jenkins-demo'
            podTemplate {
                volumes {
                    secretVolume(secretName: 'some-secret', mountPath: '/some-secret')
                }
                containerTemplate {
                    name 'dind-jdk8-maven3'
                    image 'eu.gcr.io/jenkins-demo/dind-jdk8-maven3:v4'
                    ttyEnabled true
                    command 'cat'
                }
            }
        }
    }
    stages {
    }
}

Ofcourse this doesn't work an throws an error. Can anyone help me out with specifying a podTemplate so I can use k8s secrets?

Thanks,

Vincent

[Carlos Sanchez]

It is not yet possible. Volumes would need to be added to the class https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesDeclarativeAgent.java

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/a69efdfc-7c1c-4e4f-a909-0b43ad95868b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Vincent Heet]

Ok so maybe i'm able to add this myself next week. I looked at the class you mentioned but would adding the PodTemplate class as a property there fix my issue? And I'm not sure why you mention volumes, volumes would then be supported from the PodTemplate if I understand this correctly?

To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.

[Carlos Sanchez]

I'm not familiar with declarative pipeline, but looking at what Andrew did in KubernetesDeclarativeAgent.java I assume you need to add the pod template fields that you need in there. envVars, volumes,...

To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/4fed7d43-bbbc-46ab-a718-5e7f6e5d2a99%40googlegroups.com.

[Chris Willmore]

Hey Vincent - did you ever give this a try? I'm looking at doing this now and was wondering if you ran into any blockers.

-Chris

[Vincent Heet]

Hi Chris,

No I didn't. I ended up rewriting my Jenkinsfile in the non-declarative Groovy format which worked like a charm.

Greetings, Vincent

[Tim Zhukov]

Hey All,

Is volume support still in development? I would like to use declarative syntax with k8s plugin, but our agent containers share persistence across pod with volume mounts.

--

Best 

Tim Zhukov 

[Carlos Sanchez]

I don't think it is possible, a volumes field would need to be added to KubernetesDeclarativeAgent

https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/KubernetesDeclarativeAgent.java

To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/2be2f487-e5db-4770-a2e1-e2ed402e1f1b%40googlegroups.com.

[Vamsi krishna]

Hello all....

Local headers refused by remote: Authorization failure

Jan 04, 2018 6:13:25 PM hudson.remoting.jnlp.Main$CuiListener status

INFO: Protocol JNLP4-connect encountered an unexpected exception

whats this error means...  this is the logs error i am getting in my pod.. can anyone have idea.. i am thinking remote jnlp-4 is not accepting that container and the jnlp port issue i am guessing but not sure? any idea

[Tim Zhukov]

Hi,

Have anyone deployed a jenkins on CoreOs Tectonic? I'm experimenting with a docker build container and I can't figure out how to run it as jenkins user instead of root. I figured out that I need to give jenkins user access to host's docker group, but before I start sshing on the node and such, I was wondering if anyone has had experience with this.

--

Best 

Tim Zhukov

--
You received this message because you are subscribed to a topic in the Google Groups "Jenkins Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jenkinsci-users/DEwTX-C5ct4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jenkinsci-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/f6324704-c29a-4d1c-8bd7-6a07a7b38b38%40googlegroups.com.

[Chris Willmore]

Hi Tim,

I have not run on Tectonic. However. I believe the issue is that the podTemplate / plugin does not support "runAsUser" (afaik). Using "runAsUser" would allow you to map the owner of the containerized build process to the user on the underlying host with docker access. 

Without "runAsUser" support, you probably could hack the jnlp-agent to run with the same UID as needed.

-Chris

To unsubscribe from this group and all its topics, send an email to jenkinsci-use...@googlegroups.com.

[Tim Zhukov]

There was a suggestion to contact docker on the host via docker API and forgoing socket altogether. I've done that manually a few times, but I'm not sure how to setup against CoreOS on tectonic. Altogether it seems like the safest solution, but also the most involved.

--

Tim

To unsubscribe from this group and all its topics, send an email to jenkinsci-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/f825b7dc-ed98-4b99-b60a-0e6db7f74c71%40googlegroups.com.