Setting up Jenkins on Kubernetes behind a corporate proxy

The purpose of this document is to guide you through the challenges you might face when setting up Jenkins on Kubernetes behind a proxy. Some corporate proxies intercept HTTPS traffic by replacing the certificate, which causes Jenkins and other tools to fail when they try to connect to target URLs. The proper way to fix the resulting self-signed certificate errors (which is what you get if your corporate proxy intercepts HTTPS traffic) is to add the corporate certificates to the Jenkins JVM as well as to its OS. To begin with, however, we start with a quick fix: adding proxy settings and forcing Jenkins to get updates from http://updates.jenkins.io (note that this is not an HTTPS endpoint).

persistence:
  enabled: true
  storageClass: local-storage
  size: 5Gi
master:
  adminUser: "admin"
  adminPassword: mypassword
  installPlugins:
    - skip-certificate-check:1.0
    - greenballs:1.15
    - kubernetes:1.21.2
    - workflow-job:2.36
    - workflow-aggregator:2.6
    - credentials-binding:1.20
    - git:4.0.0
  initContainerEnv:
    - name: http_proxy
      value: "http://proxy.xxx.corp:8080"
    - name: https_proxy
      value: "http://proxy.xxx.corp:8080"
    - name: no_proxy
      value: "jenkins-dev,jenkins-dev.jenkins.svc.cluster.local,localhost,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster.local"
    - name: JENKINS_UC
      value: "http://updates.jenkins.io"
#  http://jenkins-dev.default.svc.cluster.local:8080
  containerEnv:
    - name: http_proxy
      value: "http://proxy.xxx.corp:8080"
    - name: https_proxy
      value: "http://proxy.xxx.corp:8080"
    - name: no_proxy
      value: "jenkins-dev,jenkins-dev.jenkins.svc.cluster.local,localhost,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster.local"
  # http.proxyHost / https.proxyHost take a bare host name, not a URL
  javaOpts: >-
    -Dhttp.proxyHost=proxy.xxx.corp
    -Dhttp.proxyPort=8080
    -Dhttps.proxyHost=proxy.xxx.corp
    -Dhttps.proxyPort=8080
    -Dhttp.nonProxyHosts="jenkins-dev|jenkins-dev.jenkins.svc.cluster.local|localhost|kubernetes.default|kubernetes.default.svc|kubernetes.default.svc.cluster.local"
agent:
  tag: 3.36-2
  envVars:
    - name: http_proxy
      value: "http://proxy.xxx.corp:8080"
    - name: https_proxy
      value: "http://proxy.xxx.corp:8080"
    - name: no_proxy
      value: "jenkins-dev,jenkins-dev-agent,jenkins-dev.jenkins.svc.cluster.local,localhost,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster.local"

A few notes:

  • If you're on a cloud, you can get rid of the persistence section.
  • You might want to remove adminPassword to let the chart create a random one for you. In that case, you need to decode the value in the secret jenkins-dev to see the actual password.
  • JENKINS_UC is an HTTP endpoint and not an HTTPS one.
  • skip-certificate-check is added to the preinstalled plugins, which means Jenkins will not complain about invalid HTTPS certificates.
  • At the time of this writing, the default Jenkins Helm chart fails due to the issue here: jenkinsci/mesos-plugin#83. The above config fixes that issue too.
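
An added example, not part of the original gist: a small Python check that scans a values file for the quick-fix settings discussed above (a hard-coded adminPassword, the skip-certificate-check plugin, an HTTP JENKINS_UC) plus a proxyHost that carries a URL scheme, so they can be tracked and removed once the corporate certificates are installed. The function name audit_values, the finding codes and the sample input are constructed for illustration.

```python
import re

# Constructed sample modelled on the values file above, quick-fix settings present.
SAMPLE_VALUES = '''\
master:
  adminPassword: mypassword
  installPlugins:
    - skip-certificate-check:1.0
    - git:4.0.0
  initContainerEnv:
    - name: JENKINS_UC
      value: "http://updates.jenkins.io"
  javaOpts: >-
    -Dhttp.proxyHost=http://proxy.xxx.corp
    -Dhttp.proxyPort=8080
'''

def audit_values(text):
    """Return (line_number, finding_code, detail) for each quick-fix setting."""
    findings = []
    env_name = None  # most recent "- name:" entry, paired with its "value:" line
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"adminPassword:\s*\S", line):
            findings.append((number, "hardcoded-admin-password",
                             "remove it so the chart generates a random one"))
        if re.match(r"-\s*skip-certificate-check(:|\s|$)", line):
            findings.append((number, "certificate-check-skipped",
                             "Jenkins accepts invalid HTTPS certificates"))
        name = re.match(r"-\s*name:\s*(\S+)", line)
        if name:
            env_name = name.group(1)
            continue
        value = re.match(r"value:\s*[\"']?([^\"']*)", line)
        if value and env_name == "JENKINS_UC" and value.group(1).startswith("http://"):
            findings.append((number, "plaintext-update-center",
                             "update site is fetched over HTTP, not HTTPS"))
        proxy = re.match(r"-Dhttps?\.proxyHost=(\S+)", line)
        if proxy and "://" in proxy.group(1):
            findings.append((number, "proxyhost-has-scheme",
                             "the JVM expects a bare host name here"))
    return findings

if __name__ == "__main__":
    for number, code, detail in audit_values(SAMPLE_VALUES):
        print(f"line {number}: {code}: {detail}")
```

The scan is line-based and assumes the one-key-per-line layout used in the values file above; it is not a general YAML parser.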