Minikube – configure Jenkins Kubernetes plugin

Posted: January 3, 2020 in Jenkins

In this article we’ll configure a Jenkins server so it can access a minikube cluster.

Jenkins is installed on a Windows 10 machine and minikube runs in a VirtualBox VM. For details on how to run minikube on Windows, see this post.

Preparing a service account for kubernetes-plugin in minikube

account.yaml:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: default
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
  namespace: default
rules:
- apiGroups: [""]
  resources: ["pods","services"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["create","delete","get","list","patch","update","watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins
---
# Allows jenkins to create persistent volumes
# This cluster role binding grants the jenkins service account the jenkinsclusterrole ClusterRole (defined below) across the whole cluster.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins-crb
subjects:
- kind: ServiceAccount
  namespace: default
  name: jenkins
roleRef:
  kind: ClusterRole
  name: jenkinsclusterrole
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: jenkinsclusterrole
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["create","delete","get","list","patch","update","watch"]

Apply the file above (account.yaml); this creates the service account together with its roles and bindings.
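To see what a token for this service account is allowed to do, the following added example (not part of the original post) evaluates the manifest's rules the way RBAC matches them: API group, resource and verb must all match one rule. The rule data is transcribed from account.yaml above; the function names are this example's own.

```python
ALL = ["create", "delete", "get", "list", "patch", "update", "watch"]

# Role "jenkins": only applies inside namespace "default".
ROLE_NAMESPACE = "default"
ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ALL},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ALL},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ALL},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["persistentvolumeclaims"], "verbs": ALL},
]
# ClusterRole "jenkinsclusterrole", bound by a ClusterRoleBinding: applies cluster-wide.
CLUSTER_RULES = [
    {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ALL},
]


def _in(value, allowed):
    """A rule field matches on an exact entry or on the "*" wildcard."""
    return "*" in allowed or value in allowed


def rule_matches(rule, verb, group, resource):
    # Subresources such as pods/exec are separate resource names:
    # a grant on "pods" does not cover "pods/exec".
    return (_in(group, rule["apiGroups"])
            and _in(resource, rule["resources"])
            and _in(verb, rule["verbs"]))


def can_i(verb, resource, group="", namespace="default"):
    """Return True if the jenkins service account may perform the request."""
    if any(rule_matches(r, verb, group, resource) for r in CLUSTER_RULES):
        return True
    if namespace != ROLE_NAMESPACE:
        return False
    return any(rule_matches(r, verb, group, resource) for r in ROLE_RULES)


def risky_grants():
    """Grants a reviewer would question first: command execution and secret reads."""
    checks = [("create", "pods/exec"), ("get", "secrets"), ("list", "secrets")]
    return {f"{v} {r}": can_i(v, r) for v, r in checks}


if __name__ == "__main__":
    print(risky_grants())
```

With get but not list on secrets, the account can read a secret only when it already knows its name, while create on pods/exec lets it run commands in any pod in the default namespace.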

Get token:

kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-9f5cx   kubernetes.io/service-account-token   3      67m
jenkins-token-rk2mg   kubernetes.io/service-account-token   3      38m

kubectl describe secrets/jenkins-token-rk2mg
Name:         jenkins-token-rk2mg
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: jenkins
              kubernetes.io/service-account.uid: 43e75f2b-5dde-4c8c-add7-0613d4a59707

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1066 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InJNMGd2WWwxTENGbWZ5Z1J1ODJJMk84ZXhPRVkxVVhkTENCU0dmWWY4TGsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImplbmtpbnMtdG9rZW4tcmsybWciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiamVua2lucyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjQzZTc1ZjJiLTVkZGUtNGM4Yy1hZGQ3LTA2MTNkNGE1OTcwNyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmplbmtpbnMifQ.Gh0xmcYkQUk0hVElueiKmeKS3bzPcEAqeTyHrXV88n9CCucvP84vh4Cq0s1E2sw7UluQInSlHConf4GXB1HcYK5dAv-w7i0cod9u_zBzrlb_Km5BkR3mtjdpoTgGIWR9xEHwfj9_Vh7g89-Y6HO8mB2jGbpovm2EnxyRUMJ7QuV6UNFV-de_xzLLUuwdfhqAxtPnUltz7VzYY0OI_k6tesPva4C4pX0R3b3Fvb8LJjxZDEvrrx5UbGVjFJh9_THYGzMfxpsQwrHqhA1PrjxCJo8I0B19MreghzGllOjZKcIS7EINYfob2KsUBOnXluiglFY3oQ2tyK24JNpzrM5WbA

Copy the token above to the clipboard; we’ll need it later on.
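The token printed by kubectl describe is a JWT, so its payload can be read before it is pasted into Jenkins. This added example (not from the original post) decodes the claims without verifying the signature, checks that the subject is the expected service account, and reports a missing exp claim; the sample token is constructed for the example with a dummy signature, and the function names are the example's own.

```python
import base64
import json


def b64url_decode(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_claims(token):
    """Return the (unverified) payload claims of a service-account JWT."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    return json.loads(b64url_decode(parts[1]))


def review_token(token, namespace, account):
    """List findings to settle before the token is stored as a Jenkins credential."""
    claims = token_claims(token)
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{account}"
    if claims.get("sub") != expected_sub:
        findings.append(f"subject is {claims.get('sub')!r}, expected {expected_sub!r}")
    if "exp" not in claims:
        findings.append("no exp claim: token stays valid until its secret is deleted")
    return findings


# Constructed sample using the claim names a secret-based token carries;
# the signature part is a dummy, so this is not a usable credential.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "jenkins",
    "sub": "system:serviceaccount:default:jenkins",
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(b'{"alg":"RS256"}'),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    print(review_token(SAMPLE_TOKEN, "default", "jenkins"))
```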

In the C:\users\%USERNAME%\.kube folder there is a file named config:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: C:\Users\dragan.vucanovic\.minikube\ca.crt
    server: https://172.16.0.104:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: C:\Users\dragan.vucanovic\.minikube\client.crt
    client-key: C:\Users\dragan.vucanovic\.minikube\client.key

We’ll need the server and certificate-authority values from this file.

In Jenkins, click on Manage Jenkins – Configure Credentials – Credentials – Jenkins

In the drop-down menu, select Add credentials

Kind: secret text

Secret: token string (output of kubectl describe secrets/jenkins-token-rk2mg)

Configuring Kubernetes plugin

Go to Jenkins – Manage Jenkins – Configure System, scroll to the bottom and, under Add a new cloud, select Kubernetes

Kubernetes URL: the server value from the config file

Kubernetes server certificate key: the certificate-authority value from the config file

Credentials: the credentials created in the previous step.

Click on “Test Connection” and you should get “Connection test successful”

We can now reference the Jenkins secret in a pipeline:

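stage('Deploy Patient App') {
    steps {
        withCredentials([
            string(credentialsId: 'kubernetes', variable: 'api_token')
        ]) {
            // Single quotes: the shell, not Groovy, expands $api_token, so
            // Jenkins does not interpolate the token into the command string.
            // --insecure-skip-tls-verify=true turns off API server certificate
            // checking; kubectl's --certificate-authority flag can point at the
            // cluster CA file instead.
            sh 'kubectl --token "$api_token" --server https://172.17.86.28:8443 --insecure-skip-tls-verify=true apply -f some.yaml'
        }
    }
}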
