Issue

External CloudBees client controllers require the configuration of the Kubernetes Plugin in order to
provision ephemeral build agents on Openshift 4.x.

Environment

• CloudBees Jenkins Enterprise - Managed controller (CJE-MM)
• CloudBees Jenkins Team (CJT)
• CloudBees Jenkins Platform - Client controller (CJP-CM)
• CloudBees Jenkins Distribution
• Jenkins LTS
• Kubernetes Plugin

Resolution

CloudBees CI (modern) on Openshift doesn’t require the Kubernetes Plugin to be configured because it is
automatically configured with the installation of CloudBees CI software on those platforms. However,
external CloudBees client controllers do require the setup of the Kubernetes Plugin. For Openshift 4.x
create a non-expiring token and add it to CloudBees Jenkins to authenticate.

Openshift 4.x

Openshift 4.x uses Oauth tokens.

To correctly setup the Kubernetes Plugin within Jenkins you’ll need to create a serviceaccount in Openshift granting privileges to the serviceaccount and generating a non-expiring token to use in Jenkins.

Create a non-expiring token for a service account

1. oc login [url] -u [username] -p [password]

2. oc new-project cloudbees-core

3. oc create serviceaccount jenkins

4. oc policy add-role-to-user edit system:serviceaccount:cloudbees-core:jenkins -n cloudbees-core

5. oc serviceaccounts get-token jenkins -n cloudbees-core

6. Save the token value returned by the last command

7. Go to Manage Jenkins > Manage Nodes and Clouds > Configure Clouds and click on Kubernetes cloud details for your Kubernetes cloud item (for Openshift)

8. Configure Kubernetes URL and Kubernetes server certificate key

1. Add credential and create a credential of type Secret text where the secret is the token you obtained from step #6

References

• https://docs.openshift.com/container-platform/4.5/authentication/understanding-authentication.html#rbac-api-authentication_understanding-authentication
• http://v1.uncontained.io/playbooks/continuous_delivery/external-jenkins-integration.html