In this article we will cover the basics of configuring Jenkins to use GCP to create agents on demand.
We will start with the requirements for this setup and then move on to configuring a GCP service account.
After that comes the Jenkins configuration, which starts with the plugin installation, followed by the creation of the service account credentials and the cloud configuration.
At the end there's a small test job to verify the configuration.
- Account on a Jenkins instance*: With administrator permissions.
- Account on Google Cloud Platform: Capable of using Compute Engine and creating service accounts.
- Optional: gcloud command-line tool.
*This instance can be in any cloud or on-premises. For readers with less experience we recommend this article, which describes the process of creating a brand new Jenkins instance.
This account will be used by Jenkins to communicate with GCP whenever it is necessary to create an agent.
This account will have the following roles:
- roles/compute.instanceAdmin
- roles/compute.networkAdmin
- roles/iam.serviceAccountUser
Using the gcloud command-line tool or Cloud Shell, this is easily achieved by running the following commands.
In this example we are going to use Cloud Shell and the steps are as follows:
1. Create the service account:
    gcloud iam service-accounts create jenkins-gce
2. Assign the required roles to the service account:
    # Resolve the active project and the e-mail address of the new service account
    export PROJECT=$(gcloud info --format='value(config.project)')
    export SA_EMAIL=$(gcloud iam service-accounts list --filter="name:jenkins-gce" \
        --format='value(email)')

    # Bind each required role to the service account at project level
    gcloud projects add-iam-policy-binding --member serviceAccount:$SA_EMAIL \
        --role roles/compute.instanceAdmin $PROJECT
    gcloud projects add-iam-policy-binding --member serviceAccount:$SA_EMAIL \
        --role roles/compute.networkAdmin $PROJECT
    gcloud projects add-iam-policy-binding --member serviceAccount:$SA_EMAIL \
        --role roles/iam.serviceAccountUser $PROJECT

    # Print the resulting policy to confirm the bindings
    gcloud projects get-iam-policy $PROJECT
You should see:
    - members:
      - serviceAccount:jenkins-gce@$PROJECT.iam.gserviceaccount.com
      role: roles/compute.instanceAdmin
    - members:
      - serviceAccount:jenkins-gce@$PROJECT.iam.gserviceaccount.com
      role: roles/compute.networkAdmin
    - members:
      - serviceAccount:jenkins-gce@$PROJECT.iam.gserviceaccount.com
      - user:<user>
      role: roles/iam.serviceAccountUser
3. Grab the JSON service account key:
    gcloud iam service-accounts keys create --iam-account $SA_EMAIL jenkins-gce.json
If you are using Cloud Shell, use the following command to download the file:
    cloudshell download jenkins-gce.json
Using this service account Jenkins will be able to manage all the resources required to create agents on-demand.
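To check the result of step 2 mechanically rather than by eye, the following added example (not part of the original article) parses the JSON form of the project policy and reports roles that are missing from, or granted beyond, the three assigned above. The `audit_policy` helper, the sample policy and the `example-project` name are constructed for illustration.

```python
import json

# Roles granted to the jenkins-gce service account in step 2.
EXPECTED_ROLES = frozenset({
    "roles/compute.instanceAdmin",
    "roles/compute.networkAdmin",
    "roles/iam.serviceAccountUser",
})

def audit_policy(policy_json, sa_email, expected=EXPECTED_ROLES):
    """Diff the roles bound to sa_email against the expected set.

    policy_json: text from
    `gcloud projects get-iam-policy $PROJECT --format=json`.
    Returns roles that are missing (setup incomplete) and roles that are
    unexpected (the account can do more than the agent setup needs).
    """
    member = "serviceAccount:" + sa_email
    granted = set()
    for binding in json.loads(policy_json).get("bindings", []):
        if member in binding.get("members", []):
            granted.add(binding["role"])
    return {
        "missing": sorted(set(expected) - granted),
        "unexpected": sorted(granted - set(expected)),
    }

# Constructed sample data: placeholder project, one role missing, one extra.
SAMPLE_SA = "jenkins-gce@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/compute.instanceAdmin",
     "members": ["serviceAccount:" + SAMPLE_SA]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:" + SAMPLE_SA, "user:admin@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:" + SAMPLE_SA]},
    {"role": "roles/viewer",
     "members": ["user:admin@example.com"]},
]})

if __name__ == "__main__":
    result = audit_policy(SAMPLE_POLICY, SAMPLE_SA)
    print("missing:   ", result["missing"])
    print("unexpected:", result["unexpected"])
```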
Go to Manage Jenkins > Manage Plugins > Available and look for “Google Compute Engine” as we show you in the following image:
Go to Manage Jenkins > Manage Credentials > Global > Add Credentials of kind “Google Service Account from private key”.
Set your project name and upload the JSON file previously downloaded.
Go to Manage Jenkins > Manage Nodes and Clouds > Configure Clouds > Add a new cloud > Google Compute Engine and fill in the fields with your information.
The Service Account Credentials should be the one created in the previous step and you can use an instance template or configure the instance directly in Jenkins.
Note: The instance requires Java 8 installed and on the default path. Create a VM, install Java 8 and create a new OS image in your GCP project. Packer can also be used to achieve this. More info here.
This is an example of a Jenkins Cloud setup:
Example in Configuration as Code, replace PROJECT and REGION with the ones you are using:
    clouds:
    - computeEngine:
        cloudName: "GCP"
        configurations:
        - bootDiskAutoDelete: true
          bootDiskSizeGb: 10
          bootDiskSizeGbStr: "10"
          bootDiskType: "https://www.googleapis.com/compute/v1/projects/$PROJECT/zones/$REGION/diskTypes/pd-balanced"
          description: "CICD"
          externalAddress: true
          javaExecPath: "java"
          labelSet:
          - name: "linux"
          labelString: "linux"
          labels: "linux"
          launchTimeoutSeconds: 300
          launchTimeoutSecondsStr: "300"
          mode: EXCLUSIVE
          namePrefix: "cicd"
          numExecutors: 1
          numExecutorsStr: "1"
          region: "https://www.googleapis.com/compute/v1/projects/$PROJECT/regions/europe-west1"
          retentionTimeMinutes: 6
          retentionTimeMinutesStr: "6"
          runAsUser: "jenkins"
          serviceAccountEmail: "jenkins-gce@$PROJECT.iam.gserviceaccount.com"
          template: "https://www.googleapis.com/compute/v1/projects/$PROJECT/global/instanceTemplates/jenkins-template-1"
          zone: "https://www.googleapis.com/compute/v1/projects/$PROJECT/zones/$REGION"
        credentialsId: "$PROJECT"
        instanceId: ""
        projectId: "$PROJECT"
1. Create a new Freestyle Project and call it “Test GCP agents”, for example:
2. Restrict where the job can be run and select the label for GCP agents (gcp in this example):
3. In the Build section select “Execute shell” and add this small script to check the agent IP and hostname.
    #!/bin/bash
    echo "This is my IP"
    curl -s ifconfig.co
    echo "This is my hostname"
    hostname -f
It is as shown in the image:
4. Run the job and verify the output:
You should be able to see the new VM in the GCP console and the job will output information about the instance which is also available on the console.
With this test we verify that everything works correctly.
Different types of agents can be created depending on the job requirements and, since the agents are ephemeral, the cost is reduced to the minimum required to run the job.
The configuration is simple: the complex task of creating new agents is abstracted away and can be achieved by a simple click or trigger.