
Can't override jnlp podTemplate & container - Jenkins declarative pipeline

      I'm using Jenkins on a Kubernetes cluster, installed with the Helm chart as below:

      helm repo add jenkinsci https://charts.jenkins.io
      helm repo update
      kubectl create ns jenkins
      kubectl apply -f https://raw.githubusercontent.com/nurhun/jenkisn_pvc/main/pvc_jks.yaml
      kubectl apply -f https://raw.githubusercontent.com/jenkins-infra/jenkins.io/master/content/doc/tutorials/kubernetes/installing-jenkins-on-kubernetes/jenkins-sa.yaml 
      helm install my-jenkins jenkinsci/jenkins -n jenkins \
      --set controller.serviceType=LoadBalancer \
      --set controller.servicePort=8888 \
      --set persistence.existingClaim=jenkins-pvc \
      --set persistence.accessMode=ReadWriteMany
      

      Also tried --set agent.enabled=false, but it also grabs the default jnlp image.

      And tried to override the jnlp agent with the pipeline below, but it skips my definition and pulls the default jenkins/inbound-agent:4.3-4 image.

      My pipeline:

      pipeline {
        
          agent {
              kubernetes {
                  cloud 'kubernetes'
                  label 'jnlp'
                  defaultContainer 'jnlp'
                  yaml """
                      apiVersion: v1
                      kind: Pod
                      metadata:
                      labels:
                          label: agent
                          jenkins: slave
                      name: jnlp
                      spec:
                      containers:
                      - name: jnlp
                        image: nurhun/my_custom_jenkins_inboud_agent:v1.0
                        args: ['\$(JENKINS_SECRET)', '\$(JENKINS_NAME)']
                        env:
                        - name: CONTAINER_ENV_VAR
                          value: jnlp
                        - name: JENKINS_AGENT_WORKDIR
                          value: /home/jenkins/agent
                        - name: JENKINS_URL
                          value: http://my-jenkins.jenkins.svc.cluster.local:8888/
                        - name: "JENKINS_TUNNEL"
                          value: "my-jenkins-agent.jenkins.svc.cluster.local:50000"
                        volumeMounts:
                        - mountPath: "/home/jenkins/agent"
                          name: "workspace-volume"
                          readOnly: false
                        - name: jenkins-docker-cfg
                          mountPath: /var/run/docker.sock
                      volumes:
                      - name: jenkins-docker-cfg
                        hostPath:
                          path: /var/run/docker.sock
                      - emptyDir:
                          medium: ""
                          name: "workspace-volume"
                  """
              }
          }
      
            
          stages {
      
              stage('Build') {
                  agent {
                      kubernetes {
                          label 'jnlp'
                          defaultContainer 'jnlp'
                      }
                  }
      
                  steps {
                      sh "docker build . -t custom_image:${IMAGE_TAG}"
                  }
              }
           }
      }
      

       

      I also tried to set the Defaults Provider Template Name as below, but it still doesn't work.

       

      Any ideas ?

          [JENKINS-66046] Can't override jnlp podTemplate & container - Jenkins declarative pipeline

          Matthew added a comment -

          I am having a similar issue.  No matter what I set in my cloud settings, it's always using:

          jenkins/inbound-agent:4.3-4
          

          This is an issue, because 4.3-4 has 2 critical CVEs (CVE-2021-20231 & CVE-2021-20232) which are stopping us from being able to deploy in our prod cluster.


          Matthew added a comment -

          As a Major priority with a relatively simple fix, it's now been a few months.  Any chance of this getting resolved soon?


          charly ghislain added a comment -

          I was having an issue with the default agent image "jenkins/inbound-agent:4.3-4" from kubernetes plugin version 1.30.1 that was used for my podTemplates. The new letsencrypt ca was apparently not in the truststore (not checked), and git clone was failing because it couldn't validate the certificate.

          I ran into this issue when I attempted to add a custom jnlp container spec in my podTemplate with the arguments as provided in the documentation page, which is:

          spec:
            containers:
            - name: jnlp
              image: 'jenkins/inbound-agent:4.7-1'
              args: ['\$(JENKINS_SECRET)', '\$(JENKINS_NAME)']

          For some reason, this appeared to be ignored. However, NOT specifying the container args worked as expected.

          To be explicit, a container spec like this one below was pulling my custom image, and resolved my issue:

          containers:
            - name: jnlp
              image: 'my/custom/image:myCustomImageTag'

          Ryan Montgomery added a comment -

          Any update on this? It is starting to cause a lot of issues with twistlock blocking the image due to vulnerabilities in this older version.

          Mark Waite added a comment -

          montti can't you use the most recent release of the inbound agent image as published at https://hub.docker.com/r/jenkins/inbound-agent/tags?page=1&name=4.10-3 ? The available images include 4.10-3, 4.10-3-jdk11, and 4.10-3-jdk8.


          Matthew added a comment - - edited

          The bug is that the provided tag is being ignored.  4.3-4 is hard-coded in the code, rather than pulled in from the provided helm value.  We would like to use the most recent tag, but can't

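An added example (not from this issue thread or the Jenkins project): a check that lists agent pods whose `jnlp` container is not running the image the pod template asked for, and marks the silent fallback to `jenkins/inbound-agent:4.3-4` reported in the comments above. The pod list is constructed sample data in the shape of `kubectl get pods -n jenkins -o json`; the pod names and the non-jnlp images are assumptions.

```python
import json

# Image the thread reports agents silently falling back to.
FALLBACK_IMAGE = "jenkins/inbound-agent:4.3-4"

# Constructed sample in the shape of `kubectl get pods -n jenkins -o json`.
SAMPLE_POD_LIST = json.loads("""
{"items": [
 {"metadata": {"name": "jnlp-a1"},
  "spec": {"containers": [{"name": "jnlp", "image": "jenkins/inbound-agent:4.3-4"}]}},
 {"metadata": {"name": "jnlp-b2"},
  "spec": {"containers": [{"name": "jnlp", "image": "docker.io/my/custom/image:myCustomImageTag"},
                          {"name": "build", "image": "example/build-tools:1"}]}},
 {"metadata": {"name": "jnlp-c3"},
  "spec": {"containers": [{"name": "jnlp", "image": "my/custom/image"}]}},
 {"metadata": {"name": "my-jenkins-0"},
  "spec": {"containers": [{"name": "jenkins", "image": "example/controller:1"}]}}
]}
""")


def normalize(image):
    """Drop an explicit docker.io/ prefix and make the implicit :latest tag explicit."""
    if image.startswith("docker.io/"):
        image = image[len("docker.io/"):]
    last_segment = image.rsplit("/", 1)[-1]
    if "@" not in image and ":" not in last_segment:
        image += ":latest"
    return image


def audit_jnlp_images(pod_list, expected_image):
    """Return (pod, image, reason) for every jnlp container not running expected_image."""
    expected = normalize(expected_image)
    findings = []
    for pod in pod_list.get("items", []):
        for container in pod.get("spec", {}).get("containers", []):
            if container.get("name") != "jnlp":
                continue  # only the agent container is in scope
            image = normalize(container.get("image", ""))
            if image == expected:
                continue
            reason = "default-fallback" if image == normalize(FALLBACK_IMAGE) else "unexpected-image"
            findings.append((pod["metadata"]["name"], image, reason))
    return findings


if __name__ == "__main__":
    for name, image, reason in audit_jnlp_images(SAMPLE_POD_LIST, "my/custom/image:myCustomImageTag"):
        print(f"{name}: {image} ({reason})")
```

Run against live data by replacing `SAMPLE_POD_LIST` with the parsed output of `kubectl get pods -n jenkins -o json`; a `default-fallback` finding means the template override was ignored for that pod.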

            Unassigned Unassigned
            nurhun Nurhun