Jenkins can't checkout to private github from non master agent

Using Jenkins
,
1

Hi,

My company SAP holds several JaaS servers (e.g. eldorado.jaas-gcp.cloud.sap.corp , ugdev.jaas-gcp.cloud.sap.corp)

When I’m trying to run a job from a Kubernetes agent in eldorado.jaas-gcp.cloud.sap.corp server it’s failed to checkout to our private github server (github.wdf.sap.corp/devx-wing/devspace-scheduler.git) because lacking an SSL certificate.

The job script :

pipeline {
    agent { kubernetes {
            defaultContainer 'go'
            yaml '''
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: go
    image: golang:1.17.1
    command:
    - cat
    tty: true
'''
        }
    }    
    triggers {
        cron('H 0 * * 0')
    }
    stages {
        stage('stage1') {
            steps {
                script{
                    sh '''
                       echo "hello from stage 1"
                    '''
                }
            }
        }               
    }
}

The error :

Selected Git installation does not exist. Using Default
The recommended git tool is: NONE
using credential webidebot-github-token
Cloning the remote Git repository
Cloning repository https://github.wdf.sap.corp/devx-wing/devspace-scheduler.git
   > git init /home/jenkins/agent/workspace/devspace-scheduler-ci # timeout=10
  ERROR: Error cloning remote repo 'origin'
  hudson.plugins.git.GitException: Command "git fetch --tags --force --progress -- https://github.wdf.sap.corp/devx-wing/devspace-scheduler.git +refs/heads/*:refs/remotes/origin/*" returned status code 128:
  stdout: 
  stderr: fatal: unable to access 'https://github.wdf.sap.corp/devx-wing/devspace-scheduler.git/': server certificate verification failed. CAfile: none CRLfile: none

When it’s run on a ‘controller’ agent e.g -

agent { label ‘master’ }
it works as expected.

Also when I’m trying the same script in our other Jenkins server https://ugdev.jaas-gcp.cloud.sap.corp - it works.

This is the configuration of the SCM for the job :

configure-job
configure-job1689×635 14.7 KB

(The reason I need to run it from a different agent is that I need several tools installed on it)

What can be the difference between the JaaSs so that it works on one of them and not on the other?

Thanks in advance,
Yehuda

2

You described the root of the problem:

The agent lacks the SSL certificate that is on the controller. Note that we use the word “controller” instead of “controller”. Please update your post to use the correct term.

Your choices are:

  • Install the SSL certificate on each agent
  • Switch to use ssh private keys instead of username/password authentication to clone the repo
3

Thank you @MarkEWaite for your response.

As I understand. The agent is created from the image I gave it.
So I tried also to use an image that I installed on it the certificate but it’s not working on the eldorado.jaas-gcp.cloud.sap.corp JaaS but only in ugdev.jaas-gcp.cloud.sap.corp JaaS.

Do you have any idea what is configured in ugdev.jaas-gcp.cloud.sap.corp so it works on it with the same image?

4

No, I don’t. You’ll need to check with your Jenkins administrators. If you’d rather not do that, then switch to use ssh access and ssh private keys instead of using https access to the repository. Or, ask the repository administrators to provide an SSL certificate on the repository server.

1 Like