{"id":13289061,"url":"https://github.com/kevchu3/azure-buildagent-container","last_synced_at":"2025-07-31T16:11:08.987Z","repository":{"id":50504036,"uuid":"519260045","full_name":"kevchu3/azure-buildagent-container","owner":"kevchu3","description":"Build a containerized Azure agent","archived":false,"fork":false,"pushed_at":"2022-10-14T14:54:06.000Z","size":62,"stargazers_count":5,"open_issues_count":1,"forks_count":8,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-10T16:20:56.604Z","etag":null,"topics":["azure-devops","build-agent","container"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kevchu3.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-07-29T15:17:36.000Z","updated_at":"2024-03-20T20:59:25.000Z","dependencies_parsed_at":"2023-01-20T01:48:15.874Z","dependency_job_id":null,"html_url":"https://github.com/kevchu3/azure-buildagent-container","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/kevchu3/azure-buildagent-container","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kevchu3%2Fazure-buildagent-container","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kevchu3%2Fazure-buildagent-container/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kevchu3%2Fazure-buildagent-container/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kevchu3%2Fazure-buildagent-container/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kev
chu3","download_url":"https://codeload.github.com/kevchu3/azure-buildagent-container/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kevchu3%2Fazure-buildagent-container/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265205760,"owners_count":23727511,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure-devops","build-agent","container"],"created_at":"2024-07-29T17:00:25.280Z","updated_at":"2025-07-31T16:11:08.946Z","avatar_url":"https://github.com/kevchu3.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hosting Azure Build Agent in OpenShift\n\n## Prerequisites\n\nYou will need the following:\n- OpenShift 4 cluster\n- Azure DevOps organization\n\n## Installation\n\n### 1. Clone this repository\n\n```\n$ git clone https://github.com/kevchu3/azure-buildagent-container.git\n```\n\n### 2. Set up a Personal Access Token\n\nFollow the documentation to [set up a Personal Access Token] in Azure.  Save the personal access token for use later in this installation.\n\n### 3. 
Configure Agent Pool\n\nCreate a new Agent Pool or configure an existing Agent Pool by navigating to Project Settings -\u003e Agent pools.\n\nTo create a new Agent Pool, navigate to Project Settings -\u003e Agent pools, and select Add agent pool.\n\n- Pool to link: New\n- Pool type: Self-hosted\n- Name: \u003cyour agent pool name\u003e\n- Pipeline permissions: Grant access permission to all pipelines\n\nVerify from the pool's Security tab that you are assigned as an Administrator to the pool.\n\nOtherwise, configure an existing Agent Pool.  Confirm the following:\n- Pipeline permissions: Grant access permission to all pipelines\n- Verify from the pool's Security tab that you are assigned as an Administrator to the pool.\n\n### 4. Create Build Artifacts\n\nCreate a new project in OpenShift.  For our example, we have used `azure-build`.  The included [start.sh] wrapper script configures and runs the container; copy it to the project as a ConfigMap:\n```\n$ oc new-project azure-build\n$ oc create cm start-sh --from-file=start.sh=resources/start.sh\n```\n\nCreate [imagestream] and [buildconfig] artifacts to build the Azure build agent image.  Configured triggers will start a new build automatically.\n\n```\n$ oc create -f resources/imagestream.yaml -f resources/buildconfig.yaml\n```\n\nOptionally, determine the latest published agent release.  Navigate to [Azure Pipelines Agent] and check the page for the highest version number listed.  Note the Agent download URL for Linux x64.\n\nConfigure the `AZP_AGENT_PACKAGE_LATEST_URL` environment variable in the BuildConfig with the desired Agent download URL, and build a new agent image:\n\n```\n$ oc set env bc/azure-build-agent AZP_AGENT_PACKAGE_LATEST_URL=https://download.agent.dev.azure.com/agent/4.258.1/vsts-agent-linux-x64-4.258.1.tar.gz\n$ oc start-build azure-build-agent\n```\n\n### 5. Configure Builder as Rootless User\n\nAs a security best practice, pods should be run as a rootless user.  
There are several methods to accomplish this, and we have opted to lock down privileges by [creating a new SecurityContextConstraint] named `nonroot-builder` for the Azure DevOps service account for our builder pods.\n\nAs cluster-admin, create a serviceaccount for the build agent, a [nonroot-builder SCC], and apply the SCC to the serviceaccount:\n```\n$ oc create sa azure-build-sa\n$ oc create -f resources/nonroot-builder.yaml\n$ oc adm policy add-scc-to-user nonroot-builder -z azure-build-sa\n```\n\n### 6. Configure Deployment\n\nThe Azure build agent is configured to use an [unattended config], which will allow us to deploy the agent as an OpenShift pod without manual intervention.\n\nConfigure the Azure DevOps credentials as a Secret named azdevops, replacing the values for environment variables with your own.  For example:\n\n```\n$ oc create secret generic azdevops \\\n  --from-literal=AZP_URL=https://dev.azure.com/yourOrg \\\n  --from-literal=AZP_TOKEN=YourPAT \\\n  --from-literal=AZP_POOL=NameOfYourPool\n```\n\nOptionally, for a [proxy configuration], also create a Secret named azproxy, replacing environment variables with your own.  The `NO_PROXY` proxy bypass configuration can be extracted from the [cluster-wide proxy].  
For example:\n\n```\n$ oc get proxy -o jsonpath='{.items[0].status.noProxy}'\n$ oc create secret generic azproxy \\\n  --from-literal=AZP_PROXY_URL=http://192.168.0.1:8888 \\\n  --from-literal=AZP_PROXY_USERNAME=myuser \\\n  --from-literal=AZP_PROXY_PASSWORD=mypass \\\n  --from-literal=HTTP_PROXY=http://myuser:mypass@192.168.0.1:8888 \\\n  --from-literal=HTTPS_PROXY=https://myuser:mypass@192.168.0.1:8888 \\\n  --from-literal=NO_PROXY=.cluster.local,.ec2.internal,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.example.com,example.com,localhost\n```\n\nAn unauthenticated proxy can be defined as follows:\n\n```\n$ oc create secret generic azproxy \\\n  --from-literal=AZP_PROXY_URL=http://192.168.0.1:8888 \\\n  --from-literal=HTTP_PROXY=http://192.168.0.1:8888 \\\n  --from-literal=HTTPS_PROXY=https://192.168.0.1:8888 \\\n  --from-literal=NO_PROXY=.cluster.local,.ec2.internal,.svc,10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30.0.0/16,api-int.example.com,example.com,localhost\n```\n\nSee the following table for a description of the above [environment variables]:\n\n| Environment variable     | Secret   | Description              |\n| ------------------------ | -------- | ------------------------ |\n| AZP_URL                  | azdevops | The URL of the Azure DevOps or Azure DevOps Server instance. |\n| AZP_TOKEN                | azdevops | Personal Access Token (PAT) with Agent Pools (read, manage) scope, created by a user who has permission to configure agents, at `AZP_URL`. |\n| AZP_POOL                 | azdevops | Agent pool name (default value: `Default`). |\n| AZP_PROXY_URL            | azproxy  | (Optional) Proxy URL for Agent to talk to Azure DevOps. |\n| AZP_PROXY_USERNAME       | azproxy  | (Optional) Proxy username for Agent. |\n| AZP_PROXY_PASSWORD       | azproxy  | (Optional) Proxy password for Agent. 
|\n| HTTP_PROXY               | azproxy  | (Optional) Configure container-wide proxy settings using `HTTP_PROXY` environment variable. |\n| HTTPS_PROXY              | azproxy  | (Optional) Configure container-wide proxy settings using `HTTPS_PROXY` environment variable. |\n| NO_PROXY                 | azproxy  | (Optional) Configure container-wide proxy bypass settings using `NO_PROXY` environment variable. |\n\n### 7. Deploy Build Agent\n\nCreate the [deployment] which will subsequently create a running build agent pod.\n\n```\n$ oc create -f resources/deployment.yaml\n```\n\nOptionally, you will need to perform these additional steps if you require a [privately signed CA for your proxy]:\n\na. [Modify the default Proxy object] to include your privately signed CA certificates.\n\nb. [Inject the privately signed CA] into your deployment.  You will deploy the [agent-with-custom-ca-deployment.yaml] file instead of the one above:\n\n```\n$ oc create -f resources/agent-with-custom-ca-deployment.yaml\n```\n\n## Verifying Your Work\n\nTo check that the build agent is running, from the Azure DevOps portal, navigate to Project Settings -\u003e Agent pools -\u003e Default (or your own Pool) -\u003e Agents.\nYou should now see a build agent with Online status.\n\nOptionally, you can scale up pod replicas which will deploy additional agents.\n\n## License\nGPLv3\n\n[set up a Personal Access Token]: https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/v2-linux?view=azure-devops#authenticate-with-a-personal-access-token-pat\n[start.sh]: resources/start.sh\n[imagestream]: resources/imagestream.yaml\n[buildconfig]: resources/buildconfig.yaml\n[Azure Pipelines Agent]: https://github.com/Microsoft/azure-pipelines-agent/releases\n[creating a new SecurityContextConstraint]: https://www.redhat.com/sysadmin/rootless-podman-jenkins-openshift\n[nonroot-builder SCC]: resources/nonroot-builder.yaml\n[unattended config]: 
https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/v2-linux?view=azure-devops#unattended-config\n[proxy configuration]: https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/proxy?view=azure-devops\u0026tabs=unix\n[cluster-wide proxy]: https://docs.openshift.com/container-platform/latest/networking/enable-cluster-wide-proxy.html\n[environment variables]: https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/docker?view=azure-devops#environment-variables\n[deployment]: resources/deployment.yaml\n[privately signed CA for your proxy]: https://docs.openshift.com/container-platform/latest/networking/configuring-a-custom-pki.html\n[Modify the default Proxy object]: https://docs.openshift.com/container-platform/latest/security/certificates/updating-ca-bundle.html#ca-bundle-replacing_updating-ca-bundle\n[Inject the privately signed CA]: https://docs.openshift.com/container-platform/latest/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki\n[agent-with-custom-ca-deployment.yaml]: resources/agent-with-custom-ca-deployment.yaml\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkevchu3%2Fazure-buildagent-container","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkevchu3%2Fazure-buildagent-container","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkevchu3%2Fazure-buildagent-container/lists"}