
Managing Kubernetes Manifests with Kustomize and Automating Code Review with Gerrit and Jenkins

This article demonstrates how to use Kustomize for managing Kubernetes manifests, set up a Gerrit instance with Docker, configure SSH keys, integrate Gerrit with Jenkins via the Gerrit Trigger plugin, and create a Jenkins pipeline that automatically builds and tests code changes upon review approval.

DevOps Cloud Academy

Gerrit + Jenkins

Background

Our team uses Gerrit for code management and code review. We want to automatically trigger a Jenkins pipeline when a review is submitted and merged. This article records the configuration of the Gerrit Trigger pipeline, without covering server configuration details.

Gerrit Configuration

We can quickly start a Gerrit instance using Docker. The default ports are HTTP 8080 and SSH 29418. The CANONICAL_WEB_URL parameter specifies the server web address.

docker run --name gerrit -itd \
-p 8088:8080 \
-p 29418:29418 \
-e CANONICAL_WEB_URL=http://192.168.1.200:8088 gerritcodereview/gerrit

After the container starts, install any plugins you need or skip that step. Log in with the default admin account and create a dedicated user for Jenkins.

Jenkins User SSH Key

Enter the Jenkins pod, generate an SSH key pair, and note the location of the private key (/var/jenkins_home/.ssh/id_rsa) and public key (/var/jenkins_home/.ssh/id_rsa.pub).

[root@zeyang-nuc-service ~]# kubectl exec -it jenkins-6ccf555769-sfdw6 -n devops bash
bash-4.2$ id
uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)
bash-4.2$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/var/jenkins_home/.ssh/id_rsa):
Created directory '/var/jenkins_home/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/jenkins_home/.ssh/id_rsa.
Your public key has been saved in /var/jenkins_home/.ssh/id_rsa.pub.
SHA256:nGqkSVAUuc2xrGe8Bz/xuWcQ/YVrDISPJux+tCZkJgI jenkins@jenkins-6ccf555769-sfdw6

Copy the content of id_rsa.pub and add it to the Gerrit user configuration (click **ADD**).

cat /var/jenkins_home/.ssh/id_rsa.pub

Gerrit Permissions

Add the Jenkins user to the Non-Interactive Users group (BROWSE → Groups → Non-Interactive Users → Members).

Create a repository and set basic permissions:

refs/* : read Non-interactive Users
refs/heads/* : Label Code-Review Non-interactive Users

Create a group named Event Streaming Users (Gerrit 2.7+) and add the Jenkins user to it.

Enable the Stream Events capability for the group in All-Projects → Access → Global Capabilities → Stream Events:

allow Event Streaming Users

Jenkins Configuration

Install the **Gerrit Trigger** plugin in Jenkins. After installation, the Gerrit icon appears under Manage Jenkins.

Configure the **Gerrit Trigger** in the pipeline job (the triggers block in the pipeline below). If you encounter the error "Connection error : com.jcraft.jsch.JSchException: Auth fail", the private key configured for the Gerrit server in Jenkins usually does not match the public key added to the Gerrit user.

Create a Code Review

Push a change to Gerrit using the special ref refs/for/master :

[root@zeyang-nuc-service devops]# echo 123 >test.txt
[root@zeyang-nuc-service devops]# git add .
[root@zeyang-nuc-service devops]# git commit -m "init"
[root@zeyang-nuc-service devops]# git push origin HEAD:refs/for/master
Username for 'http://192.168.1.200:8088': admin
Password for 'http://admin@192.168.1.200:8088':
... (push output) ...
remote: SUCCESS
remote:   http://192.168.1.200:8088/c/devops/+/21 init [NEW]

After the review is approved and merged, Gerrit automatically triggers the Jenkins pipeline.

Pipeline as Code

// Pipeline parameters
String BRANCH_NAME = "${env.GERRIT_BRANCH}"
String PROJECT_NAME = "devops"
String PROJECT_URL = "http://192.168.1.200:8088/devops"
currentBuild.description = "Trigger By ${BRANCH_NAME}"

pipeline {
    agent {
        node { label "build" }
    }
    options { skipDefaultCheckout() }
    triggers {
        gerrit customUrl: '',
               gerritProjects: [[branches: [[compareType: 'ANT', pattern: '**']],
                                 compareType: 'PLAIN',
                                 pattern: "${PROJECT_NAME}"]],
               serverName: 'devops',
               triggerOnEvents: [changeMerged()]
    }
    stages {
        stage('GetCode') {
            steps {
                echo "========executing GetCode========"
                checkout([$class: 'GitSCM', branches: [[name: "${BRANCH_NAME}"]],
                          userRemoteConfigs: [[url: "${PROJECT_URL}"]]])
            }
        }
    }
    post {
        always { echo "========always========"; cleanWs() }
        success { echo "========pipeline executed successfully ========" }
        failure { echo "========pipeline execution failed========" }
    }
}
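The triggers block above tells the Gerrit Trigger plugin to start a build only for change-merged events on project devops (compared PLAIN) and any branch (ANT pattern **). The following Python script is an added illustration, not code from the article or from the plugin: it reproduces that matching over a constructed sample of stream-events JSON (the same feed the Stream Events capability grants) and returns the merged revision (newRev) that the build should check out.

```python
import json
import re

# Constructed sample of `gerrit stream-events` output (one JSON object per line); made-up, not captured.
SAMPLE_EVENTS = """\
{"type":"patchset-created","change":{"project":"devops","branch":"master","number":21},"patchSet":{"revision":"aaaa1111"}}
{"type":"change-merged","change":{"project":"devops","branch":"master","number":21},"newRev":"bbbb2222"}
{"type":"change-merged","change":{"project":"other","branch":"master","number":7},"newRev":"cccc3333"}
{"type":"change-merged","change":{"project":"devops","branch":"feature/x","number":22},"newRev":"dddd4444"}
"""

# Same rule as the pipeline's triggers block: project compared PLAIN, branches compared ANT '**'.
DEVOPS_RULE = {"compareType": "PLAIN", "pattern": "devops",
               "branches": [{"compareType": "ANT", "pattern": "**"}]}

def ant_to_regex(pattern):
    """ANT-style pattern: '**' spans any path, '*' spans a single path segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def matches(value, compare_type, pattern):
    """compareType as used in the plugin's gerritProjects configuration (PLAIN or ANT here)."""
    if compare_type == "PLAIN":
        return value == pattern
    if compare_type == "ANT":
        return ant_to_regex(pattern).match(value) is not None
    raise ValueError("unsupported compareType: %r" % compare_type)

def should_trigger(event, rule, wanted_types=("change-merged",)):
    """Return the merged commit (newRev) to build if the event matches the rule, else None."""
    if event.get("type") not in wanted_types:
        return None  # e.g. patchset-created: the change is not yet approved and merged
    change = event.get("change", {})
    if not matches(change.get("project", ""), rule["compareType"], rule["pattern"]):
        return None
    if not any(matches(change.get("branch", ""), b["compareType"], b["pattern"])
               for b in rule["branches"]):
        return None
    return event.get("newRev")  # build exactly this revision, not whatever the branch tip is later

def select_builds(stream_text, rule):
    events = [json.loads(l) for l in stream_text.splitlines() if l.strip()]
    revs = [(e["change"]["branch"], should_trigger(e, rule)) for e in events]
    return [(branch, rev) for branch, rev in revs if rev]
```

The change-merged event carries the merged commit in newRev; checking out that revision instead of the branch name keeps the build tied to the change that was actually reviewed, even if the branch moves again before the job starts.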

With this configuration, any change that passes Gerrit review automatically triggers the Jenkins pipeline, enabling a smooth CI/CD workflow.
