VSTS agent & TFS on premise (with an unofficial certificate, for testing purposes only)
I did not manage to let the agent work with the TFS-generated certificate.
With the current ./start.sh script it is only possible to use a PAT as the authentication type.
You cannot use a PAT for authentication over an insecure (plain HTTP) connection.
So you need SSL and you need the agent to trust the server certificate. These are the steps when you do not own an official certificate for your Team Foundation Server.
Create a self-signed certificate using OpenSSL
choco install openssl.light
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.crt -days 365 -subj "/CN=$env:COMPUTERNAME"
openssl pkcs12 -export -out server.pfx -inkey key.pem -in cert.crt
Source: https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
Source: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
Import the pfx
certutil -f -enterprise -p password -importpfx .\server.pfx
Use the password you set in the previous step when exporting the pfx.
Source: https://stackoverflow.com/a/33404847/129269
Configure IIS to use this certificate
Open Internet Information Services (IIS) Manager
Navigate to your-tfs-server → Sites → Team Foundation Server.
Click through Bindings → https → Edit → Select → your certificate → OK.
Create the agent
docker run -ti --name build-agent microsoft/vsts-agent:ubuntu-16.04-tfs-2017-u1-docker-17.03.0-ce-standard tail -f /dev/null
Or whatever TFS image is currently available.
The tail command keeps the container running (source: https://stackoverflow.com/a/30209974/129269)
Copy the crt to the agent
docker cp cert.crt build-agent:/usr/share/ca-certificates
docker exec -ti build-agent bash
Fix DNS
My agent had troubles finding the server based on hostname.
curl your-tfs-hostname # could not resolve host
echo your-tfs-ip-address your-tfs-hostname >> /etc/hosts
curl your-tfs-hostname
Update: You can also add your TFS server to the hosts list by including the --add-host your-tfs-hostname:your-tfs-ip option in the docker run command!
Trust certificate on agent
curl https://your-tfs-hostname # server certificate verification failed
echo cert.crt >> /etc/ca-certificates.conf
update-ca-certificates # 1 added, 0 removed; done.
curl https://your-tfs-hostname # success!
Source: https://leehblue.com/add-self-signed-cert-curl/
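The "Fix DNS" and "Trust certificate on agent" steps above, combined into one script to run inside the agent container. This is an added example, not part of the original post: it assumes the container has bash, curl, openssl and update-ca-certificates (the Ubuntu-based agent image ships them) and that cert.crt was already copied in with docker cp. The extra check it adds is that the SHA-256 fingerprint of the file you are about to trust is compared with the certificate the TFS server actually presents, so a mismatched or stale copy is refused instead of silently trusted.

```shell
#!/bin/bash
# trust_tfs_cert.sh -- run INSIDE the build-agent container (example, not from the post).
# Usage: trust_tfs_cert.sh <tfs-hostname> <tfs-ip> [/path/to/cert.crt]
# Assumes bash, curl, openssl and update-ca-certificates are available in the image.
set -eu

CA_DIR=/usr/share/ca-certificates
CA_CONF=/etc/ca-certificates.conf

# Normalise an openssl fingerprint line ("SHA256 Fingerprint=ab:CD:...") to "ABCD...".
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr '[:lower:]' '[:upper:]'
}

# SHA-256 fingerprint of a PEM certificate file.
file_fingerprint() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# SHA-256 fingerprint of the leaf certificate the server actually presents on 443.
server_fingerprint() {
    normalize_fp "$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)"
}

# The /etc/hosts line the post adds by hand: "<ip> <hostname>".
hosts_line() {
    printf '%s %s\n' "$2" "$1"
}

# Add the hosts entry only when the name does not resolve yet.
ensure_hosts_entry() {
    if ! getent hosts "$1" >/dev/null 2>&1; then
        hosts_line "$1" "$2" >> /etc/hosts
    fi
}

main() {
    host=$1; ip=$2; cert=${3:-$CA_DIR/cert.crt}

    ensure_hosts_entry "$host" "$ip"

    # Refuse to trust a file that does not match what the server serves.
    want=$(file_fingerprint "$cert")
    got=$(server_fingerprint "$host")
    if [ "$want" != "$got" ]; then
        echo "refusing to trust $cert: server presented $got, file is $want" >&2
        exit 1
    fi

    # update-ca-certificates expects the .crt under $CA_DIR and its relative name in the conf.
    case "$cert" in
        "$CA_DIR"/*) ;;
        *) cp "$cert" "$CA_DIR/"; cert="$CA_DIR/$(basename "$cert")" ;;
    esac
    name=${cert#$CA_DIR/}
    grep -qxF "$name" "$CA_CONF" || echo "$name" >> "$CA_CONF"
    update-ca-certificates

    # End-to-end check: curl must now validate the chain without -k (a 401 from TFS is fine).
    curl -sS -o /dev/null "https://$host/" && echo "trusted: $host ($got)"
}

# Only run when invoked with arguments, so the functions can also be sourced for reuse.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it as `bash trust_tfs_cert.sh your-tfs-hostname your-tfs-ip-address` after the docker cp step; the fingerprint on the host side comes from `openssl x509 -in cert.crt -noout -fingerprint -sha256`, so you can eyeball that the value printed in the "trusted:" line is the certificate you generated.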
Set TFS environment variables
export VSTS_TOKEN=your-pat-here
export TFS_URL=https://your-tfs-hostname
You could also provide these when creating the agent container.
See the docs on how to obtain a PAT.
Start the agent
./start.sh
Dockerfile
Maybe you want to create a Dockerfile containing the steps for finding and trusting the server. But on the other hand, maybe you should just buy an official certificate for your (production) servers.
Build something
Read more: https://medium.com/@MRiezebosch/vsts-agent-docker-commands-e252e4cf086b