Move K8s cloud setup to init script only; remove ensureK8sCloud from Matrix

- Remove ensureK8sCloud() and its call sites from Matrix.groovy so the
  pipeline never modifies Jenkins cloud config (bad on shared Jenkins).
- Enhance jenkins-configure-k8s-and-labels.groovy: support
  JENKINS_K8S_NAMESPACE, set serverUrl only when JENKINS_K8S_API_URL
  is provided (GHA passes it; avoid default on shared Jenkins).
- Pass JENKINS_K8S_NAMESPACE from local_gha_ci.sh into Jenkins container.
- Document in USERGUIDE that Kubernetes clouds must be pre-configured.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: mike-dubman

.github/scripts/jenkins-configure-k8s-and-labels.groovy

@@ -4,6 +4,7 @@
 // - JENKINS_AGENT_EXECUTORS (integer)
 // - JENKINS_K8S_CLOUDS (comma-separated cloud names)
 // - JENKINS_K8S_API_URL (Kubernetes API URL)
+// - JENKINS_K8S_NAMESPACE (optional; default "default")
 // - JENKINS_K8S_TOKEN (service account bearer token)
 
 import jenkins.model.Jenkins
@@ -18,7 +19,9 @@ def labelTokens = (env.get("JENKINS_AGENT_LABELS") ?: "")
   .split(",")
   .collect { it.trim() }
   .findAll { it }
-def apiUrl = env.get("JENKINS_K8S_API_URL") ?: "https://kind-control-plane:6443"
+def apiUrlRaw = (env.get("JENKINS_K8S_API_URL") ?: "").trim()
+def apiUrl = apiUrlRaw ?: "https://kind-control-plane:6443"
+def namespace = (env.get("JENKINS_K8S_NAMESPACE") ?: "default").trim() ?: "default"
 def k8sToken = env.get("JENKINS_K8S_TOKEN") ?: ""
 def jenkinsUrl = env.get("JENKINS_K8S_JENKINS_URL") ?: "http://jenkins:8080"
 def jenkinsTunnel = env.get("JENKINS_K8S_JENKINS_TUNNEL") ?: "jenkins:50000"
@@ -105,9 +108,11 @@ cloudNames.each { name ->
     cloud = new KubernetesCloud(name)
     j.clouds.add(cloud)
   }
-  cloud.serverUrl = apiUrl
+  if (apiUrlRaw) {
+    cloud.serverUrl = apiUrl
+  }
   cloud.skipTlsVerify = true
-  cloud.namespace = "default"
+  cloud.namespace = namespace
   cloud.jenkinsUrl = jenkinsUrl
   cloud.jenkinsTunnel = jenkinsTunnel
   if (tokenCredReady) {

USERGUIDE.md

@@ -58,6 +58,8 @@ Source of truth: `schema_validator/ci_demo_schema.yaml`.
 
 ### `kubernetes_conf`
 
+When using Kubernetes, the Jenkins server must have the Kubernetes cloud(s) referenced by `cloud` pre-configured (e.g. via init scripts at startup or by administrators). The pipeline does not create or update Jenkins cloud configuration.
+
 | Key | Type |
 |---|---|
 | `cloud` | `str` |

scripts/local_gha_ci.sh

@@ -249,6 +249,7 @@ docker run -d --name "${JENKINS_NAME}" \
   -e JENKINS_K8S_TOKEN="${K8S_TOKEN}" \
   -e JENKINS_K8S_JENKINS_URL="http://${JENKINS_K8S_DNS_NAME}:8080" \
   -e JENKINS_K8S_JENKINS_TUNNEL="${JENKINS_K8S_DNS_NAME}:50000" \
+  -e JENKINS_K8S_NAMESPACE="${JENKINS_K8S_NAMESPACE:-default}" \
   -e JAVA_OPTS="-Djenkins.install.runSetupWizard=false -Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true -Dpermissive-script-security.enabled=no_security -Dhudson.plugins.git.GitSCM.ALLOW_LOCAL_CHECKOUT=true" \
   "${JENKINS_IMAGE}" \
   /usr/local/bin/jenkins.sh >/dev/null

src/com/mellanox/cicd/Matrix.groovy

@@ -853,62 +853,6 @@ def parseImagePullSecrets(secretsInput) {
     reportFail('config', "imagePullSecrets must be a List or String, got: ${secretsInput.getClass().getName()}")
 }
 
-@NonCPS
-def ensureK8sCloud(cloudName, namespace = "default") {
-    if (!cloudName) {
-        return false
-    }
-    def j = Jenkins.instance
-    def cl = j.pluginManager.uberClassLoader
-    def k8sCloudClass = cl.loadClass("org.csanchez.jenkins.plugins.kubernetes.KubernetesCloud")
-    def cloud = j.clouds.getByName(cloudName)
-    def cloudCreated = false
-
-    if (cloud != null && !k8sCloudClass.isInstance(cloud)) {
-        j.clouds.remove(cloud)
-        cloud = null
-    }
-
-    if (cloud == null) {
-        cloud = k8sCloudClass.getConstructor(String).newInstance(cloudName)
-        j.clouds.add(cloud)
-        cloudCreated = true
-    }
-
-    // Only set serverUrl when JENKINS_K8S_API_URL is set; otherwise preserve existing (e.g. from
-    // startup script). Do not default to "https://k3s:6443" here—that hostname only resolves in
-    // local Docker; on shared Jenkins it causes UnknownHostException. Local runs must pass
-    // JENKINS_K8S_API_URL (e.g. scripts/local_gha_ci.sh does).
-    def apiUrl = System.getenv("JENKINS_K8S_API_URL")?.trim()
-    if (apiUrl) {
-        cloud.serverUrl = apiUrl
-    }
-    cloud.skipTlsVerify = true
-    // Do not overwrite namespace on existing shared clouds unless explicitly requested.
-    def namespaceEnv = System.getenv("JENKINS_K8S_NAMESPACE")?.trim()
-    def desiredNamespace = namespaceEnv ?: namespace ?: "default"
-    if (namespaceEnv || cloudCreated || !cloud.namespace) {
-        cloud.namespace = desiredNamespace
-    }
-    def jenkinsUrlEnv = System.getenv("JENKINS_URL")?.trim()
-    if (jenkinsUrlEnv) {
-        cloud.jenkinsUrl = jenkinsUrlEnv
-    } else if (!cloud.jenkinsUrl) {
-        cloud.jenkinsUrl = "http://jenkins:8080"
-    }
-    def tunnelEnv = System.getenv("JENKINS_TUNNEL")?.trim()
-    if (tunnelEnv) {
-        cloud.jenkinsTunnel = tunnelEnv
-    } else if (!cloud.jenkinsTunnel) {
-        cloud.jenkinsTunnel = "jenkins:50000"
-    }
-    if ((System.getenv("JENKINS_K8S_TOKEN") ?: "").trim()) {
-        cloud.credentialsId = "k8s-sa-token"
-    }
-    j.save()
-    return true
-}
-
 def runK8(image, branchName, config, axis, steps=config.steps) {
 
     def cloudName = image.cloud ?: getConfigVal(config, ['kubernetes', 'cloud'], null)
@@ -956,7 +900,6 @@ def runK8(image, branchName, config, axis, steps=config.steps) {
     def namespace = image.namespace ?: getConfigVal(config, ['kubernetes', 'namespace'], "default")
     def tolerations = image.tolerations ?: getConfigVal(config, ['kubernetes', 'tolerations'], "[]")
     def imagePullSecrets = parseImagePullSecrets(getConfigVal(config, ['kubernetes', 'imagePullSecrets'], "[]"))
-    ensureK8sCloud(cloudName, namespace)
     def yaml = """
 spec:
   containers:
@@ -1481,7 +1424,6 @@ def build_docker_on_k8(image, config) {
     def namespace = image.namespace ?: getConfigVal(config, ['kubernetes', 'namespace'], "default")
     def tolerations = image.tolerations ?: getConfigVal(config, ['kubernetes', 'tolerations'], "[]")
     def imagePullSecrets = parseImagePullSecrets(getConfigVal(config, ['kubernetes', 'imagePullSecrets'], "[]"))
-    ensureK8sCloud(cloudName, namespace)
     def yaml = """
 spec:
   containers: