This documentation is for a release that is no longer maintained
Chapter 1. Adding secrets to Jenkins for secure integration with external tools
When you select Jenkins as your CI provider while creating an application, you must add secrets to Jenkins for secure integration with external tools. This enables Jenkins to perform essential tasks, such as vulnerability scanning, image signing, and attestation generation.
Prerequisites
- You must have the necessary permissions to create and manage Jenkins jobs, variables, and CI pipelines.
- You must have the username and password for the image registry, such as Quay.io, JFrog Artifactory, or Sonatype Nexus, to push and pull container images.
- You must have appropriate GitOps credentials.
You must have the following information for the specific tasks that you want the Jenkins pipeline to perform:
For ACS tasks:
- ROX Central server endpoint and token
For SBOM tasks:
- Cosign signing keys password, private key, and public key
- Trustification URL, client ID, secret, and supported CycloneDX version
Note: The values used for these credentials are already Base64-encoded, so you do not need to convert them. Enter them exactly as they appear. You can find these credentials in your private.env file.
Procedure
- Open your Jenkins instance in a web browser and log in with your admin credentials.
- Select your username at the top right corner of the Jenkins dashboard.
- From the left sidebar, select Credentials.
- Choose the appropriate domain where you want to add the credentials. Typically, it’s Global credentials (unrestricted).
- Select Add Credentials.
- From the Kind drop-down list, select Secret text.
- Keep the default value in the Scope drop-down list as Global (Jenkins).
- In the Secret field, enter your ACS API token.
- In the ID field, enter ROX_API_TOKEN.
- In the Description field, enter an appropriate description for the credentials.
Repeat steps 5-10 for the following credentials:
Image registry credentials. Provide credentials for only one image registry.

QUAY_IO_CREDS_USR: Username for accessing the Quay.io repository.
QUAY_IO_CREDS_PSW: Password for accessing the Quay.io repository.
ARTIFACTORY_IO_CREDS_USR: Username for accessing the JFrog Artifactory repository.
ARTIFACTORY_IO_CREDS_PSW: Password for accessing the JFrog Artifactory repository.
NEXUS_IO_CREDS_USR: Username for accessing the Sonatype Nexus repository.
NEXUS_IO_CREDS_PSW: Password for accessing the Sonatype Nexus repository.

Sigstore services. Set these variables only if Jenkins runs on a non-local OpenShift instance and the Rekor and TUF services are on different clusters.

REKOR_HOST: URL of your Rekor server.
TUF_MIRROR: URL of your TUF service.

GitOps configuration for Jenkins.

GITOPS_AUTH_PASSWORD: The token the pipeline uses to update the GitOps repository with newly built images.
GITOPS_AUTH_USERNAME (optional): Required only when Jenkins works with GitLab. You must also uncomment the line GITOPS_AUTH_USERNAME = credentials('GITOPS_AUTH_USERNAME') in the Jenkinsfile; by default, this line is commented out.

Variables required for ACS tasks.

ROX_CENTRAL_ENDPOINT: Endpoint of the ROX Central server.
ROX_API_TOKEN: API token for accessing the ROX Central server.

Variables required for SBOM tasks.

COSIGN_SECRET_PASSWORD: Password for the Cosign signing key.
COSIGN_SECRET_KEY: Cosign private key.
COSIGN_PUBLIC_KEY: Cosign public key.
TRUSTIFICATION_BOMBASTIC_API_URL: URL of the Trustification Bombastic API used in SBOM generation.
TRUSTIFICATION_OIDC_ISSUER_URL: OIDC issuer URL used for authentication when interacting with the Trustification Bombastic API.
TRUSTIFICATION_OIDC_CLIENT_ID: Client ID for authenticating to the Trustification Bombastic API using OIDC.
TRUSTIFICATION_OIDC_CLIENT_SECRET: Client secret used alongside the client ID to authenticate to the Trustification Bombastic API.
TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION: The CycloneDX SBOM version that the system supports and generates.
- Rerun the last pipeline run.
  - Alternatively, switch to your application's source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.
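Steps 5-10 have to be repeated once per row of the table, and each value is pasted by hand. The following script, added here as an example and not part of this page or of the product, does the same work from the command line: it reads each variable from private.env and creates a Secret text credential with the same ID in the Global credentials (unrestricted) domain, using the credentials plugin's create-credentials-by-xml CLI command. It assumes JENKINS_URL, JENKINS_AUTH (user:apitoken) and JENKINS_CLI_JAR (path to jenkins-cli.jar) are set by the caller, and that private.env holds one KEY=VALUE pair per line; the sample file it writes is constructed for the demonstration and contains placeholder values only.

```shell
#!/bin/sh
# Added example (not from the original page): bulk-load the "Secret text"
# credentials from the table into Jenkins with the Jenkins CLI
# (credentials plugin command: create-credentials-by-xml STORE DOMAIN).
# Assumed inputs: JENKINS_URL, JENKINS_AUTH ("user:apitoken") and
# JENKINS_CLI_JAR in the environment. Values are taken as-is from
# private.env, which the page says is already Base64-encoded.
set -eu

# Credential IDs the Jenkins pipeline expects (same names as the table).
CRED_IDS="QUAY_IO_CREDS_USR QUAY_IO_CREDS_PSW ARTIFACTORY_IO_CREDS_USR
ARTIFACTORY_IO_CREDS_PSW NEXUS_IO_CREDS_USR NEXUS_IO_CREDS_PSW
REKOR_HOST TUF_MIRROR GITOPS_AUTH_PASSWORD GITOPS_AUTH_USERNAME
ROX_CENTRAL_ENDPOINT ROX_API_TOKEN
COSIGN_SECRET_PASSWORD COSIGN_SECRET_KEY COSIGN_PUBLIC_KEY
TRUSTIFICATION_BOMBASTIC_API_URL TRUSTIFICATION_OIDC_ISSUER_URL
TRUSTIFICATION_OIDC_CLIENT_ID TRUSTIFICATION_OIDC_CLIENT_SECRET
TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION"

# Escape the XML-special characters (& first!) so a secret such as
# p&ss<word> can neither break nor inject into the credential XML.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                         -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# XML the CLI expects for a Secret text credential (StringCredentialsImpl
# from the plain-credentials plugin), scope GLOBAL as in the UI steps.
secret_text_xml() {
  id=$1; secret=$2; description=$3
  cat <<EOF
<org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl>
  <scope>GLOBAL</scope>
  <id>$(xml_escape "$id")</id>
  <description>$(xml_escape "$description")</description>
  <secret>$(xml_escape "$secret")</secret>
</org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl>
EOF
}

# Value of KEY in an env file: first "KEY=..." or "export KEY=..." line,
# surrounding single or double quotes removed. Empty if KEY is absent.
env_value() {
  grep -E "^(export[[:space:]]+)?$2=" "$1" | head -n 1 \
    | sed -E "s/^(export[[:space:]]+)?$2=//" \
    | sed -E -e 's/^"(.*)"$/\1/' -e "s/^'(.*)'\$/\1/"
}

# Create one credential per CRED_IDS entry found in the env file.
# DRY_RUN=1 prints the XML (secret redacted) instead of calling Jenkins.
create_credentials() {
  env_file=$1
  done_count=0
  for id in $CRED_IDS; do
    value=$(env_value "$env_file" "$id")
    if [ -z "$value" ]; then
      printf 'skip %s: not set in %s\n' "$id" "$env_file" >&2
      continue
    fi
    xml=$(secret_text_xml "$id" "$value" "Jenkins pipeline credential $id")
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf '%s\n' "$xml" | sed 's#<secret>.*</secret>#<secret>[redacted]</secret>#'
    else
      # Store "system::system::jenkins", domain "_" = Global credentials (unrestricted).
      printf '%s\n' "$xml" | java -jar "${JENKINS_CLI_JAR:-jenkins-cli.jar}" \
        -s "$JENKINS_URL" -auth "$JENKINS_AUTH" \
        create-credentials-by-xml system::system::jenkins _
    fi
    done_count=$((done_count + 1))
  done
  printf 'processed %s credential(s)\n' "$done_count" >&2
}

# Constructed sample in the shape of private.env; placeholder values, not real secrets.
write_sample_env() {
  cat > "$1" <<'EOF'
# constructed sample, not a real private.env
ROX_CENTRAL_ENDPOINT=central-rhacs-operator.apps.example.com:443
ROX_API_TOKEN="ZXlKaGJHY2lPaUpTVXpJMU5pSjk="
export COSIGN_SECRET_PASSWORD='p&ss<word>'
UNRELATED_KEY=ignored
EOF
}

# Usage: ./jenkins-creds.sh /path/to/private.env   (DRY_RUN=1 to preview)
if [ $# -ge 1 ]; then
  create_credentials "$1"
fi
```

Run it with a Jenkins API token for an admin account rather than the password, and preview with DRY_RUN=1 first; the preview redacts the secret so it does not end up in terminal scrollback. create-credentials-by-xml rejects an ID that already exists; to change an existing value use the plugin's update-credentials-by-xml command with the same store and domain, followed by the credential ID.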