Chapter 1. Adding secrets to Jenkins for integration with external tools
When you select Jenkins as your CI provider while creating an application, you must add secrets to Jenkins for secure integration with external tools. This enables Jenkins to perform essential tasks, such as vulnerability scanning, image signing, and attestation generation.
Prerequisites
- You must have the necessary permissions to create and manage Jenkins jobs, variables, and CI pipelines.
- You must have the username and password for the image registry, such as Quay.io, JFrog Artifactory, or Sonatype Nexus.
- You must have appropriate GitOps credentials.
You must have the following information for the specific tasks that you want the Jenkins pipeline to perform:
For ACS tasks:
- ROX Central server endpoint and token
For SBOM tasks:
- Cosign signing key password, private key, and public key
- Trustification API and issuer URL, client ID, client secret, and supported CycloneDX version
Note: The values used for these credentials are already Base64-encoded, so you do not need to convert them. You can find these credentials in your private.env file.
Procedure
If you have already installed Trusted Software Supply Chain (TSSC) on an OpenShift cluster, you can configure all the secrets and variables automatically by running the ci-set-org-vars.sh script packaged in the tssc-cli image.
- Make sure you have an integration secret for Jenkins, as described in Integrating Jenkins.
- Follow the instructions to run the installation container, as described in Download the installation program image.
Once inside the installation container, run the following command:
bash-5.1$ ./scripts/ci-set-org-vars.sh -b jenkins
The script creates the required Jenkins credentials and environment variables, covering all the variables and secrets described in the following steps.
1. Open your Jenkins instance in a web browser and log in with your admin credentials.
2. Select your username at the top right corner of the Jenkins dashboard.
3. From the left sidebar, select Manage Jenkins.
4. In the Security section, select Credentials.
5. Under Stores scoped to Jenkins, select System.
6. Choose the domain where you want to add the credentials. Typically, this is Global credentials (unrestricted); click the domain name.
7. Select Add Credentials.
8. From the Kind drop-down list, select Secret text.
9. Keep the default value in the Scope drop-down list as Global (Jenkins…).
10. Enter the information related to your secret in the UI fields.
11. Select Create.
Repeat steps 7-11 to add the following credentials:
Note: For image registries, Quay is the default option. To use JFrog Artifactory or Sonatype Nexus, uncomment the lines with the corresponding variables in the two Jenkinsfiles, in both the gitops-template and source-repo folders of your cloned tssc-sample-templates GitHub repository.
Table 1.1. Image registry and GitOps secrets (variable: description)
- QUAY_IO_CREDS: Username and password for accessing your Quay.io repository. This is the default option that is uncommented in the Jenkinsfiles.
- ARTIFACTORY_IO_CREDS: Username and password for accessing your JFrog Artifactory repository.
- NEXUS_IO_CREDS: Username and password for accessing your Sonatype Nexus repository.
- GITOPS_AUTH_PASSWORD: The token the system uses to update the GitOps repository for newly built images.
Table 1.2. Secrets required for ACS and SBOM tasks (variable: description)
- ROX_API_TOKEN: API token for accessing the ROX server.
- COSIGN_SECRET_PASSWORD: Password for the Cosign signing key.
- COSIGN_SECRET_KEY: Private key for Cosign.
- TRUSTIFICATION_OIDC_CLIENT_SECRET: Client secret used alongside the client ID to authenticate to the Trustification Bombastic API.
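As an added example (not part of this documentation, of the tssc-cli tooling, or of the sample templates), the following Python script checks a private.env file against the credential IDs in Tables 1.1 and 1.2 before you enter them in Jenkins: it reports IDs that are missing or empty for the task groups you selected (registry, GitOps, ACS, SBOM) and flags values that are not valid Base64, since the note above states that the stored values are already Base64-encoded. It assumes that private.env uses plain KEY=VALUE lines and the same variable names as the Jenkins credential IDs; the sample file content below is constructed.

```python
"""Pre-flight check of private.env against the credential IDs in Tables 1.1 and 1.2.

Added example, not part of the Red Hat documentation or the tssc-cli tooling.
Assumptions: private.env is a KEY=VALUE file whose keys match the Jenkins
credential IDs listed in the chapter, and whose values are already Base64-encoded.
"""
import base64
import binascii
from typing import Dict, List

# Credential IDs per task group, taken from Tables 1.1 and 1.2.
REQUIRED: Dict[str, List[str]] = {
    "gitops": ["GITOPS_AUTH_PASSWORD"],
    "acs": ["ROX_API_TOKEN"],
    "sbom": [
        "COSIGN_SECRET_PASSWORD",
        "COSIGN_SECRET_KEY",
        "TRUSTIFICATION_OIDC_CLIENT_SECRET",
    ],
}

# Exactly one registry credential is used; Quay is the default in the Jenkinsfiles.
REGISTRY_IDS = ["QUAY_IO_CREDS", "ARTIFACTORY_IO_CREDS", "NEXUS_IO_CREDS"]

# Constructed sample content (not a real private.env): one value is not Base64,
# one is empty, and the Trustification client secret is absent.
SAMPLE_PRIVATE_ENV = """
# constructed sample file
QUAY_IO_CREDS=cXVheXVzZXI6cXVheXBhc3M=
GITOPS_AUTH_PASSWORD=Z2hwX2V4YW1wbGV0b2tlbg==
ROX_API_TOKEN=not-base64!
COSIGN_SECRET_PASSWORD="c2lnbmluZy1wYXNz"
COSIGN_SECRET_KEY=
"""


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; skip blanks and comments; strip optional quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a KEY=VALUE line
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def is_base64(value: str) -> bool:
    """True if value decodes as standard Base64 with correct padding."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def check_secrets(env: Dict[str, str], tasks: List[str],
                  registry: str = "QUAY_IO_CREDS") -> Dict[str, List[str]]:
    """Report credential IDs that are missing/empty or not Base64 for the chosen tasks."""
    if registry not in REGISTRY_IDS:
        raise ValueError(f"unknown registry credential id: {registry}")
    wanted = [registry] + [cid for task in tasks for cid in REQUIRED[task]]
    missing = [cid for cid in wanted if not env.get(cid)]
    not_b64 = [cid for cid in wanted if env.get(cid) and not is_base64(env[cid])]
    return {"missing": missing, "not_base64": not_b64}


if __name__ == "__main__":
    report = check_secrets(parse_env(SAMPLE_PRIVATE_ENV), ["gitops", "acs", "sbom"])
    for problem, ids in report.items():
        print(f"{problem}: {', '.join(ids) if ids else 'none'}")
```

Run it against the real file with `parse_env(open("private.env").read())` and the task groups you actually enabled; an ID reported under `not_base64` is usually a value that was pasted decoded or truncated, which would then fail silently inside the pipeline. Values are never printed, only the IDs.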
12. Rerun the last pipeline run. Alternatively, switch to your application’s source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.