Chapter 1. Configuring Jenkins with the appropriate credentials
To set up Jenkins for seamless integration with ACS, Quay, and GitOps, you need to configure it with the required credentials. This setup allows Jenkins to perform essential security tasks such as vulnerability scanning, image signing, and attestations. Proper configuration ensures that your pipeline runs securely and efficiently.
Prerequisites
- You must have the necessary permissions to create and manage Jenkins jobs.
- You must have appropriate ACS, Quay, and GitOps credentials.
- You must have the Cosign private key, Cosign public key, and Cosign password, which together are referred to as the “Cosign signing secret”. The values used for these credentials are already Base64-encoded, so you do not need to convert them. You can find these credentials in your ~/install_values.txt file.
Procedure
- Open your Jenkins instance in a web browser and log in with your admin credentials.
- Select your username at the top right corner of the Jenkins dashboard.
- From the left sidebar, select Credentials.
- Choose the appropriate domain where you want to add the credentials. Typically, it’s Global credentials (unrestricted).
- Select Add Credentials.
- From the Kind drop-down list, select Secret text.
- Keep the default value in the Scope drop-down list as Global (Jenkins).
- In the Secret field, enter your ACS API token.
- In the ID field, enter ROX_API_TOKEN.
- In the Description field, enter an appropriate description for the credentials.
Repeat steps 5-10 for the following credentials:
| ID | Secret |
| --- | --- |
| ROX_CENTRAL_ENDPOINT | The route to your ACS instance. If not provided, the ACS task in the pipeline operates as a NOOP (No Operation). |
| GITOPS_AUTH_PASSWORD | The token the system uses to update the GitOps repository for newly built images. |
| GITOPS_AUTH_USERNAME (optional) | The parameter required for Jenkins to work with GitLab. You also need to uncomment a line with this parameter in a Jenkinsfile: GITOPS_AUTH_USERNAME = credentials('GITOPS_AUTH_USERNAME'). By default, this line is commented out. |
| QUAY_IO_CREDS | The credentials for Quay used to push the images. |
| COSIGN_SECRET_KEY | The signing secret used to sign images and attestations. |
| COSIGN_PUBLIC_KEY | The public key used to verify images created by your build pipeline. |
| COSIGN_SECRET_PASSWORD | The password required to use the signing secret for signing images. |
Now Jenkins is ready with the credentials needed for secure builds.
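The following pre-flight check is an added example, not part of the original procedure or of the product's pipeline code: run from a build step, it confirms that the credential IDs listed above are present, that the Cosign values decode as Base64, and warns when ROX_CENTRAL_ENDPOINT is missing and the ACS task would be a NOOP. It assumes each credential is exposed to the step as an environment variable named after its ID; the function names and the --check flag are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the credential IDs on this page.
# Assumption: each credential reaches the build step as an environment
# variable named after its ID. Only IDs are printed, never secret values.

# GITOPS_AUTH_USERNAME is optional and ROX_CENTRAL_ENDPOINT may be omitted,
# so neither is treated as required.
REQUIRED_IDS="ROX_API_TOKEN GITOPS_AUTH_PASSWORD QUAY_IO_CREDS COSIGN_SECRET_KEY COSIGN_PUBLIC_KEY COSIGN_SECRET_PASSWORD"
# The page states the Cosign signing secret values are Base64-encoded.
BASE64_IDS="COSIGN_SECRET_KEY COSIGN_PUBLIC_KEY COSIGN_SECRET_PASSWORD"

# value_of ID: print the value of the variable named ID. IDs are the fixed
# constants above, so eval never sees untrusted input.
value_of() { eval "printf '%s' \"\${$1:-}\""; }

# is_base64 VALUE: succeed only for non-empty, well-formed Base64.
is_base64() { [ -n "$1" ] && printf '%s' "$1" | base64 -d >/dev/null 2>&1; }

# acs_scan_enabled: fail when the ACS task would run as a NOOP.
acs_scan_enabled() { [ -n "${ROX_CENTRAL_ENDPOINT:-}" ]; }

# check_credentials: return 0 when every required ID is set and the Cosign
# values decode; return 1 otherwise, naming each offending ID on stderr.
check_credentials() {
    cc_rc=0
    for cc_id in $REQUIRED_IDS; do
        if [ -z "$(value_of "$cc_id")" ]; then
            echo "ERROR: $cc_id is not set" >&2; cc_rc=1
        fi
    done
    for cc_id in $BASE64_IDS; do
        cc_val=$(value_of "$cc_id")
        if [ -n "$cc_val" ] && ! is_base64 "$cc_val"; then
            echo "ERROR: $cc_id is not valid Base64" >&2; cc_rc=1
        fi
    done
    if ! acs_scan_enabled; then
        echo "WARNING: ROX_CENTRAL_ENDPOINT is not set; the ACS task will be a NOOP" >&2
    fi
    cc_val=""   # do not leave a secret value in a shell variable
    return "$cc_rc"
}

# Run the check when invoked as: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then check_credentials || exit 1; fi
```

Because a missing ROX_CENTRAL_ENDPOINT only produces a warning, a build can pass without any ACS scan; fail the step on `acs_scan_enabled` if scanning must be enforced.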