Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Configuring Jenkins

Red Hat Trusted Application Pipeline 1.4

Learn how to configure Jenkins for secure CI/CD workflows.

Red Hat Trusted Application Pipeline Documentation Team

Abstract

This document provides instructions on setting up Jenkins to perform essential security tasks, such as vulnerability scanning, image signing, and attestation generation.

Preface

To enable your Jenkins pipeline to perform essential tasks, such as vulnerability scanning, image signing, and attestation, follow these steps. The table outlines the actions you need to take and when you need to complete them.

Action

When to complete

Adding secrets to Jenkins for secure integration with external tools

Before you use secure software templates to create an application, add secrets to Jenkins. This ensures seamless integration with ACS, Quay, and GitOps.

Add your application to Jenkins

After creating the application and source repositories, add them to Jenkins. This enables you to review various aspects of the Jenkins pipeline on the Red Hat Developer Hub platform.

By completing these steps, you enable Jenkins to integrate seamlessly with ACS (Advanced Cluster Security), Quay, and GitOps, and utilize Cosign for signing and verifying container images.

Chapter 1. Adding secrets to Jenkins for secure integration with external tools

When you select Jenkins as your CI provider while creating an application, you must add secrets to Jenkins for secure integration with external tools. This enables Jenkins to perform essential tasks, such as vulnerability scanning, image signing, and attestation generation.

Prerequisites

  • You must have the necessary permissions to create and manage Jenkins jobs, variables, and CI pipelines.
  • You must have the username and password for the image registry, such as Quay.io, Jfrog Artifactory, or Sonatype Nexus, to and pull container images.
  • You must have appropriate GitOps credentials.

  • You must have the following information for specific tasks that you want Jenkins pipeline to perform:

    • For ACS tasks:

      • ROX Central server endpoint and token

    • For SBOM tasks:

      • Cosign signing keys password, private key, and public key
      • Trustification URL, client ID, secret, and supported CycloneDX version
    Note

    The values used for these credentials are already Base64-encoded, so you do not need to convert them. You can find these credentials in your private.env file.

Procedure

  1. Open your Jenkins instance in a web browser and log in with your admin credentials.
  2. Select on your username at the top right corner of the Jenkins dashboard.
  3. From the left sidebar, select Credentials.
  4. Choose the appropriate domain where you want to add the credentials. Typically, it’s Global credentials (unrestricted).
  5. Select Add Credentials.
  6. From the Kind drop-down list, select Secret text.
  7. Keep the default value in the Scope drop-down list as Global (Jenkins).
  8. In the Secret field, enter your ACS API token.
  9. In the ID field, enter ROX_API_TOKEN.
  10. In the Description field, enter an appropriate description for the credentials.

  11. Repeat steps 5-10 for the following credentials:

    VariableDescription

    Provide image registry credentials for only one image registry.

    QUAY_IO_CREDS_USR

    Username for accessing Quay.io repository.

    QUAY_IO_CREDS_PSW

    Password for accessing Quay.io repository.

    ARTIFACTORY_IO_CREDS_USR

    Username for accessing JFrog Artifactory repository.

    ARTIFACTORY_IO_CREDS_PSW

    Password for accessing JFrog Artifactory repository.

    NEXUS_IO_CREDS_USR

    Username for accessing Sonatype Nexus repository.

    NEXUS_IO_CREDS_PSW

    Password for accessing Sonatype Nexus repository.

    Set these variables if Jenkins runs on a non-local OpenShift instance, and the Rekor and TUF services are on different clusters.

    REKOR_HOST

    URL of your Rekor server.

    TUF_MIRROR

    URL of your TUF service.

    GitOps configuration for Jenkins

    GITOPS_AUTH_PASSWORD

    The token the system uses to update the GitOps repository for newly built images.

    GITOPS_AUTH_USERNAME (optional)

    The parameter required for Jenkins to work with GitLab. You also need to uncomment a line with this parameter in a Jenkinsfile: GITOPS_AUTH_USERNAME = credentials('GITOPS_AUTH_USERNAME'). By default, this line is commented out.

    Variable required for ACS tasks.

    ROX_CENTRAL_ENDPOINT

    Endpoint for the ROX Central server.

    ROX_API_TOKEN

    API token for accessing the ROX server.

    Variables required for SBOM tasks.

    COSIGN_SECRET_PASSWORD

    Password for Cosign signing key.

    COSIGN_SECRET_KEY

    Private key for Cosign.

    COSIGN_PUBLIC_KEY

    Public key for Cosign.

    TRUSTIFICATION_BOMBASTIC_API_URL

    URL for Trustification Bombastic API used in SBOM generation.

    TRUSTIFICATION_OIDC_ISSUER_URL

    OIDC issuer URL used for authentication when interacting with the Trustification Bombastic API.

    TRUSTIFICATION_OIDC_CLIENT_ID

    Client ID for authenticating to the Trustification Bombastic API using OIDC.

    TRUSTIFICATION_OIDC_CLIENT_SECRET

    Client secret used alongside the client ID to authenticate to the Trustification Bombastic API.

    TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION

    Specifies the CycloneDX SBOM version that is supported and generated by the system.

  12. Rerun the last pipeline run.

    1. Alternatively, switch to you application’s source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.

Additional resources

Chapter 2. Adding your application to Jenkins

When you select Jenkins as your CI provider while creating an application, you must add your application to Jenkins. Proper integration ensures that your pipeline aligns with your CI/CD workflows and operates seamlessly.

Prerequisites

  • You must have installed and configured Jenkins in your environment.
  • You must have the necessary permissions to create and manage Jenkins jobs.
  • You must have added correct credentials for the Jenkins pipeline during the post RHTAP install phase.
  • Review the Jenkinsfile and ensure it aligns with your Jenkins configuration. For example, you may need to update the agent settings to limit where the pipeline can run.
  • Ensure that the Jenkins agent has the necessary binaries installed: git, curl, jq, yq, buildah, syft, cosign, python3, and tree. If the pipeline run fails at the start, it likely indicates that one or more binaries are missing.

Procedure

  1. Log in to your Jenkins instance.
  2. From the Jenkins dashboard, select New Item.

  3. Enter a name for your pipeline job and select Pipeline project (for example, secure-jenkins).

    Note

    The name of your pipeline job must match the name of the application for which you are adding Jenkins CI. If the names do not match, the pipeline will run on Jenkins but will not be visible on RHDH.

    1. (Optional) If you want to use a different pipeline name, update the jenkins.io/job-full-name field in the catalog-info.yaml file in the source repository with the pipeline name you choose.
  4. Select OK to create the job.
  5. On the Configure > General page, navigate to the Pipeline section, and from the Definition drop-down list, select Pipeline script from SCM.
  6. From the SCM drop-down list, select Git.

  7. In the Repository URL field, enter the Jenkins source repository URL.

    1. On the Red Hat Developer Hub platform, from the Catalog, select an appropriate application.
    2. Go to the Overview tab and select View Source to open the repository where your application’s source code is housed.
  8. In the Branches to build section, enter */main.
  9. Select Save. The system displays the live-jenkins (name of your job) page.

  10. Select Build Now. The system starts the build pipeline. Wait until the build is complete.

    1. In the Stage View section, select Pipeline Overview to visualize the pipeline run.
    2. Select Pipeline Console to review the live logs of each stage of the pipeline run.

Verification

After integrating your application with Jenkins, review various aspects of the Jenkins pipeline on the Red Hat Developer Hub platform.

  1. From the Catalog, select the appropriate application or component.

    • Go to the CI tab to view the Jenkins project. For the appropriate Jenkins job, using the Actions column, you can view, rerun, and view history of the job. The system displays the job overview with the status of latest run.
    • Go to the CD tab and select the appropriate card to view deployment details, such as the commit message, author name, and deployment history managed by ArgoCD and GitOps.
    • In the Catalog, from the Kind dropdown list, select Resource. The system displays Jenkins GitOps jobs. Select and review the appropriate GitOps resource.
    • Go to the Topology tab to visualize your application’s deployment within the development namespace.

Completing these steps ensures seamless integration of your application with Jenkins, enabling efficient and reliable CI/CD workflows.





Revised on 2025-02-06 18:02:18 UTC

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.