SupportConsoleDevelopersStart a trialContact

Chapter 1. Adding secrets to Jenkins for secure integration with external tools

When you select Jenkins as your CI provider while creating an application, you must add secrets to Jenkins for secure integration with external tools. This enables Jenkins to perform essential tasks, such as vulnerability scanning, image signing, and attestation generation.

Prerequisites

  • You must have the necessary permissions to create and manage Jenkins jobs, variables, and CI pipelines.
  • You must have the username and password for the image registry, such as Quay.io, Jfrog Artifactory, or Sonatype Nexus, to and pull container images.
  • You must have appropriate GitOps credentials.

  • You must have the following information for specific tasks that you want Jenkins pipeline to perform:

    • For ACS tasks:

      • ROX Central server endpoint and token

    • For SBOM tasks:

      • Cosign signing keys password, private key, and public key
      • Trustification URL, client ID, secret, and supported CycloneDX version
    Note

    The values used for these credentials are already Base64-encoded, so you do not need to convert them. You can find these credentials in your private.env file.

Procedure

  1. Open your Jenkins instance in a web browser and log in with your admin credentials.
  2. Select on your username at the top right corner of the Jenkins dashboard.
  3. From the left sidebar, select Credentials.
  4. Choose the appropriate domain where you want to add the credentials. Typically, it’s Global credentials (unrestricted).
  5. Select Add Credentials.
  6. From the Kind drop-down list, select Secret text.
  7. Keep the default value in the Scope drop-down list as Global (Jenkins).
  8. In the Secret field, enter your ACS API token.
  9. In the ID field, enter ROX_API_TOKEN.
  10. In the Description field, enter an appropriate description for the credentials.

  11. Repeat steps 5-10 for the following credentials:

    VariableDescription

    Provide image registry credentials for only one image registry.

    QUAY_IO_CREDS_USR

    Username for accessing Quay.io repository.

    QUAY_IO_CREDS_PSW

    Password for accessing Quay.io repository.

    ARTIFACTORY_IO_CREDS_USR

    Username for accessing JFrog Artifactory repository.

    ARTIFACTORY_IO_CREDS_PSW

    Password for accessing JFrog Artifactory repository.

    NEXUS_IO_CREDS_USR

    Username for accessing Sonatype Nexus repository.

    NEXUS_IO_CREDS_PSW

    Password for accessing Sonatype Nexus repository.

    Set these variables if Jenkins runs on a non-local OpenShift instance, and the Rekor and TUF services are on different clusters.

    REKOR_HOST

    URL of your Rekor server.

    TUF_MIRROR

    URL of your TUF service.

    GitOps configuration for Jenkins

    GITOPS_AUTH_PASSWORD

    The token the system uses to update the GitOps repository for newly built images.

    GITOPS_AUTH_USERNAME (optional)

    The parameter required for Jenkins to work with GitLab. You also need to uncomment a line with this parameter in a Jenkinsfile: GITOPS_AUTH_USERNAME = credentials('GITOPS_AUTH_USERNAME'). By default, this line is commented out.

    Variable required for ACS tasks.

    ROX_CENTRAL_ENDPOINT

    Endpoint for the ROX Central server.

    ROX_API_TOKEN

    API token for accessing the ROX server.

    Variables required for SBOM tasks.

    COSIGN_SECRET_PASSWORD

    Password for Cosign signing key.

    COSIGN_SECRET_KEY

    Private key for Cosign.

    COSIGN_PUBLIC_KEY

    Public key for Cosign.

    TRUSTIFICATION_BOMBASTIC_API_URL

    URL for Trustification Bombastic API used in SBOM generation.

    TRUSTIFICATION_OIDC_ISSUER_URL

    OIDC issuer URL used for authentication when interacting with the Trustification Bombastic API.

    TRUSTIFICATION_OIDC_CLIENT_ID

    Client ID for authenticating to the Trustification Bombastic API using OIDC.

    TRUSTIFICATION_OIDC_CLIENT_SECRET

    Client secret used alongside the client ID to authenticate to the Trustification Bombastic API.

    TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION

    Specifies the CycloneDX SBOM version that is supported and generated by the system.

  12. Rerun the last pipeline run.

    1. Alternatively, switch to you application’s source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.

Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.