Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Configuring Jenkins

Red Hat Trusted Application Pipeline 1.5

Learn how to configure Jenkins for secure CI/CD workflows.

Red Hat Trusted Application Pipeline Documentation Team

Abstract

This document provides instructions on setting up Jenkins to perform essential security tasks, such as vulnerability scanning, image signing, and attestation generation.

Preface
Copy link

To enable your Jenkins pipeline to perform essential tasks, such as vulnerability scanning, image signing, and attestation, follow these steps. The table outlines the actions you need to take and when you need to complete them.

Expand
ActionWhen to complete

Adding secrets to Jenkins for secure integration with external tools

Before you use secure software templates to create an application, add secrets to Jenkins. This ensures seamless integration with ACS, Quay, and GitOps.

Add your application to Jenkins

After creating the application and source repositories, add them to Jenkins. This enables you to review various aspects of the Jenkins pipeline on the Red Hat Developer Hub platform.

By completing these steps, you enable Jenkins to integrate seamlessly with ACS (Advanced Cluster Security), Quay, and GitOps, and utilize Cosign for signing and verifying container images.

When you select Jenkins as your CI provider while creating an application, you must add secrets and environment variables to Jenkins for secure integration with external tools. This enables Jenkins to perform essential tasks, such as vulnerability scanning, image signing, and attestation generation.

Prerequisites

  • You must have the necessary permissions to create and manage Jenkins jobs, variables, and CI pipelines.
  • You must have the username and password for the image registry, such as Quay.io, Jfrog Artifactory, or Sonatype Nexus.
  • You must have appropriate GitOps credentials.

  • You must have the following information for specific tasks that you want Jenkins pipeline to perform:

    • For ACS tasks:

      • ROX Central server endpoint and token

    • For SBOM tasks:

      • Cosign signing key password, private key, and public key
      • Trustification API and issuer URL, client ID, client secret, and supported CycloneDX version
    Note

    The values used for these credentials are already Base64-encoded, so you do not need to convert them. You can find these credentials in your private.env file.

1.1. Adding secrets to Jenkins
Copy link

Follow the procedure to add required credentials using UI on the Jenkins server.

Procedure

  1. Open your Jenkins instance in a web browser and log in with your admin credentials.
  2. Select your username at the top right corner of the Jenkins dashboard.
  3. From the left sidebar, select Manage Jenkins.
  4. In the Security section select Credentials.
  5. Under Stores scoped to Jenkins select System.
  6. Choose a domain where you want to add the credentials. Typically, it’s Global credentials (unrestricted), click this domain name.
  7. Select Add Credentials.
  8. From the Kind drop-down list, select Secret text.
  9. Keep the default value in the Scope drop-down list as Global (Jenkins…​).
  10. Enter information related to your secret in the UI fields.
  11. Select Create.

  12. Repeat steps 7-11 to add the following credentials:

    Note

    For image registries, Quay is the default option. To use JFrog Artifactory or Sonatype Nexus, uncomment lines with corresponding variables in 2 Jenkinsfiles in both the gitops-template and source-repo folders in your cloned tssc-sample-templates GitHub repository.

    Expand
    Table 1.1. Image registry and GitOps secrets
    VariableDescription

    QUAY_IO_CREDS

    Username and password for accessing your Quay.io repository. This is the default option that is uncommented in Jenkinsfiles.

    ARTIFACTORY_IO_CREDS

    Username and password for accessing your JFrog Artifactory repository.

    NEXUS_IO_CREDS

    Username and password for accessing your Sonatype Nexus repository.

    GITOPS_AUTH_PASSWORD

    The token the system uses to update the GitOps repository for newly built images.

    Expand
    Table 1.2. Secrets required for ACS and SBOM tasks
    VariableDescription

    ROX_API_TOKEN

    API token for accessing the ROX server.

    COSIGN_SECRET_PASSWORD

    Password for Cosign signing key.

    COSIGN_SECRET_KEY

    Private key for Cosign.

    TRUSTIFICATION_OIDC_CLIENT_SECRET

    Client secret used alongside the client ID to authenticate to the Trustification Bombastic API.

  13. Rerun the last pipeline run.

    1. Alternatively, switch to you application’s source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.

1.2. Adding environment variables to Jenkins
Copy link

After adding all required secrets, follow this procedure to add the environment variables using UI on the Jenkins server.

Procedure

  1. From the left sidebar, select Manage Jenkins.
  2. In the System Configuration section select System.
  3. On the System page scroll down to find the Global properties section.
  4. Select Environment variables > Add

  5. Add key-value pairs for the following environment variables:

    Expand
    Table 1.3. GitOps variable
    VariableDescription

    GITOPS_AUTH_USERNAME (optional)

    The variable required for Jenkins to work with GitLab.

    Expand
    Table 1.4. Variables required for ACS and SBOM tasks
    VariableDescription

    ROX_CENTRAL_ENDPOINT

    Endpoint for the ROX Central server.

    COSIGN_PUBLIC_KEY

    Public key for Cosign.

    TRUSTIFICATION_BOMBASTIC_API_URL

    URL for Trustification Bombastic API used in SBOM generation.

    TRUSTIFICATION_OIDC_ISSUER_URL

    OIDC issuer URL used for authentication when interacting with the Trustification Bombastic API.

    TRUSTIFICATION_OIDC_CLIENT_ID

    Client ID for authenticating to the Trustification Bombastic API using OIDC.

    TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION

    Specifies the CycloneDX SBOM version that is supported and generated by the system.

    Optional: Set the Rekor and TUF variables if Jenkins doesn’t run on a local OpenShift instance, and the Rekor and TUF services are on different clusters. Also, uncomment lines with Rekor and TUF variables in a Jenkinsfile in your cloned tssc-sample-templates repository.

    Expand
    Table 1.5. Rekor and TUF variables
    VariableDescription

    REKOR_HOST

    URL of your Rekor server.

    TUF_MIRROR

    URL of your TUF service.

  1. When you added all variables, select Save.
  2. Rerun the last pipeline run.

Chapter 2. Adding your application to Jenkins
Copy link

When you select Jenkins as your CI provider while creating an application, you must add your application to Jenkins. Proper integration ensures that your pipeline aligns with your CI/CD workflows and operates seamlessly.

Prerequisites

  • You must have installed and configured Jenkins in your environment.
  • You must have the necessary permissions to create and manage Jenkins jobs.
  • You must have added correct credentials for the Jenkins pipeline during the post RHTAP install phase.
  • Review the Jenkinsfile and ensure it aligns with your Jenkins configuration. For example, you may need to update the agent settings to limit where the pipeline can run.
  • Ensure that the Jenkins agent has the necessary binaries installed: git, curl, jq, yq, buildah, syft, cosign, python3, and tree. If the pipeline run fails at the start, it likely indicates that one or more binaries are missing.

Procedure

  1. Log in to your Jenkins instance.
  2. From the Jenkins dashboard, select New Item.

  3. Enter a name for your pipeline job and select Pipeline project (for example, secure-jenkins).

    Note

    The name of your pipeline job must match the name of the application for which you are adding Jenkins CI. If the names do not match, the pipeline will run on Jenkins but will not be visible on RHDH.

    1. (Optional) If you want to use a different pipeline name, update the jenkins.io/job-full-name field in the catalog-info.yaml file in the source repository with the pipeline name you choose.
  4. Select OK to create the job.
  5. On the Configure > General page, navigate to the Pipeline section, and from the Definition drop-down list, select Pipeline script from SCM.
  6. From the SCM drop-down list, select Git.

  7. In the Repository URL field, enter the Jenkins source repository URL.

    1. On the Red Hat Developer Hub platform, from the Catalog, select an appropriate application.
    2. Go to the Overview tab and select View Source to open the repository where your application’s source code is housed.
  8. In the Branches to build section, enter */main.
  9. Select Save. The system displays the live-jenkins (name of your job) page.

  10. Select Build Now. The system starts the build pipeline. Wait until the build is complete.

    1. In the Stage View section, select Pipeline Overview to visualize the pipeline run.
    2. Select Pipeline Console to review the live logs of each stage of the pipeline run.

Verification

After integrating your application with Jenkins, review various aspects of the Jenkins pipeline on the Red Hat Developer Hub platform.

  1. From the Catalog, select the appropriate application or component.

    • Go to the CI tab to view the Jenkins project. For the appropriate Jenkins job, using the Actions column, you can view, rerun, and view history of the job. The system displays the job overview with the status of latest run.
    • Go to the CD tab and select the appropriate card to view deployment details, such as the commit message, author name, and deployment history managed by ArgoCD and GitOps.
    • In the Catalog, from the Kind dropdown list, select Resource. The system displays Jenkins GitOps jobs. Select and review the appropriate GitOps resource.
    • Go to the Topology tab to visualize your application’s deployment within the development namespace.

Completing these steps ensures seamless integration of your application with Jenkins, enabling efficient and reliable CI/CD workflows.





Revised on 2025-04-30 03:55:47 UTC

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat