Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 1. Adding secrets and environment variables to Jenkins for integration with external tools

When you select Jenkins as your CI provider while creating an application, you must add secrets and environment variables to Jenkins for secure integration with external tools. This enables Jenkins to perform essential tasks, such as vulnerability scanning, image signing, and attestation generation.

Prerequisites

  • You must have the necessary permissions to create and manage Jenkins jobs, variables, and CI pipelines.
  • You must have the username and password for the image registry, such as Quay.io, Jfrog Artifactory, or Sonatype Nexus.
  • You must have appropriate GitOps credentials.

  • You must have the following information for specific tasks that you want Jenkins pipeline to perform:

    • For ACS tasks:

      • ROX Central server endpoint and token

    • For SBOM tasks:

      • Cosign signing key password, private key, and public key
      • Trustification API and issuer URL, client ID, client secret, and supported CycloneDX version
    Note

    The values used for these credentials are already Base64-encoded, so you do not need to convert them. You can find these credentials in your private.env file.

1.1. Adding secrets to Jenkins

Follow the procedure to add required credentials using UI on the Jenkins server.

Procedure

  1. Open your Jenkins instance in a web browser and log in with your admin credentials.
  2. Select your username at the top right corner of the Jenkins dashboard.
  3. From the left sidebar, select Manage Jenkins.
  4. In the Security section select Credentials.
  5. Under Stores scoped to Jenkins select System.
  6. Choose a domain where you want to add the credentials. Typically, it’s Global credentials (unrestricted), click this domain name.
  7. Select Add Credentials.
  8. From the Kind drop-down list, select Secret text.
  9. Keep the default value in the Scope drop-down list as Global (Jenkins…​).
  10. Enter information related to your secret in the UI fields.
  11. Select Create.

  12. Repeat steps 7-11 to add the following credentials:

    Note

    For image registries, Quay is the default option. To use JFrog Artifactory or Sonatype Nexus, uncomment lines with corresponding variables in 2 Jenkinsfiles in both the gitops-template and source-repo folders in your cloned tssc-sample-templates GitHub repository.

    Table 1.1. Image registry and GitOps secrets
    VariableDescription

    QUAY_IO_CREDS

    Username and password for accessing your Quay.io repository. This is the default option that is uncommented in Jenkinsfiles.

    ARTIFACTORY_IO_CREDS

    Username and password for accessing your JFrog Artifactory repository.

    NEXUS_IO_CREDS

    Username and password for accessing your Sonatype Nexus repository.

    GITOPS_AUTH_PASSWORD

    The token the system uses to update the GitOps repository for newly built images.

    Table 1.2. Secrets required for ACS and SBOM tasks
    VariableDescription

    ROX_API_TOKEN

    API token for accessing the ROX server.

    COSIGN_SECRET_PASSWORD

    Password for Cosign signing key.

    COSIGN_SECRET_KEY

    Private key for Cosign.

    TRUSTIFICATION_OIDC_CLIENT_SECRET

    Client secret used alongside the client ID to authenticate to the Trustification Bombastic API.

  13. Rerun the last pipeline run.

    1. Alternatively, switch to you application’s source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.

1.2. Adding environment variables to Jenkins

After adding all required secrets, follow this procedure to add the environment variables using UI on the Jenkins server.

Procedure

  1. From the left sidebar, select Manage Jenkins.
  2. In the System Configuration section select System.
  3. On the System page scroll down to find the Global properties section.
  4. Select Environment variables > Add

  5. Add key-value pairs for the following environment variables:

    Table 1.3. GitOps variable
    VariableDescription

    GITOPS_AUTH_USERNAME (optional)

    The variable required for Jenkins to work with GitLab.

    Table 1.4. Variables required for ACS and SBOM tasks
    VariableDescription

    ROX_CENTRAL_ENDPOINT

    Endpoint for the ROX Central server.

    COSIGN_PUBLIC_KEY

    Public key for Cosign.

    TRUSTIFICATION_BOMBASTIC_API_URL

    URL for Trustification Bombastic API used in SBOM generation.

    TRUSTIFICATION_OIDC_ISSUER_URL

    OIDC issuer URL used for authentication when interacting with the Trustification Bombastic API.

    TRUSTIFICATION_OIDC_CLIENT_ID

    Client ID for authenticating to the Trustification Bombastic API using OIDC.

    TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION

    Specifies the CycloneDX SBOM version that is supported and generated by the system.

    Optional: Set the Rekor and TUF variables if Jenkins doesn’t run on a local OpenShift instance, and the Rekor and TUF services are on different clusters. Also, uncomment lines with Rekor and TUF variables in a Jenkinsfile in your cloned tssc-sample-templates repository.

    Table 1.5. Rekor and TUF variables
    VariableDescription

    REKOR_HOST

    URL of your Rekor server.

    TUF_MIRROR

    URL of your TUF service.

  1. When you added all variables, select Save.
  2. Rerun the last pipeline run.

Additional resources

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat, Inc.