
Setting up Jenkins for security integrations


Red Hat Trusted Application Pipeline 1.3

Learn how to configure Jenkins for secure CI/CD workflows.

Red Hat Trusted Application Pipeline Documentation Team

Abstract

This document provides instructions on setting up Jenkins to perform essential security tasks, such as vulnerability scanning, image signing, and attestation generation.

Preface

To enable your Jenkins pipeline to perform essential tasks, such as vulnerability scanning, image signing, and attestation, follow these steps. The table outlines the actions you need to take and when you need to complete them.

Action: Configure Jenkins with the relevant credentials
When to complete: Before you use secure software templates to create an application, configure Jenkins with the appropriate credentials. This ensures seamless integration with ACS, Quay, and GitOps.

Action: Add your application to Jenkins
When to complete: After creating the application and source repositories, add them to Jenkins. This enables you to review various aspects of the Jenkins pipeline on the Red Hat Developer Hub platform.

By completing these steps, you enable Jenkins to integrate seamlessly with ACS (Advanced Cluster Security), Quay, and GitOps, and utilize Cosign for signing and verifying container images.

Chapter 1. Configuring Jenkins with the appropriate credentials

To set up Jenkins for seamless integration with ACS, Quay, and GitOps, you need to configure it with the required credentials. This setup allows Jenkins to perform essential security tasks such as vulnerability scanning, image signing, and attestations. Proper configuration ensures that your pipeline runs securely and efficiently.

Prerequisites

  • You must have the necessary permissions to create and manage Jenkins jobs.
  • You must have appropriate ACS, Quay, and GitOps credentials.
  • You must have the Cosign private key, Cosign public key, and Cosign password, which together are referred to as the “Cosign signing secret”. The values used for these credentials are already Base64-encoded, so you do not need to convert them. You can find these credentials in your ~/install_values.txt file.

Procedure

  1. Open your Jenkins instance in a web browser and log in with your admin credentials.
  2. Select your username at the top right corner of the Jenkins dashboard.
  3. From the left sidebar, select Credentials.
  4. Choose the appropriate domain where you want to add the credentials. Typically, it’s Global credentials (unrestricted).
  5. Select Add Credentials.
  6. From the Kind drop-down list, select Secret text.
  7. Keep the default value in the Scope drop-down list as Global (Jenkins).
  8. In the Secret field, enter your ACS API token.
  9. In the ID field, enter ROX_API_TOKEN.
  10. In the Description field, enter an appropriate description for the credentials.
  11. Repeat steps 5-10 for the following credentials:

    ID: ROX_CENTRAL_ENDPOINT
    Secret: The route to your ACS instance. If not provided, the ACS task in the pipeline operates as a NOOP (No Operation).

    ID: GITOPS_AUTH_PASSWORD
    Secret: The token the system uses to update the GitOps repository for newly built images.

    ID: GITOPS_AUTH_USERNAME (optional)
    Secret: The parameter required for Jenkins to work with GitLab. You also need to uncomment the line with this parameter in the Jenkinsfile: GITOPS_AUTH_USERNAME = credentials('GITOPS_AUTH_USERNAME'). By default, this line is commented out.

    ID: QUAY_IO_CREDS
    Secret: The credentials for Quay used to push the images.

    ID: COSIGN_SECRET_KEY
    Secret: The signing secret used to sign images and attestations.

    ID: COSIGN_PUBLIC_KEY
    Secret: The public key used to verify images created by your build pipeline.

    ID: COSIGN_SECRET_PASSWORD
    Secret: The password required to use the signing secret for signing images.

Now Jenkins is ready with the credentials needed for secure builds.
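The following script is an added example and is not part of the Red Hat documentation or the RHTAP pipeline. It shows a check a pipeline stage can run before calling cosign: the three Cosign credentials are stored in Jenkins already Base64-encoded, so a stage must decode them and should confirm they decode to what cosign expects before signing anything. When a Jenkinsfile binds the Secret text credentials (for example COSIGN_SECRET_KEY = credentials('COSIGN_SECRET_KEY')), sh steps see them as environment variables of the same name; the functions below take the values as arguments so they can also be run by hand. The PEM header names, the function names and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: sanity-check the three
# Base64-encoded Cosign values before a pipeline stage hands them to cosign.

# decode_b64 <value>: print the decoded value; fail if it is not valid Base64.
decode_b64() {
  printf '%s' "$1" | base64 -d 2>/dev/null
}

# check_cosign_credentials <secret_key_b64> <public_key_b64> <password_b64>
# Returns 0 when every value decodes and has the shape cosign expects:
#   - the private key is a PEM block of an encrypted cosign private key
#     (header names as emitted by `cosign generate-key-pair`, assumed here),
#   - the public key is a PEM "PUBLIC KEY" block,
#   - the password is non-empty.
check_cosign_credentials() {
  key=$(decode_b64 "$1") || { echo "COSIGN_SECRET_KEY is not valid Base64" >&2; return 1; }
  pub=$(decode_b64 "$2") || { echo "COSIGN_PUBLIC_KEY is not valid Base64" >&2; return 1; }
  pw=$(decode_b64 "$3") || { echo "COSIGN_SECRET_PASSWORD is not valid Base64" >&2; return 1; }

  case "$key" in
    "-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----"*) ;;
    "-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----"*) ;;
    *) echo "COSIGN_SECRET_KEY does not decode to an encrypted cosign private key" >&2; return 1 ;;
  esac
  case "$pub" in
    "-----BEGIN PUBLIC KEY-----"*) ;;
    *) echo "COSIGN_PUBLIC_KEY does not decode to a PEM public key" >&2; return 1 ;;
  esac
  [ -n "$pw" ] || { echo "COSIGN_SECRET_PASSWORD is empty" >&2; return 1; }
}

# write_cosign_key_files <dir> <secret_key_b64> <public_key_b64>
# Materialise the key pair for `cosign sign --key` / `cosign verify --key`
# with owner-only permissions; the pipeline should remove <dir> afterwards.
write_cosign_key_files() {
  (
    umask 077
    decode_b64 "$2" > "$1/cosign.key" &&
    decode_b64 "$3" > "$1/cosign.pub"
  )
}

# Constructed sample values (not real key material): the installer stores the
# real ones, already Base64-encoded, in ~/install_values.txt.
SAMPLE_KEY='-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----
c2FtcGxlLW5vdC1hLXJlYWwta2V5
-----END ENCRYPTED SIGSTORE PRIVATE KEY-----'
SAMPLE_PUB='-----BEGIN PUBLIC KEY-----
c2FtcGxlLW5vdC1hLXJlYWwtcHVibGljLWtleQ==
-----END PUBLIC KEY-----'
SAMPLE_KEY_B64=$(printf '%s\n' "$SAMPLE_KEY" | base64 | tr -d '\n')
SAMPLE_PUB_B64=$(printf '%s\n' "$SAMPLE_PUB" | base64 | tr -d '\n')
SAMPLE_PW_B64=$(printf '%s' 'sample-password' | base64 | tr -d '\n')

# Typical use in a pipeline stage, with the Jenkins-injected variables:
#   check_cosign_credentials "$COSIGN_SECRET_KEY" "$COSIGN_PUBLIC_KEY" "$COSIGN_SECRET_PASSWORD"
#   write_cosign_key_files "$WORKSPACE/keys" "$COSIGN_SECRET_KEY" "$COSIGN_PUBLIC_KEY"
```

Failing this check early gives a clear message in the pipeline console (a swapped or double-encoded credential is a common setup mistake) instead of an opaque cosign error, and writing the decoded keys under umask 077 keeps them readable only by the agent user for the duration of the stage.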


Chapter 2. Adding your application to Jenkins

If you select Jenkins as a Continuous Integration (CI) provider when building your application, you need to integrate your application with Jenkins. Proper integration ensures that your pipeline aligns with your CI/CD workflows and operates seamlessly.

Prerequisites

  • You must have installed and configured Jenkins in your environment.
  • You must have the necessary permissions to create and manage Jenkins jobs.
  • You must have added the correct credentials for the Jenkins pipeline during the RHTAP post-install phase.
  • Review the Jenkinsfile and ensure it aligns with your Jenkins configuration. For example, you may need to update the agent settings to limit where the pipeline can run.
  • Ensure that the Jenkins agent has the necessary binaries installed: git, curl, jq, yq, buildah, syft, cosign, python3, and tree. If the pipeline run fails at the start, it likely indicates that one or more binaries are missing.
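The following preflight script is an added example and is not part of the Red Hat documentation or the RHTAP Jenkinsfile. It turns the binary prerequisite above into an explicit first check: run it as an early pipeline stage (or by hand on the agent) and a missing tool is reported by name, rather than surfacing as a failure at the start of the run that has to be diagnosed from the logs. The list of binaries is the one given in the prerequisites; the function names and the --check flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: preflight check for a
# Jenkins agent, run before the build stages so a missing tool fails fast.

# Tools the pipeline calls, as listed in the documentation's prerequisites.
REQUIRED_BINARIES="git curl jq yq buildah syft cosign python3 tree"

# missing_binaries [name...]: print the names not found on PATH, one per line.
# Returns 0 when every binary is present, 1 otherwise.
missing_binaries() {
  rc=0
  for bin in "$@"; do
    if ! command -v "$bin" >/dev/null 2>&1; then
      echo "$bin"
      rc=1
    fi
  done
  return $rc
}

# preflight: check the required set and report the result for the build log.
preflight() {
  # Word splitting on REQUIRED_BINARIES is intended.
  if missing=$(missing_binaries $REQUIRED_BINARIES); then
    echo "preflight: all required binaries present"
    return 0
  fi
  echo "preflight: missing on this agent:" >&2
  echo "$missing" | sed 's/^/  - /' >&2
  return 1
}

# Run the check only when invoked with --check, so the file can also be
# sourced for its functions.
if [ "${1:-}" = "--check" ]; then
  preflight
fi
```

In a Jenkinsfile this would be a sh step in the first stage (for example sh './preflight.sh --check'); because preflight returns non-zero when anything is missing, the stage fails and the console shows exactly which tools the agent image lacks.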

Procedure

  1. Log in to your Jenkins instance.
  2. From the Jenkins dashboard, select New Item.
  3. Enter a name for your pipeline job (for example, secure-jenkins) and select Pipeline project.

    Note

    The name of your pipeline job must match the name of the application for which you are adding Jenkins CI. If the names do not match, the pipeline will run on Jenkins but will not be visible on RHDH.

    1. (Optional) If you want to use a different pipeline name, update the jenkins.io/job-full-name field in the catalog-info.yaml file in the source repository with the pipeline name you choose.
  4. Select OK to create the job.
  5. On the Configure > General page, navigate to the Pipeline section, and from the Definition drop-down list, select Pipeline script from SCM.
  6. From the SCM drop-down list, select Git.
  7. In the Repository URL field, enter the Jenkins source repository URL.

    1. On the Red Hat Developer Hub platform, from the Catalog, select an appropriate application.
    2. Go to the Overview tab and select View Source to open the repository where your application’s source code is housed.
  8. In the Branches to build section, enter */main.
  9. Select Save. The system displays the page for your job (for example, live-jenkins).
  10. Select Build Now. The system starts the build pipeline. Wait until the build is complete.

    1. In the Stage View section, select Pipeline Overview to visualize the pipeline run.
    2. Select Pipeline Console to review the live logs of each stage of the pipeline run.

Verification

After integrating your application with Jenkins, review various aspects of the Jenkins pipeline on the Red Hat Developer Hub platform.

  1. From the Catalog, select the appropriate application or component.

    • Go to the CI tab to view the Jenkins project. For the appropriate Jenkins job, use the Actions column to view the job, rerun it, or view its history. The system displays the job overview with the status of the latest run.
    • Go to the CD tab and select the appropriate card to view deployment details, such as the commit message, author name, and deployment history managed by ArgoCD and GitOps.
    • In the Catalog, from the Kind dropdown list, select Resource. The system displays Jenkins GitOps jobs. Select and review the appropriate GitOps resource.
    • Go to the Topology tab to visualize your application’s deployment within the development namespace.

Completing these steps ensures seamless integration of your application with Jenkins, enabling efficient and reliable CI/CD workflows.





Revised on 2024-12-13 16:47:44 UTC

Legal Notice

Copyright © 2024 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.