이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Setting up Jenkins for security integrations
Learn how to configure Jenkins for secure CI/CD workflows.
Abstract
Preface
To enable your Jenkins pipeline to perform essential tasks, such as vulnerability scanning, image signing, and attestation, follow these steps. The table outlines the actions you need to take and when you need to complete them.
Action | When to complete |
Configure Jenkins with the relevant credentials | Before you use secure software templates to create an application, configure Jenkins with the appropriate credentials. This ensures seamless integration with ACS, Quay, and GitOps. |
Add your application to Jenkins | After creating the application and source repositories, add them to Jenkins. This enables you to review various aspects of the Jenkins pipeline on the Red Hat Developer Hub platform. |
By completing these steps, you enable Jenkins to integrate seamlessly with ACS (Advanced Cluster Security), Quay, and GitOps, and utilize Cosign for signing and verifying container images.
Chapter 1. Configuring Jenkins with the appropriate credentials
To set up Jenkins for seamless integration with ACS, Quay, and GitOps, you need to configure it with the required credentials. This setup allows Jenkins to perform essential security tasks such as vulnerability scanning, image signing, and attestations. Proper configuration ensures that your pipeline runs securely and efficiently.
Prerequisites
- You must have the necessary permissions to create and manage Jenkins jobs.
- You must have appropriate ACS, Quay, and GitOps credentials.
-
You must have the Cosign private key, Cosign public key, and Cosign password, which together are referred to as the “Cosign signing secret”. The values used for these credentials are already Base64-encoded, so you do not need to convert them. You can find these credentials in your
~/install_values.txt
file.
Procedure
- Open your Jenkins instance in a web browser and log in with your admin credentials.
- Select on your username at the top right corner of the Jenkins dashboard.
- From the left sidebar, select Credentials.
- Choose the appropriate domain where you want to add the credentials. Typically, it’s Global credentials (unrestricted).
- Select Add Credentials.
- From the Kind drop-down list, select Secret text.
- Keep the default value in the Scope drop-down list as Global (Jenkins).
- In the Secret field, enter your ACS API token.
-
In the ID field, enter
ROX_API_TOKEN
. - In the Description field, enter an appropriate description for the credentials.
Repeat steps 5-10 for the following credentials:
ID
Secret
ROX_CENTRAL_ENDPOINT
The route to your ACS instance. If not provided, the ACS task in the pipeline will operates as a NOOP (No Operation).
GITOPS_AUTH_PASSWORD
The token the system uses to update the GitOps repository for newly built images.
GITOPS_AUTH_USERNAME
(optional)The parameter required for Jenkins to work with GitLab.
You also need to uncomment a line with this parameter in a Jenkinsfile:
GITOPS_AUTH_USERNAME = credentials('GITOPS_AUTH_USERNAME')
. By default, this line is commented out.QUAY_IO_CREDS
The credentials for Quay used to push the images.
COSIGN_SECRET_KEY
The signing secret used to sign images and attestations.
COSIGN_PUBLIC_KEY
The public key used to verify images created by your build pipeline.
COSIGN_SECRET_PASSWORD
The password required to use the signing secret for signing images.
Now Jenkins is ready with the credentials needed for secure builds.
Additional resources
- If you selected Jenkins Continuous Integration (CI) when building your application, add your application to Jenkins.
Chapter 2. Adding your application to Jenkins
If you select Jenkins as a Continuous Integration (CI) provider when building your application, you need to integrate your application with Jenkins. Proper integration ensures that your pipeline aligns with your CI/CD workflows and operates seamlessly.
Prerequisites
- You must have installed and configured Jenkins in your environment.
- You must have the necessary permissions to create and manage Jenkins jobs.
- You must have added correct credentials for the Jenkins pipeline during the post RHTAP install phase.
-
Review the
Jenkinsfile
and ensure it aligns with your Jenkins configuration. For example, you may need to update the agent settings to limit where the pipeline can run. -
Ensure that the Jenkins agent has the necessary binaries installed:
git
,curl
,jq
,yq
,buildah
,syft
,cosign
,python3
, andtree
. If the pipeline run fails at the start, it likely indicates that one or more binaries are missing.
Procedure
- Log in to your Jenkins instance.
- From the Jenkins dashboard, select New Item.
Enter a name for your pipeline job and select Pipeline project (for example,
secure-jenkins
).NoteThe name of your pipeline job must match the name of the application for which you are adding Jenkins CI. If the names do not match, the pipeline will run on Jenkins but will not be visible on RHDH.
-
(Optional) If you want to use a different pipeline name, update the
jenkins.io/job-full-name
field in thecatalog-info.yaml
file in the source repository with the pipeline name you choose.
-
(Optional) If you want to use a different pipeline name, update the
- Select OK to create the job.
- On the Configure > General page, navigate to the Pipeline section, and from the Definition drop-down list, select Pipeline script from SCM.
- From the SCM drop-down list, select Git.
In the Repository URL field, enter the Jenkins source repository URL.
- On the Red Hat Developer Hub platform, from the Catalog, select an appropriate application.
- Go to the Overview tab and select View Source to open the repository where your application’s source code is housed.
-
In the Branches to build section, enter
*/main
. - Select Save. The system displays the live-jenkins (name of your job) page.
Select Build Now. The system starts the build pipeline. Wait until the build is complete.
- In the Stage View section, select Pipeline Overview to visualize the pipeline run.
- Select Pipeline Console to review the live logs of each stage of the pipeline run.
Verification
After integrating your application with Jenkins, review various aspects of the Jenkins pipeline on the Red Hat Developer Hub platform.
From the Catalog, select the appropriate application or component.
- Go to the CI tab to view the Jenkins project. For the appropriate Jenkins job, using the Actions column, you can view, rerun, and view history of the job. The system displays the job overview with the status of latest run.
- Go to the CD tab and select the appropriate card to view deployment details, such as the commit message, author name, and deployment history managed by ArgoCD and GitOps.
- In the Catalog, from the Kind dropdown list, select Resource. The system displays Jenkins GitOps jobs. Select and review the appropriate GitOps resource.
- Go to the Topology tab to visualize your application’s deployment within the development namespace.
Completing these steps ensures seamless integration of your application with Jenkins, enabling efficient and reliable CI/CD workflows.
Revised on 2024-12-13 16:47:44 UTC