CloudTruth Documentation
Sign InAPIIntegrationsGitHubVisit our website
  • Overview
  • Getting Started
  • Architecture
    • 🔒Security Overview
  • Copilot
  • 🏢Org management
    • Account Setup
    • Access Control
      • 🔑API Tokens
      • 🌐Protecting Projects and Environments
      • 👥Users
    • Audit Log
  • 🛠️Config Management
    • Projects
    • Parameters
      • Sharing Config Data
      • Parameter Management
        • Internal Values
          • Dynamic Values
        • External Values
          • Terraform Remote State Files
        • Parameter Override
        • Environment Value Override
      • Parameter and Parameter Value Inheritance
      • Value Comparison
      • Value History
      • Value Validation
      • Value Expiration
    • Environments and Tags
    • Templates
      • 📒Sample Templates
    • Actions
      • Import Actions
      • Push Actions
    • CLI & API
      • CloudTruth CLI
      • Rest API
    • Integrations
      • Argo CD
      • Atlassian Compass
      • AWS
        • AWS Connection
        • AWS Role
          • CloudFormation
          • Terrraform
          • AWS Console
        • Parameter Store (SSM)
        • S3
        • Secrets Manager
      • Azure Key Vault
      • Bitbucket Pipelines
      • Docker
      • Docker Compose
      • GitHub
      • GitHub Actions
      • GitLab
      • Harness
      • Jenkins
      • Kubernetes
      • Pulumi
      • Terraform
      • Terragrunt
      • Explorer
      • Circle CI
    • Events, Notifications, Webhooks
    • Types
  • 🔎REPORTING
    • Compare
    • History
    • Expirations
  • 🚀PRODUCT
    • What is CloudTruth?
    • Interactive Demo
    • Kubernetes
    • Terraform
    • CI/CD Pipeline Configuration
    • Cloud CMDB
    • Secrets Management
    • GitOps
    • Our Manifesto
    • Open Source
    • FAQs
    • Our Mission
  • 📚Reference
    • 🎓Quick Start Videos
      • What is CloudTruth?
      • CloudTruth in Action
      • Environments and Projects
      • Secrets, Parameters, ENV variables
      • Audit Logs, RBAC, SSO
      • Containers - Kubernetes, Docker
      • Infrastructure as Code (IaC) - Terraform, Cloudformation, CDK, Azure Bicep, Pulumi
      • CICD Pipelines - GitHub Actions, ArgoCD, Jenkins, CircleCI, Harness, GitLab Pipelines
      • AWS Videos - Secret Manager, Parameter Store, S3, IAM
      • Azure Videos - Azure DevOps, Azure Bicep, PowerShell
    • Knowledge Base
      • Best Practices
        • Versioned Releases
      • CLI
        • History comparison of deleted parameters with null values
      • Integrations
        • Advanced AWS IAM policy permissions
        • K8s pull image from private Docker registry
        • S3 Region Selection
      • Templates
        • Templates render quotations in key values as quot
    • Roadmap and New Features
    • JMESPath Reference
    • REST API
Powered by GitBook

Copyright© 2023 CloudTruth

On this page
  • Prerequisites
  • Install Jenkins with a Dockerfile
  • Provide Jenkins Access to CloudTruth
  • Configure a Jenkins Pipeline with CloudTruth
  • Masking external secrets in a Jenkins Pipeline

Was this helpful?

  1. Config Management
  2. Integrations

Jenkins

PreviousHarnessNextKubernetes

Last updated 2 years ago

Was this helpful?

This walkthrough will guide you through using Jenkins with CloudTruth enabling you to manage your multiple environments parameters and secrets from a centralized location.

Prerequisites

  • You have created one or more .

  • You have created a .

  • Working knowledge of .

  • installed

Install Jenkins with a Dockerfile

This example will install Jenkins as a based on the official Jenkins guide. The Dockerfile will be customized to install the in the official . Secrets and variables will be passed directly into Jenkins pipelines with the CloudTruth CLI.

Create a in Docker using the following command:

docker network create jenkins

Customize the official Jenkins Docker image:

FROM jenkins/jenkins:2.303.2-jdk11
USER root
RUN apt-get update && apt-get install -y apt-transport-https \
       ca-certificates curl gnupg2 \
       software-properties-common
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
RUN apt-key fingerprint 0EBFCD88
RUN add-apt-repository \
       "deb [arch=amd64] https://download.docker.com/linux/debian \
       $(lsb_release -cs) stable"

RUN apt-get update && apt-get install -y docker-ce-cli

# Install the CloudTruth CLI
RUN (curl -sL https://github.com/cloudtruth/cloudtruth-cli/releases/latest/download/install.sh || wget -qO- https://github.com/cloudtruth/cloudtruth-cli/releases/latest/download/install.sh) | sh

USER jenkins
RUN jenkins-plugin-cli --plugins "blueocean:1.25.0 docker-workflow:1.26"

Build a new docker image from this dockerfile:

docker build -t jenkins-cloudtruth:1 .

Run the customized image:

 docker run --name jenkins-blueocean --rm --detach \
 --network jenkins --env DOCKER_HOST=tcp://docker:2376 \
 --env DOCKER_CERT_PATH=/certs/client --env DOCKER_TLS_VERIFY=1 \
 --publish 8080:8080 --publish 50000:50000 \
 --volume jenkins-data:/var/jenkins_home \
 --volume jenkins-docker-certs:/certs/client:ro \
 jenkins-cloudtruth:1

Obtain the admin password for your deploy once the container is running:

sudo docker exec jenkins-blueocean cat /var/jenkins_home/secrets/initialAdminPassword

Provide Jenkins Access to CloudTruth

Navigate to Dashboard -> Manage Credentials -> Jenkins store -> Global credentials -> Add:

Select the Credential Kind as Secret text.

Configure a Jenkins Pipeline with CloudTruth

Create a new pipeline

From the Jenkins dashboard select New Item. Provide a name, select pipeline and hit OK:

Configure the CloudTruth API Key as a pipeline parameter

Provide the parameter Name as CLOUDTRUTH_API_KEY. The CloudTruth CLI uses this variable to pull secrets and parameters from CloudTruth.

Create pipeline environment variables from CloudTruth

Add the following pipeline script and click Save:

pipeline {
    environment {
        CLOUDTRUTH_API_KEY = credentials('CLOUDTRUTH_API_KEY')
        CLOUDTRUTH_PARAMETER = sh(script:'cloudtruth --project MyFirstProject --env default parameters get jenkins', returnStdout: true).trim()

    }
    agent any

    stages {
        stage('CloudTruth') {
            steps {
                echo "Retrieve Parameter from CloudTruth: ${env.CLOUDTRUTH_PARAMETER}"
                }
            }
        }
    }

You can update the CLI command with your own parameter or create a parameter named jenkins in MyFirstProject.

You can use these CLI commands to set the variables used in this example:

cloudtruth --project MyFirstProject parameter set jenkins -v pipeline
cloudtruth --project MyFirstProject parameter set secret -v masked --secret true

The environment variable for CLI access in the pipeline script must be named: CLOUDTRUTH_API_KEY

Build pipeline with parameters

From the pipeline click Build with Parameters and select CloudTruth API Key then click Build.

From the build page view the Console Output. The parameter value pipeline is successfully set and echoed in our pipeline stage!

Masking external secrets in a Jenkins Pipeline

From the Plugin Manager search for Mask Passwords. Select the plugin and Install with a restart of Jenkins.

We can now use the MaskPasswordsBuildWrapper and withEnv to wrap the CloudTruth secret returned from our CLI call.

The following groovy is an example pipeline script that sets a masked environment variable using the plugin wrapper.

pipeline {
    environment {
        CLOUDTRUTH_API_KEY = credentials('CLOUDTRUTH_API_KEY')
    }
    agent any

    stages {
        stage('CloudTruth') {
            steps {
            script{
                CLOUDTRUTH_SECRET = sh(script:'cloudtruth --project MyFirstProject --env default parameters get secret', returnStdout: true).trim()
                wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: CLOUDTRUTH_SECRET]]]) {  
                  withEnv(["SECRET=${CLOUDTRUTH_SECRET}"]){
                  sh 'echo Retrieve Secret from CloudTruth: $SECRET'
                  sh 'printenv'
            }
          }
        }
      }
    }
  }
}

As a result when viewing the console output the secret is masked in the echo. It is also masked when viewing an export of the current environment variables for the step.

With this technique the secrets are also masked in Blue Ocean build details.

Navigate to to login and customize Jenkins with a username of admin and the password you obtained from the previous step. You can Install Suggested plugins from this screen to complete setup and skip the rest of the configuration.

Adding a for the CloudTruth API key allows a Jenkins pipeline to securely access parameters and secrets stored in CloudTruth.

Fill in the Secret field with a as a Jenkins Global Credential. Add a description which is used to reference the key in the pipeline then click OK.

Select This project is parameterized and add a .

Select Default value as the we created as the value for CLOUDTRUTH_API_KEY and mark the parameter as required.

This groovy script sets the CLOUDTRUTH_API_KEY using the Jenkins value we specified as a pipeline parameter. It then populates an environment variable CLOUDTRUTH_PARAMETER with a sh script that calls the CLI. This allows variables to be used in downstream stages.

Jenkins will automatically mask built in like the CloudTruth API key. When using external secret stores we will call the plugin.

The pipeline is built with the CloudTruth API key as described in . We set a variable from a CloudTruth parameter called secret .

🛠️
http://localhost:8080
Jenkins global credential
generated CloudTruth API Access token
Credentials Parameter
credential
credentials parameters
Mask Passwords
Global Credential
configuring a Jenkins pipeline
CloudTruth Parameters
CloudTruth API Access token
Jenkins
Docker
Docker image
Jenkins image
bridge network
CloudTruth CLI