Jenkins

Last updated 2 years ago

Was this helpful?

Jenkins

This walkthrough will guide you through using Jenkins with CloudTruth enabling you to manage your multiple environments parameters and secrets from a centralized location.

Prerequisites

You have created one or more .
You have created a .
Working knowledge of .
installed

Install Jenkins with a Dockerfile

This example will install Jenkins as a based on the official Jenkins guide. The Dockerfile will be customized to install the in the official . Secrets and variables will be passed directly into Jenkins pipelines with the CloudTruth CLI.

Create a in Docker using the following command:

docker network create jenkins

Customize the official Jenkins Docker image:

FROM jenkins/jenkins:2.303.2-jdk11
USER root
RUN apt-get update && apt-get install -y apt-transport-https \
       ca-certificates curl gnupg2 \
       software-properties-common
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
RUN apt-key fingerprint 0EBFCD88
RUN add-apt-repository \
       "deb [arch=amd64] https://download.docker.com/linux/debian \
       $(lsb_release -cs) stable"

RUN apt-get update && apt-get install -y docker-ce-cli

# Install the CloudTruth CLI
RUN (curl -sL https://github.com/cloudtruth/cloudtruth-cli/releases/latest/download/install.sh || wget -qO- https://github.com/cloudtruth/cloudtruth-cli/releases/latest/download/install.sh) | sh

USER jenkins
RUN jenkins-plugin-cli --plugins "blueocean:1.25.0 docker-workflow:1.26"

Build a new docker image from this dockerfile:

docker build -t jenkins-cloudtruth:1 .

Run the customized image:

 docker run --name jenkins-blueocean --rm --detach \
 --network jenkins --env DOCKER_HOST=tcp://docker:2376 \
 --env DOCKER_CERT_PATH=/certs/client --env DOCKER_TLS_VERIFY=1 \
 --publish 8080:8080 --publish 50000:50000 \
 --volume jenkins-data:/var/jenkins_home \
 --volume jenkins-docker-certs:/certs/client:ro \
 jenkins-cloudtruth:1

Obtain the admin password for your deploy once the container is running:

sudo docker exec jenkins-blueocean cat /var/jenkins_home/secrets/initialAdminPassword

Provide Jenkins Access to CloudTruth

Navigate to Dashboard -> Manage Credentials -> Jenkins store -> Global credentials -> Add:

Select the Credential Kind as Secret text.

Configure a Jenkins Pipeline with CloudTruth

Create a new pipeline

From the Jenkins dashboard select New Item. Provide a name, select pipeline and hit OK:

Configure the CloudTruth API Key as a pipeline parameter

Provide the parameter Name as CLOUDTRUTH_API_KEY. The CloudTruth CLI uses this variable to pull secrets and parameters from CloudTruth.

Create pipeline environment variables from CloudTruth

Add the following pipeline script and click Save:

pipeline {
    environment {
        CLOUDTRUTH_API_KEY = credentials('CLOUDTRUTH_API_KEY')
        CLOUDTRUTH_PARAMETER = sh(script:'cloudtruth --project MyFirstProject --env default parameters get jenkins', returnStdout: true).trim()

    }
    agent any

    stages {
        stage('CloudTruth') {
            steps {
                echo "Retrieve Parameter from CloudTruth: ${env.CLOUDTRUTH_PARAMETER}"
                }
            }
        }
    }

You can update the CLI command with your own parameter or create a parameter named jenkins in MyFirstProject.

You can use these CLI commands to set the variables used in this example:

cloudtruth --project MyFirstProject parameter set jenkins -v pipeline
cloudtruth --project MyFirstProject parameter set secret -v masked --secret true

The environment variable for CLI access in the pipeline script must be named: CLOUDTRUTH_API_KEY

Build pipeline with parameters

From the pipeline click Build with Parameters and select CloudTruth API Key then click Build.

From the build page view the Console Output. The parameter value pipeline is successfully set and echoed in our pipeline stage!

Masking external secrets in a Jenkins Pipeline

From the Plugin Manager search for Mask Passwords. Select the plugin and Install with a restart of Jenkins.

We can now use the MaskPasswordsBuildWrapper and withEnv to wrap the CloudTruth secret returned from our CLI call.

The following groovy is an example pipeline script that sets a masked environment variable using the plugin wrapper.

pipeline {
    environment {
        CLOUDTRUTH_API_KEY = credentials('CLOUDTRUTH_API_KEY')
    }
    agent any

    stages {
        stage('CloudTruth') {
            steps {
            script{
                CLOUDTRUTH_SECRET = sh(script:'cloudtruth --project MyFirstProject --env default parameters get secret', returnStdout: true).trim()
                wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: CLOUDTRUTH_SECRET]]]) {  
                  withEnv(["SECRET=${CLOUDTRUTH_SECRET}"]){
                  sh 'echo Retrieve Secret from CloudTruth: $SECRET'
                  sh 'printenv'
            }
          }
        }
      }
    }
  }
}

As a result when viewing the console output the secret is masked in the echo. It is also masked when viewing an export of the current environment variables for the step.

With this technique the secrets are also masked in Blue Ocean build details.

PreviousHarness NextKubernetes

Last updated 2 years ago

Was this helpful?