Jenkins

This walkthrough will guide you through using Jenkins with CloudTruth enabling you to manage your multiple environments parameters and secrets from a centralized location.

Prerequisites

You have created one or more CloudTruth Parameters.
You have created a CloudTruth API Access token.
Working knowledge of Jenkins.
Docker installed

Install Jenkins with a Dockerfile

This example will install Jenkins as a Docker image based on the official Jenkins guide. The Dockerfile will be customized to install the CloudTruth CLI in the official Jenkins image. Secrets and variables will be passed directly into Jenkins pipelines with the CloudTruth CLI.

Create a bridge network in Docker using the following command:

docker network create jenkins

Customize the official Jenkins Docker image:

FROM jenkins/jenkins:2.303.2-jdk11
USER root
RUN apt-get update && apt-get install -y apt-transport-https \
       ca-certificates curl gnupg2 \
       software-properties-common
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
RUN apt-key fingerprint 0EBFCD88
RUN add-apt-repository \
       "deb [arch=amd64] https://download.docker.com/linux/debian \
       $(lsb_release -cs) stable"

RUN apt-get update && apt-get install -y docker-ce-cli

# Install the CloudTruth CLI
RUN (curl -sL https://github.com/cloudtruth/cloudtruth-cli/releases/latest/download/install.sh || wget -qO- https://github.com/cloudtruth/cloudtruth-cli/releases/latest/download/install.sh) | sh

USER jenkins
RUN jenkins-plugin-cli --plugins "blueocean:1.25.0 docker-workflow:1.26"

Build a new docker image from this dockerfile:

docker build -t jenkins-cloudtruth:1 .

Run the customized image:

 docker run --name jenkins-blueocean --rm --detach \
 --network jenkins --env DOCKER_HOST=tcp://docker:2376 \
 --env DOCKER_CERT_PATH=/certs/client --env DOCKER_TLS_VERIFY=1 \
 --publish 8080:8080 --publish 50000:50000 \
 --volume jenkins-data:/var/jenkins_home \
 --volume jenkins-docker-certs:/certs/client:ro \
 jenkins-cloudtruth:1

Obtain the admin password for your deploy once the container is running:

sudo docker exec jenkins-blueocean cat /var/jenkins_home/secrets/initialAdminPassword

Navigate to http://localhost:8080 to login and customize Jenkins with a username of admin and the password you obtained from the previous step. You can Install Suggested plugins from this screen to complete setup and skip the rest of the configuration.

Provide Jenkins Access to CloudTruth

Adding a Jenkins global credential for the CloudTruth API key allows a Jenkins pipeline to securely access parameters and secrets stored in CloudTruth.

Navigate to Dashboard -> Manage Credentials -> Jenkins store -> Global credentials -> Add:

Select the Credential Kind as Secret text.

Fill in the Secret field with a generated CloudTruth API Access token as a Jenkins Global Credential. Add a description which is used to reference the key in the pipeline then click OK.

Configure a Jenkins Pipeline with CloudTruth

Create a new pipeline

From the Jenkins dashboard select New Item. Provide a name, select pipeline and hit OK:

Configure the CloudTruth API Key as a pipeline parameter

Select This project is parameterized and add a Credentials Parameter.

Provide the parameter Name as CLOUDTRUTH_API_KEY. The CloudTruth CLI uses this variable to pull secrets and parameters from CloudTruth.

Select Default value as the Global Credential we created as the value for CLOUDTRUTH_API_KEY and mark the parameter as required.

Create pipeline environment variables from CloudTruth

Add the following pipeline script and click Save:

pipeline {
    environment {
        CLOUDTRUTH_API_KEY = credentials('CLOUDTRUTH_API_KEY')
        CLOUDTRUTH_PARAMETER = sh(script:'cloudtruth --project MyFirstProject --env default parameters get jenkins', returnStdout: true).trim()

    }
    agent any

    stages {
        stage('CloudTruth') {
            steps {
                echo "Retrieve Parameter from CloudTruth: ${env.CLOUDTRUTH_PARAMETER}"
                }
            }
        }
    }

This groovy script sets the CLOUDTRUTH_API_KEY using the Jenkins credential value we specified as a pipeline parameter. It then populates an environment variable CLOUDTRUTH_PARAMETER with a sh script that calls the CLI. This allows variables to be used in downstream stages.

You can update the CLI command with your own parameter or create a parameter named jenkins in MyFirstProject.

You can use these CLI commands to set the variables used in this example:

cloudtruth --project MyFirstProject parameter set jenkins -v pipeline
cloudtruth --project MyFirstProject parameter set secret -v masked --secret true

The environment variable for CLI access in the pipeline script must be named: CLOUDTRUTH_API_KEY

Build pipeline with parameters

From the pipeline click Build with Parameters and select CloudTruth API Key then click Build.

From the build page view the Console Output. The parameter value pipeline is successfully set and echoed in our pipeline stage!

Masking external secrets in a Jenkins Pipeline

Jenkins will automatically mask built in credentials parameters like the CloudTruth API key. When using external secret stores we will call the Mask Passwords plugin.

From the Plugin Manager search for Mask Passwords. Select the plugin and Install with a restart of Jenkins.

We can now use the MaskPasswordsBuildWrapper and withEnv to wrap the CloudTruth secret returned from our CLI call.

The pipeline is built with the CloudTruth API key as described in configuring a Jenkins pipeline. We set a variable from a CloudTruth parameter called secret .

The following groovy is an example pipeline script that sets a masked environment variable using the plugin wrapper.

pipeline {
    environment {
        CLOUDTRUTH_API_KEY = credentials('CLOUDTRUTH_API_KEY')
    }
    agent any

    stages {
        stage('CloudTruth') {
            steps {
            script{
                CLOUDTRUTH_SECRET = sh(script:'cloudtruth --project MyFirstProject --env default parameters get secret', returnStdout: true).trim()
                wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: CLOUDTRUTH_SECRET]]]) {  
                  withEnv(["SECRET=${CLOUDTRUTH_SECRET}"]){
                  sh 'echo Retrieve Secret from CloudTruth: $SECRET'
                  sh 'printenv'
            }
          }
        }
      }
    }
  }
}

As a result when viewing the console output the secret is masked in the echo. It is also masked when viewing an export of the current environment variables for the step.

With this technique the secrets are also masked in Blue Ocean build details.

PreviousHarness NextKubernetes

Last updated 1 year ago