# Jenkins This walkthrough will guide you through using Jenkins with CloudTruth enabling you to manage your multiple environments parameters and secrets from a centralized location. ## Prerequisites * You have created one or more [CloudTruth Parameters](https://github.com/cloudtruth/ctdocs/blob/live/integrations/broken-reference/README.md). * You have created a [CloudTruth API Access token](https://github.com/cloudtruth/ctdocs/blob/live/integrations/broken-reference/README.md). * Working knowledge of [Jenkins](https://www.jenkins.io/doc/book/installing/). * [Docker](https://docs.docker.com/) installed ## Install Jenkins with a Dockerfile This example will install Jenkins as a [Docker image](https://www.jenkins.io/doc/book/installing/docker/) based on the official Jenkins guide. The Dockerfile will be customized to install the [CloudTruth CLI ](/configuration-management/cli-and-api/cloudtruth-cli.md#installation)in the official [Jenkins image](https://hub.docker.com/r/jenkins/jenkins/). Secrets and variables will be passed directly into Jenkins pipelines with the CloudTruth CLI. Create a [bridge network](https://docs.docker.com/network/bridge/) in Docker using the following command: ``` docker network create jenkins ``` Customize the official Jenkins Docker image: ``` FROM jenkins/jenkins:2.303.2-jdk11 USER root RUN apt-get update && apt-get install -y apt-transport-https \ ca-certificates curl gnupg2 \ software-properties-common RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add - RUN apt-key fingerprint 0EBFCD88 RUN add-apt-repository \ "deb [arch=amd64] https://download.docker.com/linux/debian \ $(lsb_release -cs) stable" RUN apt-get update && apt-get install -y docker-ce-cli # Install the CloudTruth CLI RUN (curl -sL https://github.com/cloudtruth/cloudtruth-cli/releases/latest/download/install.sh || wget -qO- https://github.com/cloudtruth/cloudtruth-cli/releases/latest/download/install.sh) | sh USER jenkins RUN jenkins-plugin-cli --plugins "blueocean:1.25.0 docker-workflow:1.26" ``` Build a new docker image from this dockerfile: ``` docker build -t jenkins-cloudtruth:1 . ``` Run the customized image: ``` docker run --name jenkins-blueocean --rm --detach \ --network jenkins --env DOCKER_HOST=tcp://docker:2376 \ --env DOCKER_CERT_PATH=/certs/client --env DOCKER_TLS_VERIFY=1 \ --publish 8080:8080 --publish 50000:50000 \ --volume jenkins-data:/var/jenkins_home \ --volume jenkins-docker-certs:/certs/client:ro \ jenkins-cloudtruth:1 ``` Obtain the admin password for your deploy once the container is running: ``` sudo docker exec jenkins-blueocean cat /var/jenkins_home/secrets/initialAdminPassword ``` Navigate to [http://localhost:8080](http://localhost:8080/) to login and customize Jenkins with a username of `admin` and the password you obtained from the previous step. You can Install Suggested plugins from this screen to complete setup and skip the rest of the configuration. ## Provide Jenkins Access to CloudTruth Adding a [Jenkins global credential](https://www.jenkins.io/doc/book/using/using-credentials/#adding-new-global-credentials) for the CloudTruth API key allows a Jenkins pipeline to securely access parameters and secrets stored in CloudTruth. Navigate to Dashboard -> Manage Credentials -> Jenkins store -> Global credentials -> Add: Select the Credential Kind as `Secret text`. Fill in the **Secret** field with a [generated CloudTruth API Access token](/org-management/access-control/access-tokens.md) as a Jenkins Global Credential. Add a description which is used to reference the key in the pipeline then click OK. ![](/files/nyoClooruvGl8umBaiMn) ## Configure a Jenkins Pipeline with CloudTruth #### Create a new pipeline From the Jenkins dashboard select `New Item`. Provide a name, select pipeline and hit OK: ![](/files/EWKUSIkUL8oonnhcWEKI) #### Configure the CloudTruth API Key as a pipeline parameter Select `This project is parameterized` and add a [`Credentials Parameter`](https://www.jenkins.io/doc/book/using/using-credentials/). ![](/files/giwJ3Klgj8qis4GOtqaj) Provide the parameter Name as `CLOUDTRUTH_API_KEY`. The CloudTruth CLI uses this variable to pull secrets and parameters from CloudTruth. Select Default value as the [Global Credential](#provide-jenkins-access-to-cloudtruth) we created as the value for `CLOUDTRUTH_API_KEY` and mark the parameter as required. ![](/files/EAWVzMM7Me9O6iZqrPyg) #### Create pipeline environment variables from CloudTruth Add the following pipeline script and click Save: ``` pipeline { environment { CLOUDTRUTH_API_KEY = credentials('CLOUDTRUTH_API_KEY') CLOUDTRUTH_PARAMETER = sh(script:'cloudtruth --project MyFirstProject --env default parameters get jenkins', returnStdout: true).trim() } agent any stages { stage('CloudTruth') { steps { echo "Retrieve Parameter from CloudTruth: ${env.CLOUDTRUTH_PARAMETER}" } } } } ``` This groovy script sets the `CLOUDTRUTH_API_KEY` using the Jenkins [credential](https://www.jenkins.io/doc/book/using/using-credentials/) value we specified as a pipeline parameter. It then populates an environment variable `CLOUDTRUTH_PARAMETER` with a sh script that calls the CLI. This allows variables to be used in downstream stages. You can update the CLI command with your own parameter or create a parameter named `jenkins` in `MyFirstProject`. You can use these CLI commands to set the variables used in this example: ``` cloudtruth --project MyFirstProject parameter set jenkins -v pipeline cloudtruth --project MyFirstProject parameter set secret -v masked --secret true ``` {% hint style="info" %} The environment variable for CLI access in the pipeline script must be named: `CLOUDTRUTH_API_KEY` {% endhint %} ![](/files/nMrW9cTo0BC5cxEMJQ39) #### Build pipeline with parameters From the pipeline click `Build with Parameters` and select `CloudTruth API Key` then click Build. ![](/files/bjUMpMmzG0VTpKOlXdTn) From the build page view the Console Output. The parameter value `pipeline` is successfully set and echoed in our pipeline stage! ![](/files/b8rpji51ui40M71BkGh4) ### Masking external secrets in a Jenkins Pipeline Jenkins will automatically mask built in [credentials parameters](https://www.jenkins.io/doc/book/using/using-credentials/) like the CloudTruth API key. When using external secret stores we will call the [Mask Passwords](https://plugins.jenkins.io/mask-passwords/) plugin. From the Plugin Manager search for Mask Passwords. Select the plugin and Install with a restart of Jenkins. ![](/files/KMuuTWM3wqhbia9mMVWe) We can now use the `MaskPasswordsBuildWrapper` and `withEnv` to wrap the CloudTruth secret returned from our CLI call. The pipeline is built with the CloudTruth API key as described in [configuring a Jenkins pipeline](#configure-a-jenkins-pipeline-with-cloudtruth). We set a variable from a CloudTruth parameter called `secret` . The following groovy is an example pipeline script that sets a masked environment variable using the plugin wrapper. ``` pipeline { environment { CLOUDTRUTH_API_KEY = credentials('CLOUDTRUTH_API_KEY') } agent any stages { stage('CloudTruth') { steps { script{ CLOUDTRUTH_SECRET = sh(script:'cloudtruth --project MyFirstProject --env default parameters get secret', returnStdout: true).trim() wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: CLOUDTRUTH_SECRET]]]) { withEnv(["SECRET=${CLOUDTRUTH_SECRET}"]){ sh 'echo Retrieve Secret from CloudTruth: $SECRET' sh 'printenv' } } } } } } } ``` As a result when viewing the console output the secret is masked in the echo. It is also masked when viewing an export of the current environment variables for the step. ![](/files/ZvrwKyHcQhvRvtToVd0x) With this technique the secrets are also masked in Blue Ocean build details. ![](/files/yGDSWxjftiTxMjmp9WQI) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.cloudtruth.com/configuration-management/integrations/jenkins.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.