Jenkins
This walkthrough will guide you through using Jenkins with CloudTruth enabling you to manage your multiple environments parameters and secrets from a centralized location.
This example will install Jenkins as a Docker image based on the official Jenkins guide. The Dockerfile will be customized to install the CloudTruth CLI in the official Jenkins image. Secrets and variables will be passed directly into Jenkins pipelines with the CloudTruth CLI.
docker network create jenkins
Customize the official Jenkins Docker image:
FROM jenkins/jenkins:2.303.2-jdk11
USER root
RUN apt-get update && apt-get install -y apt-transport-https \
ca-certificates curl gnupg2 \
software-properties-common
RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
RUN apt-key fingerprint 0EBFCD88
RUN add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/debian \
$(lsb_release -cs) stable"
RUN apt-get update && apt-get install -y docker-ce-cli
# Install the CloudTruth CLI
RUN (curl -sL https://github.com/cloudtruth/cloudtruth-cli/releases/latest/download/install.sh || wget -qO- https://github.com/cloudtruth/cloudtruth-cli/releases/latest/download/install.sh) | sh
USER jenkins
RUN jenkins-plugin-cli --plugins "blueocean:1.25.0 docker-workflow:1.26"
Build a new docker image from this dockerfile:
docker build -t jenkins-cloudtruth:1 .
Run the customized image:
docker run --name jenkins-blueocean --rm --detach \
--network jenkins --env DOCKER_HOST=tcp://docker:2376 \
--env DOCKER_CERT_PATH=/certs/client --env DOCKER_TLS_VERIFY=1 \
--publish 8080:8080 --publish 50000:50000 \
--volume jenkins-data:/var/jenkins_home \
--volume jenkins-docker-certs:/certs/client:ro \
jenkins-cloudtruth:1
Obtain the admin password for your deploy once the container is running:
sudo docker exec jenkins-blueocean cat /var/jenkins_home/secrets/initialAdminPassword
Navigate to http://localhost:8080 to login and customize Jenkins with a username of
admin and the password you obtained from the previous step. You can Install Suggested plugins from this screen to complete setup and skip the rest of the configuration.Adding a Jenkins global credential for the CloudTruth API key allows a Jenkins pipeline to securely access parameters and secrets stored in CloudTruth.
Navigate to Dashboard -> Manage Credentials -> Jenkins store -> Global credentials -> Add:
Select the Credential Kind as
Secret text.Fill in the Secret field with a generated CloudTruth API Access token as a Jenkins Global Credential. Add a description which is used to reference the key in the pipeline then click OK.
From the Jenkins dashboard select
New Item. Provide a name, select pipeline and hit OK:Provide the parameter Name as
CLOUDTRUTH_API_KEY. The CloudTruth CLI uses this variable to pull secrets and parameters from CloudTruth.Select Default value as the Global Credential we created as the value for
CLOUDTRUTH_API_KEY and mark the parameter as required.Add the following pipeline script and click Save:
pipeline {
environment {
CLOUDTRUTH_API_KEY = credentials('CLOUDTRUTH_API_KEY')
CLOUDTRUTH_PARAMETER = sh(script:'cloudtruth --project MyFirstProject --env default parameters get jenkins', returnStdout: true).trim()
}
agent any
stages {
stage('CloudTruth') {
steps {
echo "Retrieve Parameter from CloudTruth: ${env.CLOUDTRUTH_PARAMETER}"
}
}
}
}
This groovy script sets the
CLOUDTRUTH_API_KEY using the Jenkins credential value we specified as a pipeline parameter. It then populates an environment variable CLOUDTRUTH_PARAMATER with a sh script that calls the CLI. This allows variables to be used in downstream stages.You can update the CLI command with your own parameter or create a parameter named
jenkins in MyFirstProject.You can use these CLI commands to set the variables used in this example:
cloudtruth --project MyFirstProject parameter set jenkins -v pipeline
cloudtruth --project MyFirstProject parameter set secret -v masked --secret true
The environment variable for CLI access in the pipeline script must be named:
CLOUDTRUTH_API_KEYFrom the pipeline click
Build with Parameters and select CloudTruth API Key then click Build.From the build page view the Console Output. The parameter value
pipeline is successfully set and echoed in our pipeline stage!Jenkins will automatically mask built in credentials parameters like the CloudTruth API key. When using external secret stores we will call the Mask Passwords plugin.
From the Plugin Manager search for Mask Passwords. Select the plugin and Install with a restart of Jenkins.
We can now use the
MaskPasswordsBuildWrapper and withEnv to wrap the CloudTruth secret returned from our CLI call.The pipeline is built with the CloudTruth API key as described in configuring a Jenkins pipeline. We set a variable from a CloudTruth parameter called
secret .The following groovy is an example pipeline script that sets a masked environment variable using the plugin wrapper.
pipeline {
environment {
CLOUDTRUTH_API_KEY = credentials('CLOUDTRUTH_API_KEY')
}
agent any
stages {
stage('CloudTruth') {
steps {
script{
CLOUDTRUTH_SECRET = sh(script:'cloudtruth --project MyFirstProject --env default parameters get secret', returnStdout: true).trim()
wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: CLOUDTRUTH_SECRET]]]) {
withEnv(["SECRET=${CLOUDTRUTH_SECRET}"]){
sh 'echo Retrieve Secret from CloudTruth: $SECRET'
sh 'printenv'
}
}
}
}
}
}
}
As a result when viewing the console output the secret is masked in the echo. It is also masked when viewing an export of the current environment variables for the step.
With this technique the secrets are also masked in Blue Ocean build details.
Last modified 2mo ago