Skip to main content

Jenkins Integration Quick Start

This section describes how to configure SPIRL to provide SPIFFE identities to your Jenkins pipelines.

In this guide we are going to use Jenkins running on a Kubernetes cluster.

Set up Jenkins to run in K8s Cluster

First set up Jenkins to provide OIDC JWT tokens to builds with https://spirl.com as the audience. Here is an example values.yaml file that installs the necessary Jenkins plugins, creates an OIDC Token credential to make the JWT token accessible to the builds, and changes the admin password to admin.

controller:
    installPlugins:
        - kubernetes
        - workflow-aggregator
        - git
        - configuration-as-code
        - oidc-provider
    JCasC:
        defaultConfig: true
        configUrls: []
        configScripts:
          oidc-jwt-credential: |
            credentials:
              system:
                domainCredentials:
                  - credentials:
                      - IdTokenStringCredentials:
                          scope: GLOBAL
                          id: oidc-jwt-credential-id
                          description: "oidc jwt credentials"
                          audience: "https://spirl.com"
        securityRealm: |-
         local:
           allowsSignup: false
           enableCaptcha: false
           users:
           - id: "admin"
             name: "Jenkins Admin"
             password: "admin"

We can use this values files and helm to install Jenkins on a Kubernetes cluster:

NAMESPACE="jenkins"
helm install jenkins \
    --namespace "${NAMESPACE}" \
    --create-namespace \
    -f values.yaml \
    jenkins-repo/jenkins

Then set up port-forwarding to access Jenkins on http://localhost:8080

kubectl --namespace ${NAMESPACE} port-forward svc/jenkins 8080:8080

Configure a CI/CD Profile and register a cluster with SPIRL

See how to configure a CI/CD Profile and link it to a cluster in Issuing SVIDs to CI/CD Jobs.

Then install the spirl-agent in your K8s cluster as described in this guide.

Create a Jenkins Pipeline

Go to localhost:8080 and login to Jenkins using username admin and password admin. Create a sample Jenkins Pipeline by copying and pasting the content below into a new pipeline script.

pipeline {
    agent {
        kubernetes {
            yaml '''
apiVersion: v1
kind: Pod
metadata:
  labels:
    k8s.spirl.com/spiffe-csi: enabled
spec:
  containers:
  - name: shell
    image: ubuntu
    command:
    - sleep
    args:
    - infinity
  - name: spiffecli
    image: ghcr.io/spirl/spiffecli:latest
    command:
    - sleep
    args:
    - infinity
'''
            defaultContainer 'shell'
        }
    }
    stages {
        stage('identity'){
            steps{
                withCredentials([string(credentialsId: 'oidc-jwt-credential-id', variable: 'IDTOKEN')]){
                    container('spiffecli'){
                        script {
                            env.SPIFFE_JWT_SVID = sh(script: '/ko-app/spiffecli get jwt-svid --audiences https://example.com --identity-exchange-token ${IDTOKEN} --decode', returnStdout: true).trim()
                        }
                    }
                }
            }
        }
        stage('Main') {
            steps {
                sh 'echo $SPIFFE_JWT_SVID'
            }
        }
    }
}