Jenkins Integration Quick Start

This section describes how to configure SPIRL to provide SPIFFE identities to your Jenkins pipelines.

In this guide we are going to use Jenkins running on a Kubernetes cluster.

Set up Jenkins to run in K8s Cluster

First, set up Jenkins to issue OIDC JWT tokens to builds with https://spirl.com as the audience. The example values.yaml below installs the required Jenkins plugins, creates an OIDC token credential (an IdTokenStringCredentials entry) that makes the JWT available to builds, and sets the admin password to admin.

```yaml
controller:
  installPlugins:
    - kubernetes
    - workflow-aggregator
    - git
    - configuration-as-code
    - oidc-provider
  JCasC:
    defaultConfig: true
    configUrls: []
    configScripts:
      oidc-jwt-credential: |
        credentials:
          system:
            domainCredentials:
              - credentials:
                  - IdTokenStringCredentials:
                      scope: GLOBAL
                      id: oidc-jwt-credential-id
                      description: "oidc jwt credentials"
                      audience: "https://spirl.com"
      securityRealm: |-
        local:
          allowsSignup: false
          enableCaptcha: false
          users:
            - id: "admin"
              name: "Jenkins Admin"
              password: "admin"
```

Use this values file with Helm to install Jenkins on the Kubernetes cluster (the commands below assume the Jenkins chart repository has already been added under the name jenkins-repo):

```shell
NAMESPACE="jenkins"
helm install jenkins \
  --namespace "${NAMESPACE}" \
  --create-namespace \
  -f values.yaml \
  jenkins-repo/jenkins
```

Then set up port-forwarding so Jenkins is reachable at http://localhost:8080:

```shell
kubectl --namespace "${NAMESPACE}" port-forward svc/jenkins 8080:8080
```

Add k8s cluster to SPIRL-managed trust domain

First, create a new CI/CD profile in SPIRL that specifies the OIDC issuer URL of your Jenkins instance (here the in-cluster service URL). For example, using the SPIRL CLI:

```shell
spirlctl ci-cd profile create jenkins --type jenkins --issuer=http://jenkins:8080/oidc
```

Then add your k8s cluster to your SPIRL-managed trust domain, referencing the profile just created:

```shell
spirlctl ci-cd cluster add production --trust-domain example.com --platform k8s --profile jenkins
```

Create a Jenkins Pipeline

Go to http://localhost:8080 and log in to Jenkins with username admin and password admin. Create a sample Jenkins Pipeline by pasting the content below into a new pipeline script. The identity stage uses the OIDC credential created above as an identity-exchange token and asks spiffecli for a JWT-SVID with audience https://example.com; the pod label k8s.spirl.com/spiffe-csi: enabled is what gives the agent pod access to the SPIFFE Workload API.

```groovy
pipeline {
  agent {
    kubernetes {
      // Agent pod: a plain shell container plus the spiffecli container.
      // The spiffe-csi label mounts the SPIFFE Workload API socket into the pod.
      yaml '''
apiVersion: v1
kind: Pod
metadata:
  labels:
    k8s.spirl.com/spiffe-csi: enabled
spec:
  containers:
  - name: shell
    image: ubuntu
    command:
    - sleep
    args:
    - infinity
  - name: spiffecli
    image: ghcr.io/spirl/spiffecli:latest
    command:
    - sleep
    args:
    - infinity
'''
      defaultContainer 'shell'
    }
  }
  stages {
    stage('identity') {
      steps {
        // Expose the Jenkins OIDC token (audience https://spirl.com) as IDTOKEN.
        withCredentials([string(credentialsId: 'oidc-jwt-credential-id', variable: 'IDTOKEN')]) {
          container('spiffecli') {
            script {
              // Exchange the Jenkins token for a JWT-SVID scoped to https://example.com.
              // The single-quoted Groovy string leaves ${IDTOKEN} for the shell to expand.
              env.SPIFFE_JWT_SVID = sh(script: '/ko-app/spiffecli get jwt-svid --audiences https://example.com --identity-exchange-token ${IDTOKEN} --decode', returnStdout: true).trim()
            }
          }
        }
      }
    }
    stage('Main') {
      steps {
        sh 'echo $SPIFFE_JWT_SVID'
      }
    }
  }
}
```
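The profile and pipeline above hinge on two sets of claims: the Jenkins OIDC token must carry the issuer configured on the SPIRL profile (http://jenkins:8080/oidc) and the audience https://spirl.com, and the JWT-SVID handed back must name a SPIFFE ID in the example.com trust domain and the audience https://example.com. The script below is an added example, not code from the page, from SPIRL or from spiffecli: it decodes a compact JWT and checks exactly those claims, which is a useful diagnostic when the identity stage fails. It inspects claims only and does not verify signatures (SPIRL and the receiving workload do that against the issuer's keys). The sample tokens, the fixed clock NOW and the SPIFFE path /ns/jenkins/sa/default are constructed for the example.

```python
import base64
import json
import time

# Values taken from the quick start above.
JENKINS_ISSUER = "http://jenkins:8080/oidc"
SPIRL_AUDIENCE = "https://spirl.com"
TRUST_DOMAIN = "example.com"
SVID_AUDIENCE = "https://example.com"


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWS. Signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def _audiences(claims):
    """Normalise 'aud', which may be a string or a list, to a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def _expiry_problems(claims, now):
    if "exp" not in claims:
        return ["exp claim missing"]
    if claims["exp"] <= now:
        return ["token expired"]
    return []


def check_jenkins_id_token(token, now=None):
    """Problems with a Jenkins OIDC token relative to the SPIRL profile (empty list = OK)."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems = []
    if claims.get("iss") != JENKINS_ISSUER:
        problems.append(f"iss {claims.get('iss')!r} != profile issuer {JENKINS_ISSUER!r}")
    if SPIRL_AUDIENCE not in _audiences(claims):
        problems.append(f"aud {_audiences(claims)!r} does not include {SPIRL_AUDIENCE!r}")
    return problems + _expiry_problems(claims, now)


def check_jwt_svid(token, now=None):
    """Problems with an exchanged JWT-SVID as the pipeline expects it (empty list = OK)."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems = []
    sub = claims.get("sub", "")
    if not sub.startswith(f"spiffe://{TRUST_DOMAIN}/"):
        problems.append(f"sub {sub!r} is not a SPIFFE ID in trust domain {TRUST_DOMAIN!r}")
    if SVID_AUDIENCE not in _audiences(claims):
        problems.append(f"aud {_audiences(claims)!r} does not include {SVID_AUDIENCE!r}")
    return problems + _expiry_problems(claims, now)


# --- constructed sample tokens (not real Jenkins or SPIRL output) ----------------
def _unsigned_jwt(payload):
    """Build a JWT-shaped string with a placeholder signature for the claim checks."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.placeholder-signature"


NOW = 1_700_000_000  # constructed fixed clock so the samples are deterministic
SAMPLE_SPIFFE_ID = f"spiffe://{TRUST_DOMAIN}/ns/jenkins/sa/default"  # constructed path

GOOD_ID_TOKEN = _unsigned_jwt({"iss": JENKINS_ISSUER, "aud": SPIRL_AUDIENCE,
                               "sub": "job-name", "exp": NOW + 300})
WRONG_AUD_ID_TOKEN = _unsigned_jwt({"iss": JENKINS_ISSUER, "aud": "https://other.example",
                                    "sub": "job-name", "exp": NOW + 300})
GOOD_SVID = _unsigned_jwt({"sub": SAMPLE_SPIFFE_ID, "aud": [SVID_AUDIENCE], "exp": NOW + 300})
EXPIRED_SVID = _unsigned_jwt({"sub": SAMPLE_SPIFFE_ID, "aud": [SVID_AUDIENCE], "exp": NOW - 1})

if __name__ == "__main__":
    for name, tok, fn in [("id token", GOOD_ID_TOKEN, check_jenkins_id_token),
                          ("id token (wrong aud)", WRONG_AUD_ID_TOKEN, check_jenkins_id_token),
                          ("svid", GOOD_SVID, check_jwt_svid),
                          ("svid (expired)", EXPIRED_SVID, check_jwt_svid)]:
        print(name, "->", fn(tok, now=NOW) or "OK")
```

To use it on a real pipeline, pass the value of IDTOKEN or SPIFFE_JWT_SVID captured from a build instead of the constructed samples; a non-empty list points at the mismatch (wrong issuer on the profile, wrong audience on the credential, or an expired token) before spending time on the exchange itself.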