Jenkins Integration Quick Start
This section describes how to configure SPIRL to provide SPIFFE identities to your Jenkins pipelines.
In this guide we are going to use Jenkins running on a Kubernetes cluster.
Set up Jenkins to run in a K8s cluster
First, set up Jenkins to issue OIDC ID tokens to builds with https://spirl.com as the audience; these are the tokens SPIRL accepts in exchange for SPIFFE identities. The example values.yaml below installs the necessary Jenkins plugins (including oidc-provider), creates an OIDC token credential that makes the ID token available to builds, and sets the admin password to admin. The fixed admin password is for this quick start only; do not keep it on a Jenkins instance you intend to use beyond the demo.
controller:
  installPlugins:
    - kubernetes
    - workflow-aggregator
    - git
    - configuration-as-code
    - oidc-provider
  JCasC:
    defaultConfig: true
    configUrls: []
    configScripts:
      oidc-jwt-credential: |
        credentials:
          system:
            domainCredentials:
              - credentials:
                  - IdTokenStringCredentials:
                      scope: GLOBAL
                      id: oidc-jwt-credential-id
                      description: "oidc jwt credentials"
                      audience: "https://spirl.com"
    securityRealm: |-
      local:
        allowsSignup: false
        enableCaptcha: false
        users:
          - id: "admin"
            name: "Jenkins Admin"
            password: "admin"
We can use this values file and Helm to install Jenkins on the Kubernetes cluster. The chart is referenced as jenkins-repo/jenkins, so this assumes the Jenkins chart repository (https://charts.jenkins.io) has already been added under the name jenkins-repo:
NAMESPACE="jenkins"
helm install jenkins \
--namespace "${NAMESPACE}" \
--create-namespace \
-f values.yaml \
jenkins-repo/jenkins
Then set up port-forwarding so that Jenkins is reachable on http://localhost:8080:
kubectl --namespace ${NAMESPACE} port-forward svc/jenkins 8080:8080
Configure a CI/CD Profile and register a cluster with SPIRL
See Issuing SVIDs to CI/CD Jobs for how to configure a CI/CD Profile and link it to a cluster. Then install the spirl-agent in your Kubernetes cluster, following the spirl-agent installation guide.
Create a Jenkins Pipeline
Go to http://localhost:8080 and log in to Jenkins with username admin and password admin. Create a sample Jenkins pipeline by pasting the script below into a new pipeline job. The identity stage reads the Jenkins OIDC token from the oidc-jwt-credential-id credential and hands it to spiffecli, which exchanges it for a JWT-SVID scoped to the audience the build will present it to (https://example.com here, distinct from the https://spirl.com audience of the Jenkins token). The pod template carries the label k8s.spirl.com/spiffe-csi: enabled, which tells the spirl-agent to serve identities to that pod, so keep it in place.
pipeline {
    agent {
        kubernetes {
            yaml '''
apiVersion: v1
kind: Pod
metadata:
  labels:
    k8s.spirl.com/spiffe-csi: enabled
spec:
  containers:
  - name: shell
    image: ubuntu
    command:
    - sleep
    args:
    - infinity
  - name: spiffecli
    image: ghcr.io/spirl/spiffecli:latest
    command:
    - sleep
    args:
    - infinity
'''
            defaultContainer 'shell'
        }
    }
    stages {
        stage('identity') {
            steps {
                withCredentials([string(credentialsId: 'oidc-jwt-credential-id', variable: 'IDTOKEN')]) {
                    container('spiffecli') {
                        script {
                            // Single-quoted Groovy string: the shell, not Groovy, expands ${IDTOKEN},
                            // so the OIDC token is never interpolated into the pipeline script itself.
                            env.SPIFFE_JWT_SVID = sh(script: '/ko-app/spiffecli get jwt-svid --audiences https://example.com --identity-exchange-token ${IDTOKEN} --decode', returnStdout: true).trim()
                        }
                    }
                }
            }
        }
        stage('Main') {
            steps {
                sh 'echo $SPIFFE_JWT_SVID'
            }
        }
    }
}
Two things to keep in mind before reusing this pipeline. The Main stage prints the SVID into the build log, which is fine for a demo, but a JWT-SVID is a bearer credential, so a real pipeline should pass it to the consuming step rather than echoing it. The spiffecli image is also pulled by the mutable latest tag; pin a specific tag or digest for anything beyond a quick test.
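As an added example that is not part of the SPIRL documentation or of spiffecli, the shell function below is the kind of sanity check a Main stage could run on SPIFFE_JWT_SVID before handing it to a downstream service: it decodes the JWT payload and confirms that sub is a workload SPIFFE ID, that aud contains the expected audience, and that exp is still in the future. It inspects claims only; verifying the signature still requires the trust bundle (via spiffecli or a SPIFFE library). The SPIFFE ID spiffe://example.org/ci/jenkins, the dummy signature segment and the sample token are constructed here for offline demonstration.

```shell
#!/bin/sh
# Added example (not from the SPIRL docs or spiffecli): sanity-check the claims
# of a JWT-SVID before a pipeline stage uses it. Claims only; no signature check.

# base64url helpers: JWT segments use the URL-safe alphabet and drop padding.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr -- '+/' '-_'
}

b64url_decode() {
  seg=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# jwt_payload TOKEN: print the decoded JSON payload (second dot-separated segment).
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# check_jwt_svid TOKEN EXPECTED_AUDIENCE [NOW_EPOCH]
# Succeeds only if sub is a workload SPIFFE ID (trust domain plus path),
# aud contains EXPECTED_AUDIENCE, and exp is later than NOW_EPOCH (default: now).
check_jwt_svid() {
  token=$1; want_aud=$2; now=${3:-$(date +%s)}
  payload=$(jwt_payload "$token") || { echo "cannot decode token payload" >&2; return 1; }
  sub=$(printf '%s' "$payload" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p')
  # aud is normally a JSON array of strings; fall back to a bare string form.
  auds=$(printf '%s' "$payload" | sed -n 's/.*"aud":\[\([^]]*\)].*/\1/p')
  [ -n "$auds" ] || auds=$(printf '%s' "$payload" | sed -n 's/.*"aud":\("[^"]*"\).*/\1/p')
  exp=$(printf '%s' "$payload" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')

  case $sub in
    spiffe://*/*) ;;
    *) echo "sub '$sub' is not a workload SPIFFE ID" >&2; return 1 ;;
  esac
  case ",$auds," in
    *",\"$want_aud\","*) ;;
    *) echo "aud [$auds] does not contain $want_aud" >&2; return 1 ;;
  esac
  if [ -z "$exp" ] || [ "$exp" -le "$now" ]; then
    echo "token has no exp claim or has expired" >&2; return 1
  fi
  return 0
}

# make_sample_token SUB AUD EXP: build a constructed, UNSIGNED token for offline
# demonstration only. Real JWT-SVIDs come from spiffecli; the signature is a dummy.
make_sample_token() {
  header='{"alg":"ES256","typ":"JWT"}'
  payload="{\"sub\":\"$1\",\"aud\":[\"$2\"],\"exp\":$3,\"iat\":$(( $3 - 300 ))}"
  printf '%s.%s.%s' "$(b64url_encode "$header")" "$(b64url_encode "$payload")" "ZHVtbXktc2lnbmF0dXJl"
}

# Stand-alone demo with a constructed token; in the Main stage pass "$SPIFFE_JWT_SVID" instead.
demo_token=$(make_sample_token "spiffe://example.org/ci/jenkins" "https://example.com" 2000000000)
check_jwt_svid "$demo_token" "https://example.com" && echo "claims OK for https://example.com"
check_jwt_svid "$demo_token" "https://other.example" || echo "rejected for the wrong audience"
```

Passing the expected audience explicitly matters: a token minted for https://example.com must not be accepted by a step that talks to some other service, which is exactly the confusion the aud claim exists to prevent.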