Skip to content

Getting started

Jenkins is one of the most popular automation servers for continuous integration, automation, scheduling jobs and for generic pipelining. It has an extensive set of plugins that extend or provide additional functionality including the kubernetes credentials plugin. This plugin takes kubernetes secrets and creates Jenkins credentials from them removing the need for manual entry of secrets, local storage and manual secret rotation.

Examples

The Jenkins credentials plugin uses labels and annotations on a kubernetes secret to create a Jenkins credential.

The different types of Jenkins credentials that can be created are SecretText, privateSSHKey, UsernamePassword.

SecretText

Here are some examples of SecretText with the Hashicorp Vault and AWS External Secrets providers:

Hashicorp Vault

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: sonarqube-api-token
  namespace: ci
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: sonarqube-api-token
    template:
      metadata:
        labels:
          "jenkins.io/credentials-type": "secretText"
        annotations:
          "jenkins.io/credentials-description": "sonarqube api token"
      data:
        text: >-
          {{ printf "{{ .password | toString }}" }}
  data:
    - secretKey: password
      remoteRef:
        key: jenkins-credentials
        property: sonarqube-api-token

AWS Secrets Manager

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: sonarqube-api-token
  namespace: ci
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: cluster-secrets-store
    kind: ClusterSecretStore
  target:
    name: sonarqube-api-token
    template:
      metadata:
        labels:
          "jenkins.io/credentials-type": "secretText"
        annotations:
          "jenkins.io/credentials-description": "Sonar API token"
  data:
    - secretKey: text
      remoteRef:
        key: service/sonarqube/apiToken

UsernamePassword

Here are some examples of UsernamePassword credentials with the Hashicorp Vault and AWS External Secrets providers:

Hashicorp Vault

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: harbor-chart-robot
  namespace: ci
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: harbor-chart-robot
    template:
      metadata:
        labels:
          "jenkins.io/credentials-type": "usernamePassword"
        annotations:
          "jenkins.io/credentials-description": "harbor chart robot"
      data:
        username: >-
          {{ printf "{{ .username | toString }}" }}
        password: >-
          {{ printf "{{ .password | toString }}" }}
  data:
    - secretKey: username
      remoteRef:
        key: my-kv
        property: harbor-chart-robot-username
    - secretKey: password
      remoteRef:
        key: my-kv
        property: harbor-chart-robot-token

AWS Secrets Manager

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: harbor-chart-robot
  namespace: ci
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: cluster-secrets-store
    kind: ClusterSecretStore
  target:
    name: harbor-chart-robot
    template:
      metadata:
        labels:
          "jenkins.io/credentials-type": "usernamePassword"
        annotations:
          "jenkins.io/credentials-description": "harbor chart robot access"
  data:
    - secretKey: password
      remoteRef:
        key: service/harbor/chartRobot
        property: password
    - secretKey: username
      remoteRef:
        key: service/harbor/chartRobot
        property: username

basicSSHUserPrivateKey

Here are some examples of basicSSHUserPrivateKey credentials with the Hashicorp Vault and AWS External Secrets providers:

Hashicorp Vault

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: github-ssh-access
  namespace: ci
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: github-ssh-access
    template:
      metadata:
        labels:
          "jenkins.io/credentials-type": "basicSSHUserPrivateKey"
        annotations:
          "jenkins.io/credentials-description": "github-ssh-access key"
      data:
        username: >-
          {{ printf "{{ .username | toString }}" }}
        privateKey: >-
          {{ printf "{{ .privateKey | toString }}" }}
  data:
    - secretKey: username
      remoteRef:
        key: my-kv
        property: github-ssh-access-username
    - secretKey: privateKey
      remoteRef:
        key: my-kv
        property: github-ssh-access-private-key

AWS Secrets Manager

---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: github-ssh-access
  namespace: ci
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: cluster-parameter-store
    kind: ClusterSecretStore
  target:
    name: github-ssh-access
    template:
      metadata:
        labels:
          "jenkins.io/credentials-type": "basicSSHUserPrivateKey"
        annotations:
          "jenkins.io/credentials-description": "github-ssh-access key"
  data:
    - secretKey: username
      remoteRef:
        key: /service/github/sshUserPrivateKeyUserName
    - secretKey: privateKey
      remoteRef:
        key: /service/github/sshUserPrivateKey