Getting started
Jenkins is one of the most popular automation servers for continous integration, automation, scheduling jobs and for generic pipelining. It has an extensive set of plugins that extend or provide additional functionality including the kubernetes credentials plugin. This plugin takes kubernetes secrets and creates Jenkins credentials from them removing the need for manual entry of secrets, local storage and manual secret rotation.
Examples
The Jenkins credentials plugin uses labels and annotations on a kubernetes secret to create a Jenkins credential.
The different types of Jenkins credentials that can be created are SecretText, privateSSHKey, UsernamePassword.
SecretText
Here are some examples of SecretText with the Hashicorp Vault and AWS External Secrets providers:
Hashicorp Vault
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
name: sonarqube-api-token
namespace: ci
spec:
refreshInterval: 1m
secretStoreRef:
name: vault-backend
kind: ClusterSecretStore
target:
name: sonarqube-api-token
template:
metadata:
labels:
"jenkins.io/credentials-type": "secretText"
annotations:
"jenkins.io/credentials-description": "sonarqube api token"
data:
text: >-
{{ printf "{{ .password | toString }}" }}
data:
- secretKey: password
remoteRef:
key: jenkins-credentials
property: sonarqube-api-token
AWS Secrets Manager
---
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
name: sonarqube-api-token
namespace: ci
spec:
refreshInterval: 1m
secretStoreRef:
name: cluster-secrets-store
kind: ClusterSecretStore
target:
name: sonarqube-api-token
template:
metadata:
labels:
"jenkins.io/credentials-type": "secretText"
annotations:
"jenkins.io/credentials-description": "Sonar API token"
data:
- secretKey: text
remoteRef:
key: service/sonarqube/apiToken
UsernamePassword
Here are some examples of UsernamePassword credentials with the Hashicorp Vault and AWS External Secrets providers:
Hashicorp Vault
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
name: harbor-chart-robot
namespace: ci
spec:
refreshInterval: 1m
secretStoreRef:
name: vault-backend
kind: ClusterSecretStore
target:
name: harbor-chart-robot
template:
metadata:
labels:
"jenkins.io/credentials-type": "usernamePassword"
annotations:
"jenkins.io/credentials-description": "harbor chart robot"
data:
username: >-
{{ printf "{{ .username | toString }}" }}
password: >-
{{ printf "{{ .password | toString }}" }}
data:
- secretKey: username
remoteRef:
key: my-kv
property: harbor-chart-robot-username
- secretKey: password
remoteRef:
key: my-kv
property: harbor-chart-robot-token
AWS Secrets Manager
---
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
name: harbor-chart-robot
namespace: ci
spec:
refreshInterval: 1m
secretStoreRef:
name: cluster-secrets-store
kind: ClusterSecretStore
target:
name: harbor-chart-robot
template:
metadata:
labels:
"jenkins.io/credentials-type": "usernamePassword"
annotations:
"jenkins.io/credentials-description": "harbor chart robot access"
data:
- secretKey: password
remoteRef:
key: service/harbor/chartRobot
property: password
- secretKey: username
remoteRef:
key: service/harbor/chartRobot
property: username
basicSSHUserPrivateKey
Here are some examples of basicSSHUserPrivateKey credentials with the Hashicorp Vault and AWS External Secrets providers:
Hashicorp Vault
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
name: github-ssh-access
namespace: ci
spec:
refreshInterval: 1m
secretStoreRef:
name: vault-backend
kind: ClusterSecretStore
target:
name: github-ssh-access
template:
metadata:
labels:
"jenkins.io/credentials-type": "basicSSHUserPrivateKey"
annotations:
"jenkins.io/credentials-description": "github-ssh-access key"
data:
username: >-
{{ printf "{{ .username | toString }}" }}
privateKey: >-
{{ printf "{{ .privateKey | toString }}" }}
data:
- secretKey: username
remoteRef:
key: my-kv
property: github-ssh-access-username
- secretKey: privateKey
remoteRef:
key: my-kv
property: github-ssh-access-private-key
AWS Secrets Manager
---
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
name: github-ssh-access
namespace: ci
spec:
refreshInterval: 1m
secretStoreRef:
name: cluster-parameter-store
kind: ClusterSecretStore
target:
name: github-ssh-access
template:
metadata:
labels:
"jenkins.io/credentials-type": "basicSSHUserPrivateKey"
annotations:
"jenkins.io/credentials-description": "github-ssh-access key"
data:
- secretKey: username
remoteRef:
key: /service/github/sshUserPrivateKeyUserName
- secretKey: privateKey
remoteRef:
key: /service/github/sshUserPrivateKey