Jenkins Integration Quick Start

This section describes how to configure Defakto to provide SPIFFE identities to your Jenkins pipelines.

In this guide we are going to use Jenkins running on a Kubernetes cluster.

Set up Jenkins to run in K8s Cluster

First set up Jenkins to issue OIDC JWT tokens to its builds, with https://spirl.com as the token audience. Here is an example values.yaml file for the Jenkins Helm chart that installs the necessary Jenkins plugins, creates an OIDC Token credential so that pipeline steps can read the JWT through withCredentials, and sets the admin password to admin (for this demo only; do not ship that to a real controller).

controller:
  installPlugins:
    - kubernetes
    - workflow-aggregator
    - git
    - configuration-as-code
    - oidc-provider
  JCasC:
    defaultConfig: true
    configUrls: []
    configScripts:
      oidc-jwt-credential: |
        credentials:
          system:
            domainCredentials:
              - credentials:
                  - IdTokenStringCredentials:
                      scope: GLOBAL
                      id: oidc-jwt-credential-id
                      description: "oidc jwt credentials"
                      audience: "https://spirl.com"
    securityRealm: |-
      local:
        allowsSignup: false
        enableCaptcha: false
        users:
          - id: "admin"
            name: "Jenkins Admin"
            password: "admin"

We can use this values file and helm to install Jenkins on a Kubernetes cluster. This assumes the official Jenkins chart repository (https://charts.jenkins.io) has already been added under the alias jenkins-repo:

NAMESPACE="jenkins"
helm install jenkins \
  --namespace "${NAMESPACE}" \
  --create-namespace \
  -f values.yaml \
  jenkins-repo/jenkins

Then set up port-forwarding to access Jenkins on http://localhost:8080

kubectl --namespace ${NAMESPACE} port-forward svc/jenkins 8080:8080

Configure JWT Workload Attestation

Add your Jenkins instance as a trusted issuer in the WorkloadAttestation managed config for the cluster. The issuer value must match the iss claim of the tokens the oidc-provider plugin mints exactly, and the spirl-agent validates those tokens against the issuer's published signing keys, so the URL must be reachable from inside the cluster; the https://my-jenkins.example.com below is a placeholder, and a port-forwarded localhost address will not work here:

section: WorkloadAttestation
schema: v1
spec:
  jwt:
    enabled: true
    allowedIssuers:
      - issuer: https://my-jenkins.example.com

Apply it to your cluster:

spirlctl config set cluster --id <cluster-id> workload-attestation.yaml

See the JWT Workload Attestor reference for all configuration options, and Issuing SVIDs to CI/CD Jobs for path template configuration.

Then install the spirl-agent in your K8s cluster as described in this guide.

Create a Jenkins Pipeline

Go to http://localhost:8080 and log in to Jenkins using username admin and password admin. Create a sample Jenkins Pipeline by copying and pasting the content below into a new pipeline script.

pipeline {
  agent {
    kubernetes {
      yaml '''
apiVersion: v1
kind: Pod
metadata:
  labels:
    # Opt the build pod into SPIRL's SPIFFE CSI integration so spiffecli can reach the Workload API.
    k8s.spirl.com/spiffe-csi: enabled
spec:
  containers:
    - name: shell
      image: ubuntu
      command:
        - sleep
      args:
        - infinity
    - name: spiffecli
      image: ghcr.io/spirl/spiffecli:latest
      command:
        - sleep
      args:
        - infinity
'''
      defaultContainer 'shell'
    }
  }
  stages {
    stage('identity') {
      steps {
        // Expose the Jenkins-minted OIDC token to this block only, as the IDTOKEN environment variable.
        withCredentials([string(credentialsId: 'oidc-jwt-credential-id', variable: 'IDTOKEN')]) {
          container('spiffecli') {
            script {
              // Single-quoted Groovy string: ${IDTOKEN} is expanded by the shell, not interpolated
              // by Groovy, so the token never appears in the pipeline source or in Groovy logs.
              env.SPIFFE_JWT_SVID = sh(
                script: '/ko-app/spiffecli get jwt-svid --audiences https://example.com --identity-exchange-token ${IDTOKEN} --decode',
                returnStdout: true
              ).trim()
            }
          }
        }
      }
    }
    stage('Main') {
      steps {
        // Demo only: a JWT-SVID is a bearer credential, so don't echo it into build logs in real pipelines.
        sh 'echo $SPIFFE_JWT_SVID'
      }
    }
  }
}
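When attestation fails, the cause is almost always a claim that does not line up with the configuration: the iss of the Jenkins token is not in allowedIssuers, the credential's audience is wrong, or the token has already expired. The script below is an added example, not part of the Defakto/SPIRL docs or the spiffecli tool. It decodes (without verifying; the spirl-agent does the signature check against the issuer's keys) both the identity exchange token Jenkins mints and the JWT-SVID the pipeline obtains, and reports claim mismatches against the allowedIssuers entry and audience from the WorkloadAttestation section, the --audiences value from the pipeline, and an assumed trust domain example.org. The sample tokens are constructed inline with a placeholder signature segment; with real tokens you would paste the value of IDTOKEN and SPIFFE_JWT_SVID instead.

```python
"""Claim pre-flight for the Jenkins -> SPIRL token exchange.

Added example, not part of the Defakto/SPIRL docs or the spiffecli tool.
Tokens are decoded WITHOUT signature verification (the spirl-agent does that
against the issuer's published keys); only the claims are checked against
the configuration on this page.
"""
import base64
import json
import time

# Values taken from the page; TRUST_DOMAIN is an assumption for the sample.
ALLOWED_ISSUERS = ["https://my-jenkins.example.com"]  # WorkloadAttestation allowedIssuers
EXCHANGE_AUDIENCE = "https://spirl.com"              # audience on the Jenkins credential
SVID_AUDIENCE = "https://example.com"                # --audiences passed to spiffecli
TRUST_DOMAIN = "example.org"                         # assumed SPIFFE trust domain


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS. No signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_jwt(claims: dict) -> str:
    """Constructed test token with a placeholder (invalid) signature segment."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def _audiences(claims: dict) -> list:
    aud = claims.get("aud", [])
    return aud if isinstance(aud, list) else [aud]


def _check_common(claims: dict, audience: str, now: float) -> list:
    problems = []
    if audience not in _audiences(claims):
        problems.append(f"aud={claims.get('aud')!r} does not contain {audience!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def check_identity_exchange_token(token: str, allowed_issuers=ALLOWED_ISSUERS,
                                  audience=EXCHANGE_AUDIENCE, now=None) -> list:
    """Problems the JWT workload attestor would have with a Jenkins ID token."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems = []
    iss = claims.get("iss")
    if iss not in allowed_issuers:
        problems.append(f"iss={iss!r} is not listed in allowedIssuers {allowed_issuers}")
    elif not iss.startswith("https://"):
        problems.append(f"iss={iss!r} is not an https URL")
    return problems + _check_common(claims, audience, now)


def check_jwt_svid(token: str, trust_domain=TRUST_DOMAIN,
                   audience=SVID_AUDIENCE, now=None) -> list:
    """Problems with the JWT-SVID spiffecli returned to the pipeline."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems = []
    sub = claims.get("sub", "")
    if not sub.startswith(f"spiffe://{trust_domain}/"):
        problems.append(f"sub={sub!r} is not a SPIFFE ID in trust domain {trust_domain!r}")
    return problems + _check_common(claims, audience, now)


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the run is reproducible
    # Constructed tokens: one matching the page's config, one minted against a
    # port-forwarded localhost issuer (the mistake this check is meant to catch).
    ok = make_sample_jwt({"iss": ALLOWED_ISSUERS[0], "aud": EXCHANGE_AUDIENCE,
                          "sub": "jenkins-job", "exp": now + 300})
    bad = make_sample_jwt({"iss": "http://localhost:8080", "aud": EXCHANGE_AUDIENCE,
                           "sub": "jenkins-job", "exp": now + 300})
    svid = make_sample_jwt({"iss": f"https://{TRUST_DOMAIN}", "aud": [SVID_AUDIENCE],
                            "sub": f"spiffe://{TRUST_DOMAIN}/jenkins/job/demo", "exp": now + 300})
    for name, problems in [("exchange token", check_identity_exchange_token(ok, now=now)),
                           ("localhost token", check_identity_exchange_token(bad, now=now)),
                           ("jwt-svid", check_jwt_svid(svid, now=now))]:
        print(name, "OK" if not problems else problems)
```

Run it once against the constructed tokens, then replace them with the real IDTOKEN and SPIFFE_JWT_SVID values from a build to see which claim the attestor is objecting to before you start changing the cluster config.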