Installing and running Jenkins in OpenShift is easy, but where do you store your secrets, tokens or other sensitive data for use in your Jenkins pipelines?
I will show you the easy way and keep you away from the pitfalls.
Openshift secrets
The Secret object type provides a mechanism to hold sensitive information such as passwords, OpenShift Container Platform client configuration files, dockercfg files, private source repository credentials, and so on.
The value in the type field indicates the structure of the secret’s key names and values. The type can be used to enforce the presence of user names and keys in the secret object. If you do not want validation, use the opaque type, which is the default.
The username and password should be base64 encoded. To try encoding and decoding online, see https://www.base64encode.org
Jenkins Openshift Sync plugin
This Jenkins plugin keeps OpenShift BuildConfig and Build objects in sync with Jenkins Jobs and Builds. If you installed the Jenkins Persistent/Ephemeral image in OpenShift, then the OpenShift Sync plugin is already installed. Visit this openshift-sync link if you want to download the OpenShift Sync plugin manually.
Changes to OpenShift secrets with the label “credential.sync.jenkins.openshift.io” set to “true” will result in those secrets getting converted into Jenkins Credentials that are registered with the Jenkins Credentials Plugin. Opaque/generic secrets where the data has a “username” key and a “password” key map to Jenkins Username/Password credentials.
Change your secret in OpenShift so that it is synchronized with Jenkins. Changes made in Jenkins are not synchronized back to OpenShift.
Create your Openshift secret
There are several ways to create a secret in OpenShift. The first example shows a YAML secret configuration file and the second example shows how it’s done with the OpenShift CLI commands.
Within a few seconds of setting the label on the secret, it will be available in Jenkins credentials.
By default, the OpenShift secret is synchronized to a Jenkins credential named ‘namespace’-‘secret name’.
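One way to build the labelled secret described above while base64-encoding the values locally, as an added example that is not from the original post. The secret name `slack-credentials`, the project `myproject` and the credential values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). "myproject", "slack-credentials"
# and the credential values below are constructed placeholders.

# Base64-encode a value locally: no trailing newline in the input,
# no line wrapping in the output.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Print an Opaque Secret manifest that the OpenShift Sync plugin picks up:
# it carries the sync label and the "username"/"password" data keys.
# Usage: render_sync_secret <secret-name> <username> <password>
render_sync_secret() {
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  labels:
    credential.sync.jenkins.openshift.io: "true"
type: Opaque
data:
  username: $(b64 "$2")
  password: $(b64 "$3")
EOF
}

# Default Jenkins credential ID after sync: '<namespace>-<secret name>'.
jenkins_credential_id() {
    printf '%s-%s' "$1" "$2"
}

# Read one data key back out of a manifest and decode it, as a sanity
# check before the manifest is applied.
decode_key() {
    printf '%s\n' "$1" | sed -n "s/^  $2: //p" | base64 --decode
}

# Typical use against a cluster (requires a logged-in oc session):
#   render_sync_secret slack-credentials jenkins "$PASSWORD" | oc apply -n myproject -f -
# For a secret that already exists, setting the label is enough:
#   oc label secret slack-credentials credential.sync.jenkins.openshift.io=true -n myproject
```

Base64 is an encoding, not encryption, so the rendered manifest is as sensitive as the plain values and should not be committed or pasted anywhere the password itself would not go.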
Use Openshift secret in Jenkins pipeline
Finally, here is an example of how to retrieve the synchronized OpenShift secret within a Jenkins groovy pipeline.
The SLACK_TOKEN is available as a variable, but will be masked if you try to print it out any which way!
References
Check out these external links to gain more info related to this post.
- Jenkins Openshift Sync plugin – Manual download (all versions)
- Jenkins Openshift Sync plugin – Plugin site
- Red Hat Openshift Container Platform 3.7 – Developer Guide Secrets
Senior Integration Specialist with over 30 years of experience in IT. Professional focus on API Management, Container-based software development / management (Redhat OpenShift) and Message-oriented middleware (Redhat JBoss Fuse / Apache Camel).