Jonathan Dionne

Automate the import of Openshift Secrets to Jenkins


I would like to share my experience with a challenge I ran into when I had to deploy a Jenkins instance inside Openshift via minishift and let Jenkins talk to external services such as GitHub.

First attempt

Research

While doing some research on the internet, I came across the idea of using environment variables to pass my Openshift Secrets to my Jenkins instance.

Evaluation

The idea did not appeal to me at first: an ill-intentioned person would only need to print all the environment variables in a console to read my various passwords… Then again, I thought, that person would first need enough access to modify the configuration of my pods. Considering the security around our Openshift configuration, I opted for this solution.

Discovery

I quickly discovered that the lovely Jenkins system information page lists every environment variable, complete with its value… exactly the passwords I had just hidden in them.

The second attempt is the good one

Research

While doing some more research, I discovered a few plugins that synchronize Openshift Secrets with Jenkins “credentials”. The idea is excellent, but unfortunately, because of security constraints outside my control, I was not allowed to install those plugins.

Evaluation

Because we can’t install plugins in our Jenkins, I decided to go with a small script that runs when Jenkins starts, placed in the init.groovy.d folder.

The script we talked about

So I ended up writing a script that queries Openshift for every “secret” object labeled jenkins=true and creates a new credential entry in Jenkins for each one it finds. I also took the opportunity to manage the description of each new “credential” directly on the “secret”, through a second label: jenkins-description=A-Simple-Description.

How it works

To use this script you need to add two labels to your secrets: jenkins=true and jenkins-description=A-Simple-Description. To let the script determine which type of credential to create in Jenkins, the fields inside your secrets must be named as follows:

Jenkins credential of type “Username and Password”

Secret Type    Named
opaque         username
opaque         password

Jenkins credential of type “Secret Text”

Secret Type    Named
opaque         token
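Below is an added example of what such an init.groovy.d script can look like; it is not the author’s script, but an illustration written for this page of the mechanism described above (Secrets labeled jenkins=true, description taken from jenkins-description, credential type chosen from the username/password or token field names). It assumes the oc CLI is available on the PATH inside the Jenkins pod and authenticates as the pod’s service account, that this service account has been granted get/list on Secrets in its own namespace, and that the standard credentials and plain-credentials plugins are present. The file name openshift-secrets.groovy and the log prefix are arbitrary choices.

```groovy
// init.groovy.d/openshift-secrets.groovy
// Added example (not the author's script): import OpenShift Secrets labeled
// jenkins=true into the Jenkins global credentials store at startup.
// Assumptions: `oc` is on PATH in the Jenkins pod and runs as the pod's
// service account, which may get/list Secrets in the current namespace; the
// credentials and plain-credentials plugins are installed.
import groovy.json.JsonSlurper
import jenkins.model.Jenkins
import hudson.util.Secret
import com.cloudbees.plugins.credentials.CredentialsScope
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import com.cloudbees.plugins.credentials.common.IdCredentials
import com.cloudbees.plugins.credentials.domains.Domain
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl
import org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl

def log = { String msg -> println "[openshift-secrets] ${msg}" }

// 1. Ask OpenShift for every Secret carrying the jenkins=true label.
//    Arguments are passed as a list, so nothing is ever interpreted by a shell.
def proc = ['oc', 'get', 'secret', '-l', 'jenkins=true', '-o', 'json'].execute()
def out = new StringBuffer(), err = new StringBuffer()
proc.waitForProcessOutput(out, err)
if (proc.exitValue() != 0) {
    log("oc failed (rc=${proc.exitValue()}): ${err}")
    return
}
def secrets = new JsonSlurper().parseText(out.toString()).items ?: []

// 2. Secret values arrive base64-encoded under .data; decode the ones we use.
def decode = { Map data, String key ->
    data?.get(key) == null ? null : new String(data[key].toString().decodeBase64(), 'UTF-8')
}

// 3. Map a Secret to a Jenkins credential by its field names, or null when the
//    layout is not one of the two supported ones.
def toCredential = { Map secret ->
    String id = secret.metadata.name
    String desc = secret.metadata.labels?.get('jenkins-description') ?: id
    Map data = secret.data ?: [:]
    String user = decode(data, 'username')
    String pass = decode(data, 'password')
    String token = decode(data, 'token')
    if (user != null && pass != null) {
        return new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL, id, desc, user, pass)
    }
    if (token != null) {
        return new StringCredentialsImpl(CredentialsScope.GLOBAL, id, desc, Secret.fromString(token))
    }
    return null
}

// 4. Add or update each credential in the global domain. Using the Secret's
//    name as the credential id keeps the script idempotent across restarts.
def store = SystemCredentialsProvider.getInstance().getStore()
def domain = Domain.global()
int created = 0, updated = 0, skipped = 0
secrets.each { Map secret ->
    def cred = toCredential(secret)
    if (cred == null) {
        log("skipping ${secret.metadata.name}: needs username+password or token fields")
        skipped++
        return
    }
    def existing = store.getCredentials(domain).find {
        it instanceof IdCredentials && it.id == cred.id
    }
    if (existing == null) {
        store.addCredentials(domain, cred)
        created++
    } else {
        store.updateCredentials(domain, existing, cred)
        updated++
    }
}
Jenkins.get().save()
log("done: ${created} created, ${updated} updated, ${skipped} skipped")
```

Two points worth checking before relying on a script like this: the Jenkins service account only needs a Role granting get and list on Secrets in its own namespace (no cluster-wide binding), and every Secret you label jenkins=true becomes readable by anyone who can use or reveal Jenkins global credentials, so label only the Secrets that Jenkins jobs actually need.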

Conclusion

This solution is not flawless of course, but it offers a simple, effective and discreet way to import your Openshift Secrets into Jenkins. There is room for improvement, and I will be happy to add improvements based on your feedback and on my next discoveries!