How to integrate kubernetes cloud plugin with jenkins - jenkins

I am trying to integrate Jenkins with K8 secrets in a dedicated namespace but even after creating the service account and secret, I still see Test Connection failures.

You need to create the Jenkins global credential with the secret for the cluster to be authenticated. Try using the default namespace initially. Also double-check your k8 URL by running kubectl cluster-info.

Related

How can I deploy aws resources using external Jenkins and terraform. (I don't like my Jenkins running in ec2 or in aws)

How can I deploy aws resources using external jenkins and terraform. (I don't like my jenkins running in ec2 or in aws) because it may terminate at any time and every time I have to build from ami or all steps that I do on first time. I mean to say save all settings and credentials etc. So, I am looking for some solution to install it on my VM/virtual box and then run the pipeline job there and build aws resources/services using terraform.

You can run terraform or jenkins from anywhere to create resources in AWS.
Jenkins is just an orchestrator tool which will use terraform to create resources.
We only need to change how terraform interacts with your AWS environment.
If you have terraform on one of the AWS EC2 instances, you can utilize EC2 metadata to interact/authenticate with AWS.
Now, as you move towards your local system or VM, you have to change the way you authenticate with terraform.
You can use the code below in terraform to authenticate with AWS:

    provider "aws" {
      region     = "us-west-2"
      access_key = "my-access-key"
      secret_key = "my-secret-key"
    }

Please refer to the terraform documentation for more authentication methods:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration
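
A check a reviewer could run before a provider block like the one in this answer reaches a shared repository, so that static keys are caught and moved to one of the other authentication methods in the linked documentation. This is an added example, not part of the original answer; the function names and the sample files are constructed.

```shell
#!/bin/sh
# scan_tf_static_keys DIR
# Prints "path:line: attribute" for every access_key, secret_key or token
# that is assigned a quoted literal inside a provider "aws" block under DIR.
scan_tf_static_keys() {
    find "$1" -type f -name '*.tf' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            # Opening line of the AWS provider block: start counting braces.
            /^[ \t]*provider[ \t]+"aws"[ \t]*[{]/ { depth = 1; next }
            depth > 0 {
                # A quoted literal is a static value; unquoted var.x references
                # and "${...}" interpolations are not reported.
                if ($0 ~ /^[ \t]*(access_key|secret_key|token)[ \t]*=[ \t]*"[^$"]/) {
                    attr = $0
                    sub(/^[ \t]*/, "", attr)
                    sub(/[ \t]*=.*/, "", attr)
                    printf "%s:%d: %s\n", file, FNR, attr
                }
                # Nested blocks such as assume_role keep depth above zero.
                depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            }
        ' "$f"
    done
}

# Constructed sample tree: the provider block from the answer above, plus a
# provider that leaves credentials to the environment.
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/static.tf" <<'EOF'
provider "aws" {
  region     = "us-west-2"
  access_key = "my-access-key"
  secret_key = "my-secret-key"
}
EOF
    cat > "$dir/env.tf" <<'EOF'
provider "aws" {
  region = "us-west-2"
}
EOF
    printf '%s\n' "$dir"
}

sample=$(make_sample_tree)
scan_tf_static_keys "$sample"
rm -rf "$sample"
```

Any output line means a literal credential is present in that file; an empty result means the provider blocks rely on credentials supplied outside the code.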

Get authorization CodeArtifact token from Bitbucket Pipelines run

I'm using Bitbucket as a source control service and I'm interested to start using its pipelines capability to build and deploy my app. I'm using AWS CodeArtifact to host my Java artifacts.
The thing I'm struggling with is how to authenticate AWS CodeArtifact from the Bitbucket pipelines.
How to run

    aws sso login --profile XXXX
    export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token ....

Is there a best practice to deal with this??

I think the exportation of the CODEARTIFACT_AUTH_TOKEN env var is quite fine. For the first authentication to AWS, you probably want to take a look into Bitbucket OIDC capabilities:
https://bitbucket.org/blog/bitbucket-pipelines-and-openid-connect-no-more-secret-management
https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/
Essentially, setting up an identity provider in your AWS account that will let your pipelines assume a role by just declaring

    - step:
        name: My pipeline
        oidc: true
        ...

(also exporting an AWS_ROLE_ARN somewhere)
Identities and the assumed roles can be set up to granular clearance levels per repository, deployment stage, etc.
Setting up an OIDC identity provider can be cumbersome. You might be interested in giving https://registry.terraform.io/modules/calidae/bitbucket-oidc/aws/latest a look, even if you weren't using terraform.
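
The flow this answer describes, written as functions for a step script (added example, not part of the original answer). With oidc: true, Bitbucket exposes the step's token in BITBUCKET_STEP_OIDC_TOKEN, and the AWS CLI assumes AWS_ROLE_ARN using the file named by AWS_WEB_IDENTITY_TOKEN_FILE. The function names, domain and account id are placeholders.

```shell
#!/bin/sh
# write_web_identity_token DIR
# Stores $BITBUCKET_STEP_OIDC_TOKEN in a file only the build user can read and
# exports the variable the AWS CLI uses to find it. AWS_ROLE_ARN must already
# be set, for example as a repository or deployment variable.
write_web_identity_token() {
    [ -n "${BITBUCKET_STEP_OIDC_TOKEN:-}" ] || { echo "no OIDC token: is oidc: true set on this step?" >&2; return 1; }
    [ -n "${AWS_ROLE_ARN:-}" ] || { echo "AWS_ROLE_ARN is not set" >&2; return 1; }
    token_file="$1/web-identity-token"
    # umask in a subshell so the 0600 mode applies to this file only.
    ( umask 077; printf '%s' "$BITBUCKET_STEP_OIDC_TOKEN" > "$token_file" ) || return 1
    export AWS_WEB_IDENTITY_TOKEN_FILE="$token_file"
}

# fetch_codeartifact_token DOMAIN OWNER_ACCOUNT_ID
# Prints a short-lived CodeArtifact token obtained with the assumed role.
fetch_codeartifact_token() {
    aws codeartifact get-authorization-token \
        --domain "$1" --domain-owner "$2" \
        --query authorizationToken --output text
}

# Usage inside the step (placeholder domain and account id):
#   write_web_identity_token "$(mktemp -d)"
#   CODEARTIFACT_AUTH_TOKEN=$(fetch_codeartifact_token my-domain 111122223333)
#   export CODEARTIFACT_AUTH_TOKEN
```

Writing the token to a temporary directory rather than the clone directory keeps it out of any artifacts the step publishes.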

Handing Secrets in Jenkins pipeline

I'm new to the Jenkins world. I have a use case where I have set up a Jenkins pipeline using a Jenkinsfile. As part of the deployment stage, we will invoke a few Ansible scripts in the backend to get the image deployed into a Kubernetes cluster running in a cloud environment. The scripts expect a few secrets in environment variables, so I'd like to understand which is the best option to handle secrets in Jenkins: do I need to enter them into Jenkins credentials and read them in the Jenkins environment tag like below? Or is it safe to get the value from the user using the input plugin when executing the pipeline? But if I get it from the user, then I would not be able to completely automate it; the pipeline will wait until the user inputs the secret. Could you help with a safe way to handle credentials?

    pipeline {
        agent any
        environment {
            // Binds the stored Jenkins credential to an environment variable
            SECRET_VALUE = credentials('SECRET_VALUE_FROM_JENKINS_CREDENTIALS')
        }
    }

It depends on your use case. Indeed, both approaches you mentioned above will work.
There shouldn't be any problem in keeping your secrets as Jenkins credentials. In my case, all my secrets are in HashiCorp Vault and my Jenkins credentials point to the Vault location, as an example:

    - usernamePassword:
        scope: GLOBAL
        id: serviceUser
        username: svc_admin
        password: "${secret/xyz/service_user/password}"
        description: My secret service user

The Jenkins deployment is via JCasC.

As a Jenkins admin I can say it is safe to store credentials in Jenkins.
Just create credentials in Jenkins and use them in a pipeline. Also, it's nice to have the mask password plugin installed in Jenkins, which will mask credentials in Jenkins jobs' output.

How can we create a Cloudant service of Bluemix in Jenkins using ibmcloud? Is an ibmcloud plugin available for Jenkins?

What's the process for creating a Cloudant service that is resource group specific in Jenkins? How can we make a connection in Jenkins to a resource group of Bluemix? I tried and created a service using the Cloud Foundry plugins, which is org and space specific, but the resource group service is not created. Please guide.

GKE/Kubernetes CI/CD Pipelines With Jenkins: Gcloud Authentication Issue in Deploy stage

As part of a Jenkins pipeline to build and deploy an app to Google's Kubernetes service (GKE), I've created a script to carry out the following deployment to GKE:
checkout code
setup authentication to gcloud and
create the deployment and service using kubectl:
Detailed steps implemented by the script are as follows:
a) Create the docker registry authentication file (.json)
b) login to the google docker registry using the authentication file
c) initialise a git repo in the current directory
d) add the remote origin in prep for code pull
e) pull the source code for the microservice container
f) Create a kubectl configuration file and directory to authenticate to the kubernetes cluster in Gcloud
g) Create a keyfile for a Gcloud service account that needs to authenticate to the container service
h) Activate the service account
i) Get the credentials for the container cluster from Gcloud
j) Run kubectl apply to create the kubernetes services
Full, tested, script at: https://pastebin.com/sZPrQuzD
If I put this sequence of steps in a script on an AWS EC2 instance and run it manually, it works. However, the Jenkins build step fails at the point kubectl is invoked to run the service, with the following error:

    gcloud container clusters get-credentials jenkins-cd --zone europe-west1-b --project noon-prod
    Fetching cluster endpoint and auth data.
    ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Request had insufficient authentication scopes.
    Build step 'Execute shell' marked build as failure

The full error dump from the Jenkins run is as follows:
https://pastebin.com/pSWPQ5Ei
My questions:
a) How to fix this? Surely it can't be that difficult to get authentication running from Jenkins?
b) Is this the correct way to authenticate to the gcloud container service from a Jenkins system which is not on Gcloud infrastructure at all?
Many thanks in advance for any help!
Traiano

We're working on an open source project called Jenkins X which is a proposed sub project of the Jenkins foundation aimed at automating CI/CD on Kubernetes using Jenkins and GitOps for promotion.
We worked around some of the issues you've been having by running the Jenkins pipelines inside the kubernetes cluster; so there's no need to authenticate with GKE.
When you merge a change to the master branch, Jenkins X creates a new semantically versioned distribution of your app (pom.xml, jar, docker image, helm chart). The pipeline then automates the generation of Pull Requests to promote your application through all of the Environments via GitOps.
Here's a demo of how to automate CI/CD with multiple environments on Kubernetes using GitOps for promotion between environments and Preview Environments on Pull Requests - using Spring Boot and nodejs apps (but we support many languages + frameworks).
