I am trying to integrate Azure Key Vault with Spinnaker and didn't find any links/resources. Essentially my jobs should be able to access the secrets which are stored in Azure Key Vault.
Has anyone tried it?
Right now Spinnaker integrates with Vault only for secret management.
One way I found to integrate Spinnaker with AWS Secrets Manager is through the use of CloudFormation templates that resolve the secret at runtime.
You could try with terraform and the spinnaker terraformer.
If you ever need to, you might have to create a simple Java plugin in Spinnaker to achieve this. There is guidance in the following medium.com article.
I'm using Bitbucket as a source control service and I'm interested to start using its pipelines capability to build and deploy my app. I'm using AWS CodeArtifact to host my Java artifacts.
The thing I'm struggling with is how to authenticate to AWS CodeArtifact from the Bitbucket pipelines.
How do I run
aws sso login --profile XXXX
export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token ....
Is there a best practice to deal with this?
I think the exportation of the CODEARTIFACT_AUTH_TOKEN env var is quite fine. For the first authentication to AWS, you probably want to take a look into Bitbucket OIDC capabilities:
https://bitbucket.org/blog/bitbucket-pipelines-and-openid-connect-no-more-secret-management
https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/
Essentially, setting up an identity provider in your AWS account that will let your pipelines assume a role by just declaring
- step:
    name: My pipeline
    oidc: true
    ...
(also exporting an AWS_ROLE_ARN somewhere)
Identities and the assumed roles can be set up to granular clearance levels per repository, deployment stage, etc.
Setting up an OIDC identity provider can be cumbersome. You might be interested in giving https://registry.terraform.io/modules/calidae/bitbucket-oidc/aws/latest a look, even if you weren't using Terraform.
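The OIDC flow the answer describes, as an added example (not code from the original post or from Atlassian's docs): a bitbucket-pipelines.yml that lets the AWS CLI assume a role with the step's OIDC token and then fetches a CodeArtifact token for Maven. The role ARN, account id, domain name, region and base image are placeholder assumptions; BITBUCKET_STEP_OIDC_TOKEN is the variable Bitbucket exposes when oidc is enabled, and AWS_WEB_IDENTITY_TOKEN_FILE / AWS_ROLE_ARN are the standard AWS CLI variables for web-identity role assumption.

```yaml
# bitbucket-pipelines.yml (added example; all AWS identifiers below are placeholders)
image: maven:3.9-eclipse-temurin-17   # assumption: a Maven image, AWS CLI installed in the step

pipelines:
  branches:
    main:
      - step:
          name: Build and publish to CodeArtifact
          oidc: true   # Bitbucket injects BITBUCKET_STEP_OIDC_TOKEN for this step only
          script:
            - apt-get update && apt-get install -y awscli   # assumption: image lacks the AWS CLI
            # 1. Hand the short-lived OIDC token to the AWS CLI; no static access keys are stored
            #    in repository variables. The role's trust policy should pin the token's aud
            #    (workspace audience) and sub (repository/environment) claims.
            - export AWS_REGION=eu-west-1                                                       # placeholder
            - export AWS_ROLE_ARN=arn:aws:iam::123456789012:role/bitbucket-codeartifact-publish   # placeholder
            - export AWS_WEB_IDENTITY_TOKEN_FILE="$(pwd)/web-identity-token"
            - echo "$BITBUCKET_STEP_OIDC_TOKEN" > "$AWS_WEB_IDENTITY_TOKEN_FILE"
            - aws sts get-caller-identity   # sanity check: must print the assumed role, not an IAM user
            # 2. Exchange the assumed-role credentials for a CodeArtifact token (expires in hours)
            - export CODEARTIFACT_AUTH_TOKEN="$(aws codeartifact get-authorization-token --domain my-domain --domain-owner 123456789012 --query authorizationToken --output text)"
            # 3. settings.xml references the token as ${env.CODEARTIFACT_AUTH_TOKEN}, so it never
            #    lands in the repository or in the build log
            - mvn -s settings.xml -B deploy
            - rm -f "$AWS_WEB_IDENTITY_TOKEN_FILE"   # the OIDC token is only needed for the exchange
```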
I am trying to integrate Jenkins with K8s secrets in a dedicated namespace, but even after creating the service account and secret, I still see Test Connection failures.
You need to create the Jenkins global credential with the secret for the cluster to be authenticated. Do try using the default namespace initially. Also double-check your k8s URL by running kubectl cluster-info.
I am using the Azure DevOps CLI on one of my pipelines. In order to use the CLI I need to log in (authenticate) first. Unlike when using the REST API, I can't use the OAuth token that is available to me.
So here's my understanding of my options:
I can do an "az login" using a PAT that I map to this environment variable:
AZURE_DEVOPS_EXT_PAT
THIS IS THE WAY I'm doing it now.
Apparently you can use a Service Principal. I like this the most because I should theoretically be able to have this principal apply to everyone on my team. Is that correct?
Use "az login" with a user/password. This is the least desirable way of doing it because it involves passing around credentials. Too messy.
Although my pipeline has the OAuth token exposed (System.AccessToken), it cannot be used by the CLI. For example, if I try to assign the value of the OAuth token to AZURE_DEVOPS_EXT_PAT it fails (AZURE_DEVOPS_EXT_PAT=$System.AccessToken).
Questions:
Is it possible to use the OAuth token to log in to the CLI?
Is the Service Principal the best way to go?
Additional Info:
I do not have subscriptions, only a tenant-id; we're not creating any Azure resources, we're an AWS shop that happens to be using ADO only for CI/CD.
Use az devops login instead of az login
From your pipeline use:
- script: echo $(AccessToken) | az devops login
  env:
    AccessToken: $(System.AccessToken)
A few interesting notes:
Secrets (like System.AccessToken) are available to scripts unless you pass them in explicitly as environment variables
The System.AccessToken variable is the default access token of the build agent.
There is a project-specific build agent and a project-collection build agent. The one you use is actually controlled by the 'limit access to current project scope' flag in the Pipeline settings for the project.
You may need to elevate permissions for the build agent if you're trying to manipulate objects. For example, you could grant the Create Tag permission on a repository if you wanted the build agent to update the repository.
You can also create your own PAT token with permissions that you specify.
Is there a way to add global tool configurations for Artifactory and AWS in Jenkins through the CLI?
I'm trying to write a Chef cookbook for automating the creation of a Jenkins job, but I don't know how to add credentials for tools.
Credentials don't depend on the tools which will use them.
You can register credentials in general through the Jenkins Credentials Plugin API: see for instance
How to create jenkins credentials via the REST API? (similar to jenkins_api_client issue 162)
update Jenkins credentials by script
You can then use those credentials in association with a Jenkins Job.
Your question is twofold.
Credentials
The Jenkins chef cookbook offers a jenkins_credentials resource, which allows you to pipe credentials (using Jenkins API internally) into your Jenkins instance.
Global Tool Configuration
You can use the jenkins_script resource of the same cookbook to execute any Groovy script. This allows you to configure your Jenkins instance. You now just have to figure out exactly what the code is to, e.g., select the previously defined credentials. But the code looks similar to the example given in the cookbook's README.
I am working on a Jenkins plugin that uses the new Bitbucket Build Status API. The best way to access the API is using OAuth.
What is the best way of building OAuth into my Jenkins plugin? Should I use an OAuth Java library, or is there another Jenkins plugin I can make my plugin depend on?
How would the process of "connecting" Jenkins and my plugin to the Bitbucket account (granting access and storing the tokens) work?
There is already a plugin for Jenkins that does exactly what you need, I guess, and uses OAuth for authentication. Just take a look at the plugin.