https://github.com/cyberark/conjur-credentials-plugin
Conjur plugin for securely providing credentials to Jenkins jobs
- Host: GitHub
- URL: https://github.com/cyberark/conjur-credentials-plugin
- Owner: cyberark
- License: apache-2.0
- Created: 2018-09-21T18:29:51.000Z (over 6 years ago)
- Default Branch: main
- Last Pushed: 2023-08-09T07:38:28.000Z (over 1 year ago)
- Last Synced: 2024-06-12T04:52:56.613Z (8 months ago)
- Topics: conjbot-notify, conjur, jenkins, jenkins-plugin, secrets
- Language: Java
- Size: 2.25 MB
- Stars: 12
- Watchers: 22
- Forks: 25
- Open Issues: 6
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md
# conjur-credentials-plugin
**This repo is no longer maintained. See https://github.com/jenkinsci/conjur-credentials-plugin for the latest code!**
This Conjur plugin securely provides credentials that are stored in Conjur to Jenkins jobs.
## Reference
* [SECURING SECRETS ACROSS THE CI/CD PIPELINE](https://www.conjur.org/use-cases/ci-cd-pipelines/)
* [CI/CD Servers Know All Your Plumbing Secrets](https://www.conjur.org/blog/ci-cd-servers-know-all-your-plumbing-secrets/)
## Usage
After installing the plugin and restarting Jenkins, you are ready to start.
### Conjur Login Credential
The first step is to store the credential required for Jenkins to connect to Conjur. Click the **Credentials** tab.
Define the credential as a standard "Username with password" credential. In the example below, the credentials are a Conjur host and its API key:
* **Username** is host/frontend/frontend-01. The host must already be defined as a host in Conjur policy.
* **Password** is the API key for that host. The API key is the value returned by Conjur when the host is loaded in policy.
![Conjur Login Credential](docs/images/ConjurLogin-Credential.png)
### Global Configuration
A global configuration allows any job to use the configuration, unless a folder-level configuration overrides the global configuration. Click the **Global Credentials** tab.
Define the Conjur Account and Appliance URL to use.
![Global Configuration](docs/images/GlobalConfiguration.png)
### Folder Property Configuration
To set the Conjur appliance information at the folder level, click the **FolderLevel** tab.
If the checkbox "Inherit from parent?" is checked, the values set here are ignored, and values are taken from the parent folder. If all folders up the hierarchy are set to inherit from their parent, the global configuration is used.
![Folder Property Configuration](docs/images/FolderConfiguration.png)
Requests to Conjur will fail unless one of the following is true:
* An SSL certificate is specified in the SSL certificate field.
  **Note**: The SSL certificate can be linked to a certificate already stored in Jenkins (defined as credentials).
* There is a certificate locally defined in the cacerts of the JVM sending the requests.
* Conjur is not set up to use SSL.
### Conjur Secret Definition
The secrets that you want to obtain from Conjur must be defined explicitly. Use the **ConjurSecret** tab to define secrets. Define them as credentials of kind "Conjur Secret Credential".
![Conjur Secret Definition](docs/images/ConjurSecret-Credential.png)
### Usage from a Jenkins pipeline script
To reference Conjur secrets in a Jenkins script, use `withCredentials` and the symbol `conjurSecretCredential`.
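Here is an example showing how to fetch the secret from a Jenkins job pipeline definition.
```groovy
node {
    stage('Work') {
        withCredentials([conjurSecretCredential(credentialsId: 'DB_PASSWORD',
                                                variable: 'SECRET')]) {
            // Single quotes: Groovy does not expand $SECRET, so this step prints
            // the text literally. Inside this block the secret is available to
            // build steps as the environment variable SECRET.
            echo 'Hello World $SECRET'
        }
    }
    stage('Results') {
        echo 'Finished!'
    }
}
```
### Usage from a Jenkins Freestyle Project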
To bind to Conjur secrets, use the option "Use secret text(s) or file(s)" in the "Build Environment" section of a Freestyle project.
![Secret bindings on Freestyle Project](docs/images/SecretBindingsOnFreestyle.png)
Secrets are injected as environment variables to the build steps of the project.
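In a pipeline job the same environment variable is what a shell step should consume. The pipeline below is an added example, not part of the plugin's README, contrasting Groovy string interpolation of the secret with letting the shell read it from the environment. It assumes a Unix agent (the `sh` step) and reuses the `DB_PASSWORD` credential ID from the pipeline example; `./run-migrations.sh` is a hypothetical script.

```groovy
// Added example, not from the plugin's README.
// Assumes a Unix agent and a hypothetical ./run-migrations.sh script.
node {
    stage('Avoid') {
        withCredentials([conjurSecretCredential(credentialsId: 'DB_PASSWORD',
                                                variable: 'SECRET')]) {
            // Double quotes: Groovy expands ${SECRET} before the shell starts,
            // so the secret value becomes part of the command text itself.
            // The Jenkins documentation describes this as insecure
            // Groovy string interpolation.
            sh "./run-migrations.sh --password ${SECRET}"
        }
    }
    stage('Prefer') {
        withCredentials([conjurSecretCredential(credentialsId: 'DB_PASSWORD',
                                                variable: 'SECRET')]) {
            // Single quotes: Groovy passes the text through unchanged and the
            // shell resolves $SECRET from the environment set by withCredentials.
            sh './run-migrations.sh --password "$SECRET"'

            // Stricter variant: hand the value over as an environment variable
            // so it never appears in the script's argument list.
            sh 'DB_PASSWORD="$SECRET" ./run-migrations.sh'
        }
    }
}
```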
## License
This repository is licensed under Apache License 2.0 - see [`LICENSE`](LICENSE) for more details.