Managing Secrets in Spinnaker – Loading Jenkins Credentials through Environment Variables

After adding a Jenkins master to Spinnaker with the hal command, the ci section of the hal config looks like the following:

ci:
  jenkins:
    enabled: true
    masters:
    - name: opsmx-jenkins-master
      permissions: {}
      address: http://opsmx-jenkins.com/jenkins
      username: opsmx_username
      password: password_in_plain_text

Can we pass the Jenkins credentials as environment variables to Spinnaker? Yes. This blog explains how it can be achieved in two different ways:

    • Referring to environment variables in hal config
    • Referring to environment variables in igor-local.yml

Referring to environment variables in hal config

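In addition to setting the environment variables on the machine Spinnaker is running on (or in the igor pod, in the case of distributed Spinnaker), run the following hal command, which uses the environment variables JENKINS_ADDRESS, JENKINS_USERNAME and JENKINS_PASSWORD instead of the actual Jenkins credentials. The single quotes keep the shell from expanding the variables, so the literal ${...} placeholders are what gets written to the hal config: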

hal config ci jenkins master add opsmx-jenkins-master \
--address '${JENKINS_ADDRESS}' \
--username '${JENKINS_USERNAME}' \
--password '${JENKINS_PASSWORD}'

The hal config now looks like this:

ci:
  jenkins:
    enabled: true
    masters:
    - name: opsmx-jenkins-master
      permissions: {}
      address: ${JENKINS_ADDRESS}
      username: ${JENKINS_USERNAME}
      password: ${JENKINS_PASSWORD}

Running “hal deploy apply” now pushes this configuration to igor.yml, and the igor service substitutes the variables with the actual credentials at runtime.

Referring to environment variables in igor-local.yml

This method gives the flexibility to use the environment variables in igor-local.yml (or in spinnaker-local.yml) instead of referencing them directly in the hal config.

Hal command

Instead of passing the actual Jenkins credentials to the hal command, use the following:

hal config ci jenkins master add opsmx-jenkins-master \
--address '${jenkins.address}' \
--username '${jenkins.username}' \
--password '${jenkins.password}'

where jenkins.address, jenkins.username and jenkins.password are the configuration properties we will add in igor-local.yml.

Now the hal config looks like this:

ci:
  jenkins:
    enabled: true
    masters:
    - name: opsmx-jenkins-master
      permissions: {}
      address: ${jenkins.address}
      username: ${jenkins.username}
      password: ${jenkins.password}

Configure igor-local.yml

Along with any existing configuration, add the following to igor-local.yml, which is placed in the ~/.hal/default/profiles directory. (If you do not see a “default” directory inside .hal, no deployment has happened yet, so create the directory structure manually or run “hal deploy apply”, which creates it for you.)

jenkins:
  address: ${JENKINS_ADDRESS}
  username: ${JENKINS_USERNAME}
  password: ${JENKINS_PASSWORD}

where JENKINS_ADDRESS, JENKINS_USERNAME and JENKINS_PASSWORD are the environment variables.

Finally, run “hal deploy apply” for the above configuration to take effect.
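
With either method, the hal config (and igor-local.yml) can be scanned to confirm that no literal Jenkins password was left behind. The script below is an added example, not part of the original post or of Halyard; the function names, the legacy-master entry and the sample config are constructed, and it assumes that only a whole-value ${...} counts as a reference.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or from Halyard.
# Flags Jenkins passwords stored as literals instead of ${...} placeholders.
# Usage: audit_jenkins_secrets [file]   (reads stdin when no file is given)
# Prints "<master-name> password" per finding; returns 1 if any were found.
audit_jenkins_secrets() {
  awk -v sq="'" '
    { line = $0; sub(/[ \t]+$/, "", line) }
    line == "" || line ~ /^ *#/ { next }            # blank line or comment
    { rest = line; sub(/^ +/, "", rest); indent = length(line) - length(rest) }
    # Leave the jenkins block once indentation drops back to its level.
    in_blk && indent <= blk_indent { in_blk = 0 }
    !in_blk && line ~ /^ *jenkins:$/ {
      in_blk = 1; blk_indent = indent; name = "(unnamed)"; next
    }
    !in_blk { next }
    line ~ /^ *- name:/ { name = $NF }
    line ~ /^ *password:/ {
      val = line
      sub(/^ *password: */, "", val)
      gsub("^[\"" sq "]|[\"" sq "]$", "", val)      # drop surrounding quotes
      # Assumption: only a whole-value ${...} counts as a reference.
      if (val != "" && val !~ /^[$][{][^}]+[}]$/) { print name, "password"; bad = 1 }
    }
    END { exit bad + 0 }
  ' "${1:--}"
}

# Constructed sample: legacy-master keeps a literal password, the second
# master uses placeholders, and the last block lies outside ci.jenkins.
sample_config() {
  cat <<'EOF'
ci:
  jenkins:
    enabled: true
    masters:
    - name: legacy-master
      address: http://jenkins.example.invalid/jenkins
      username: ci_user
      password: password_in_plain_text
    - name: opsmx-jenkins-master
      address: ${JENKINS_ADDRESS}
      username: ${JENKINS_USERNAME}
      password: ${JENKINS_PASSWORD}
unrelated:
  password: outside-the-jenkins-block
EOF
}
sample_config | audit_jenkins_secrets || echo "literal Jenkins password found"
```

Because the scan keys on indentation under a jenkins: line, it works both on the ci section of the hal config and on the top-level jenkins: block of igor-local.yml.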

Coming soon…

Managing Secrets using Vault, Encrypting Secrets and more… coming soon…
