@infamousjoeg
Last active July 22, 2022 19:05
Runbook for Jenkins Integration with Conjur POC - Conjur Configurator

Conjur POC

Jenkins Integration Runbook

Conjur Configurator

Enable JWT Authenticator for Jenkins

  1. Run ./setup.sh.
  2. Select 1 to Import Previous Configuration.
  3. Select 8 to Enable JWT for Jenkins.
  4. Enter the URL to access Jenkins.
  5. Enter the Conjur admin password.
  6. Instructions will be printed after successfully enabling the authenticator and loading policy into Conjur.
  7. Copy the instructions & save for Jenkins Admin.

Import Conjur SSL Certificate into Jenkins Java Keystore

  1. Login as a sudo-capable user to the Jenkins host server.
  2. Set the Conjur Leader host name to an environment variable by running the command export CONJUR_LEADER=conjurleader.dns, where conjurleader.dns is the DNS for your Conjur Leader host.
  3. Copy the Conjur SSL Certificate locally by running the command: openssl s_client -showcerts -connect $CONJUR_LEADER:443 < /dev/null 2> /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > conjur.pem
  4. With conjur.pem now located on the local file system, the keytool will be used to import into the Java keystore: sudo keytool -importcert -file conjur.pem -cacerts -keypass changeit -storepass changeit -noprompt -alias conjur
  5. If Step #4 failed, find the cacerts keystore file and use the following command instead: sudo keytool -import -alias conjur -keystore /etc/ssl/certs/java/cacerts -file conjur.pem
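The certificate fetch and import from Steps 2 to 5 as one script, added here as an example and not part of the original gist. It assumes openssl and keytool are on PATH, the default cacerts store password changeit, and that it is run with sudo; the function names (extract_pem, cert_count, fetch_conjur_cert, import_into_cacerts, verify_import) are mine.

```shell
#!/bin/sh
# Added example (not from the original runbook): fetch the Conjur Leader's
# certificate and import it into the Jenkins host's Java cacerts keystore,
# falling back to the explicit keystore path as the runbook's Step 5 does.
# Assumes openssl and keytool on PATH, store password "changeit", run via sudo.
set -eu

CACERTS_FALLBACK=/etc/ssl/certs/java/cacerts   # path from the runbook's Step 5
STOREPASS=changeit
# Keep only the PEM certificate blocks from openssl s_client output (runbook's sed filter).
extract_pem() {
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Count certificates in a PEM file; -showcerts returns the whole chain, so this may be >1.
cert_count() {
  grep -c -- '-BEGIN CERTIFICATE-' "$1" || true
}

# Download the leader's certificate chain over TLS and save it as PEM (runbook Step 3).
fetch_conjur_cert() {   # $1 = leader DNS name, $2 = output file
  openssl s_client -showcerts -connect "$1:443" </dev/null 2>/dev/null | extract_pem >"$2"
  [ "$(cert_count "$2")" -gt 0 ] || { echo "no certificate received from $1" >&2; return 1; }
}

# Import as a trusted entry: try the -cacerts shortcut first, then the explicit path.
import_into_cacerts() {   # $1 = PEM file, $2 = alias
  if keytool -importcert -file "$1" -cacerts -storepass "$STOREPASS" -noprompt -alias "$2"; then
    return 0
  fi
  echo "keytool -cacerts failed, retrying with $CACERTS_FALLBACK" >&2
  keytool -importcert -file "$1" -keystore "$CACERTS_FALLBACK" -storepass "$STOREPASS" -noprompt -alias "$2"
}

# Confirm the alias is present and print the PEM's SHA-256 fingerprint to compare with keytool's.
verify_import() {   # $1 = PEM file, $2 = alias
  keytool -list -cacerts -storepass "$STOREPASS" -alias "$2" \
    || keytool -list -keystore "$CACERTS_FALLBACK" -storepass "$STOREPASS" -alias "$2"
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

main() {
  leader="${CONJUR_LEADER:?export CONJUR_LEADER=conjurleader.dns first}"
  fetch_conjur_cert "$leader" conjur.pem
  import_into_cacerts conjur.pem conjur
  verify_import conjur.pem conjur
}
# Runs end-to-end only when invoked as: sudo -E ./import-conjur-cert.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Compare the fingerprint printed by openssl with the one keytool lists for the conjur alias; if they differ, the keystore entry is not the certificate the leader is serving.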

Example of Instructions Given

----------Instructions----------
Please fill in the Jenkins plugin configuration with this information:
Conjur Appliance
Account - conjurpoc
Appliance URL - https://ec2-52-21-56-50.compute-1.amazonaws.com
Conjur Auth Credential - Leave Blank
Conjur SSL Certificate - Import Cert directly into Jenkins keystore

Conjur JWT Authentication
Enable JWT Key Set endpoint? - checked
Auth WebServiceID - authn-jwt/jenkins1
JWT Audience - https://ec2-52-21-56-50.compute-1.amazonaws.com
Signing Key Lifetime In Minutes - 5
JWT Token Duration In Seconds - 60
Enable Context Aware Credential Stores? - checked
Identity Field Name - conjur_host
Identity Format Fields - jenkins_name
Identity Fields Separator - "-"

Create a folder with the name - Dev-Team-1
Create a folder with the name - Dev-team-2
Create Pipeline Jobs within each folder called - Job1 and Job2
----------End----------

Jenkins

Install Conjur Secrets Plugin

  1. Login to Jenkins UI as admin or a user with administrative privileges.
  2. Select Manage Jenkins from the left sidebar menu.
  3. Select Manage Plugins from the new page that loads.
  4. Select Available tab from the Plugin Manager page that loads.
  5. In the Search bar, search for Conjur Secrets.
  6. Check the box next to the returned result Conjur Secrets and click the button Download now and install after restart.
  7. On the install page that loads, check the box at the very bottom that says, Restart Jenkins when installation is complete and no jobs are running. The plugin will not work properly until Jenkins is restarted.

Configure Conjur Secrets Plugin

  1. Be sure you have the instructions that were returned after enabling JWT for Jenkins in Conjur as they will be needed for this section.
  2. Login to Jenkins UI as admin or a user with administrative privileges.
  3. Select Manage Jenkins from the left sidebar menu.
  4. Select Configure System from the new page that loads.
  5. Scroll down until you find the section titled Conjur Appliance.
  6. For the Account, put the value given in the instructions for Account.
  7. For the Appliance URL, put the value given in the instructions for Appliance URL.
  8. For both Conjur Auth Credential and Conjur SSL Certificate, we will keep those values the same, which should be - none -. The Conjur SSL Certificate was imported into the Jenkins host's Java keystore in a previous step.
  9. Scroll down a bit further to the section titled, Conjur JWT Authentication.
  10. Check the box for Enable JWT Key Set Endpoint to activate the JWT capabilities of Jenkins for Conjur.
  11. For the Auth WebService ID, put the value given in the instructions for Auth WebService ID.
  12. For the JWT Audience, put the value given in the instructions for JWT Audience.
  13. For the Signing Key Lifetime in Minutes, change the value to 5.
  14. For the JWT Token Duration in Seconds, change the value to 60.
  15. Check the box for Enable Context Aware Credential Stores to activate auto-creation of authorized secrets into the Conjur Credential Store for each resource in Jenkins.
  16. For the Identity Field Name set it to conjur_host.
  17. For the Identity Format Fields and Identity Fields Separator, leave the values as they are.
  18. Click the Save button at the bottom to save all the configuration changes made.