@msoranno
Last active May 3, 2019 11:19
External jenkins - kubernetes cluster
  1. kubectl create namespace kubernetes-plugin-test

  2. kubectl apply -n kubernetes-plugin-test -f service-account.yml

  • service-account.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22
metadata:
  name: jenkins
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 was removed in Kubernetes 1.22
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins
  3. Extract ca.crt and token from the secret using this script
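#!/bin/bash
# Stop on the first failing command, unset variable or broken pipeline
set -euo pipefail

SERVICE_ACCOUNT="jenkins"
NAMESPACE="kubernetes-plugin-test"

# Name of the token secret attached to the service account
# (from Kubernetes 1.24 on, this secret is no longer created automatically)
SECRET=$(kubectl get serviceaccount "$SERVICE_ACCOUNT" -n "$NAMESPACE" -o json | jq -Mr '.secrets[].name | select(contains("token"))')

# Decode and print the bearer token
TOKEN=$(kubectl get secret "$SECRET" -n "$NAMESPACE" -o json | jq -Mr '.data.token' | base64 -d)
echo
echo "$TOKEN"
echo

# Decode the cluster CA certificate, save it to /tmp/ca.crt and print it
kubectl get secret "$SECRET" -n "$NAMESPACE" -o json | jq -Mr '.data["ca.crt"]' | base64 -d > /tmp/ca.crt
cat /tmp/ca.crt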
  • the script prints the token followed by the CA certificate (which is also saved to /tmp/ca.crt)

  4. Create a Jenkins credential of type "Secret text" and put the token in it.

  5. Go to the Kubernetes plugin configuration in Jenkins, paste the certificate and select the credential.
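
A check to run on the extracted token before storing it as the Jenkins credential, as an added example that is not part of the original gist: it decodes the JWT claims without verifying the signature, confirms the token belongs to the intended service account, and flags a token that carries no expiry. The function names and the sample token are constructed for illustration.

```python
import base64
import json

PREFIX = "kubernetes.io/serviceaccount/"  # claim prefix used by secret-based tokens

def b64url(segment: str) -> bytes:
    """Decode one JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_sa_token(token: str, namespace: str, account: str) -> dict:
    """Read the claims WITHOUT verifying the signature (the API server does that)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        claims = json.loads(b64url(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    findings = []
    if claims.get("sub") != f"system:serviceaccount:{namespace}:{account}":
        findings.append("token belongs to a different service account")
    if "exp" not in claims:
        findings.append("no exp claim: token does not expire on its own")
    return {
        "namespace": claims.get(PREFIX + "namespace"),
        "account": claims.get(PREFIX + "service-account.name"),
        "secret": claims.get(PREFIX + "secret.name"),
        "findings": findings,
    }

def make_sample_token(claims: dict) -> str:
    """Build a constructed token for the demo; the signature part is a dummy."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "ZHVtbXk"])

SAMPLE = make_sample_token({  # constructed claims, shaped like a secret-based token
    "iss": "kubernetes/serviceaccount",
    PREFIX + "namespace": "kubernetes-plugin-test",
    PREFIX + "secret.name": "jenkins-token-example",
    PREFIX + "service-account.name": "jenkins",
    "sub": "system:serviceaccount:kubernetes-plugin-test:jenkins",
})

if __name__ == "__main__":
    print(json.dumps(inspect_sa_token(SAMPLE, "kubernetes-plugin-test", "jenkins"), indent=2))
```

A token with no `exp` claim stays usable after it has been copied into Jenkins, so rotating it means deleting the backing secret in the cluster and updating the credential.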
