Managing Jenkins X secrets


Warning
Configuring CloudBees Jenkins X Distribution with Vault is not secure at this time: Vault is exposed through Ingress over plain HTTP rather than HTTPS, so the Vault token and any secrets you retrieve cross the network in cleartext. Use of Vault is not recommended for highly sensitive data.

In traditional computing infrastructures, all of the resources and components (hardware, networking, availability, security and deployment) as well as associated labor costs are locally managed. Third-party computing environments such as cloud service providers and Git hosts offer decentralized solutions with distinct advantages in service reliability and costs over the traditional solutions.

However, one issue with using cloud services, distributed storage, and remote repositories is the lack of the trusted networks, vetted hardware, and other closely observed security measures practiced in locally-hosted infrastructure. For the sake of convenience, users often store sensitive information such as authentication credentials in open, public repositories, where anyone who finds them can misuse them.

HashiCorp Vault is one tool that centralizes the management of secrets: resources that authenticate you to your computing environment, such as tokens, keys, passwords, and certificates.

CloudBees Jenkins X Distribution handles security and authentication resources through its integration with Vault. Users can deploy Vault to securely store and manage the secrets their development platform depends on.

CloudBees Jenkins X Distribution installs and configures Vault for your cluster by default through the cluster creation process. Refer to Creating a Jenkins X cluster for more information.

Vault features

Vault is a server with a command-line client and an HTTP API that stores secrets and grants access to them. It manages the complexity of secure resource access:

  • Storing secrets - Vault stores secrets in encrypted form in its storage backend, which can be local disk or a remote storage bucket.

  • Secret creation and deletion - Vault can generate short-lived credentials on demand, such as access to storage buckets or database authentication keys, and revoke them when they are no longer needed.

  • Encrypting data - Vault encrypts secrets before writing them to local disk or a remote storage bucket, so the storage backend never holds them in plaintext.

Using Vault with CloudBees Jenkins X Distribution

CloudBees Jenkins X Distribution interacts with Vault via the jx command line program. There are commands for creating, deleting, and managing secrets and vaults.

CloudBees Jenkins X Distribution uses Vault to store all Jenkins X secrets, such as the GitHub personal access token generated for the pipeline bot when creating a Jenkins X cluster. It also stores any GitOps secrets, such as passwords for storage buckets, and keys for secure server access.

Secrets can be retrieved by the pipeline, or from the command line when you are logged in as the account associated with the Kubernetes service, along with any secrets stored in the jx namespace for the pipeline.

Vaults are provisioned in Kubernetes using vault-operator, a Kubernetes operator that is installed when Vault is configured during cluster creation and Jenkins X installation on the cluster.

Creating a Vault

A vault is created by default during the cluster creation process, unless you specified during cluster configuration that no vault should be created. In that case, you can create one post-installation with the jx create command-line interface:

jx create vault
  1. The program asks for the name you want for your vault (for example, acmevault).

  2. The program asks for your Google Cloud zone of choice. Refer to Regions and Zones in the Google Cloud documentation for more information. In this example, us-east1-c is chosen for proximity to Acme Headquarters.

  3. If you have a storage bucket configured from creating a cluster with jx boot, the jx create vault command scans your installation for Vault-related storage buckets and, if it finds any, prompts you to approve deleting and recreating the Vault from scratch.

  4. The program asks for the Expose type for your vault, which determines the rules and routes created for the cluster load balancer and other services. The default is Ingress.

  5. The program asks for a cluster domain. The default is the one created in the cluster creation process, such as 192.168.1.100.nip.io.

  6. The program asks for a URLTemplate. Press Enter to use the default value.

  7. The program summarizes your answers to the previous questions and prompts you to approve the Vault creation (the default is Yes).

Retrieving Vault secrets

If you need to recall your secrets (such as a password, keypair, or token), you can run the jx get command to print the Vault address, which you can open in your browser, and the Vault token used to log in to the Vault.

jx get vault-config

The output is in the form of export statements. For example:

export VAULT_ADDR=http://acmevault1.jx.192.168.1.100.nip.io
export VAULT_TOKEN=t.lBNBWR9JIMwwH9AXD95grlwmn

These export statements can be evaluated in your shell to run Vault's own client command-line tools, or the address can be opened in a web browser and the token pasted into the Vault login page to retrieve stored secrets. Treat the output as a secret in its own right: the Vault token is a bearer credential, so anyone who reads it from your terminal history or a pipeline log can retrieve every secret it has access to.
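The following script is an added example and is not part of the CloudBees documentation or the jx tooling. It shows one way to consume the jx get vault-config output without eval'ing whatever the command printed: it parses the two export lines and refuses to load them when VAULT_ADDR is plain HTTP, which is the situation the warning at the top of this page describes. The sample configuration text is constructed to match the shape of the output shown above; the address and token in it are not real.

```shell
#!/bin/sh
# Added example, not CloudBees or Jenkins X code. Parses the export statements
# printed by `jx get vault-config` and loads them into the environment only
# when the Vault address uses TLS, so the bearer token never crosses the
# network in cleartext.

# Constructed sample shaped like `jx get vault-config` output (not real values).
SAMPLE_CONFIG='export VAULT_ADDR=http://acmevault1.jx.192.168.1.100.nip.io
export VAULT_TOKEN=t.lBNBWR9JIMwwH9AXD95grlwmn'

# Print the value of one variable from the export lines; prints nothing if
# the variable is absent. $1: config text, $2: variable name.
vault_config_value() {
    printf '%s\n' "$1" | sed -n "s/^export $2=//p" | head -n 1
}

# Return 0 when VAULT_ADDR in the config uses https, 1 otherwise
# (plain http, or the variable is missing entirely).
vault_addr_is_tls() {
    addr=$(vault_config_value "$1" VAULT_ADDR)
    case "$addr" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Load VAULT_ADDR and VAULT_TOKEN into the environment, refusing when the
# transport is not TLS. Usage: load_vault_config "$(jx get vault-config)"
load_vault_config() {
    if ! vault_addr_is_tls "$1"; then
        echo "refusing to load: VAULT_ADDR is not https, token would be sent in cleartext" >&2
        return 1
    fi
    VAULT_ADDR=$(vault_config_value "$1" VAULT_ADDR)
    VAULT_TOKEN=$(vault_config_value "$1" VAULT_TOKEN)
    export VAULT_ADDR VAULT_TOKEN
}

# Stand-alone run: the sample above is plain HTTP, so loading it is refused.
if load_vault_config "$SAMPLE_CONFIG"; then
    echo "loaded Vault config for $VAULT_ADDR"
else
    echo "Vault config rejected (see warning above)"
fi
```

Once a configuration has been loaded this way, Vault's own client can confirm the token is valid against that server with vault token lookup before you fetch anything. Parsing the two known variables rather than eval'ing the output also means an unexpected extra line in the command's output cannot execute in your shell.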

Deleting a Vault

If you need to delete your vault, for example because of a misconfiguration or a change in the authentication protocols of third-party resources, use the jx delete command with the name of the Vault. This removes the Vault together with every secret stored in it, so make sure nothing you still need lives only there before running it.

jx delete vault acmevault

If you have any questions or feedback on the CloudBees Jenkins X Distribution documentation, send them to jx-feedback@cloudbees.com.