One of the most anticipated Operator Service features is finally here! The Operator Service for Jenkins now integrates with the most broadly adopted identity providers. If your organization relies on GitHub or Google for authentication, this feature brings your Jenkins fully in line with your organizational standards.

Until now, setting up authentication GitOps-style in Operator Service required writing custom Groovy scripts and mounting them into Jenkins. Even then, this was not always possible due to architectural limitations. On the other hand, all changes made through the UI were volatile.

Now, thanks to the newly introduced Custom Resource, only a small amount of basic information is required for an effortless authentication process. The status-watching and friendly logging, in addition to descriptive documentation, greatly simplify the setup process.

Let’s take a look at the JenkinsAuthentication Custom Resource:

apiVersion: operator-service.com/v1beta1
kind: JenkinsAuthentication
metadata:
  name: oauth
  namespace: default
  labels:
    operator-service.com/jenkins: example
spec:
  type: githubOAuth
  githubOAuth:
    clientSecretRef:
      namespace: default
      name: authn-secret
    clientID: <github-client-id>
    scopes:
      - "read:org"
      - "user:email"
    webURI: "https://github.com"
    APIURI: "https://api.github.com"

The only required fields here are clientID and the secret reference (clientSecretRef). The remaining fields are optional and default to the values shown in the example. You also need to create the Secret you are referencing:

apiVersion: v1
kind: Secret
metadata:
  namespace: default
  name: authn-secret
  labels:
    operator-service.com/jenkins-authentication: oauth
stringData:
  clientSecret: <client-secret-from-github>

Now you’re all set to start using GitHub as an Identity Provider. Similarly, you can use Google authentication, where, apart from the client ID and client secret, you will eventually also need the Jenkins public domain.

apiVersion: operator-service.com/v1beta1
kind: JenkinsAuthentication
metadata:
  name: oauth
  namespace: default
  labels:
    operator-service.com/jenkins: example
spec:
  type: googleOAuth
  googleOAuth:
    clientSecretRef:
      namespace: default
      name: authn-secret
    clientID: <client-ID-from-google>

Please keep in mind that Jenkins supports only one authentication method at a time.
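Because these manifests live in a GitOps repository, their consistency can be checked before they are applied. The following lint is an added example, not part of the Operator Service: the function name is hypothetical, and two of its rules are assumptions inferred from the examples above (the Secret key is named clientSecret, and the Secret's label value equals the JenkinsAuthentication name).

```python
# Added example: pre-apply lint for the manifests shown in this post.
# Input: a list of dicts, e.g. what yaml.safe_load_all() yields for the GitOps repo.
from collections import Counter

JENKINS_LABEL = "operator-service.com/jenkins"
AUTH_LABEL = "operator-service.com/jenkins-authentication"

def _ns(m):
    return m["metadata"].get("namespace", "default")

def lint(manifests):
    """Return findings as strings; an empty list means the set is consistent."""
    findings = []
    secrets = {(_ns(m), m["metadata"]["name"]): m for m in manifests if m.get("kind") == "Secret"}
    auths = [m for m in manifests if m.get("kind") == "JenkinsAuthentication"]
    # Jenkins supports only one authentication method at a time.
    counts = Counter((_ns(a), a["metadata"].get("labels", {}).get(JENKINS_LABEL)) for a in auths)
    for (ns, jenkins), n in counts.items():
        if n > 1:
            findings.append(f"{ns}/{jenkins}: {n} JenkinsAuthentication resources target one Jenkins")
    for a in auths:
        name, spec = a["metadata"]["name"], a.get("spec", {})
        block = spec.get(spec.get("type")) or {}  # e.g. spec.githubOAuth
        if not block.get("clientID"):
            findings.append(f"{name}: clientID is required")
        ref = block.get("clientSecretRef") or {}
        secret = secrets.get((ref.get("namespace", "default"), ref.get("name")))
        if secret is None:
            findings.append(f"{name}: clientSecretRef does not resolve to a Secret in this set")
            continue
        # Assumption: the operator reads the key 'clientSecret', as in the post's Secret.
        if "clientSecret" not in {**secret.get("data", {}), **secret.get("stringData", {})}:
            findings.append(f"{name}: Secret {ref['name']} has no clientSecret key")
        # Assumption: the Secret's label value must equal the resource name, as in the post.
        if secret["metadata"].get("labels", {}).get(AUTH_LABEL) != name:
            findings.append(f"{name}: Secret {ref['name']} lacks label {AUTH_LABEL}={name}")
    return findings

# Constructed sample mirroring the post's GitHub example (placeholder values).
SAMPLE = [
    {"kind": "JenkinsAuthentication",
     "metadata": {"name": "oauth", "namespace": "default", "labels": {JENKINS_LABEL: "example"}},
     "spec": {"type": "githubOAuth", "githubOAuth": {
         "clientID": "<github-client-id>",
         "clientSecretRef": {"namespace": "default", "name": "authn-secret"}}}},
    {"kind": "Secret",
     "metadata": {"name": "authn-secret", "namespace": "default", "labels": {AUTH_LABEL: "oauth"}},
     "stringData": {"clientSecret": "<client-secret-from-github>"}},
]
print(lint(SAMPLE))
```

Run in CI against the parsed manifests, a non-empty result can fail the pipeline before a misconfigured login reaches the cluster.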

This is only the first step toward guaranteeing the most seamless experience and application of security standards in your CI/CD. We are currently working on connecting it with authorization mechanisms, to provide fine-grained access control inside Jenkins. And that’s not all we have up our sleeves! 

Check out our newest features and stay tuned to see what’s coming next!