Setting up Jenkins as a Continuous Integration (CI) system within Spinnaker enables using Jenkins as a Pipeline Trigger, as well as the Run Script stage, which depends on Jenkins as a job executor.
You need a running Jenkins Master at version 1.x - 2.x reachable at a URL ($BASEURL) from whatever provider/environment Spinnaker will be
If Jenkins is secured, you need a username/password ($USERNAME/$PASSWORD) pair able to authenticate against Jenkins using HTTP Basic Auth.
Add your Jenkins master
First, make sure that your Jenkins master is enabled:
hal config ci jenkins enable
Next, add a Jenkins master named my-jenkins-master (an arbitrary, human-readable name) to your list of Jenkins masters:
echo $PASSWORD | hal config ci jenkins master add my-jenkins-master \
    --address $BASEURL \
    --username $USERNAME \
    --password # password will be read from STDIN to avoid appearing
               # in your .bash_history
Note: If you use the GitHub OAuth plugin for authentication into Jenkins, you can use the GitHub $USERNAME, and use the OAuth token as the $PASSWORD.
Apply your changes:
hal deploy apply
Configure Jenkins and Spinnaker for CSRF protection
NOTE: Jenkins CSRF protection in Igor is only supported for Jenkins 2.x.
To enable Spinnaker and Jenkins to share a crumb to protect against CSRF…
1. Configure Halyard to enable the
hal config ci jenkins master edit MASTER --csrf true
MASTER is the name of the Jenkins master you’ve previously configured. If you haven’t yet added your master, use hal config ci jenkins master add instead of
Here’s what your Jenkins master configuration looks like in your Hal config:
jenkins:
  enabled: true
  masters:
    - name: <jenkins master name>
      address: http://<jenkins ip>/jenkins
      username: <jenkins admin user>
      password: <admin password>
      csrf: true
Be sure to invoke hal deploy apply to apply your changes.
2. Enable CSRF protection in Jenkins:
a. Under Manage Jenkins > Configure Global Security, select Prevent Cross Site Request Forgery exploits.
b. Under Crumb Algorithm, select Default Crumb Issuer.
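The crumb exchange that the csrf setting relies on, reproduced by hand with curl as an added example (not part of the original page or of Spinnaker's code). It can be used to confirm that Jenkins issues crumbs once CSRF protection is enabled; the function names, the JENKINS_PASSWORD variable and the sample JSON are assumptions made here.

```bash
# Added example: the Jenkins crumb exchange done by hand with curl.
# Function names, JENKINS_PASSWORD and the sample JSON are constructed here.

# Turn a /crumbIssuer/api/json response body into a "Field: value" header.
crumb_header() {
  local body field value
  body=$1
  field=$(printf '%s' "$body" | sed -n 's/.*"crumbRequestField" *: *"\([^"]*\)".*/\1/p')
  value=$(printf '%s' "$body" | sed -n 's/.*"crumb" *: *"\([^"]*\)".*/\1/p')
  # Nothing to extract: CSRF protection is off or the request was refused.
  [ -n "$field" ] && [ -n "$value" ] || return 1
  printf '%s: %s' "$field" "$value"
}

# POST to Jenkins with a fresh crumb.
# usage: jenkins_post BASEURL PATH USERNAME [extra curl args...]
# The password is taken from $JENKINS_PASSWORD.
jenkins_post() {
  local base path user jar body header rc
  base=$1; path=$2; user=$3; shift 3
  jar=$(mktemp) || return 1
  # Keep the session cookie: Jenkins can bind a crumb to the session that
  # requested it, so both requests share one cookie jar.
  body=$(curl -sf -c "$jar" -u "$user:$JENKINS_PASSWORD" "$base/crumbIssuer/api/json")
  if header=$(crumb_header "$body"); then
    curl -sf -b "$jar" -u "$user:$JENKINS_PASSWORD" -H "$header" -X POST "$@" "$base$path"
    rc=$?
  else
    echo "no crumb from $base/crumbIssuer/api/json" >&2
    rc=1
  fi
  rm -f "$jar"
  return $rc
}

# Constructed sample response, so the parser can be checked offline.
SAMPLE='{"_class":"hudson.security.csrf.DefaultCrumbIssuer","crumb":"0123abcd","crumbRequestField":"Jenkins-Crumb"}'
crumb_header "$SAMPLE" && echo
```

A failure from jenkins_post with the "no crumb" message after CSRF protection has been enabled points at the Jenkins side (crumb issuer not selected, or credentials rejected) rather than at the Halyard configuration.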
Configure script stage
The Script stage lets you run an arbitrary shell, Python, or Groovy script on a Jenkins instance as a first class stage in Spinnaker. For example, you can use it to launch a test suite from a pipeline instead of doing it manually.
In order to configure a Script stage, you need:
- A running Spinnaker instance, with access to configuration files
- A running Jenkins instance at $JENKINS_HOST, with a user profile set up with admin access
ssh into your Jenkins machine.
Download the raw job xml config file with the command:
curl -X GET \
    -o "scriptJobConfig.xml" \
    "https://storage.googleapis.com/jenkins-script-stage-config/scriptJobConfig.xml"
Create the Jenkins job where your script will run. To do this, you need the following information:
$JENKINS_HOST: your running Jenkins instance.
$JOB_NAME: the name of the Jenkins job where your script runs.
$USER: your Jenkins username.
$USER_API_TOKEN: the API token for your user. You can find this in Jenkins in the Configure page for your user.
Then, run the command:
# Double quotes let the shell expand $JENKINS_HOST and $JOB_NAME in the URL.
curl -s -XPOST "http://$JENKINS_HOST/createItem?name=$JOB_NAME" \
    -u "$USER:$USER_API_TOKEN" --data-binary @scriptJobConfig.xml \
    -H "Content-Type:text/xml"
Navigate to Jenkins » the job you just created » Configure and do two things:
- Add the GitHub repository containing your scripts.
- Either create a Spinnaker node in which Jenkins will run all Script jobs, or de-select the Restrict where this project can be run checkbox.
At this point, you can manually run the script job in Jenkins (including manually adding necessary parameters) and see it succeed.
If your Jenkins master is named anything other than master in your Spinnaker configuration, you’ll need to add the following to orca-local.yml in order for Spinnaker to find it:
script:
  master: your-jenkins-master
  job: $JOB_NAME # from step #3
You can now use the Script stage in your pipelines.