Integrating OpenShift Authentication into Jenkins
Posted: October 19th, 2016 | Author: sabre1041 | Filed under: Technology | Tags: Authentication, Jenkins, OAuth, OpenShift

The alternate method for configuring the OpenShift Login plugin within Jenkins to facilitate single sign-on against OpenShift is to use a service account acting as a constrained form of an OAuth client. Recent versions of the OpenShift templates for Jenkins automatically configure a service account specifically tailored for Jenkins, called jenkins. Its presence can be validated by executing the following command:
oc get sa jenkins
If an error occurs, the service account does not exist. Since a service account will be used to establish the trust between Jenkins and OpenShift, it is recommended that a dedicated service account be created and used to run the Jenkins pod, rather than relying on the default service account. If the service account does not exist, execute the following command to create it:
oc create serviceaccount jenkins
After the service account has been created, patch the DeploymentConfig API object to specify the newly created jenkins service account as the service account that will be used to run the Jenkins pod:
oc patch dc jenkins -p '{ "spec": { "template": { "spec": { "serviceAccount": "jenkins","serviceAccountName": "jenkins" } } } }'
Similar to how the OAuthClient in the previous method needed to be configured with a Redirect URI specifying the location the user is redirected to after the authentication process completes, the service account itself can be annotated with an annotation named serviceaccounts.openshift.io/oauth-redirecturi containing this value. Since multiple redirect URIs can be registered, the first address is given the annotation serviceaccounts.openshift.io/oauth-redirecturi.one. Execute the following command to annotate the jenkins service account with the redirect URI:
oc annotate sa jenkins serviceaccounts.openshift.io/oauth-redirecturi.one=`oc get route jenkins --template='{{if .spec.tls }}https{{ else }}http{{ end }}://{{ .spec.host }}/securityRealm/finishLogin'`
Confirm the annotation was successfully applied by executing the following command:
oc export sa jenkins
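The steps above (check for the service account, create it if missing, patch the DeploymentConfig, derive the redirect URI from the route, annotate, and confirm) can be wrapped in a small POSIX shell script. The following is an added example, not code from the original post or from the OpenShift project; the redirect URI logic is factored into functions that mirror the oc template used above so it can be checked without a cluster, and the sample service account export and the route host jenkins-ci.apps.example.com are constructed values. The cluster steps only run when oc is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): service-account-as-OAuth-client
# setup for the Jenkins OpenShift Login plugin, with the redirect URI logic
# separated out so it can be verified offline.

# Build the redirect URI for a route host. The second argument is "true" when
# the route has TLS configured; this mirrors the template
# {{if .spec.tls }}https{{ else }}http{{ end }}://{{ .spec.host }}/securityRealm/finishLogin
redirect_uri() {
  host="$1"; tls="$2"
  if [ "$tls" = "true" ]; then scheme=https; else scheme=http; fi
  printf '%s://%s/securityRealm/finishLogin\n' "$scheme" "$host"
}

# The annotation key=value pair for the first registered redirect URI.
redirect_annotation() {
  printf 'serviceaccounts.openshift.io/oauth-redirecturi.one=%s\n' \
    "$(redirect_uri "$1" "$2")"
}

# Check an exported service account (YAML text) for the expected annotation.
# $1 = exported text, $2 = expected redirect URI. Returns 0 when present.
check_annotation() {
  printf '%s\n' "$1" | grep -qF "serviceaccounts.openshift.io/oauth-redirecturi.one: $2"
}

# Full procedure against a live cluster (current project). Returns 2 and does
# nothing when oc is not available, so the script is safe to run anywhere.
configure_jenkins_sa() {
  sa="${1:-jenkins}"
  command -v oc >/dev/null 2>&1 || { echo "oc not found; skipping cluster steps" >&2; return 2; }
  # Create the service account only if it does not already exist.
  oc get sa "$sa" >/dev/null 2>&1 || oc create serviceaccount "$sa"
  # Run the Jenkins pod under that service account instead of "default".
  oc patch dc jenkins -p "{\"spec\":{\"template\":{\"spec\":{\"serviceAccount\":\"$sa\",\"serviceAccountName\":\"$sa\"}}}}"
  host=$(oc get route jenkins --template='{{ .spec.host }}')
  tls=$(oc get route jenkins --template='{{if .spec.tls }}true{{ else }}false{{ end }}')
  # --overwrite makes the step repeatable if the annotation already exists.
  oc annotate --overwrite sa "$sa" "$(redirect_annotation "$host" "$tls")"
  # Show the result, as the post does (oc export exists in the 3.x client).
  oc export sa "$sa"
}

# Constructed sample of what "oc export sa jenkins" returns after annotation.
SAMPLE_EXPORT='apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    serviceaccounts.openshift.io/oauth-redirecturi.one: https://jenkins-ci.apps.example.com/securityRealm/finishLogin
  name: jenkins'

# Offline demonstration: derive the URI for the sample route and confirm the
# sample export carries it.
expected=$(redirect_uri jenkins-ci.apps.example.com true)
echo "expected annotation: $(redirect_annotation jenkins-ci.apps.example.com true)"
if check_annotation "$SAMPLE_EXPORT" "$expected"; then
  echo "sample export carries the expected redirect URI"
fi
```

Run the script with oc logged in to the project containing the Jenkins DeploymentConfig and call configure_jenkins_sa to apply the steps; a mismatch between the annotated URI and the Jenkins redirect URL configured in the security realm is the usual cause of a failed OAuth round trip, which is why the script derives the value from the route rather than hard-coding it.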
With the service account configured, login to a Jenkins environment that has the OpenShift Login plugin installed, but is using another security realm. Navigate to the Jenkins overview page and click Manage Jenkins and then Configure Global Security. Once again, select the Login with OpenShift radio button to expose the configurable options. Enter the same values for the OpenShift Server Prefix and OpenShift redirect URL as configured in the previous section.
Since the service account that runs the pod is also the one used for the OAuth process, no further configuration is required. The OpenShift Login plugin uses the pod's service account as the client id and reads the OAuth token that is generated at service account creation from the file automatically injected into each pod. Click Save to apply the changes. Click the log out link at the top righthand side of the page to trigger a new OAuth flow.
Enter your OpenShift username and password when the OpenShift login page is displayed and click Login. This time, you are presented with a prompt as to whether you want to trust the jenkins service account to access account information on your behalf.
This is similar to the consent step you may have encountered on other web sites, such as Facebook, when utilizing third party applications. You are also shown the types of permissions the service account will attempt to utilize. After reviewing the details, select Allow selected permissions, which allows the OAuth process to continue; upon successful authentication, the browser is redirected to the Jenkins homepage.
The inclusion of the Jenkins OpenShift Login plugin is another example of the continued effort to integrate more systems and applications with the OpenShift ecosystem. Continuous Integration and Continuous Delivery have become the framework for how organizations iterate rapidly and deploy software in a repeatable manner and it is only natural that the OpenShift Container Platform provides a deeper level of integration with one of the most popular Continuous Integration servers on the market. The entire installation and configuration of the Jenkins OpenShift Login plugin is expected to be streamlined once it and the corresponding Jenkins image from Red Hat are officially bundled in a future release of OpenShift.
The majority of the functionality to enable the dynamic capabilities between Jenkins and OpenShift is through the use of several Jenkins plugins. Plugins can be installed in Jenkins by logging onto the master web interface and selecting the Manage Jenkins link on the lefthand side, and then selecting Manage Plugins.