Skip to content
Closed
Show file tree
Hide file tree
Changes from 40 commits
Commits
Show all changes
47 commits
Select commit Hold shift + click to select a range
406869c
jenkins: add Chainguard Jenkins demo with first sample pipeline
ericsmalling May 6, 2026
8bdba80
jenkins: add Adoptium Java 8 + Jetty/JSP runnable WAR sample
ericsmalling May 6, 2026
f2c2643
jenkins: add OpenJDK 21 + Gradle standalone JAR sample
ericsmalling May 6, 2026
b522422
jenkins: add Python 3.14 + uv Flask sample with OCI image push
ericsmalling May 6, 2026
3947c27
jenkins: add Python 3.12 + pip + Django sample with OCI image push
ericsmalling May 6, 2026
15c7ace
jenkins: add Node 22 + npm + Express sample with OCI image push
ericsmalling May 6, 2026
7fc8526
jenkins: add Node 25 + pnpm + Express sample on node:25-slim
ericsmalling May 6, 2026
09aafdb
jenkins: refresh README to reflect all 7 sample apps
ericsmalling May 6, 2026
927cce2
jenkins: make the Chainguard org configurable via .env / CHAINGUARD_ORG
ericsmalling May 6, 2026
56fe512
jenkins: replace hardcoded image strings with cgImage shared library
ericsmalling May 6, 2026
42bb37f
jenkins: pin cgImage catalog entries to image digests
ericsmalling May 6, 2026
68066cb
jenkins: add scheduled refresh-cgimages-digests job (every 4h)
ericsmalling May 7, 2026
951fabd
jenkins: replace pull-token auth with OIDC assumed identity
ericsmalling May 7, 2026
bad1bd6
jenkins: note OIDC↔Harbor relationship in PLAN.md future enhancements
ericsmalling May 7, 2026
bc81914
jenkins: add optional Harbor pull-through cache + push target (Modes …
ericsmalling May 7, 2026
bd5131a
jenkins: add top-level teardown.sh that reverses everything setup.sh did
ericsmalling May 7, 2026
fe72a1f
jenkins: serve Harbor UI over HTTPS to dodge gorilla/csrf v1.7.3 orig…
ericsmalling May 7, 2026
95e9b02
jenkins: cosign-sign and verify OCI images via the credentials store
ericsmalling May 7, 2026
f092927
jenkins: remove hardcoded smalls.xyz default, prompt for org + prefli…
ericsmalling May 7, 2026
b25190e
jenkins: preflight prints every image with green ✓ / red ✗ markers
ericsmalling May 7, 2026
b98b695
jenkins: drop ttl.sh/smalls default from the push-target prompt
ericsmalling May 7, 2026
7a19af1
jenkins: cgSign/cgVerify pick the RepoDigest matching the pushed image
ericsmalling May 7, 2026
17b6714
jenkins: add pipeline-graph-view plugin for cleaner stage display
ericsmalling May 7, 2026
4d028cc
jenkins: fix refresh-cgimages-digests under Mode B/C
ericsmalling May 7, 2026
3c3902a
Digest bumps to cgr images
ericsmalling May 8, 2026
f8ea5fb
jenkins: fix node25-pnpm-express stash failure on stale workspace
ericsmalling May 8, 2026
a521df0
jenkins/iac: fix doc inaccuracies about bootstrap flow + jenkins_issu…
ericsmalling May 11, 2026
10b6ebc
Fix typos
ericsmalling May 11, 2026
cfb31c8
jenkins: fix shell-injection risk in cgSign/cgVerify image arg
ericsmalling May 11, 2026
04af03a
jenkins: let JENKINS_ADMIN_PASSWORD actually be overridden
ericsmalling May 11, 2026
c98dfeb
jenkins: route cosign/crane helper images via PULL_REGISTRY
ericsmalling May 11, 2026
36bb12c
jenkins: harden cgLogin base64, setup.sh quoting/perms, error paths
ericsmalling May 11, 2026
ea86799
jenkins: fix kubectl --selector, bash-3.2 portability, expiration def…
ericsmalling May 11, 2026
f6e7483
jenkins: log actual PUSH_REGISTRY in Mode B, fix DinD→DooD comment
ericsmalling May 11, 2026
f08d5dc
jenkins: drop stale PLAN.md, fix push-target docs, surface teardown f…
ericsmalling May 12, 2026
8b352b0
jenkins: harden update_env, cgLogin Mode B, teardown output, env defa…
ericsmalling May 12, 2026
65969e4
jenkins: mkdir DOCKER_CONFIG in cgLogin Mode B, harden django smoke test
ericsmalling May 12, 2026
d24f252
jenkins: read cosign passphrase from file, fix doc digest example
ericsmalling May 12, 2026
ed4eacd
jenkins: HARBOR_ADMIN_PASSWORD env, cosign 600 perms, ttl.sh expiry docs
ericsmalling May 12, 2026
66e9b6d
jenkins: filter RepoDigests in Push-stage log lines
ericsmalling May 12, 2026
bdba2e9
jenkins: fileExists check, preserve tfstate on failure, JSON pull-token
ericsmalling May 12, 2026
e16c497
jenkins: validate setup.sh inputs, pipefail in cgSign/Verify, lockfil…
ericsmalling May 12, 2026
8977a1b
jenkins: validate HARBOR_ADMIN_PASSWORD, guard cgImage against null org
ericsmalling May 12, 2026
397a51b
jenkins: envsubst allowlists, chmod 600 .env, tighten Django defaults
ericsmalling May 12, 2026
14fdb1f
jenkins: use repo-relative JCasC path in cgSign/cgVerify error messages
ericsmalling May 12, 2026
518f673
jenkins: COSIGN_PASSWORD via inherited env, compose-down failure hand…
ericsmalling May 12, 2026
1c8fa68
jenkins: fix pipefail+grep-no-match abort, add setup.sh dep check
ericsmalling May 12, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 46 additions & 0 deletions jenkins/.env.example
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
# Chainguard org under cgr.dev/ to pull images from. docker-compose passes
# it to the controller's image build and runtime env; pipelines reference
# it via env.CHAINGUARD_ORG; per-app Dockerfiles use it as a build ARG;
# setup.sh uses it when creating the Chainguard assumed identity via
# Terraform.
#
# Leave commented out (or set to empty) and setup.sh will prompt for it
# on first run, then persist your answer here. Re-runs reuse the persisted
# value without prompting.
#
# Examples:
# CHAINGUARD_ORG=chainguard # the public Chainguard catalog
# CHAINGUARD_ORG=your-org.example.com
#
# CHAINGUARD_ORG=

# The remaining variables in this file are written by setup.sh based on
# the answers you give to its three prompts. You normally don't edit them
# directly — re-run setup.sh to switch modes.

# Where pipelines pull Chainguard images from. Either:
# cgr.dev/<org> (Mode A — direct cgr.dev)
# localhost/cgr-proxy/<org> (Modes B/C — Harbor proxy cache)
# PULL_REGISTRY=

# Where the Python/Node OCI-image pipelines push their built images. Either:
# ttl.sh/<prefix> (Modes A/B default — anonymous, 24h TTL)
# localhost/library (Mode C — Harbor)
# PUSH_REGISTRY=

# Whether Harbor is the active pull-through cache. cgLogin reads this and
# skips the OIDC chainctl exchange when true (Harbor pulls are anonymous).
# HARBOR_ENABLED=false

# Harbor admin password. Default is the chart's own default ("Harbor12345")
# so the demo works out of the box. setup.sh writes this when Harbor is
# enabled; the value drives:
# - the Helm chart's harborAdminPassword
# - the Terraform harbor provider (used for the cgr-proxy project)
# - cgLogin's Mode C push-auth (cgr-proxy admin docker config)
# Override before running setup.sh to use a different password.
# HARBOR_ADMIN_PASSWORD=Harbor12345

# Note: the Chainguard assumed identity UIDP (Mode A) is NOT stored here.
# setup.sh writes it to shared-libraries/cg-images/IDENTITY (filesystem-SCM
# live-loaded; cgLogin reads it at build time).
16 changes: 16 additions & 0 deletions jenkins/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# Local environment overrides (e.g. CHAINGUARD_ORG). Bootstrapped from .env.example.
.env

# Identity UIDP file — generated by setup.sh, ephemeral, must not be committed.
shared-libraries/cg-images/IDENTITY

# Maven build outputs — produced when running pipelines locally for verification.
apps/*/target/

# Gradle build outputs and local caches — produced when running pipelines locally.
apps/*/build/
apps/*/.gradle/

# Node module dirs — produced when running npm/pnpm install locally.
apps/*/node_modules/
apps/*/.pnpm-store/
37 changes: 37 additions & 0 deletions jenkins/Dockerfile.jenkins
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# Multi-stage build:
# 1. docker-cli stage: source for the docker client binary
# 2. plugins stage: use the -dev jenkins variant (has shell) to run jenkins-plugin-cli
# 3. final stage: ship on the standard jenkins image with plugins baked in

# Required build-arg, supplied by docker-compose from .env. No default —
# CHAINGUARD_ORG must be set explicitly so that we don't accidentally build
# against the wrong catalog. setup.sh prompts for this on first run.
ARG CHAINGUARD_ORG
FROM cgr.dev/${CHAINGUARD_ORG}/docker-cli:29 AS docker

# chainctl binary, used by pipelines (via the cgLogin shared-library var) to
# exchange Jenkins-issued OIDC tokens for short-lived Chainguard sessions.
ARG CHAINGUARD_ORG
FROM cgr.dev/${CHAINGUARD_ORG}/chainctl:latest-dev AS chainctl

ARG CHAINGUARD_ORG
FROM cgr.dev/${CHAINGUARD_ORG}/jenkins:2-lts-jdk21-dev AS plugins
USER 0
COPY jenkins/plugins.txt /tmp/plugins.txt
RUN jenkins-plugin-cli --plugin-file /tmp/plugins.txt --verbose

ARG CHAINGUARD_ORG
FROM cgr.dev/${CHAINGUARD_ORG}/jenkins:2-lts-jdk21-dev
USER 0
COPY --from=docker /usr/bin/docker /usr/local/bin/docker
COPY --from=chainctl /usr/bin/chainctl /usr/local/bin/chainctl
COPY --from=plugins --chown=1000:1000 /usr/share/jenkins/ref/plugins/ /usr/share/jenkins/ref/plugins/
# `chainctl auth configure-docker` adds a credential helper for cgr.dev to
# the user's docker config.json — but the helper itself is a symlink in PATH
# called `docker-credential-cgr` that points back at chainctl. We pre-create
# it here as root so per-build chainctl runs (uid 1000) don't need write
# access to /usr/local/bin.
RUN ln -s /usr/local/bin/chainctl /usr/local/bin/docker-credential-cgr
USER 1000
ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false"
ENV CASC_JENKINS_CONFIG=/var/jenkins_home/casc
Loading
Loading