
feat: anchore and jenkins guides with snippets (#682)

Co-authored-by: Lucas Severo Alves <lucassalves65@gmail.com>
Co-authored-by: Surjit Bains <surjit.bains@gmail.com>
Moritz Johner 4 years ago
Parent
Commit
61340a78ed

+ 31 - 0
docs/examples-anchore-engine-credentials.md

@@ -0,0 +1,31 @@
+# Getting started
+
+Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images. With Kubernetes, it also brings nice features like preventing unscanned images from being deployed into your clusters
+
+## Installing with Helm
+
+There are several parts of the installation that require credentials these being :-
+
+ANCHORE_ADMIN_USERNAME
+ANCHORE_ADMIN_PASSWORD
+ANCHORE_DB_PASSWORD
+db-url
+db-user
+postgres-password
+
+
+Creating the following external secret ensure the credentials are drawn from the backend provider of choice. The example shown here works with Hashicorp Vault and AWS Secrets Manager providers.
+
+#### Hashicorp Vault
+
+``` yaml
+{% include 'vault-anchore-engine-access-credentials-external-secret.yaml' %}
+```
+
+
+#### AWS Secrets Manager
+
+``` yaml
+{% include 'aws-anchore-engine-access-credentials-external-secret.yaml' %}
+```
+
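Review bot: the credential list under "Installing with Helm" (the six bare lines from `ANCHORE_ADMIN_USERNAME` to `postgres-password`) will render as one run-on paragraph in Markdown; make it a bullet list or a fenced block, and drop the ":-" so the lead-in reads "The following parts of the installation require credentials:". Smaller points in the same hunk: "ensure" should be "ensures", "The example shown here works" should be "The examples shown here work", the intro sentence is missing its full stop, and the heading level jumps from `##` to `####` with no `###`. One sentence stating that the backend secret must expose exactly these six key names would also help, since the AWS variant pulls the whole secret via `dataFrom` without a template and the Helm chart looks the keys up by name.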

+ 0 - 0
docs/guides-gitops-using-fluxcd.md → docs/examples-gitops-using-fluxcd.md


+ 65 - 0
docs/examples-jenkins-kubernetes-credentials.md

@@ -0,0 +1,65 @@
+# Getting started
+
+Jenkins is one of the most popular automation servers for continous integration, automation, scheduling jobs and for generic pipelining. It has an extensive set of plugins that extend or provide additional functionality including the [kubernetes credentials plugin](https://github.com/jenkinsci/kubernetes-credentials-provider-plugin). This plugin takes kubernetes secrets and creates Jenkins credentials from them removing the need for manual entry of secrets, local storage and manual secret rotation.
+
+## Examples
+
+The Jenkins credentials plugin uses labels and annotations on a kubernetes secret to create a Jenkins credential.
+
+The different types of Jenkins credentials that can be created are SecretText, privateSSHKey, UsernamePassword.
+
+
+### SecretText
+
+Here are some examples of SecretText with the Hashicorp Vault and AWS External Secrets providers:
+
+
+#### Hashicorp Vault
+
+``` yaml
+{% include 'vault-jenkins-credential-sonarqube-api-token-external-secret.yaml' %}
+```
+
+#### AWS Secrets Manager
+
+``` yaml
+{% include 'aws-jenkins-credential-sonarqube-api-token-external-secret.yaml' %}
+```
+
+
+### UsernamePassword
+
+Here are some examples of UsernamePassword credentials with the Hashicorp Vault and AWS External Secrets providers:
+
+
+#### Hashicorp Vault
+
+``` yaml
+{% include 'vault-jenkins-credential-harbor-chart-robot-external-secret.yaml' %}
+```
+
+#### AWS Secrets Manager
+
+``` yaml
+{% include 'aws-jenkins-credentials-harbor-chart-robot-external-secret.yaml' %}
+```
+
+
+
+### basicSSHUserPrivateKey
+
+Here are some examples of basicSSHUserPrivateKey credentials with the Hashicorp Vault and AWS External Secrets providers:
+
+
+#### Hashicorp Vault
+
+``` yaml
+{% include 'vault-jenkins-credential-github-ssh-access-external-secret.yaml' %}
+```
+
+#### AWS Secrets Manager
+
+``` yaml
+{% include 'aws-jenkins-credential-github-ssh-external-secret.yaml' %}
+```
+
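Review bot: the three type names listed after "The different types of Jenkins credentials that can be created are" do not match the values used further down: `privateSSHKey` becomes `basicSSHUserPrivateKey` in the heading, and the snippets spell the label values `secretText` and `usernamePassword` in lower camel case; use the exact `jenkins.io/credentials-type` values throughout so readers can copy them. Also "continous" should be "continuous" and "kubernetes" should be capitalised in the intro. The page says the plugin "uses labels and annotations" but never names them; a sentence naming `jenkins.io/credentials-type` and `jenkins.io/credentials-description`, plus the data keys each type expects as the snippets use them (`text`; `username`/`password`; `username`/`privateKey`), would save readers a trip to the plugin README.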

+ 15 - 0
docs/snippets/aws-anchore-engine-access-credentials-external-secret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: anchore-access-credentials
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: cluster-secrets-store
+    kind: ClusterSecretStore
+  target:
+    name: anchore-access-credentials
+  dataFrom:
+  - key: service/anchore-engine/engineAccess
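Review bot: this manifest fetches the whole `service/anchore-engine/engineAccess` secret through `dataFrom` with no `target.template`, so the resulting Kubernetes Secret keys are whatever JSON keys the Secrets Manager entry happens to have; the guide should state that the entry must contain the six names the chart expects (`ANCHORE_ADMIN_USERNAME`, `db-url`, and so on), otherwise nothing tells the reader why the install cannot find its credentials. It also targets `namespace: ci` while the Vault twin uses `namespace: security`; two examples for the same Helm install should agree, or the guide should explain the difference.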

+ 27 - 0
docs/snippets/aws-jenkins-credential-github-ssh-external-secret.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: github-ssh-access
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: cluster-parameter-store
+    kind: ClusterSecretStore
+  target:
+    name: github-ssh-access
+    template:
+      metadata:
+        labels:
+          "jenkins.io/credentials-type": "basicSSHUserPrivateKey"
+        annotations:
+          "jenkins.io/credentials-description": "github-ssh-access key"
+  data:
+    - secretKey: username
+      remoteRef:
+        key: /service/github/sshUserPrivateKeyUserName
+    - secretKey: privateKey
+      remoteRef:
+        key: /service/github/sshUserPrivateKey
+
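Review bot: `secretStoreRef.name` is `cluster-parameter-store` here while the other two AWS Jenkins snippets use `cluster-secrets-store`, and the `remoteRef.key` values carry a leading slash (`/service/github/...`) unlike the others; that reads like a Parameter Store backed store, yet the guide lists this snippet under "AWS Secrets Manager". Either align the store name and key style with the siblings or label the section as Parameter Store. Minor: drop the trailing blank line at the end of the file.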

+ 23 - 0
docs/snippets/aws-jenkins-credential-sonarqube-api-token-external-secret.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: sonarqube-api-token
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: cluster-secrets-store
+    kind: ClusterSecretStore
+  target:
+    name: sonarqube-api-token
+    template:
+      metadata:
+        labels:
+          "jenkins.io/credentials-type": "secretText"
+        annotations:
+          "jenkins.io/credentials-description": "Sonar API token"
+  data:
+    - secretKey: text
+      remoteRef:
+        key: service/sonarqube/apiToken
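Review bot: `target.template` here declares only `metadata` (labels and annotations) and no `data`, relying on the `text` key from `spec.data` being passed through, whereas every Vault snippet in this PR re-declares each key under `template.data`. Please confirm against the controller that a template without `data` still copies the fetched keys into the Secret and say so in the guide; if it does, the Vault variants can drop their `template.data` blocks, and if it does not, this Secret would carry the Jenkins labels but no `text`. Worth a note in the guide too: `refreshInterval: 1m` polls Secrets Manager once a minute per ExternalSecret, and Secrets Manager bills per API call, which adds up across many credentials.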

+ 28 - 0
docs/snippets/aws-jenkins-credentials-harbor-chart-robot-external-secret.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: harbor-chart-robot
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: cluster-secrets-store
+    kind: ClusterSecretStore
+  target:
+    name: harbor-chart-robot
+    template:
+      metadata:
+        labels:
+          "jenkins.io/credentials-type": "usernamePassword"
+        annotations:
+          "jenkins.io/credentials-description": "harbor chart robot access"
+  data:
+    - secretKey: password
+      remoteRef:
+        key: service/harbor/chartRobot
+        property: password
+    - secretKey: username
+      remoteRef:
+        key: service/harbor/chartRobot
+        property: username
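Review bot: the file name `aws-jenkins-credentials-harbor-chart-robot-external-secret.yaml` uses plural "credentials" while the other five snippets use "credential"; rename it (and the include under the Harbor "AWS Secrets Manager" heading in the Jenkins guide) so the naming pattern stays greppable. The description annotation "harbor chart robot access" also differs from the Vault twin's "harbor chart robot"; pick one. The `property: password` / `property: username` split from a single JSON secret is the right approach and deserves a sentence in the guide, since the SSH snippet fetches two separate remote keys instead.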

+ 55 - 0
docs/snippets/vault-anchore-engine-access-credentials-external-secret.yaml

@@ -0,0 +1,55 @@
+{% raw %}
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: anchore-access-credentials
+  namespace: security
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: anchore-access-credentials
+    template:
+
+      data:
+        ANCHORE_ADMIN_USERNAME: >-
+          {{ printf "{{ .username | toString }}" }}
+        ANCHORE_ADMIN_PASSWORD: >-
+          {{ printf "{{ .password | toString }}" }}
+        ANCHORE_DB_PASSWORD: >-
+          {{ printf "{{ .dbPassword | toString }}" }}
+        db-url: >-
+          {{ printf "{{ .dbUrl | toString }}" }}
+        db-user: >-
+          {{ printf "{{ .dbUser | toString }}" }}
+        postgres-password: >-
+          {{ printf "{{ .postgresPassword | toString }}" }}
+
+  data:
+    - secretKey: password
+      remoteRef:
+        key: anchore-engine
+        property: ANCHORE_ADMIN_PASSWORD
+    - secretKey: username
+      remoteRef:
+        key: anchore-engine
+        property: ANCHORE_ADMIN_USERNAME
+    - secretKey: dbPassword
+      remoteRef:
+        key: anchore-engine
+        property: ANCHORE_DB_PASSWORD
+    - secretKey: dbUrl
+      remoteRef:
+        key: anchore-engine
+        property: db-url
+    - secretKey: dbUser
+      remoteRef:
+        key: anchore-engine
+        property: db-user
+    - secretKey: postgresPassword
+      remoteRef:
+        key: anchore-engine
+        property: postgres-password
+{% endraw %}
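Review bot: the `{{ printf "{{ .username | toString }}" }}` wrapping used for every `template.data` value looks like it would put the inner action into the Secret as literal text: in Go text/template the quoted string is a single token, so `printf` returns `{{ .username | toString }}` unrendered rather than the fetched value. The surrounding `{% raw %}` block already stops the docs site's Jinja from touching the braces, so the plain `{{ .username | toString }}` form should be all that is needed; please apply the manifest and inspect the rendered Secret before merging. Two smaller points: the empty line between `template:` and `data:` should go, and `namespace: security` disagrees with the AWS twin's `namespace: ci`.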

+ 34 - 0
docs/snippets/vault-jenkins-credential-github-ssh-access-external-secret.yaml

@@ -0,0 +1,34 @@
+{% raw %}
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: github-ssh-access
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: github-ssh-access
+    template:
+      metadata:
+        labels:
+          "jenkins.io/credentials-type": "basicSSHUserPrivateKey"
+        annotations:
+          "jenkins.io/credentials-description": "github-ssh-access key"
+      data:
+        username: >-
+          {{ printf "{{ .username | toString }}" }}
+        privateKey: >-
+          {{ printf "{{ .privateKey | toString }}" }}
+  data:
+    - secretKey: username
+      remoteRef:
+        key: my-kv
+        property: github-ssh-access-username
+    - secretKey: privateKey
+      remoteRef:
+        key: my-kv
+        property: github-ssh-access-private-key
+{% endraw %}
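Review bot: `remoteRef.key: my-kv` reads like a KV mount name or a leftover placeholder rather than a secret path; the other Vault snippets use descriptive paths (`anchore-engine`, `jenkins-credentials`), so either use a real path or mark `my-kv` clearly as a value to replace. With the Vault provider the key is a path relative to the mount configured on the SecretStore, which the guide does not mention and probably should. The `{{ printf "{{ .privateKey | toString }}" }}` form raises the same question as in the Anchore Vault snippet: under Go text/template `printf` of that quoted string emits the action text, not the key, unless something renders it a second time; the plain `{{ .privateKey | toString }}` inside `{% raw %}` should suffice.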

+ 34 - 0
docs/snippets/vault-jenkins-credential-harbor-chart-robot-external-secret.yaml

@@ -0,0 +1,34 @@
+{% raw %}
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: harbor-chart-robot
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: harbor-chart-robot
+    template:
+      metadata:
+        labels:
+          "jenkins.io/credentials-type": "usernamePassword"
+        annotations:
+          "jenkins.io/credentials-description": "harbor chart robot"
+      data:
+        username: >-
+          {{ printf "{{ .username | toString }}" }}
+        password: >-
+          {{ printf "{{ .password | toString }}" }}
+  data:
+    - secretKey: username
+      remoteRef:
+        key: my-kv
+        property: harbor-chart-robot-username
+    - secretKey: password
+      remoteRef:
+        key: my-kv
+        property: harbor-chart-robot-token
+{% endraw %}

+ 28 - 0
docs/snippets/vault-jenkins-credential-sonarqube-api-token-external-secret.yaml

@@ -0,0 +1,28 @@
+{% raw %}
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: sonarqube-api-token
+  namespace: ci
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: sonarqube-api-token
+    template:
+      metadata:
+        labels:
+          "jenkins.io/credentials-type": "secretText"
+        annotations:
+          "jenkins.io/credentials-description": "sonarqube api token"
+      data:
+        text: >-
+          {{ printf "{{ .password | toString }}" }}
+  data:
+    - secretKey: password
+      remoteRef:
+        key: jenkins-credentials
+        property: sonarqube-api-token
+{% endraw %}
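Review bot: the intermediate `secretKey: password` is misleading for a `secretText` credential, whose Jenkins data key is `text`; naming it `token` (or `apiToken`, matching the AWS twin's `service/sonarqube/apiToken`) makes the `text:` mapping self-explanatory. The Vault path `jenkins-credentials` is also the odd one out against `my-kv` in the two sibling Jenkins snippets; one consistent path across the three would let a reader stand up a single KV layout and use all three examples. The description annotation "sonarqube api token" versus the AWS twin's "Sonar API token" is the same drift.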

+ 4 - 1
hack/api-docs/mkdocs.yml

@@ -41,7 +41,6 @@ nav:
     - Multi Tenancy: guides-multi-tenancy.md
     - Metrics: guides-metrics.md
     - Using Latest Image: guides-using-latest-image.md
-    - GitOps using FluxCD: guides-gitops-using-fluxcd.md
   - Provider:
     - AWS:
       - Secrets Manager: provider-aws-secrets-manager.md
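Review bot: removing `guides-gitops-using-fluxcd.md` from the Guides nav together with the file rename breaks any bookmarked or externally linked URL for that page; consider adding a redirect (for example with the mkdocs-redirects plugin) from the old path to `examples-gitops-using-fluxcd.md`.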
@@ -62,6 +61,10 @@ nav:
       - Oracle Vault: provider-oracle-vault.md
     - Webhook: provider-webhook.md
     - Fake: provider-fake.md
+  - Examples:
+    - FluxCD: examples-gitops-using-fluxcd.md
+    - Anchore Engine: examples-anchore-engine-credentials.md
+    - Jenkins: examples-jenkins-kubernetes-credentials.md
   - References:
     - API specification: spec.md
   - Contributing:
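Review bot: the new nav label `FluxCD` loses the "GitOps using" context the page had under Guides (`GitOps using FluxCD`); keeping the fuller title makes the Examples section read consistently with the page's own heading. Also, both new example pages open with `# Getting started`, so the Anchore Engine and Jenkins pages will have identical H1 titles in the rendered site and in search results; a page-specific H1 (or at least an intro line naming the tool) would help.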