Codefresh CI/CD
How to integrate Codefresh CI/CD with Cloudsmith
Cloudsmith Integration with Codefresh
Codefresh is a CI/CD platform designed for Kubernetes and modern microservices, offering streamlined workflows for building, testing, and deploying applications with integrated Docker, Helm, and Kubernetes support.
Cloudsmith can seamlessly work with Codefresh to authenticate, consume, and publish artifacts from Cloudsmith in your Codefresh CI/CD pipelines.
Prerequisites:
- Cloudsmith Account: Ensure you have an active Cloudsmith account with a repository where your artifacts will be stored.
- Codefresh Account: Ensure you have an active Codefresh account.
Artifact management with Cloudsmith and Codefresh
To upload a package to a Cloudsmith repository via a Codefresh pipeline, you can do any of the following:
- Use the Cloudsmith Command-Line Interface.
- Use native package management tools such as gem push or cargo publish, if supported.
- Use Codefresh’s native Docker build and push steps for containerized workflows.
Authentication Options
- API Key: You can authenticate to Cloudsmith using an API key stored in Codefresh.
- OIDC Authentication: Alternatively, set up Codefresh as an OIDC provider to authenticate dynamically without manual credential management.
Adding Your Cloudsmith API Key in Codefresh
Steps to add encrypted variables in your Codefresh pipelines:
- Open your Codefresh pipeline and go to the Settings tab.
- Click on Environment Variables and select Add New Variable.
- Provide a name (e.g., CLOUDSMITH_API_KEY), input the value, and toggle Encrypt Value to ensure it's secure.
- You can reference the secret in your pipeline YAML like this: ${{CLOUDSMITH_API_KEY}}.
For more security options, Codefresh offers a Vault plugin from the Step Marketplace to handle key-value pairs dynamically. Refer to Vault Secrets in the Pipeline for more details.
Setup OIDC
To authenticate securely, set up Codefresh as an OIDC provider for Cloudsmith.
OIDC Authentication
Codefresh does not support OIDC for Docker integrations natively. You can use OIDC for freestyle steps when using the Hybrid Runtime, which allows access to the Docker Daemon. From there, you can manually log in to Docker, build your image, and push it to Cloudsmith. However, this means you will not be able to use the built-in build and push steps provided by Codefresh. Instead, you'll need to handle the authentication and image operations within freestyle steps.
Add Codefresh as OIDC identity provider in Cloudsmith
Set up Codefresh as an OIDC provider for Cloudsmith. This allows your Codefresh pipelines to request Cloudsmith API tokens dynamically, without manual credential management.
- Create a Service Account in Cloudsmith (required for OIDC to work with Cloudsmith).
- Configure OpenID Connect in Cloudsmith:
  - Provider URL: https://oidc.codefresh.io
  - Claims: For example, add your Codefresh account ID to restrict access. For more information on claims, consult the Codefresh documentation.
  - Assign the service account you created earlier.
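Why the Claims setting matters, as an added example (not Cloudsmith or Codefresh code): it decodes an ID token's payload for inspection and compares it against an issuer-only rule and a rule that also pins the account. The claim name `account_id`, the placeholder account values, and exact-match comparison are assumptions; the tokens are constructed and unsigned.

```python
import base64
import json

ISSUER = "https://oidc.codefresh.io"  # Provider URL from this page


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(id_token: str) -> dict:
    """Return a JWT's payload WITHOUT verifying the signature (inspection only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def unmet_claims(claims: dict, required: dict) -> list:
    """Required claims that are missing or differ (exact match is assumed)."""
    return [name for name, want in required.items() if claims.get(name) != want]


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the demo runs offline."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed"


# Constructed tokens: same issuer, different (placeholder) account IDs.
# The claim name "account_id" is an assumption to confirm in the Codefresh docs.
OWN = make_sample_token({"iss": ISSUER, "account_id": "ACCOUNT_ID_PLACEHOLDER"})
OTHER = make_sample_token({"iss": ISSUER, "account_id": "OTHER_ACCOUNT_PLACEHOLDER"})

ISSUER_ONLY = {"iss": ISSUER}
PINNED = {"iss": ISSUER, "account_id": "ACCOUNT_ID_PLACEHOLDER"}

if __name__ == "__main__":
    for label, token in (("own", OWN), ("other", OTHER)):
        claims = decode_claims(token)
        print(label, "issuer-only unmet:", unmet_claims(claims, ISSUER_ONLY))
        print(label, "pinned unmet:     ", unmet_claims(claims, PINNED))
```

Both constructed tokens satisfy the issuer-only rule; only the pinned rule tells the two accounts apart.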
Obtain OIDC ID token from OIDC provider
Obtain the ID token from the Codefresh OIDC provider by using the obtain-oidc-id-token Marketplace step.
Add the step to your Codefresh pipeline’s workflow.
version: '1.0'
steps:
  obtain_id_token:
    title: Obtain ID Token
    type: obtain-oidc-id-token
For more details, refer to the Cloudsmith OIDC documentation and Codefresh OIDC documentation.
Example Pipeline: Publish a Python Package to Cloudsmith
This example demonstrates how to authenticate and publish a Python package to Cloudsmith using OIDC in a Codefresh pipeline:
version: "1.0"
steps:
  obtain_id_token:
    title: "Obtain ID Token"
    type: obtain-oidc-id-token
  authenticate_with_cloudsmith:
    title: "Authenticate with Cloudsmith"
    image: "curlimages/curl:7.82.0"
    commands:
      - echo "Installing jq"
      - apk add --no-cache jq
      - |
        # Exchange the Codefresh ID token for a Cloudsmith token
        cloudsmith_token=$(curl -X POST -H "Content-Type: application/json" \
          -d "{\"oidc_token\":\"$ID_TOKEN\", \"service_slug\":\"${{CS_SERVICE_USER_NAME}}\"}" \
          https://api.cloudsmith.io/openid/${{CS_ORG}}/ | jq -r '.token')
        echo "Setting PIP_INDEX_URL with the obtained Cloudsmith token"
        export PIP_INDEX_URL="https://token:$cloudsmith_token@dl.cloudsmith.io/basic/${{CS_ORG}}/${{CS_REPO}}/python/simple/"
        # Make PIP_INDEX_URL available to later steps
        cf_export PIP_INDEX_URL=$PIP_INDEX_URL
Replace CS_SERVICE_USER_NAME, CS_ORG, and CS_REPO with your service account, organization, and repository details. You can store these values as environment variables within your Codefresh pipeline.
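The token exchange from the pipeline above with its failure path handled, as an added example (not Cloudsmith or Codefresh code). In the shell version, curl without --fail exits 0 on an HTTP error and `jq -r '.token'` prints the string null when the field is absent, so a rejected exchange still produces a PIP_INDEX_URL. The function names, org/repo values, and response bodies here are constructed.

```python
import json
from urllib.parse import quote

EXCHANGE_URL = "https://api.cloudsmith.io/openid/{org}/"
INDEX_URL = "https://token:{token}@dl.cloudsmith.io/basic/{org}/{repo}/python/simple/"


def build_exchange_request(id_token, org, service_slug):
    """Return (url, json_body); json.dumps handles quoting of every value."""
    body = json.dumps({"oidc_token": id_token, "service_slug": service_slug})
    return EXCHANGE_URL.format(org=quote(org, safe="")), body


def parse_exchange_response(status, text):
    """Return the Cloudsmith token or raise; never hand back an empty value."""
    if not 200 <= status < 300:
        raise RuntimeError(f"OIDC exchange failed with HTTP {status}")
    try:
        token = json.loads(text).get("token")
    except (ValueError, AttributeError):
        raise RuntimeError("OIDC exchange did not return a JSON object") from None
    if not isinstance(token, str) or not token:
        raise RuntimeError("OIDC exchange response carries no token")
    return token


def pip_index_url(token, org, repo):
    """Build PIP_INDEX_URL with each component percent-encoded."""
    enc = lambda value: quote(value, safe="")
    return INDEX_URL.format(token=enc(token), org=enc(org), repo=enc(repo))


def redact(url):
    """Mask the password part of a credentialed URL before logging it."""
    scheme, rest = url.split("://", 1)
    creds, host = rest.split("@", 1)
    return f"{scheme}://{creds.split(':', 1)[0]}:***@{host}"


# Constructed responses (not captured from Cloudsmith).
SAMPLE_OK = (200, '{"token": "constructed-token/1"}')
SAMPLE_DENIED = (401, '{"detail": "constructed error body"}')

if __name__ == "__main__":
    url = pip_index_url(parse_exchange_response(*SAMPLE_OK), "my-org", "my-repo")
    print(redact(url))
```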
Adding Cloudsmith as a Docker Registry in Codefresh
To add Cloudsmith as a Docker registry to Codefresh:
- Go to settings and select Pipeline Integrations.
- Select Docker Registries and then click Add Registry Provider.
- Select Other Registries.
- Define the following:
  - Registry name: A unique name for this configuration.
  - Username: Your Cloudsmith username.
  - Password: Your Cloudsmith API Key or password.
  - Domain: docker.cloudsmith.io
  - Prefix: The Cloudsmith organization followed by the repository, e.g. CS_ORGANIZATION/CS_REPOSITORY
For more information consult the Docker Registry or Codefresh documentation.