Isolating Secrets for Pipelines in Jenkins

Question

We are implementing a GitOps like CI/CD in Jenkins. Where we are deploying to Openshift/Kubernetes. For sake of simplicity lets say we have only 2 repositories:

1. First with the application source code , there is also Jenkinsfile in the source that defines the build. (that also pushes images to a repository.)

2. We ha a second repository where the deployment pipeline is defined (jenkinsfile). This pipeline deploys image to production (think "kubectl apply").

The problem is that the pipeline (2) needs to access credentials that are used to authenticate (against kubernetes api) to productions. We thought to store these credentials in Jenkins. Where we don't want in same Jenkins the first (1) pipeline to have access to these production credentials.

How could we solve this with Jenkins? (How to store these credentials)

thank you

Answer 1

Just to capture from the comments, there's effectively an answer from @RRT in another thread ( https://stackoverflow.com/a/42721809/9705485 ) :

Using the Folders and Credentials Binding plugin, you can define credentials on the folder level that are only available for the job(s) inside this folder. The folder level store becomes available once you made the folder.

Source: https://support.cloudbees.com/hc/en-us/articles/203802500-Injecting-Secrets-into-Jenkins-Build-Jobs

Another example of adding scoped credentials (this one for dockerhub credentials) is https://liatrio.com/building-docker-jenkins-pipelines/