Having issues creating an ssh credential in Jenkins that allows access to GitLab. I have 2 AWS instances, one with GitLab and one with Jenkins. I would like to setup a multibranch pipeline in Jenkins to run a GitLab repo. I am able to create the pipeline and can access GitLab if I use a username/password credential (using "root"/initial password) but would like to use the more secure route of using a username/SSH credential. I have generated the SSH (of the ed25519 variety) in the GitLab instance (while in root). Then, in GitLab, supplied the public key to the root user. Then, in Jenkins, provided the private SSH key and set username as "root" in a username/SSH credential. When I try to run the pipeline using the username/SSH credential I get an error indicating that it is not authorized. Should I be using a different username? Should I be generating the SSH key in a different location?
Well, I figured it was something small I was missing. I was configuring the pipeline job for the http url of the repo rather than the SSH url. Once I changed that, it worked right away.
Related
I am trying to program a pipeline that requests a username and password as parameter to connect via ssh to a linux server.
I have searched the internet for solutions but the SSH Agent plugin only works with credentials stored in Jenkins.
Is it possible to create a credential with the parameters sent by the user that executes the pipeline or use them as credentials?
Thanks!
I'm new to Jenkins world, I have a usecase where I have setup a jenkins pipeline using JenkinsFile. As part of deployment stage, we will invoke a few ansible script in the backend to get the image deployed into Kubernetes cluster running in cloud environment. The script expects few secrets in environment variable, so I like to understand which is the best option to handle secret in Jenkins, do I need them to enter into jenkins credentials and read them in jenkins environment tag like below. Or It is safe to get the value from the user using input plugin when executing the pipeline, but if I get from user then I would not able to completely automate pipeline will wait until user input the secret. Could you help in safe way to handle credentials.
pipeline{
agent any {
environment {
SECRET_VALUE=credentials('SECRET_VALUE_FROM_JENKINS_CREDENTIALS')
}
}
}
It depends on your use case, Indeed both approaches as you mentioned above will work.
There shouldn't be any problem in keeping your secrets as Jenkins credentials, in my case, all my secrets are in the Hashicorp vault and my Jenkins credentials point to the vault location as an example...
- usernamePassword:
scope: GLOBAL
id: serviceUser
username: svc_admin
password: "${secret/xyz/service_user/password}"
description: My secret service user
The Jenkins deployment is via JCasC.
As jenkins admin I can say it is safe to store credentials in jenkins.
Just create credentials in jenkins and use in a pipeline. Also it's nice to have mask password plugin installed in jenkins, which will mask credentials in jenkins jobs' output.
I've got a webhook setup in GitLab to detect whenever changes are pushed to the project repo. This works as needed, however the URL in use contains my Jenkins credentials and I'd like to make this more secure. e.g.:
https://username:password#jenkins.url.com/project/git-project
Is there a way to generate a token of sorts in Jenkins instead of providing my username and password?
There are access tokens in GitLab, you can use it. From Jenkins part, you can install GitLab plugin and then add new credentials for SSH and GitLab API Token. Please see this and this for more details.
I have installed latest Jenkins on ubuntu server and Jenkinsfile in my project repo on Gitlab.
I am able to connect to private repo on Gitlab using username/password credential on Jenkins configuration for the project pipeline without using Jenkins Gitlab plugin. This does not seem safe to me. How can I use Gitlab API token instead of username/password for Jenkins to access remote private Gitlab repo without using Jenkins Gitlab plugin. Another option is to set ssh private key on Jenkins server to athenticate against Gitlab repo. Is this option possible?
Jenkins Gitlab plugin is not officially supported and not well maintained because Gitlab wants customers to user their own CI/CD solution in order to tie customers to their platform for marketing reasons.
A relatively safe way to handle this situation is to store your credentials is the credentials system in Jenkins (that way you do not have to include the credentials in the JenkinsFile), and using a deploy token (available for Gitlab 10.7 and later) for the relevant repository. That token allows you to provide read-only rights to the repository.
Step 1 - setup the deploy token in GitLab
From the GitLab documentation
You can create as many deploy tokens as you like from the settings of your project:
Log in to your GitLab account.
Go to the project you want to create Deploy Tokens for.
Go to Settings > Repository.
Click on “Expand” on Deploy Tokens section.
Choose a name and optionally an expiry date for the token.
Choose the desired scopes.
Click on Create deploy token.
Save the deploy token somewhere safe. Once you leave or refresh the page, you won’t be able to access it again.
Step 2 - Saving the deploy token in Jenkins' credentials system
Since the deploy tokens have a username and password, pick that as the type in the steps below. Write down the id you will use in this step (see below) as you will need it in your pipeline declaration.
From the Jenkins documentation
To add new global credentials to your Jenkins instance:
If required, ensure you are logged in to Jenkins (as a user with the Credentials > Create permission).
From the Jenkins home page (i.e. the Dashboard of the Jenkins classic UI), click Credentials > System on the left.
Under System, click the Global credentials (unrestricted) link to access this default domain.
Click Add Credentials on the left. Note: If there are no credentials in this default domain, you could also click the add some credentials link (which is the same as clicking the Add Credentials link).
From the Kind field, choose the type of credentials to add.
From the Scope field, choose either:
Global - if the credential/s to be added is/are for a Pipeline project/item. Choosing this option applies the scope of the credential/s to the Pipeline project/item "object" and all its descendent objects.
System - if the credential/s to be added is/are for the Jenkins instance itself to interact with system administration functions, such as email authentication, agent connection, etc. Choosing this option applies the scope of the credential/s to a single object only.
Add the credentials themselves into the appropriate fields for your chosen credential type:
(...)
Username and password - specify the credential’s Username and Password in their respective fields.
(...)
In the ID field, specify a meaningful credential ID value - for example, jenkins-user-for-xyz-artifact-repository. You can use upper- or lower-case letters for the credential ID, as well as any valid separator character. However, for the benefit of all users on your Jenkins instance, it is best to use a single and consistent convention for specifying credential IDs. Note: This field is optional. If you do not specify its value, Jenkins assigns a globally unique ID (GUID) value for the credential ID. Bear in mind that once a credential ID is set, it can no longer be changed.
Specify an optional Description for the credential/s.
Click OK to save the credentials.
Step 3 - Use the credentials in your pipeline declaration
You can use the credentials in your jenkinsFile like so:
pipeline {
stages {
stage('Clone stage') {
steps {
git url: 'https://gitlab.com/[username]/[my-repo].git', branch: 'master', credentialsId: 'my-gitlab-repo-creds'
}
}
}
}
In the above example I assume you picked the id my-gitlab-repo-creds in step 2.
I found it very problematic to connect from Jenkins Blue Ocean to AWS CodeCommit git repository using ssh URL, so I will share below the way to do it.
Some more background:
In Blue Ocean you can use either https or ssh URL to connect to git repo. But if you select https version (which works with username+password credentials) then you cannot use some of the BlueOcean features like pipeline editor. So SSH version (which works with private/public key pair) is better.
BlueOcean tries to be nice and generates the keypair for you, you are just asked to upload the public key to the git repo server. This can be done in IAM tool in AWS, but even after that the connection doesn't work...
This worked for me:
Start the create-pipeline wizard in Blue Ocean
provide ssh repo address let say ssh://codecommiturl/repo
Jenkins generates key pair and asks you to upload it to git
do it as described in here
after upload take the value from "SSH Key ID" - this is your username
go back to Blue Ocean wizard and modify your repo url to be something like this: ssh://username#codecommiturl/repo, where username is equal to "SSH Key ID" from previous step
Finish creating pipeline
Now you should be able to use Jenkinsfile/pipeline editor from your CI server.
Additional note: for the BlueOcean features to work you need to provide correct Security roles that allow read/write operations on CodeCommit repository.