what can I do on Jenkinsfile to get credentials? - jenkins

I'm new to Jenkins and I'm creating a Jenkinsfile with a declarative pipeline that supports different parameters. I also need to access a credential stored in Jenkins, which I have already created. How can I access this credential through the Jenkinsfile? Do I need to call it inside the stage, or is it OK like this? I got very confused in this part :S
I saw something like this on the internet:
steps {
withCredentials([usernamePassword(credentialsId: 'x'....
}
Until now I have this:
pipeline {
    agent any
    environment{
        my_credentials = credentials('x-credentials-id')
    }
    stages{
        stage('Setup parameters') {
            steps {
                parameters([
                    string(name: 'a', defaultValue: 'x', description: 'test'),
                    text(name: 'b', defaultValue: ''),
                    text(name: 'b2', defaultValue: ''),
                    text(name: 'c', defaultValue: ''),
                    text(name: 'c2', defaultValue: '')
                ])
                //])
            }
        }
    }
}

From Jenkins documentation.
Jenkins' declarative Pipeline syntax has the credentials() helper
method (used within the environment directive) which supports secret
text, username and password, as well as secret file credentials.
So basically credentials('x-credentials-id') will support the aforementioned credential types and you should be using this helper method within an Environment block. You can use this approach if you want to declare your credentials globally so they can be used anywhere in the pipeline.
example
environment {
AWS_ACCESS_KEY_ID = credentials('jenkins-aws-secret-key-id')
AWS_SECRET_ACCESS_KEY = credentials('jenkins-aws-secret-access-key')
}
For other types, you can use the withCredentials directive. (This comes from the Credentials Binding plugin.) Both will get the job done.
withCredentials(bindings: [certificate(credentialsId: 'jenkins-certificate-for-xyz', \
keystoreVariable: 'CERTIFICATE_FOR_XYZ', \
passwordVariable: 'XYZ-CERTIFICATE-PASSWORD')]) {
//
}
Although it says secret text, username and password, etc. are not supported with the Bind Credentials plugin, you can use withCredentials for those types as well.
withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
echo "username is $USERNAME"
}
Read more from here and here
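Both approaches in one declarative Jenkinsfile, as an added example that is not part of the original answer. It assumes `x-credentials-id` is a username/password credential; the secret-text ID `deploy-token`, the variable names and the stage names are hypothetical.

```groovy
pipeline {
    agent any

    // In declarative syntax, build parameters go in the parameters directive.
    parameters {
        string(name: 'a', defaultValue: 'x', description: 'test')
        text(name: 'b', defaultValue: '')
    }

    environment {
        // Pipeline-wide binding. For a username/password credential the helper
        // sets MY_CREDENTIALS ("user:password") plus MY_CREDENTIALS_USR and
        // MY_CREDENTIALS_PSW, and every stage below can read them.
        MY_CREDENTIALS = credentials('x-credentials-id')
    }

    stages {
        stage('Uses global binding') {
            steps {
                // Single quotes: Groovy passes the text through untouched and
                // the shell expands the variable from its environment.
                sh 'echo "connecting as $MY_CREDENTIALS_USR"'
            }
        }
        stage('Uses scoped binding') {
            steps {
                // Narrower exposure: DEPLOY_TOKEN exists only inside this block.
                withCredentials([string(credentialsId: 'deploy-token', variable: 'DEPLOY_TOKEN')]) {
                    sh 'test -n "$DEPLOY_TOKEN" && echo "token is available here"'
                }
                // Outside the block the variable is no longer set.
                sh 'test -z "${DEPLOY_TOKEN:-}" && echo "token is not set here"'
            }
        }
    }
}
```

Prefer the scoped form when only one stage needs the secret, since the `environment` binding hands it to every step in the pipeline.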

Related

How do I define Credentials as params in Jenkinsfile scripted pipeline

I am defining a scripted pipeline with many inputs, 2 of them are credentials. In the UI I can see how to add an input that is a credential, but I can't find anything on how to define Credential Params for scripted Pipelines. My params are defined like:
properties([
buildDiscarder(logRotator(numToKeepStr: '20')),
parameters([
stringParam(name: 'export_credentials'),
stringParam(name: 'import_credentials'),
]),
])
But I'd prefer it to be actual credentials params and not string ones
To keep the string secured use the following:
properties([
buildDiscarder(logRotator(numToKeepStr: '20')),
parameters([
password(description: 'b', name: 'b')
])
])
I figured it out after exploring the job-dsl plugin API (<jenkins_url>/plugin/job-dsl/api-viewer/index.htm):
properties([
buildDiscarder(logRotator(numToKeepStr: '20')),
disableResume(),
parameters([
credentials(name: 'export_token_credential_id', required: true, credentialType: "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl", defaultValue: 'dockerjenkins-token', description: 'Username and API Token for the Jenkins to migrate from'),
credentials(name: 'import_token_credential_id', required: true, credentialType: "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl", defaultValue: 'cloudbees-token', description: 'Username and API Token for this Jenkins'),
stringParam(name: 'item', description: 'Item (job) to migrate. '),
choiceParam(name: 'disable_mode', choices: "NEITHER\nDEST\nSOURCE\nBOTH", description: 'Which Jenkins, if any, to disable jobs on when migrating'),
]),
])

How to invoke Jenkins credentials in a jenkins scripted pipeline (not declarative)

I am trying to use a Jenkins scripted pipeline to invoke the Config File Provider plugin along with fetching credentials from Jenkins for the username and password, but the below doesn't seem to work.
node {
    def mvnHome
    def mvnSettings
    stage('Prepare') {
        mvnHome = tool 'maven-3.5.4'
    }
    stage('Checkout') {
        checkout scm
    }
    stage('Deploy'){
        def usernameLocal, passwordLocal, usr, psw
        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'xyz', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME']]) {
            usernameLocal = env.USERNAME
            passwordLocal = env.PASSWORD
        }
        configFileProvider(
            [configFile(fileId: '*********', variable: 'MAVEN_SETTINGS', replaceTokens: true)])
        {
            usr="${usernameLocal}"
            psw="${passwordLocal}"
            sh "echo $usr"
            sh "'${mvnHome}/bin/mvn' -s $MAVEN_SETTINGS deploy -Dserver.username="${usernameLocal}" -Dserver.password="${passwordLocal}""
        }
    }
}
where server.username and server.password are defined as properties under settings.xml server section for username and password.
Looks like I found out the issue, and it's nothing to do with the withCredentials used here but rather to do with the Config File Provider plugin. So I am able to print the credentials username correctly, but somehow the config file provider is unable to substitute the variable value in the settings.xml.
So I don't get any error anymore; it's just that the deployment doesn't go through, with 401 unauthorized, since the below in my settings.xml never gets the correct values:
<server>
    <id>snapshot</id>
    <username>${server.username}</username>
    <password>${server.password}</password>
</server>
Could you please advise how to resolve this?
The variables created by withCredentials are Groovy variables not environment variables. Try the following:
stage('Deploy'){
    withCredentials([usernamePassword(credentialsId:'xyz', passwordVariable: 'Password', usernameVariable: 'Username')]) {
        configFileProvider([configFile(fileId: 'abcde', variable:'MAVEN_SETTINGS')]) {
            sh "'${mvnHome}/bin/mvn' -s $MAVEN_SETTINGS deploy -Dserver.username=${Username} -Dserver.password=${Password}"
        }
    }
}
OK, I figured out the solution: declare the entire configFileProvider section under the withCredentials block and pass:
-Dserver.username='${usernameLocal}' -Dserver.password='${passwordLocal}'
(Please note single quotes). This way the values also get substituted and are outputted in the logs as masked.
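The Deploy stage from this thread with the interpolating form next to a shell-expanded form, as an added example that is not code from any of the posts. Inside `withCredentials` the bound names are exported to the environment of the steps nested in the block; `xyz` and `abcde` are the placeholder IDs used above, and the names `SERVER_USERNAME`, `SERVER_PASSWORD` and `MVN` are assumptions.

```groovy
node {
    def mvnHome = tool 'maven-3.5.4'
    stage('Checkout') {
        checkout scm
    }
    stage('Deploy') {
        withCredentials([usernamePassword(credentialsId: 'xyz',
                                          usernameVariable: 'SERVER_USERNAME',
                                          passwordVariable: 'SERVER_PASSWORD')]) {
            configFileProvider([configFile(fileId: 'abcde', variable: 'MAVEN_SETTINGS')]) {
                // Weak: double quotes make Groovy paste the secret into the
                // script text before the shell starts. Jenkins logs an
                // "insecure interpolation" warning for this form, and a
                // password containing quotes or $ changes the command.
                // sh "'${mvnHome}/bin/mvn' -s $MAVEN_SETTINGS deploy -Dserver.password=${SERVER_PASSWORD}"

                // Better: only the non-secret tool path passes through Groovy
                // (via withEnv). The script is single-quoted, so the shell
                // reads the credentials from its environment at run time.
                withEnv(["MVN=${mvnHome}/bin/mvn"]) {
                    sh '''
                        "$MVN" -s "$MAVEN_SETTINGS" deploy \
                            -Dserver.username="$SERVER_USERNAME" \
                            -Dserver.password="$SERVER_PASSWORD"
                    '''
                }
            }
        }
    }
}
```

Maven's settings.xml can also read `${env.SERVER_USERNAME}` and `${env.SERVER_PASSWORD}` directly, which keeps the password out of the `mvn` argument list altogether.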

How to mask a password field in Jenkins Pipeline project?

When a password property is defined in a Jenkinsfile:
properties([
parameters([
password(name: 'KEY', description: 'Encryption key')
])
])
Jenkins prompts users to provide its value every time the pipeline is executed:
I want this parameter to be masked so that echo ${KEY} does not print the actual value passed by the user. However, at the moment echoing it prints the provided value verbatim:
properties([
    parameters([
        password(name: 'KEY', description: 'Encryption key')
    ])
])
node {
    stage('Stage 1') {
        // Will print the actual value of the KEY, verbatim
        sh "echo ${KEY}"
    }
}
Also it seems that the Mask Passwords plugin does not work with Jenkins pipelines, so using that is not an option.
Is there a way to mask these password-typed parameters in the build logs?
You'll want to use the mask passwords plugin. Here's a Jenkinsfile example taken from my shared pipeline library.
properties([
parameters([
password(name: 'KEY', description: 'Encryption key')
])
])
node {
    stage('Stage 1') {
        // Will print the masked value of the KEY, replaced with ****
        wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[var: 'KEY', password: KEY]], varMaskRegexes: []]) {
            sh "echo ${KEY}"
        }
    }
}
Other than existing suggestions on withCredentials, there's not much to add. However, if you're automatically generating your jobs via templates and you're setting a default password, then you might want to make use of hudson.util.Secret to secure your templates.
You can use the Jenkins Credentials plugin. With this plugin you can create a credential with an ID for use in your pipeline:
The code will be:
withCredentials([string(credentialsId: 'pass', variable: 'password1')]) {
echo "My password is '${password1}'!"
}
In your use case:
node {
stage('Echo') {
withCredentials([string(credentialsId: 'pass', variable: 'password1')]) {
echo "'${password1}'!"
}
}
}
Note: The password will be masked only in the withCredentials block.

Append to Job properties

My job parameters defined in job-dsl.groovy are overwritten by those defined in pipeline.
I am using job-dsl-plugin and Jenkins pipeline to generate a Jenkins job for each git branch. Since my code is stored in GitLab, they require GitLab integration. I am providing that using gitlab-plugin. The problem is with the 'gitLabConnection': it looks like it can only be applied from inside the Jenkins pipeline.
So if in job-dsl I would do:
branches.each { branch ->
    String safeBranchName = branch.name.replaceAll('/', '-')
    if (safeBranchName ==~ "^release.*")
    {
        return
    }
    def branch_folder = "${basePath}/${safeBranchName}"
    folder branch_folder
    pipelineJob("$branch_folder/build") {
        logRotator {
            numToKeep 20
        }
        parameters {
            stringParam("BRANCH_NAME", "${safeBranchName}", "")
            stringParam("PROJECT_NAME", "${basePath}", "")
        }
    }
}
And then in my Jenkins pipeline I would add the 'gitLabConnection'
node('node_A') {
properties([
gitLabConnection('gitlab.internal')
])
stage('clean up') {
deleteDir()
}
///(...)
I have to do it like:
node('node_A') {
properties([
gitLabConnection('gitlab.internal'),
parameters([
string(name: 'BRANCH_NAME', defaultValue: BRANCH_NAME, description: ''),
string(name: 'PROJECT_NAME', defaultValue: PROJECT_NAME, description: '')
])
])
stage('clean up') {
deleteDir()
}
///(...)
So that my BRANCH_NAME and PROJECT_NAME are not overwritten.
Is there another way to tackle this ?
Is it possible to append the 'gitLabConnection('gitlab.internal')' to the properties in the Jenkins pipeline ?
Unfortunately it doesn't seem like there is a way to do this yet. There's some discussion about this at https://issues.jenkins-ci.org/browse/JENKINS-43758 and I may end up opening a feature request to allow people to "append to properties"
There are 2 ways for solving this. The first one uses only Jenkins pipeline code, but if you choose this path the initial job run will most likely fail. This initial fail will happen, because at the time of first job run, the pipeline creates Jenkins job parameters. Once the parameters are created, job will work.
Option '1' - using Jenkins pipeline Only.
In 'Pipeline Syntax'/'Snippet Generator' check:
'This project is parameterised'.
Add parameter(s) you need, and hit 'Generate Pipeline Script'. In my case I get:
properties([
gitLabConnection(gitLabConnection: 'my_gitlab_connection', jobCredentialId: '', useAlternativeCredential: false),
[$class: 'JobRestrictionProperty'],
parameters([
string(defaultValue: 'test', description: 'test', name: 'test', trim: false)
]),
throttleJobProperty(categories: [], limitOneJobWithMatchingParams: false, maxConcurrentPerNode: 0, maxConcurrentTotal: 0, paramsToUseForLimit: '', throttleEnabled: false, throttleOption: 'project')
])
Option '2' - It's more complicated but also far more powerful. The one I finally took, because of the issues described above.
Use Jenkins job DSL plugin - https://github.com/jenkinsci/job-dsl-plugin
Gitlab plugin works quite well with it https://github.com/jenkinsci/gitlab-plugin#declarative-pipeline-jobs

Define credential parameter in parameters in Jenkins declarative pipeline?

I am currently using a Jenkins Declarative pipeline with a parameterised build:
pipeline {
    agent any
    parameters {
        booleanParam(name: 'cleanDB',defaultValue: false,description: 'should clean db ?' )
        string(name: 'host',defaultValue: 'xyx',description: 'DB Host')
    }
    stages {
        stage('Build') {
            steps {
                sh 'mvn verify'
            }
        }
        stage('Execute') {
            steps {
                withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'CREDENTIALS', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']])
                {
                    sh "ant " +"-Ddb.clean=${params.cleanDB} -Ddb.host=${params.host} -Ddb.userid=$USERNAME \"-Ddb.password=$PASSWORD\" "
                }
            }
        }
    }
}
When I try to build with parameters, it prompts for only two params, cleanDB and host. I would like it to also ask which credential parameter to take. It takes it only when explicitly added through the UI in the parameterised build.
So how can I add a credential parameter in parameters? Can anyone share an example of defining it in the syntax below?
parameters {
booleanParam(name: 'cleanDB',defaultValue: false,description: 'should clean db ?' )
string(name: 'host',defaultValue: 'xyx',description: 'DB Host')
credentialParam(name: 'host',description: 'Credentials')
}
While as of today (2017-08-29) the Jenkins docs mention only string and boolean types of possible parameters, there is some ticket that answers this question. It says to do:
parameters {
credentials(name: 'CredsToUse', description: 'A user to build with', defaultValue: '', credentialType: "Username with password", required: true )
}
I just tried it and it works fine. When executed for the first time it doesn't ask anything, it just creates parameter for the job. After then it asks for credentials as it should.
Naturally, it works for Declarative Pipeline syntax, so must be enveloped with 'pipeline'.
Try the following:
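withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'CREDENTIALS', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD']]) {
    // params.* sit in the double-quoted part so Groovy resolves them; $USERNAME and
    // $PASSWORD stay in the single-quoted part so the shell expands them.
    sh "ant -Ddb.clean=${params.cleanDB} -Ddb.host=${params.host} " + '-Ddb.userid=$USERNAME -Ddb.password=$PASSWORD'
}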
According to the documentation on CloudBees: https://support.cloudbees.com/hc/en-us/articles/204897020-Fetch-a-userid-and-password-from-a-Credential-object-in-a-Pipeline-job-
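The credentials parameter and the binding put together in one declarative pipeline, as an added example that is not from the original posts. It assumes the parameter's value is the ID of the selected (global or folder-scoped) credential and reuses the `credentialType` class name shown earlier on this page; the names `DB_CREDS`, `DB_CLEAN` and `DB_HOST` are hypothetical.

```groovy
pipeline {
    agent any
    parameters {
        booleanParam(name: 'cleanDB', defaultValue: false, description: 'should clean db ?')
        string(name: 'host', defaultValue: 'xyx', description: 'DB Host')
        credentials(name: 'DB_CREDS',
                    description: 'Credentials',
                    defaultValue: '',
                    credentialType: 'com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl',
                    required: true)
    }
    stages {
        stage('Execute') {
            steps {
                // Assumption: params.DB_CREDS is the credential ID chosen in
                // the "Build with Parameters" form. On the first run, which
                // only creates the parameter, it is still the empty default.
                withCredentials([usernamePassword(credentialsId: params.DB_CREDS,
                                                  usernameVariable: 'USERNAME',
                                                  passwordVariable: 'PASSWORD')]) {
                    // Non-secret parameters are handed over through withEnv,
                    // so the single-quoted script has no Groovy interpolation
                    // and a crafted 'host' value cannot alter the command.
                    withEnv(["DB_CLEAN=${params.cleanDB}", "DB_HOST=${params.host}"]) {
                        sh 'ant -Ddb.clean="$DB_CLEAN" -Ddb.host="$DB_HOST" -Ddb.userid="$USERNAME" -Ddb.password="$PASSWORD"'
                    }
                }
            }
        }
    }
}
```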
