Handing Secrets in Jenkins pipeline - jenkins

I'm new to Jenkins world, I have a usecase where I have setup a jenkins pipeline using JenkinsFile. As part of deployment stage, we will invoke a few ansible script in the backend to get the image deployed into Kubernetes cluster running in cloud environment. The script expects few secrets in environment variable, so I like to understand which is the best option to handle secret in Jenkins, do I need them to enter into jenkins credentials and read them in jenkins environment tag like below. Or It is safe to get the value from the user using input plugin when executing the pipeline, but if I get from user then I would not able to completely automate pipeline will wait until user input the secret. Could you help in safe way to handle credentials.
pipeline{
agent any {
environment {
SECRET_VALUE=credentials('SECRET_VALUE_FROM_JENKINS_CREDENTIALS')
}
}
}

It depends on your use case, Indeed both approaches as you mentioned above will work.
There shouldn't be any problem in keeping your secrets as Jenkins credentials, in my case, all my secrets are in the Hashicorp vault and my Jenkins credentials point to the vault location as an example...
- usernamePassword:
scope: GLOBAL
id: serviceUser
username: svc_admin
password: "${secret/xyz/service_user/password}"
description: My secret service user
The Jenkins deployment is via JCasC.

As jenkins admin I can say it is safe to store credentials in jenkins.
Just create credentials in jenkins and use in a pipeline. Also it's nice to have mask password plugin installed in jenkins, which will mask credentials in jenkins jobs' output.

Related

setup GitLab SSH key for Jenkins

Having issues creating an ssh credential in Jenkins that allows access to GitLab. I have 2 AWS instances, one with GitLab and one with Jenkins. I would like to setup a multibranch pipeline in Jenkins to run a GitLab repo. I am able to create the pipeline and can access GitLab if I use a username/password credential (using "root"/initial password) but would like to use the more secure route of using a username/SSH credential. I have generated the SSH (of the ed25519 variety) in the GitLab instance (while in root). Then, in GitLab, supplied the public key to the root user. Then, in Jenkins, provided the private SSH key and set username as "root" in a username/SSH credential. When I try to run the pipeline using the username/SSH credential I get an error indicating that it is not authorized. Should I be using a different username? Should I be generating the SSH key in a different location?
Well, I figured it was something small I was missing. I was configuring the pipeline job for the http url of the repo rather than the SSH url. Once I changed that, it worked right away.

Use parameters to connect over ssh in jenkins pipline

I am trying to program a pipeline that requests a username and password as parameter to connect via ssh to a linux server.
I have searched the internet for solutions but the SSH Agent plugin only works with credentials stored in Jenkins.
Is it possible to create a credential with the parameters sent by the user that executes the pipeline or use them as credentials?
Thanks!

How to configure Jenkins to access Gitlab private repository without Gitlab plugin?

I have installed latest Jenkins on ubuntu server and Jenkinsfile in my project repo on Gitlab.
I am able to connect to private repo on Gitlab using username/password credential on Jenkins configuration for the project pipeline without using Jenkins Gitlab plugin. This does not seem safe to me. How can I use Gitlab API token instead of username/password for Jenkins to access remote private Gitlab repo without using Jenkins Gitlab plugin. Another option is to set ssh private key on Jenkins server to athenticate against Gitlab repo. Is this option possible?
Jenkins Gitlab plugin is not officially supported and not well maintained because Gitlab wants customers to user their own CI/CD solution in order to tie customers to their platform for marketing reasons.
A relatively safe way to handle this situation is to store your credentials is the credentials system in Jenkins (that way you do not have to include the credentials in the JenkinsFile), and using a deploy token (available for Gitlab 10.7 and later) for the relevant repository. That token allows you to provide read-only rights to the repository.
Step 1 - setup the deploy token in GitLab
From the GitLab documentation
You can create as many deploy tokens as you like from the settings of your project:
Log in to your GitLab account.
Go to the project you want to create Deploy Tokens for.
Go to Settings > Repository.
Click on “Expand” on Deploy Tokens section.
Choose a name and optionally an expiry date for the token.
Choose the desired scopes.
Click on Create deploy token.
Save the deploy token somewhere safe. Once you leave or refresh the page, you won’t be able to access it again.
Step 2 - Saving the deploy token in Jenkins' credentials system
Since the deploy tokens have a username and password, pick that as the type in the steps below. Write down the id you will use in this step (see below) as you will need it in your pipeline declaration.
From the Jenkins documentation
To add new global credentials to your Jenkins instance:
If required, ensure you are logged in to Jenkins (as a user with the Credentials > Create permission).
From the Jenkins home page (i.e. the Dashboard of the Jenkins classic UI), click Credentials > System on the left.
Under System, click the Global credentials (unrestricted) link to access this default domain.
Click Add Credentials on the left. Note: If there are no credentials in this default domain, you could also click the add some credentials link (which is the same as clicking the Add Credentials link).
From the Kind field, choose the type of credentials to add.
From the Scope field, choose either:
Global - if the credential/s to be added is/are for a Pipeline project/item. Choosing this option applies the scope of the credential/s to the Pipeline project/item "object" and all its descendent objects.
System - if the credential/s to be added is/are for the Jenkins instance itself to interact with system administration functions, such as email authentication, agent connection, etc. Choosing this option applies the scope of the credential/s to a single object only.
Add the credentials themselves into the appropriate fields for your chosen credential type:
(...)
Username and password - specify the credential’s Username and Password in their respective fields.
(...)
In the ID field, specify a meaningful credential ID value - for example, jenkins-user-for-xyz-artifact-repository. You can use upper- or lower-case letters for the credential ID, as well as any valid separator character. However, for the benefit of all users on your Jenkins instance, it is best to use a single and consistent convention for specifying credential IDs. Note: This field is optional. If you do not specify its value, Jenkins assigns a globally unique ID (GUID) value for the credential ID. Bear in mind that once a credential ID is set, it can no longer be changed.
Specify an optional Description for the credential/s.
Click OK to save the credentials.
Step 3 - Use the credentials in your pipeline declaration
You can use the credentials in your jenkinsFile like so:
pipeline {
stages {
stage('Clone stage') {
steps {
git url: 'https://gitlab.com/[username]/[my-repo].git', branch: 'master', credentialsId: 'my-gitlab-repo-creds'
}
}
}
}
In the above example I assume you picked the id my-gitlab-repo-creds in step 2.

Restrict what jobs can run on Jenkins Slave, via SSH Creds in Pipeline

We have a global jenkins master, that many teams manage and use. We have our own jenkins slave, that we manage and as our own tools on it. I'd like to restrict the use of that slave, to only our jobs leveraging pipeline as code. The below is some sudo code of what I want to achieve. My question, is this possible or will this work?
UserPass = getCredsFromCredStore
withCredentials([usernameColonPassword(credentialsId: 'mylogin', variable: 'USERPASS')]) {
node ('myNode') { //need to dynamically configure this
//do Stuff
}
}
The withCredentials will pass SSH credentials to the node inside the scope of running inside the block. Therefore, other team members, can only run jobs on this slave, if they know the ssh details, which we will manage in our external credentials store.
The only way to do what you want is with the Folders Plus plugin, which is a cloudbees plugin, and not free. You can restrict a slave to only be used by a specific folder of jobs.
You can't use code in a job to restrict the slave, because someone could just write other code in another job that doesn't have the same restrictions.

global tool configurations in jenkins through cli?

Is there a way to add global tool configurations for artifactory and aws in jenkins through cli?
I'm trying to write chef cookbook for automating creation of Jenkins job, but I don't know how to add credentials for tools.
Credentials don't depend on the tools which will use them.
You can register credentials in general through the JENKINS Credentials Plugin API: see for instance
How to create jenkins credentials via the REST API? (similar to jenkins_api_client issue 162)
update Jenkins credentials by script
You can then use those credentials in association with a Jenkins Job.
Your question is twofold.
Credentials
The Jenkins chef cookbook offers a jenkins_credentials resource, which allows you to pipe credentials (using Jenkins API internally) into your Jenkins instance.
Global Tool Configuration
You can use the jenkins_script resource of the same cookbook to execute any Groovy script. This allows you to configure your Jenkins instance. You now just have to figure out exactly, what the code is to, e.g., select the previously defined credentials. But the code looks similarly to the example given in the cookbook's README.

Resources