This model looks good: https://cloud.google.com/architecture/managing-infrastructure-as-code-with-terraform-jenkins-and-gitops#infrastructure_proposal
However, it's possible for anyone with repo access to create a feature branch, put any old content into a Jenkinsfile, and create a PR - at which point Jenkins will run whatever's in the Jenkinsfile. To me this kinda negates the controls to enforce peer review of code, or stops you from allowing certain individuals to be permitted only to deploy changes to dev, etc.
I'm not aware that you can "protect" the Jenkinsfile and stop this happening (at least not in GitHub).
Best solution may be to enforce controls at the cloud access key credential level (I'm an AWS user so I think in terms of secret access key) - so only certain Jenkins (or GitHub) users can pull the creds to make infrastructure changes?
I have a series of Jenkins pipeline jobs to move apps to Cloud Foundry. My client application needs to be able to listen to all the updates of a push, i.e. apart from getting text logs, I need other events like Git repo cloned, Cloud Foundry logged in, app pushed.
One crude way of doing this is to submit POST requests to an event server from a shell script (curl). However, I think it is unlikely that such functionality does not already exist in Jenkins (either through a plugin or something like that).
I need advice from a best-practices point of view.
Thanks.
1. As commented by mdabdullah. But this needs a person to set up Kibana or Splunk (I did not try this).
2. Statistics Gatherer plugin: https://plugins.jenkins.io/statistics-gatherer/
3. Jenkins Notification plugin: https://plugins.jenkins.io/notification/
Both 2 and 3 are available plugins in the Jenkins community. They need to be configured with server endpoints before use.
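An added example (not code from the thread or from the Notification plugin) of the endpoint side for the Notification plugin: a small receiver that validates each build event before a client consumes it. The JSON field names (name, build.number, build.phase, build.status, build.full_url) and the listen address are assumptions to check against your plugin version; note the plugin reports build phases, so finer per-step events (repo cloned, Cloud Foundry login) still have to be posted by the pipeline itself.

```python
"""Receiver for the per-build events the Jenkins Notification plugin POSTs.
Added example; the payload shape ({"name": job, "build": {"number", "phase",
"status", "full_url"}}) is an assumption about the plugin, not verified here.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 64 * 1024  # cap the body: the plugin can be told to attach the build log
PHASES = {"QUEUED", "STARTED", "COMPLETED", "FINALIZED"}

def parse_event(body: bytes) -> dict:
    """Validate one notification and reduce it to the fields a client needs.
    Raises ValueError on anything that does not look like a build event."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    data = json.loads(body.decode("utf-8"))  # JSONDecodeError is a ValueError
    build = data.get("build")
    if not isinstance(data.get("name"), str) or not isinstance(build, dict):
        raise ValueError("missing job name or build object")
    phase = build.get("phase")
    if phase not in PHASES:
        raise ValueError(f"unexpected phase {phase!r}")
    return {
        "job": data["name"],
        "number": int(build.get("number", 0)),
        "phase": phase,
        "status": build.get("status"),  # None until the build has finished
        "url": build.get("full_url"),
    }

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            event = parse_event(self.rfile.read(min(length, MAX_BODY + 1)))
        except ValueError:
            self.send_error(400)  # reject malformed or oversized events
            return
        print(f"{event['job']} #{event['number']}: {event['phase']} {event['status']}")
        self.send_response(204)
        self.end_headers()

# Constructed sample of a notification for a finished build.
SAMPLE = (b'{"name":"deploy-to-cf","url":"job/deploy-to-cf/","build":{"number":42,'
          b'"phase":"COMPLETED","status":"SUCCESS",'
          b'"full_url":"http://jenkins.example/job/deploy-to-cf/42/"}}')

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```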
Using On-Premise TFS 2017 and Slack. Just trying to find a way for people to manually queue builds. Slack Slash Commands will almost work, but can't seem to send JSON bodies, so I'm trying to find out how to send credentials and definition IDs using only query strings...
Some background:
Our people cannot run unsigned PowerShell scripts because of Group Policy overrides for ExecutionPolicy.
Don't want to give people access to queue builds through web interface.
We are using CI/CD, but need to manually queue for QA/Demo builds.
Wanted to avoid using another app as a go-between if possible, since new environments for hosting are hard to come by here.
Is there a way to hit the TFS API through Slack Slash Commands?
There are so many posts about this, and being inexperienced in Git doesn't help to get a good grip on this.
I just joined a new company that doesn't have CI at all, so I jumped on the opportunity to create a proof of concept (using Jenkins locally on my Windows box for now, until I get a dedicated server for it). I've used and semi-configured Jenkins in the past, using SVN, and it was so simple and fast to get it working. In this company, they don't use SVN, only GitLab (I believe it's private - we have our own site, not .gitlab.com), and nothing works for me.
I followed a few tutorials, but mainly this seemed like the one that meets my needs. It didn't work (the reasons and symptoms are probably worth a post of its own).
When I look at the GitLab Hook plugin in Jenkins, I see a big red warning saying it is not safe ("Gitlab API token stored and displayed in plain text").
So my question, for this POC that I am working on: how serious is this warning? Should I avoid this plugin, and thus this method altogether, because of this?
And while I'm at it, I might also throw in an additional general question to open up my options here ... If I want Jenkins to work with GitLab (meaning, I check in something and it triggers a build), do I absolutely need to use the SSH method, or could it work with HTTPS as well?
Thank you.
This is indeed SECURITY-263 / CVE-2018-1000196
Gitlab Hook Plugin does not encrypt the Gitlab API token used to access Gitlab. This can be used by users with master file system access to obtain GitHub credentials.
Additionally, the Gitlab API token round-trips in its plaintext form, and is displayed in a regular text field to users with Overall/Administer permission. This exposes the API token to people viewing a Jenkins administrator’s screen, browser extensions, cross-site scripting vulnerabilities, etc.
As of publication of this advisory, there is no fix.
So:
how serious is this warning?
Serious, but it does require access to the Jenkins server filesystem, or it requires Jenkins administrator level. So that risk can be documented, acknowledged and, for now, set aside, provided mitigation steps are in place, i.e.:
the access to the Jenkins server is properly monitored
the list of Jenkins admin accounts is properly and regularly reviewed.
do I absolutely need to use the SSH method, or it could work with HTTPS as well?
You can use https for accessing GitLab repositories in a Jenkins job.
But for the GitLab Hook plugin, SSH remains the recommended way, considering you would use a token (instead of a user account name/password) that you can revoke at any time.
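The advisory's core defect is a credential written to Jenkins configuration XML without going through Jenkins' Secret encryption. As an added example (not from the thread or any Jenkins plugin), here is a check that turns "documented and acknowledged" into an inventory: it flags credential-looking XML elements whose value is not in the encrypted form. It assumes Jenkins serialises an encrypted Secret as base64 wrapped in braces; the element names and sample config are constructed.

```python
"""Flag credentials stored in the clear in Jenkins configuration XML.
Added example. Assumption: Jenkins serialises an encrypted Secret as base64
wrapped in braces, e.g. "{AQAAABAAAAAw...}", so a token-like element holding
any other text is stored in plaintext. Element names and the sample XML below
are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Element names that usually carry a credential (constructed heuristic).
SECRET_NAME_RE = re.compile(r"token|password|secret|apikey", re.I)
# Shape of a Jenkins-encrypted value: '{' + base64 + '}'.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

def find_plaintext_secrets(xml_text: str) -> list:
    """Return (tag, redacted value) for each credential-looking element whose
    text is not in the encrypted form; never returns the full secret."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        value = (elem.text or "").strip()
        if not value or not SECRET_NAME_RE.search(elem.tag):
            continue
        if ENCRYPTED_RE.match(value):
            continue  # protected by the instance's master key
        findings.append((elem.tag, value[:4] + "..."))
    return findings

# Constructed sample resembling a plugin's global config: one API token in
# the clear next to a properly encrypted password.
SAMPLE_CONFIG = """<org.example.HookPluginConfig>
  <gitlabUrl>https://gitlab.example.internal</gitlabUrl>
  <gitlabApiToken>glpat-CONSTRUCTED-EXAMPLE-TOKEN</gitlabApiToken>
  <gitlabPassword>{AQAAABAAAAAwQ29uc3RydWN0ZWRFeGFtcGxlCg==}</gitlabPassword>
</org.example.HookPluginConfig>
"""

if __name__ == "__main__":
    for tag, redacted in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext credential in <{tag}>: {redacted}")
```

Run it over the XML files directly under JENKINS_HOME and each jobs/*/config.xml to list which plugins, not just this one, keep a credential outside Jenkins' encrypted store.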
My goal is to ask questions of the Jenkins server within a Jenkins-run script (specifically when it's run on a remote agent). I'd like to use a Perl or Python script with the REST API. I'd like to ask data known by the Jenkins server.
In my specific case, I'd like a build-display-name of a most-recent successful build of a different project. I'd like to do this without username/password credentials. I'd expect to be able to use the environment variable JENKINS_SERVER_COOKIE as a credential as a cookie or header as I use the Jenkins REST API for GET-based requests.
Is that possible? If not, what is the environment variable JENKINS_SERVER_COOKIE used for?
Thanks!
JENKINS_SERVER_COOKIE is not used for anything related to the REST API; best to ignore it.
What you request is not currently possible.