If I have a private registry, e.g. Artifactory, what is the best way to share the RW key with the development team?
Of course, it is not desired that all dev have possession of the common RW key or credentials which is used by Travis-CI. (each dev has own).
I would like to encrypt the credentials with a private key and provide that key to Travis-ci.
It would be then safe to distribute encrypted credentials and use the job settings in travis-ui. Travis would then decrypt the credentials and use them for the job.
The credentials are not leaked, DevOps person doesn't go crazy updating all keys in UI-setting manually and devs can set up new Travis job and use the encrypted version in Travis-ui. Everybody is happy. Is it possible?
Travis provides Encryption keys:
A repository’s .travis.yml file can have “encrypted values”, such as environment variables, notification settings, and deploy api keys. These encrypted values can be added by anyone, but are only readable by Travis CI. The repository owner does not keep any secret key material.
Please note that encrypted environment variables are not available for pull requests from forks.
How it works:
Download and install Travis CLI
gem install travis
Encrypt the variable
travis encrypt SOMEVAR="secretvalue"
Then you can use the encrypted value inside .travis.yml using secure: (that I guess is what you need in order not to change the environment variables in every repository)
secure: ".... encrypted data ...."
It is also possible to automatically include the encrypted value into your .travis.yml by executing:
travis encrypt SOMEVAR="secretvalue" --add
While Travis executes the job, the encrypted key,
env:
- secure: "encrypted string"
becomes
env:
- "decrypted string"
I have the same problem in my pipelines and I will give a try.
Related
as you probably know, Jenkins uses a key stored in plain text in a file in the master server to encrypt the credentials. From security perspective that is not a good approach. Is there any way of telling Jenkins to take the key from Hashicorp Vault?
I have a private GitHub Repo and I have autorised particular users to be able to create their own private forks of this repo.
I have Travis configured to generate code coverage which is sent to coveralls.io, where the API key is stored in an environment variable that is encrypted.
Travis encrypts environment variables and does not make them available to forks. This means PRs for my repo do not get code coverage reports before they are merged.
I understand that Travis does not make encrypted environment variables available to forks because this would expose the variable where the repo is public and anyone could generate a build.
In my case, my repo is private and I trust the users I have allowed to fork it. So it would be fine for these variables to not be encrypted.
But I do not want to put the variables in .travis.yml because whilst I trust who has forked the repo, there are other parties who are not permitted to fork the repo who can still see the code (i.e. where copies of the code are kept on servers, or in backups.)
Is there a strategy to set an evironment variable that is not encrypted and not defined in .travis.yml?
Is there a strategy to set an evironment variable that is not encrypted and not defined in .travis.yml?
When defining the variable in Travis.ci, enable the switch for Display Value in Build Log.
This will have the effect of not encrypting the variable, and the variable will be available for Pull Request builds.
This is appropriate where all the users who can raise a PR for your repo are trusted to know the Coveralls API key.
I'm setting up some tests to be run via Travis CI. I have some secret encrypted environment variables containing AWS credentials. According to Travis's documentation, encrypted environment variables aren't available in untrusted builds such as GitHub Pull Requests. I'd like to make it so that if/when an un-trusted build is run, the testing scripts do something different.
The Environment Variables doc page says Travis provides TRAVIS_PULL_REQUEST in order to say when a build is triggered by a pull request. However, it's not clear to me whether there are other circumstances in which Travis may withhold encrypted environment variables. As it earlier refers to (emphasis mine):
Encrypted variables are not available to untrusted builds such as pull requests coming from another repository.
This suggests to me that there are other builds that Travis would consider untrusted, besides simply Pull Requests.
TRAVIS_SECURE_ENV_VARS seems like a better fit, but it seems to be set to true when secure variables are defined, regardless of whether they are used or not. Will this resolve to false if it's done by an untrusted build?
The obvious solution is to of course just check to see if the secret environment variables are defined at all when the code runs. But that's not ideal for my use-case, though it's probably what I'll end up doing if I can't find anything.
I have installed latest Jenkins on ubuntu server and Jenkinsfile in my project repo on Gitlab.
I am able to connect to private repo on Gitlab using username/password credential on Jenkins configuration for the project pipeline without using Jenkins Gitlab plugin. This does not seem safe to me. How can I use Gitlab API token instead of username/password for Jenkins to access remote private Gitlab repo without using Jenkins Gitlab plugin. Another option is to set ssh private key on Jenkins server to athenticate against Gitlab repo. Is this option possible?
Jenkins Gitlab plugin is not officially supported and not well maintained because Gitlab wants customers to user their own CI/CD solution in order to tie customers to their platform for marketing reasons.
A relatively safe way to handle this situation is to store your credentials is the credentials system in Jenkins (that way you do not have to include the credentials in the JenkinsFile), and using a deploy token (available for Gitlab 10.7 and later) for the relevant repository. That token allows you to provide read-only rights to the repository.
Step 1 - setup the deploy token in GitLab
From the GitLab documentation
You can create as many deploy tokens as you like from the settings of your project:
Log in to your GitLab account.
Go to the project you want to create Deploy Tokens for.
Go to Settings > Repository.
Click on “Expand” on Deploy Tokens section.
Choose a name and optionally an expiry date for the token.
Choose the desired scopes.
Click on Create deploy token.
Save the deploy token somewhere safe. Once you leave or refresh the page, you won’t be able to access it again.
Step 2 - Saving the deploy token in Jenkins' credentials system
Since the deploy tokens have a username and password, pick that as the type in the steps below. Write down the id you will use in this step (see below) as you will need it in your pipeline declaration.
From the Jenkins documentation
To add new global credentials to your Jenkins instance:
If required, ensure you are logged in to Jenkins (as a user with the Credentials > Create permission).
From the Jenkins home page (i.e. the Dashboard of the Jenkins classic UI), click Credentials > System on the left.
Under System, click the Global credentials (unrestricted) link to access this default domain.
Click Add Credentials on the left. Note: If there are no credentials in this default domain, you could also click the add some credentials link (which is the same as clicking the Add Credentials link).
From the Kind field, choose the type of credentials to add.
From the Scope field, choose either:
Global - if the credential/s to be added is/are for a Pipeline project/item. Choosing this option applies the scope of the credential/s to the Pipeline project/item "object" and all its descendent objects.
System - if the credential/s to be added is/are for the Jenkins instance itself to interact with system administration functions, such as email authentication, agent connection, etc. Choosing this option applies the scope of the credential/s to a single object only.
Add the credentials themselves into the appropriate fields for your chosen credential type:
(...)
Username and password - specify the credential’s Username and Password in their respective fields.
(...)
In the ID field, specify a meaningful credential ID value - for example, jenkins-user-for-xyz-artifact-repository. You can use upper- or lower-case letters for the credential ID, as well as any valid separator character. However, for the benefit of all users on your Jenkins instance, it is best to use a single and consistent convention for specifying credential IDs. Note: This field is optional. If you do not specify its value, Jenkins assigns a globally unique ID (GUID) value for the credential ID. Bear in mind that once a credential ID is set, it can no longer be changed.
Specify an optional Description for the credential/s.
Click OK to save the credentials.
Step 3 - Use the credentials in your pipeline declaration
You can use the credentials in your jenkinsFile like so:
pipeline {
stages {
stage('Clone stage') {
steps {
git url: 'https://gitlab.com/[username]/[my-repo].git', branch: 'master', credentialsId: 'my-gitlab-repo-creds'
}
}
}
}
In the above example I assume you picked the id my-gitlab-repo-creds in step 2.
So it is a common situation that you want to use your CI environment such as Jenkins or Bamboo to deploy to servers. This also means that you need to store endpoint credentials somewhere.
What is the best practice to do this? Having passwords as plain-text in text files is of course the easy route, but often not possible.
If you are using Maven to do the deployment you can encrypt your passwords, see: https://maven.apache.org/guides/mini/guide-encryption.html
We generally use MaskPasswords plugin for jenkins and I am not sure of bamboo
Use the Jenkins credentials plugin to store your passwords; Jenkins encrypts them in the configuration stored on disk. Note that it is possible to decrypt the passwords, so make sure your Jenkins configuration files are adequately protected.