So it is a common situation that you want to use your CI environment, such as Jenkins or Bamboo, to deploy to servers. This also means that you need to store endpoint credentials somewhere.
What is the best practice to do this? Having passwords as plain-text in text files is of course the easy route, but often not possible.
If you are using Maven to do the deployment you can encrypt your passwords, see: https://maven.apache.org/guides/mini/guide-encryption.html
We generally use the MaskPasswords plugin for Jenkins; I am not sure about Bamboo.
Use the Jenkins credentials plugin to store your passwords; Jenkins encrypts them in the configuration stored on disk. Note that it is possible to decrypt the passwords, so make sure your Jenkins configuration files are adequately protected.
We're setting up multiple more or less static servers in AWS. These are primarily configured via Ansible and that's also the ultimate source of truth when it comes to their existence, grouping, host names and IPs. But then there's Jenkins deploying configuration files to these servers based on new commits added to a git repository.
I'm having an issue with listing the target servers directly in a Jenkinsfile. How shall I proceed? Which are the most common ways of dealing with this?
I understand this is mostly an opinion-based topic. But maybe there's a particular Jenkins feature which I don't know about...?
Thank you.
This is very subjective. Following are a few ways to do this.
Store the details somewhere accessible after the Ansible step. Possibly commit to a GitHub repo and retrieve these details within the Jenkins job.
Use the AWS APIs/CLI to retrieve server details. You can either set up the AWS CLI on the Jenkins agent or use something like the AWS Step Plugin.
Do an API call to Jenkins after the Ansible script is executed and update the server details in the Job itself.
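The first option above, as an added example rather than code from the original answer: the Ansible run commits its INI inventory to git, and the Jenkins shell step reads the target hosts for a group from that file instead of listing them in the Jenkinsfile. The inventory content, host names and addresses below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): read deploy targets from an
# Ansible INI inventory committed by the Ansible step, so the Jenkinsfile never
# hardcodes hostnames. The inventory below is constructed sample data.

# inventory_hosts FILE GROUP
# Prints one target per line for GROUP. If a host line carries
# ansible_host=..., that address is printed instead of the inventory alias.
# [GROUP:vars] sections are ignored because the header must match exactly.
inventory_hosts() {
  awk -v group="$2" '
    /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
    /^\[/ {                                  # section header: [name] or [name:vars]
      in_group = ($0 == "[" group "]")
      next
    }
    in_group {
      host = $1
      for (i = 2; i <= NF; i++)
        if (index($i, "ansible_host=") == 1) host = substr($i, 14)
      print host
    }
  ' "$1"
}

# Constructed sample inventory, as the Ansible step would have written it.
INVENTORY_FILE=$(mktemp)
cat > "$INVENTORY_FILE" <<'EOF'
# generated by ansible - do not edit
[web]
web1 ansible_host=10.0.1.11 ansible_user=deploy
web2 ansible_host=10.0.1.12 ansible_user=deploy

[web:vars]
env=staging

[db]
db1.internal.example
EOF

# Typical use inside a Jenkins shell step: act on every host in the group.
# Here the deploy action is a stand-in echo; a real step would scp/ssh.
deploy_to_group() {
  for h in $(inventory_hosts "$INVENTORY_FILE" "$1"); do
    echo "deploying to $h"
  done
}

deploy_to_group web
```

Because the inventory is the same file Ansible uses, there is no second copy of the server list to drift out of date; the job only needs read access to the repository that holds it.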
If I have a private registry, e.g. Artifactory, what is the best way to share the RW key with the development team?
Of course, it is not desired that all devs have possession of the common RW key or credentials which are used by Travis-CI (each dev has their own).
I would like to encrypt the credentials with a private key and provide that key to Travis-ci.
It would be then safe to distribute encrypted credentials and use the job settings in travis-ui. Travis would then decrypt the credentials and use them for the job.
The credentials are not leaked, the DevOps person doesn't go crazy updating all keys in the UI settings manually, and devs can set up a new Travis job and use the encrypted version in the Travis UI. Everybody is happy. Is it possible?
Travis provides Encryption keys:
A repository’s .travis.yml file can have “encrypted values”, such as environment variables, notification settings, and deploy api keys. These encrypted values can be added by anyone, but are only readable by Travis CI. The repository owner does not keep any secret key material.
Please note that encrypted environment variables are not available for pull requests from forks.
How it works:
Download and install Travis CLI
gem install travis
Encrypt the variable
travis encrypt SOMEVAR="secretvalue"
Then you can use the encrypted value inside .travis.yml using secure: (that I guess is what you need in order not to change the environment variables in every repository)
secure: ".... encrypted data ...."
It is also possible to automatically include the encrypted value into your .travis.yml by executing:
travis encrypt SOMEVAR="secretvalue" --add
While Travis executes the job, the encrypted key,
env:
- secure: "encrypted string"
becomes
env:
- "decrypted string"
I have the same problem in my pipelines and I will give it a try.
I'm setting up some tests to be run via Travis CI. I have some secret encrypted environment variables containing AWS credentials. According to Travis's documentation, encrypted environment variables aren't available in untrusted builds such as GitHub Pull Requests. I'd like to make it so that if/when an un-trusted build is run, the testing scripts do something different.
The Environment Variables doc page says Travis provides TRAVIS_PULL_REQUEST in order to say when a build is triggered by a pull request. However, it's not clear to me whether there are other circumstances in which Travis may withhold encrypted environment variables. As it earlier refers to (emphasis mine):
Encrypted variables are not available to untrusted builds such as pull requests coming from another repository.
This suggests to me that there are other builds that Travis would consider untrusted, besides simply Pull Requests.
TRAVIS_SECURE_ENV_VARS seems like a better fit, but it seems to be set to true when secure variables are defined, regardless of whether they are used or not. Will this resolve to false if it's done by an untrusted build?
The obvious solution is to of course just check to see if the secret environment variables are defined at all when the code runs. But that's not ideal for my use-case, though it's probably what I'll end up doing if I can't find anything.
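A conservative form of the definedness check mentioned at the end of the question, added here as an example and not part of the original post: secrets are treated as available only when Travis reports TRAVIS_SECURE_ENV_VARS=true and the variable the tests actually need is non-empty, so any build that fails either condition (a pull request from a fork, or any other build Travis withholds the variables from) runs the offline test set. Only the documented TRAVIS_* variables are relied on; the AWS variable names and the suite names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original question: guard the test script so it
# never assumes secrets are present. Only TRAVIS_SECURE_ENV_VARS,
# TRAVIS_PULL_REQUEST and TRAVIS_BRANCH are taken from Travis's documentation;
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY are the names assumed for the
# encrypted variables.

# secrets_available VAR [VAR...]
# Returns 0 only if Travis says secure vars are in use AND every named
# variable is set to a non-empty value. Values are never echoed.
secrets_available() {
  [ "${TRAVIS_SECURE_ENV_VARS:-false}" = "true" ] || return 1
  for name in "$@"; do
    case $name in
      ""|*[!A-Za-z0-9_]*) return 1 ;;   # refuse anything that is not an identifier
    esac
    eval "val=\${$name:-}"              # indirect lookup of the variable's value
    [ -n "$val" ] || return 1
  done
  return 0
}

# build_kind: short label for the log that reveals no secret material
build_kind() {
  if [ "${TRAVIS_PULL_REQUEST:-false}" != "false" ]; then
    echo "pull-request #$TRAVIS_PULL_REQUEST"
  else
    echo "push (${TRAVIS_BRANCH:-unknown})"
  fi
}

# select_test_suite: integration tests only when the AWS credentials are usable
select_test_suite() {
  if secrets_available AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; then
    echo "integration"      # real AWS calls are possible in this build
  else
    echo "offline"          # mocked / local tests only
  fi
}

# run_tests: dispatch on the selected suite (commands are stand-ins)
run_tests() {
  case $(select_test_suite) in
    integration) echo "would run: tests/integration (uses AWS)" ;;
    offline)     echo "would run: tests/unit" ;;
  esac
}

echo "build: $(build_kind)"
run_tests
```

The point of checking both the flag and the variable is that the script does not depend on exactly which builds Travis classifies as untrusted: if the variables are missing for any reason, the integration tests simply do not run.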
Many times I have the need to download files (e.g. archives) from a remote repository (e.g. maven-repo) which is protected by username/password.
It's easy to get such a file with curl or wget, but when I don't like to see the password in the logs, maybe there is a better/embedded way to do this from within a Jenkins workflow? And how do I combine it with credentials managed by the Jenkins credentials plugin?
Use the Credentials Binding plugin, which integrates with Workflow.
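The shell side of that approach, as an added example that is not the answerer's code: the Credentials Binding plugin exposes the stored username/password pair to the step as environment variables (the names REPO_USER and REPO_PASS are what the binding is assumed to be configured with, e.g. withCredentials([usernamePassword(credentialsId: 'artifactory', usernameVariable: 'REPO_USER', passwordVariable: 'REPO_PASS')]) { sh './fetch.sh' }), and the script hands the password to curl through a 0600 netrc file, so it appears neither in the console log nor in the process list. This also covers the earlier answer about storing passwords with the Jenkins credentials plugin: the value never has to be written into the job definition. The URL and host are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: download a protected artifact
# inside a Jenkins Credentials Binding block without the password appearing
# in logs or on the curl command line. REPO_USER / REPO_PASS are the assumed
# binding variable names; the URL is a placeholder.

# host_of_url URL -> hostname only (scheme, port and path stripped)
host_of_url() {
  printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|[/:].*||'
}

# write_netrc HOST USER PASS -> path of a temp netrc file created mode 0600
# (umask is changed inside the $(...) subshell the caller uses, so it does
# not leak into the rest of the step)
write_netrc() {
  umask 077
  f=$(mktemp) || return 1
  printf 'machine %s\n  login %s\n  password %s\n' "$1" "$2" "$3" > "$f"
  echo "$f"
}

# fetch_artifact URL OUT: curl reads the credentials from the netrc file;
# the file is removed afterwards, and also on abnormal exit via the trap.
fetch_artifact() {
  url=$1; out=$2
  netrc=$(write_netrc "$(host_of_url "$url")" "$REPO_USER" "$REPO_PASS") || return 1
  trap 'rm -f "$netrc"' EXIT
  set +x                                  # in case the step was started with sh -x
  curl --fail --silent --show-error --location \
       --netrc-file "$netrc" -o "$out" "$url"
  rc=$?
  rm -f "$netrc"
  return $rc
}

# Only attempt the download when the binding actually supplied credentials.
if [ -n "${REPO_USER:-}" ] && [ -n "${REPO_PASS:-}" ]; then
  fetch_artifact "https://repo.example.com/artifactory/libs-release/app-1.0.0.jar" app.jar
fi
```

Passing `-u "$REPO_USER:$REPO_PASS"` instead would work, but the pair would then be visible to any other process on the agent while curl runs, and would end up in the log if the step ever echoes commands.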
We are using Hudson as a CI tool. At present we need to use Jenkins to deploy the build to the Stage and Prod environments. What is the best approach we should follow?
I know about the promote build plugin, but the issue is authentication. I want that whenever we need to promote a build to deploy to Stage or Prod, it should ask for network credentials first. And then the promote job should execute the batch command using the credentials supplied. At present, the promote plugin runs using the credentials which the Tomcat server is configured to run with.
Same issue with Build Pipeline plugin.
I want that neither a dev nor even the Hudson admin should be able to execute the promote build unless credentials are supplied. (We have the Windows 2008 R2 OS.)
Can you please help me in resolving the issue, so that basically whenever a user clicks on Promote build to QA\Stage\Prod, the plugin should ask for credentials, or should use the logged-on user's credentials and execute the batch script using the logged-on user's credentials only, and not by using the credentials of the account with which the Tomcat server is configured?
Can you please help me?
Please suggest to us the best approach for making automated builds on prod\stage.
For deployment I normally use SSH; private/public keys take care of the authentication problems normally associated with running commands on other servers.
SSH is normally associated with Unix-based systems, but it does support Windows.
Finally, I would recommend considering decoupling your build system (jenkins) from the system performing the deployment by using an intermediate repository. See the following answer for more details:
Jenkins: how to check out an artifact from Nexus and deploy on Tomcat
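An added example of the SSH-key approach above, not code from the answer or from any project: the CI user gets a dedicated key pair, and the server-side authorized_keys entry pins that key to a single forced command with forwarding and interactive shells disabled, so the key can only trigger the deploy action. The dispatcher shown is the forced command; it only honours a "deploy <version>" request with a strictly digits-and-dots version string. The authorized_keys options are standard OpenSSH options; hostnames, paths and the key text are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer: least-privilege SSH deploy key.
# Server side: authorized_keys entry that forces one command for the CI key.
# Client side (Jenkins): ssh with that key only, non-interactive.
# Key material, hostnames and paths below are placeholders.

# authorized_keys_entry CMD PUBKEY_LINE -> one authorized_keys line
# Whatever the client asks to run, sshd executes CMD instead and puts the
# original request in SSH_ORIGINAL_COMMAND for CMD to inspect.
authorized_keys_entry() {
  printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' "$1" "$2"
}

# deploy_dispatch: the forced command's logic. Accepts only "deploy X.Y.Z"
# style requests; everything else is rejected, so the CI key cannot be used
# to run arbitrary commands even if it leaks from the build server.
deploy_dispatch() {
  req=${SSH_ORIGINAL_COMMAND:-}
  case $req in
    "deploy "*) version=${req#deploy } ;;
    *) echo "rejected"; return 2 ;;
  esac
  case $version in
    ""|*[!0-9.]*) echo "rejected"; return 2 ;;   # only digits and dots allowed
  esac
  echo "deploying version $version"   # a real dispatcher would run the deploy here
  return 0
}

# ssh_deploy_cmd HOST KEYFILE VERSION -> the client command Jenkins runs.
# IdentitiesOnly stops the agent from offering other keys; BatchMode fails
# instead of prompting; host key checking is kept strict.
ssh_deploy_cmd() {
  printf 'ssh -i %s -o IdentitiesOnly=yes -o BatchMode=yes -o StrictHostKeyChecking=yes deploy@%s "deploy %s"\n' \
    "$2" "$1" "$3"
}

# Server-side line to append to ~deploy/.ssh/authorized_keys (placeholder key):
authorized_keys_entry /usr/local/bin/deploy-dispatch "ssh-ed25519 AAAAC3PLACEHOLDERKEYDATA jenkins@ci"
# Client-side command the promote job would execute:
ssh_deploy_cmd stage.example.internal /var/lib/jenkins/.ssh/deploy_ed25519 1.4.2
```

With this split, the build server never holds the deploy target's interactive credentials, and the Windows question of "which account runs the batch file" moves to the target: the forced command runs as the deploy user the key was installed for, nothing more.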