Open nicklocaso opened 4 months ago
Anyone?
Have you tried one of the many others ways to use secrets? https://github.com/jenkinsci/configuration-as-code-plugin/blob/5708e01224bb3fbacdc61026f1d2ac37c4092aa0/docs/features/secrets.adoc
Perhaps a properties file? 🤔
I don't know if securityRealm still allows plain text password so perhaps try bcrypt way: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/demos/embedded-userdatabase/README.md#additional-attributes
Very interesting. Using the properties file seems to work correctly only if I don't use other helpers. I don't like it much, but it might be enough for now.
File /run/secrets/secrets.properties:
```properties
ADMIN_ID=admin
ADMIN_PASSWORD=test12345
ADMIN_PASSWORD_B64_ENCODED=dGVzdDEyMzQ1
```
This will work:
```yaml
...
securityRealm:
  users:
    - id: "${ADMIN_ID}"
      name: "admin"
      password: "${ADMIN_PASSWORD}"
...
```
This will not:
```yaml
...
securityRealm:
  users:
    - id: "${ADMIN_ID}"
      name: "admin"
      password: "${decodeBase64:${ADMIN_PASSWORD_B64_ENCODED}"
...
```
In short, for now, the helpers provided here for the "password" property of "securityRealm" do not seem to work. Is this behaviour intended?
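As an added illustration (not the plugin's code and not part of the thread), a small Python model of the `${...}` placeholder syntax used in the snippets above, so an expression and its properties file can be checked outside Jenkins. The helper names (decodeBase64, readFile, readFileBase64) are the ones mentioned in the thread; their exact plugin semantics, such as whether readFile trims a trailing newline, are assumed here, and the parser reports unbalanced braces instead of silently resolving to the wrong value.

```python
import base64
# Constructed model of the JCasC "${...}" placeholder syntax (not the plugin's
# code). Helper names come from the thread; their exact semantics are assumed.
# Resolved values are never re-scanned, so a secret containing "${" is inert.

def load_properties(text):
    """Parse KEY=VALUE lines such as /run/secrets/secrets.properties."""
    pairs = (l.partition("=") for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def resolve(expr, env, read_text=None):
    """Expand placeholders innermost-first; raise on unbalanced braces."""
    read_text = read_text or (lambda p: open(p, encoding="utf-8").read())
    text, _ = _parse(expr, 0, env, read_text, top=True)
    return text

def _parse(s, i, env, read_text, top):
    parts = []
    while i < len(s):
        if s.startswith("${", i):
            inner, i = _parse(s, i + 2, env, read_text, top=False)
            parts.append(_lookup(inner, env, read_text))
            i += 1                          # consume the closing brace
        elif s[i] == "}" and not top:
            return "".join(parts), i        # caller consumes this brace
        else:
            parts.append(s[i])
            i += 1
    if not top:
        raise ValueError(f"unbalanced '${{' in {s!r}")
    return "".join(parts), i

def _lookup(body, env, read_text):
    helper, sep, arg = body.partition(":")
    if not sep:
        return env[body]                    # KeyError for an undefined name
    if helper == "decodeBase64":
        return base64.b64decode(arg, validate=True).decode()
    if helper in ("readFile", "readFileBase64"):
        data = read_text(arg)               # assumed: no trimming, so a trailing newline stays
        return data if helper == "readFile" else base64.b64encode(data.encode()).decode()
    raise ValueError(f"unknown helper {helper!r}")

def check(expr, env, read_text=None):
    """(True, value) when the expression resolves, else (False, reason)."""
    try:
        return True, resolve(expr, env, read_text)
    except (KeyError, ValueError) as exc:
        return False, str(exc)

# Constructed sample: the properties file posted in the thread.
ENV = load_properties("ADMIN_ID=admin\nADMIN_PASSWORD=test12345\n"
                      "ADMIN_PASSWORD_B64_ENCODED=dGVzdDEyMzQ1\n")
```

Run `check("${decodeBase64:${ADMIN_PASSWORD_B64_ENCODED}", ENV)` against the "will not" snippet to see that its closing brace is missing, and `resolve("${readFile:...}", ENV)` on the real secret file to see whether a trailing newline is being read into the password.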
Jenkins and plugins versions report
Environment
```text
Jenkins: 2.452.2
OS: Linux - 5.15.0-113-generic
```
What Operating System are you using (both controller, and any agents involved in the problem)?
Controller Operating System:
```dockerfile
LABEL version="1.0.0"
ENV JAVA_OPTS=-Djenkins.install.runSetupWizard=false
ENV TZ=Europe/Rome
ENV CASC_JENKINS_CONFIG=/jenkins/casc_configs/jcasc.yaml
ENV CASC_RELOAD_TOKEN={{token}}
COPY --chown=jenkins:jenkins ./config/jcasc.yaml /jenkins/casc_configs/jcasc.yaml
COPY --chown=jenkins:jenkins ./config/secrets /secrets
COPY --chown=jenkins:jenkins ./config/plugins.txt /usr/share/jenkins/ref/plugins.txt
RUN jenkins-plugin-cli -f /usr/share/jenkins/ref/plugins.txt
```
However, this is a temporary workaround and poses a significant security risk, so it needs to be changed as soon as possible.
YAML Configuration Example
Below is a simplified representation of the relevant part of the JCasC configuration file:
Docker compose file
Dockerfile
Docker:
Expected Results
Successfully load and authenticate user credentials using the password from /secrets/file-user-password.txt.
Actual Results
Attempts to log in using the password from /secrets/file-user-password.txt using various methods (base64, readFile, decodeBase64, readFileBase64) have failed. The file paths are correct, and the files themselves contain the expected values. Even after trimming the file and ensuring there are no extraneous spaces or additional lines, the password loading issue persists.
Anything else?
No response