Open samrocketman opened 3 years ago
Related to #170.
Better bootstrap of long running Jenkins instances is my line of thinking.
Not sure how feasible this is without support coming from JCasC
https://github.com/jenkinsci/configuration-as-code-plugin/issues/1141
All of the code and implementation would exist in this repository.
`hudson.util.Secret` is a core Jenkins API. You could edit the following code.

Here's an example implementation which will probably work as intended. Generally, I recommend `import hudson.util.Secret;` but for brevity I skip that in the following example to reference it directly.
```java
private Optional<String> getVariable(String key) {
    // Properties file first, then the environment as the fallback.
    Optional<String> value = Optional.ofNullable(prop.getProperty(key, System.getenv(key)));
    if (value.isPresent()) {
        // Secret.fromString() decrypts a valid "{...}" encrypted string and
        // wraps anything else unchanged, so plain-text values still pass through.
        value = Optional.ofNullable(hudson.util.Secret.fromString(value.get()).getPlainText());
    }
    return value;
}
```
The intent being you could set an environment variable like the following.
```bash
export CASC_VAULT_APPROLE='{ABC1234AAAAAQ1/JHKggxIlBcuVqegoa2AdyVaNvjWIFk430/vI4jEBM=}'
export CASC_VAULT_APPROLE_SECRET='{DEF5678AAAAAQ1/JHKggxIlBcuVqegoa2AdyVaNvjWIFk430/vI4jEBM=}'
```
This implementation would enable the `CASC_VAULT_FILE` vault properties file to also support encrypted secrets in its file so you're not storing secrets as plain text on disk.

This is especially important in backups. I store the Jenkins secret keys (`$JENKINS_HOME/secret*`) separately from the Jenkins backup so that Jenkins backup config is secured (encrypted at rest).
In a long-lived production configuration, an admin could run `hudson.util.Secret.fromString('plain text').getEncryptedValue()` in the script console to get the desired encrypted string. This would be typical for a migration from an existing Jenkins instance to using JCasC.
I would have a `$JENKINS_HOME/init.groovy.d/init-jcasc.groovy` initialization script which would do the following.

- `jenkins.yaml` jcasc file for dev/staging/prod blue/green.
- `$JENKINS_HOME/vault-secretsource.properties` file does not exist; create it pulling properties from AWS secrets manager.
- `$JENKINS_HOME/jenkins.yaml` file does not exist; copy it from S3. (use SHA256 hashing to verify it is up to date or update it).

What are your thoughts on my proposed solution? I could open a PR but I might need help with mocking/testing as that's an area where I'm weak. I could compile it and run it on a live Jenkins instance manually to verify it works.
For new instances it makes sense to have plain text environment variables.
However, a long-running modern production Jenkins instance might have autoscaling and a long-lived config through Jenkins config as code (JCasC).
## Feature Request

For AppRole auth and other JCASC environment variables, supporting encrypted `hudson.util.Secret` strings is desirable. This could be implemented in the `VaultSecretSource.getVariable()` method.
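An added example (not code from the issue or from the plugin) of how the proposed decrypting lookup could be unit-tested with the Jenkins test harness, covering the encrypted-file case, the plain-text pass-through that keeps existing setups working, and the missing-key case. The `resolve()` helper and the test class name are hypothetical, and it assumes `jenkins-test-harness` is already on the plugin's test classpath.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;

import hudson.util.Secret;
import java.util.Optional;
import java.util.Properties;
import java.util.function.Function;
import org.junit.Rule;
import org.junit.Test;
import org.jvnet.hudson.test.JenkinsRule;

public class EncryptedVariableTest {

    // JenkinsRule boots a throwaway Jenkins so hudson.util.Secret has a master key to work with.
    @Rule
    public JenkinsRule jenkins = new JenkinsRule();

    // Hypothetical helper mirroring the proposed getVariable(): properties file first, then the
    // environment (injected here so the test does not depend on real env vars), then
    // Secret.fromString(), which decrypts "{...}" values and passes plain values through unchanged.
    static Optional<String> resolve(Properties prop, String key, Function<String, String> env) {
        return Optional.ofNullable(prop.getProperty(key, env.apply(key)))
                .map(raw -> Secret.fromString(raw).getPlainText());
    }

    @Test
    public void encryptedPropertyIsDecrypted() {
        String roleId = "constructed-role-id";                    // constructed sample value
        String encrypted = Secret.fromString(roleId).getEncryptedValue();
        assertFalse("on-disk value must not contain the plain text", encrypted.contains(roleId));

        Properties prop = new Properties();
        prop.setProperty("CASC_VAULT_APPROLE", encrypted);         // what the vault properties file would hold
        assertEquals(roleId, resolve(prop, "CASC_VAULT_APPROLE", k -> null).get());
    }

    @Test
    public void plainValueStillPassesThrough() {
        Properties prop = new Properties();                        // no file entry at all
        // The environment supplies a plain-text value, as new instances do today.
        assertEquals("plain", resolve(prop, "CASC_VAULT_APPROLE", k -> "plain").get());
    }

    @Test
    public void missingValueStaysEmpty() {
        assertFalse(resolve(new Properties(), "CASC_VAULT_APPROLE", k -> null).isPresent());
    }
}
```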