samrocketman / jervis

Self service Jenkins job generation using Jenkins Job DSL plugin groovy scripts. Reads .jervis.yml and generates a job in Jenkins.
http://sam.gleske.net/jervis-api/
Apache License 2.0
267 stars 45 forks

Use Jenkins Credentials inside Jervis #122

Closed. byjg closed this 1 year ago.

byjg commented 6 years ago

The Jervis documentation mentions "secrets". I see examples here: https://github.com/samrocketman/jervis-secrets-test

But to use this solution I have to write the secret text in the .jervis.yml. Is there any way to get Jenkins credentials directly from inside Jervis?

I imagine something like this:

```yaml
jenkins:
  credentials:
      - MY_SECRET_TEXT: id_jenkins_secret_text
      - MY_SECRET_USER: id_jenkins_secret_user.USERNAME
      - MY_SECRET_PASSWORD: id_jenkins_secret_user.PASSWORD
```
samrocketman commented 6 years ago

I’ll consider it for core. However, you can add your own custom workflow library that has an adminSecretsMap var. It would be a key-value pair which gets hidden from the console output and injected as environment variables.

https://github.com/samrocketman/jervis/blob/264312a267460133d92adf21aff4dbbbc1564298/vars/buildViaJervis.groovy#L311

For now, no immediate plans.

This extension was added so admins can add any arbitrary secrets support they like via their own groovy code.

byjg commented 6 years ago

I had to install the "Global Variable String Parameter" and it worked. I can set up a variable and use it inside the .jervis.yml.

This plugin could be in the "jenkins-bootstrap-shared" project.

samrocketman commented 6 years ago

I'd rather limit plugins to only those essential to core logic at this time. I don't see myself using that plugin. I may expand the plugins to include metrics as well.

Building your own custom fork of the bootstrapper should be fairly easy. It is just a matter of you bootstrapping to the UI, installing the plugins, and then saving the installed plugins via the bootstrap scripts to generate a new dependencies.gradle.

byjg commented 6 years ago

Thanks! It helped a lot!

samrocketman commented 1 year ago

@byjg Adding some context with some of my lessons learned. I’ve moved away from Jenkins credentials for most secrets in favor of either an external credential store (such as HashiCorp Vault) or ephemeral credentials. For example, I am in the process of integrating with GitHub app auth.

Here are some of my reasons:

Using HashiCorp Vault for CI secrets, I organize them the following way (KV v2).

```
jenkins/<folder>
jenkins/<folder>/tag
jenkins/<folder>/<project>
jenkins/<folder>/<project>/tag
```

Meaning different contexts may get different secrets when ephemeral credentials are not available.
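As an added illustration of the layered Vault layout described in the comment above (example code, not from Jervis or the commenter): a small Groovy script that works out which KV v2 paths apply to a build and merges them so the most specific path wins, which is what lets a tag build see a publish credential that a branch build never receives. The path layout is the one in the comment; the sample secrets and the in-memory `store` standing in for Vault reads are constructed.

```groovy
// Added example: resolve secrets for the layout
//   jenkins/<folder>, jenkins/<folder>/tag,
//   jenkins/<folder>/<project>, jenkins/<folder>/<project>/tag
// Paths are ordered least-specific to most-specific so that a later
// document overrides keys from an earlier one.
List<String> secretPaths(String folder, String project, boolean isTag) {
    List<String> paths = ['jenkins/' + folder]
    if (isTag) { paths << 'jenkins/' + folder + '/tag' }
    paths << 'jenkins/' + folder + '/' + project
    if (isTag) { paths << 'jenkins/' + folder + '/' + project + '/tag' }
    return paths
}

// Merge the KV documents found at each applicable path; paths with no
// document are skipped. `store` is a constructed stand-in for a real
// Vault KV v2 read (e.g. via the Jenkins Vault plugin or the vault CLI).
Map<String, String> resolveSecrets(Map<String, Map<String, String>> store,
                                   String folder, String project, boolean isTag) {
    Map<String, String> merged = [:]
    secretPaths(folder, project, isTag).each { String path ->
        Map<String, String> doc = store[path]
        if (doc != null) { merged.putAll(doc) }
    }
    return merged
}

// Constructed sample store: an org folder whose builds normally get a
// read-only registry token, and whose tag builds get publish rights plus
// a project-specific signing key id.
Map<String, Map<String, String>> store = [
    'jenkins/myorg'               : [REGISTRY_USER: 'ci-reader', REGISTRY_TOKEN: 'read-only'],
    'jenkins/myorg/tag'           : [REGISTRY_USER: 'ci-publisher', REGISTRY_TOKEN: 'publish'],
    'jenkins/myorg/myproject'     : [SLACK_WEBHOOK: 'hook-for-myproject'],
    'jenkins/myorg/myproject/tag' : [SIGNING_KEY_ID: 'release-key'],
]

// A branch build of myproject never sees the publish token or signing key.
Map branchSecrets = resolveSecrets(store, 'myorg', 'myproject', false)
assert branchSecrets == [REGISTRY_USER: 'ci-reader', REGISTRY_TOKEN: 'read-only',
                         SLACK_WEBHOOK: 'hook-for-myproject']
assert !branchSecrets.containsKey('SIGNING_KEY_ID')

// A tag build of the same project gets the more specific documents layered on top.
Map tagSecrets = resolveSecrets(store, 'myorg', 'myproject', true)
assert tagSecrets.REGISTRY_USER == 'ci-publisher'
assert tagSecrets.REGISTRY_TOKEN == 'publish'
assert tagSecrets.SIGNING_KEY_ID == 'release-key'
```

The script is self-checking through its `assert` lines and can be run with a plain `groovy` interpreter; in a real shared library the returned map would be masked and injected as environment variables rather than printed.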