I need to change my Jenkins instanceId. Any scripts to decrypt secrets and re-encrypt using new master key?

Over the years of splitting large controllers into smaller ones, I now have 20+ controllers with the same controller key and Jenkins InstanceId. We did this so we didn't have to mess with encrypted secrets changing if it was a new controller.

This is causing issues with plugins that use the InstanceId like the azure-vm-agent plugin when it goes to count the number of AVMs that are running since it primarily uses the InstanceId.

Are there scripts to easily decrypt all of the secrets on the controller, then allow re-creation of a new controller key followed by re-encrypting the secrets?

Are secrets only stored in the credentials.xml file that need to be re-encrypted?

Thanks,

Jenkins setup: Controller running on Ubuntu 20.04 v2.462.1.

Technically it should not be too hard to write a Groovy script for the script console that will extract all credentials and write them to a file.
You would need special handling for each type of credential, e.g. for SSH keys you need to extract the key.

AFAIK what you can do is store all the secrets in the credentials.xml file unencrypted. Next time you load Jenkins I think Jenkins will automatically encrypt them, not sure if you need to explicitly save the credentials or not.

So the part that is not so nice is taking the credentials XML file and replacing the secrets in there with the unencrypted values.

Users might have personal credentials, and there are folder-scoped credentials, not sure where they are stored.

From here
maybe it is sufficient to delete the file identity.key.enc to get a new InstanceId.
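
On the question of whether credentials.xml is the only file holding encrypted values, the following is an added example (not part of the thread and not Jenkins project code) that inventories which XML files under a Jenkins home contain encrypted values, so the scope of a re-keying can be sized before anything is changed. It assumes secrets are serialized as brace-wrapped base64 element text, so older unbraced values are not matched; the function names and the sample directory layout are constructed for illustration.

```python
import os
import re
import sys
import tempfile

# Assumption: secrets appear as element text in braces, e.g. <password>{AQAA...}</password>.
SECRET_RE = re.compile(r">\s*\{[A-Za-z0-9+/]{20,}={0,2}\}\s*<")
SKIP_DIRS = {"workspace", "caches"}  # checked-out sources, not Jenkins configuration


def find_encrypted_values(jenkins_home):
    """Return {relative_path: count} per XML file; counts only, never decrypts or prints values."""
    hits = {}
    for root, dirs, files in os.walk(jenkins_home):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for name in files:
            if not name.endswith(".xml"):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    count = len(SECRET_RE.findall(fh.read()))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if count:
                hits[os.path.relpath(path, jenkins_home)] = count
    return hits


def build_sample_home(base):
    """Write a constructed sample layout containing fake, non-decryptable values."""
    fake = "{" + "QUJD" * 8 + "}"
    samples = {
        "credentials.xml": f"<password>{fake}</password><secret>{fake}</secret>",
        "jobs/team-a/config.xml": f"<privateKey>{fake}</privateKey>",
        "users/alice_123/config.xml": f"<password>{fake}</password>",
        "jobs/team-a/workspace/settings.xml": f"<token>{fake}</token>",
    }
    for rel, body in samples.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else build_sample_home(tempfile.mkdtemp())
    for rel, count in sorted(find_encrypted_values(home).items()):
        print(f"{count:4d}  {rel}")
```

Run it with the controller's home directory as the only argument; with no argument it scans the constructed sample layout.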