Jenkins casc utilize secret files to store credentials

user21113865 · March 1, 2023, 10:15pm

Hello,

I am trying to update my jenkins casc instance to pull credentials from an encrypted secrets file rather than from properties.yaml.

Currently I have a job in my jenkins casc instance which accesses credentials as follows:

freeStyleJob('myjob') {
    wrappers {
        credentialsBinding {
            usernamePassword('userVariableName', 'passwordVariableName', 'credential-id')
        }
    }

The credentials are provided in casc.yaml

credentials:
  system:
    domainCredentials:
    - credentials:
      - usernamepassword:
          scope: GLOBAL
          id: "credential-id"
          username: "user"
          password: "pass123"
          description: "default credentials."

However, instead of defining these credentials in casc.yaml, I want to define them in a secret file. I cannot find any documentation on whether it is possible to add a secret file via casc rather than by adding it through the jenkins web ui.

Furthermore, I am curious what the syntax of the secret file would be. Could I add the contents of casc.yaml to a secret file and access it from my job similar to how I am currently?

Thank you

halkeye · March 1, 2023, 10:26pm

github.com

jenkinsci/configuration-as-code-plugin/blob/c3457b3933e66a27f913985bfa05da10f7f64b5f/docs/features/secrets.adoc#additional-variable-substitution

= Handling Secrets
:toc:
:toc-placement: preamble
:toclevels: 3

Almost every Jenkins instance defines credentials and other sensitive information, and JCasC offers ways to manage credentials and other sensitive information in the YAML configuration files.
This page describes the available options.

There are 3 ways to securely pass credentials in JCasC:

* Using credential provider plugins
* Passing secrets through variables
* Passing secrets through encrypted strings

== Using credential provider plugins

link:https://plugins.jenkins.io/credentials[Credentials Plugin] is a standard way to manage credentials in Jenkins.
This plugin offers the link:https://jenkins.io/doc/developer/extensions/credentials/#credentialsprovider[CredentialsProvider extension point] which might be used to use credentials from external sources.
Examples of available plugins:

This file has been truncated. show original

user21113865 · March 2, 2023, 12:03am

So following this documentation I updated my casc.yaml to the following:

credentials:
  system:
    domainCredentials:
    - credentials:
      - usernamepassword:
          scope: GLOBAL
          id: "credential-id"
          username: "user"
          password: "${file:/secret/password}"
          description: "default credentials."

Additionally I added a file in the same directory as casc.yaml “secret/password” containing a single line of text.

However when I try to access these credentials there is no value for the password. Perhaps this is because /secret/password is an absolute path from /? Would casc.yaml look in the same directory as itself (i.e “${file:secret/password}”. Are the quotations required?

I wish the documentation showed a more complete example

halkeye · March 2, 2023, 12:16am

absolutely

that might work? or ./secret/password

sadly I don’t know, I’ve only used it with quotes and absolute paths.

In open source, wishes don’t really mean much. You can open a bug, but best bet is to help update the docs when you figure out something that isn’t recorded.

Topic		Replies	Views
Jenkins CaSC - Kubernetes Using Jenkins	2	48	October 7, 2024
Using Jenkins CasC to approve Script Signatures Using Jenkins question	4	631	February 27, 2024
Configure SSH private key from kubernetes secret in JCASC plugin? Using Jenkins	2	2930	October 4, 2021
Use kubernetes secrets as jenkins credentials without a respin Ask a question	2	608	April 12, 2024
Missing Credentials Menu Using Jenkins	6	3820	April 18, 2022

Jenkins casc utilize secret files to store credentials

Related topics