Jenkins casc utilize secret files to store credentials

Hello,

I am trying to update my jenkins casc instance to pull credentials from an encrypted secrets file rather than from properties.yaml.

Currently I have a job in my jenkins casc instance which accesses credentials as follows:

freeStyleJob('myjob') {
    wrappers {
        credentialsBinding {
            usernamePassword('userVariableName', 'passwordVariableName', 'credential-id')
        }
    }
}

The credentials are provided in casc.yaml:

credentials:
  system:
    domainCredentials:
    - credentials:
      - usernamepassword:
          scope: GLOBAL
          id: "credential-id"
          username: "user"
          password: "pass123"
          description: "default credentials."

However, instead of defining these credentials in casc.yaml, I want to define them in a secret file. I cannot find any documentation on whether it is possible to add a secret file via casc rather than by adding it through the jenkins web ui.

Furthermore, I am curious what the syntax of the secret file would be. Could I add the contents of casc.yaml to a secret file and access it from my job similar to how I am currently?

Thank you

So following this documentation I updated my casc.yaml to the following:

credentials:
  system:
    domainCredentials:
    - credentials:
      - usernamepassword:
          scope: GLOBAL
          id: "credential-id"
          username: "user"
          password: "${file:/secret/password}"
          description: "default credentials."

Additionally, I added a file, “secret/password”, in the same directory as casc.yaml, containing a single line of text.

However, when I try to access these credentials there is no value for the password. Perhaps this is because /secret/password is an absolute path from /? Would casc.yaml look in the same directory as itself (i.e. “${file:secret/password}”)? Are the quotations required?

I wish the documentation showed a more complete example.

Absolutely.

That might work? Or ./secret/password

Sadly, I don’t know; I’ve only used it with quotes and absolute paths.

In open source, wishes don’t really mean much. You can open a bug, but best bet is to help update the docs when you figure out something that isn’t recorded.
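
A pre-deployment check for the ${file:...} references discussed in this thread, added here as an example (it is not code from the posters or from the Configuration as Code plugin). It flags relative paths, since quoted absolute paths are the only form a reply confirms, along with missing, empty, newline-terminated or group/other-accessible secret files; the function name, the root staging prefix and the sample YAML are assumptions of the example.

```python
import os
import re

# ${file:PATH} as used in the thread's casc.yaml.
FILE_REF = re.compile(r"\$\{file:([^}]+)\}")

# Constructed sample input, modelled on the casc.yaml quoted in the thread.
SAMPLE = '''
credentials:
  system:
    domainCredentials:
    - credentials:
      - usernamepassword:
          id: "credential-id"
          username: "user"
          password: "${file:/secret/password}"
'''

def check_file_refs(yaml_text, root="/"):
    """Return a list of (path, problem) for each ${file:...} reference.

    root is a hypothetical staging prefix for this example: absolute paths
    are looked up beneath it, so the check can run outside the controller.
    """
    findings = []
    for ref in FILE_REF.findall(yaml_text):
        if not os.path.isabs(ref):
            findings.append((ref, "relative path"))
            continue
        real = os.path.join(root, ref.lstrip("/"))
        try:
            mode = os.stat(real).st_mode
            with open(real, "rb") as fh:
                data = fh.read()
        except OSError:  # also covers a directory in place of a file
            findings.append((ref, "missing or unreadable"))
            continue
        if not data.strip():
            findings.append((ref, "empty"))
        elif data.endswith(b"\n"):
            # Assumption: a trailing newline may be read as part of the value.
            findings.append((ref, "trailing newline"))
        if mode & 0o077:
            findings.append((ref, "accessible to group/other"))
    return findings

if __name__ == "__main__":
    for path, problem in check_file_refs(SAMPLE):
        print(f"{path}: {problem}")
```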