Hi!
Is it possible to limit the usage of a credential to a specific slave?
With this restriction, I could fully empower developers to create their own Pipelines (Jenkinsfile) while preventing passwords from being leaked to the wrong slaves/environments.
Just for further context, in my scenario and at infrastructure level, only specific slaves are allowed to deploy to specific environments. E.g.: dev_slave -> deploy to DEV; tst_slave -> deploy to TST and so on.
Cheers,
Jhonny Oliveira
--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/2540cf8f-0413-4ec1-ae4a-136f2eeaf894%40googlegroups.com.
What do you mean by agents?
--
The idea is to have a self-contained application (as in source repo), where you have everything you need to maintain its SDLC: source, build, tests (unit, regression, ...), continuous integration/automation (Jenkinsfile).
The Jenkinsfile should be part of the source code and cover the entire process (end to end). Breaking it into pieces kind of defeats our main purpose of having everyone working together in the same source (developers, testers, operations, ...).
Is there any chance such feature could be included in future releases? To whom can I address this question?
--
Dear Mark,
I agree with you, I'm relying on long-lived agents. I read your answer, but I'm not understanding your suggestion to use folders, I do not comprehend how they can help. I mean, with folders I can avoid cross application credential usage and that is great, but I can't prevent cross environment credential leakage within the same application.
Please have a look at the code snippet below. As you will be able to see, with this implementation nothing prevents anyone with access to the source code from flipping the IDs around and getting the credentials in the wrong environment (mistake or malicious action). Furthermore, and to give a little extra context, the Pipeline is completely autonomous and will be triggered automatically on (almost) every pull request. It is also smart enough to detect a release and proceed towards production (with some approvals - of course - to adhere to release management).
In such a scenario, and considering that the agents only have access to their own environment, the only way to prevent a credential from being used or exposed in the wrong one would be to deliberately restrict it to that specific agent.
Maybe I'm taking this idea of automation and complete SDLC from source too far! :-)
I appreciate your answers, thank you!
J. Oliveira
// IDs of the WebLogic credentials stored in Jenkins, one per environment
def WLS_CRED_DEV='111aaa11-a3a1-4aab-9a20-a11666666a80'
def WLS_CRED_TST='222aaa11-a3a1-4aab-9a20-a11666666a80'
(…)
stage ('Deploy to DEV') {
    agent { label "${agent_dev}" }
    steps {
        script {
            // Binds the DEV credential to WL_USER / WL_PASS for the duration of this block.
            // The double-quoted sh string is interpolated by Groovy, so the secret values
            // become part of the command line that is handed to the shell.
            withCredentials([usernamePassword(credentialsId: "$WLS_CRED_DEV", usernameVariable: 'WL_USER', passwordVariable: 'WL_PASS')]) {
                sh "mvn -U weblogic:redeploy -DskipTests=true -Dfailonerror=true -Duser='${WL_USER}' -Dpassword='${WL_PASS}' -Dname=${ARTIFACTID} -Dupload=true -Dsource=target/${ARTIFACTID}-${VERSION}.war -Dtargets=${ARTIFACTID} -Dadminurl='${URL_DEV}'"
            }
        }
    }
}
stage ('Deploy to TST') {
    agent { label "${agent_tst}" }
    steps {
        script {
            // Same binding for TST; only the credentialsId and the admin URL differ.
            withCredentials([usernamePassword(credentialsId: "$WLS_CRED_TST", usernameVariable: 'WL_USER', passwordVariable: 'WL_PASS')]) {
                sh "mvn -U weblogic:redeploy -DskipTests=true -Dfailonerror=true -Duser='${WL_USER}' -Dpassword='${WL_PASS}' -Dname=${ARTIFACTID} -Dupload=true -Dsource=target/${ARTIFACTID}-${VERSION}.war -Dtargets=${ARTIFACTID} -Dadminurl='${URL_TST}'"
            }
        }
    }
}
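An added example, not part of the original post and not Jenkins functionality: a review-time lint that flags any stage binding a credential ID on an agent other than the one a policy allows, which is the swap described above. The POLICY mapping and the lint function are hypothetical; the IDs and label variable names are the sample values from the snippet.

```python
import re

# Hypothetical policy (an assumption): credential ID -> agent label variable allowed
# to bind it. IDs and variable names are the sample values from the post's snippet.
POLICY = {
    "111aaa11-a3a1-4aab-9a20-a11666666a80": "agent_dev",
    "222aaa11-a3a1-4aab-9a20-a11666666a80": "agent_tst",
}
DEF_RE = re.compile(r"""def\s+(\w+)\s*=\s*['"]([^'"]*)['"]""")
STAGE_RE = re.compile(r"""stage\s*\(\s*['"]([^'"]+)['"]\s*\)""")
LABEL_RE = re.compile(r"""agent\s*\{\s*label\s+["']\$\{?(\w+)\}?["']""")
CRED_RE = re.compile(r"""credentialsId:\s*["']([^"']+)["']""")


def lint(jenkinsfile, policy=POLICY):
    """Return (stage, problem) for each credential bound outside its permitted agent."""
    consts = {name: value.strip() for name, value in DEF_RE.findall(jenkinsfile)}
    parts = STAGE_RE.split(jenkinsfile)  # [preamble, name1, body1, name2, body2, ...]
    findings = []
    for name, body in zip(parts[1::2], parts[2::2]):
        match = LABEL_RE.search(body)
        label_var = match.group(1) if match else None
        for raw in CRED_RE.findall(body):
            ref = re.fullmatch(r"\$\{?(\w+)\}?", raw)  # "$VAR" or "${VAR}"
            cred_id = consts.get(ref.group(1)) if ref else raw
            if cred_id is None:  # fail closed on IDs that cannot be resolved statically
                findings.append((name, f"cannot resolve credentialsId {raw!r}"))
            elif cred_id not in policy:
                findings.append((name, f"{cred_id} is not covered by the policy"))
            elif policy[cred_id] != label_var:
                findings.append((name, f"{cred_id} is bound on {label_var}, "
                                       f"policy allows only {policy[cred_id]}"))
    return findings

# Constructed sample: the post's two stages with the credential IDs flipped.
SWAPPED = '''
def WLS_CRED_DEV='111aaa11-a3a1-4aab-9a20-a11666666a80'
def WLS_CRED_TST='222aaa11-a3a1-4aab-9a20-a11666666a80'
stage ('Deploy to DEV') {
  agent { label "${agent_dev}" }
  steps { script { withCredentials([usernamePassword(credentialsId: "$WLS_CRED_TST",
      usernameVariable: 'WL_USER', passwordVariable: 'WL_PASS')]) { sh 'true' } } }
}
stage ('Deploy to TST') {
  agent { label "${agent_tst}" }
  steps { script { withCredentials([usernamePassword(credentialsId: "$WLS_CRED_DEV",
      usernameVariable: 'WL_USER', passwordVariable: 'WL_PASS')]) { sh 'true' } } }
}
'''
```

Such a check only helps when it runs somewhere the author of the Jenkinsfile cannot edit it, for example as a required pre-merge check; it does not restrict the credential on the Jenkins side.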
--
I understand your suggestion, however in such a case you would have to create multiple jobs, whereas, as it is right now, I only need one. No parameters, no additional settings, just the minimal configuration to pick up the changes, build, test and deploy. I even get all the statistics together for free.
Nevertheless, I will try to come up with an alternative solution. I believe your input may be valuable there.
Thank you very much,
J Oliveira