Configuration as code and preservation of credentials


damien.c...@collibra.com

Sep 25, 2018, 3:04:31 PM
to Jenkins Users
Hi,

We're using Jenkins 2.121.3 and CasC 1.0. One thing we define as code is a list of credentials (some SSH keys, some user/passwords, etc.) common to all our instances, but we also let the administrators of a Jenkins instance define their own credential entries.

However, when the Jenkins instance is restarted, only the credential entries defined by the CasC files are kept, and all the ones which were added manually are lost.

Is there a way to prevent this?

Thanks,
Damien Coraboeuf

Ullrich Hafner

Sep 25, 2018, 3:46:49 PM
to Jenkins Users
This is one of the drawbacks of JCasC of the current version.
You can’t change anything in the UI anymore if you enable JCasC. Everything will be lost after restart.
It would make sense to have a way to use both JCasC and the manual UI configuration together somehow. 

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/2ab722d3-c851-4764-89a3-733d6cbb5391%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


damien.c...@collibra.com

Sep 25, 2018, 4:03:00 PM
to Jenkins Users
I've created the PR at https://github.com/jenkinsci/configuration-as-code-plugin/pull/556 to show a unit test reproducing the issue.

damien.c...@collibra.com

Sep 25, 2018, 4:07:04 PM
to Jenkins Users
But many things are otherwise preserved. I feel the implementation of the credentials configuration is doing a none vs. all approach, not taking into account existing entries:

In SystemCredentialsProviderConfigurator:

target.setDomainCredentialsMap(DomainCredentials.asMap(value))

Maybe this code could be replaced to preserve existing entries.
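
The difference between the replace-all behaviour described in this thread and a merge that preserves existing entries, as an added example that is not part of the original posts and is not the plugin's code. It models the credentials store as plain Java maps (domain name to credential id to description); the class, the method names and the sample entries are constructed for illustration.

```java
import java.util.*;

// Simplified model, not Jenkins or plugin code: domain -> (credential id -> description).
public class CredentialStoreMergeDemo {
    // Replace-all, the behaviour reported in the thread: the store becomes exactly what YAML declares.
    static Map<String, Map<String, String>> replaceAll(Map<String, Map<String, String>> declared) {
        return copy(declared);
    }

    // Merge: keep existing entries; a declared entry wins when the same id exists in a domain.
    static Map<String, Map<String, String>> merge(Map<String, Map<String, String>> existing,
                                                  Map<String, Map<String, String>> declared) {
        Map<String, Map<String, String>> result = copy(existing);
        declared.forEach((domain, creds) ->
                result.computeIfAbsent(domain, d -> new LinkedHashMap<>()).putAll(creds));
        return result;
    }

    // Entries in the store that no YAML file declares: these cannot be rebuilt from code.
    static List<String> undeclared(Map<String, Map<String, String>> store,
                                   Map<String, Map<String, String>> declared) {
        List<String> out = new ArrayList<>();
        store.forEach((domain, creds) -> {
            Map<String, String> known = declared.getOrDefault(domain, Collections.emptyMap());
            for (String id : creds.keySet())
                if (!known.containsKey(id)) out.add(domain + "/" + id);
        });
        return out;
    }

    static Map<String, Map<String, String>> copy(Map<String, Map<String, String>> src) {
        Map<String, Map<String, String>> dst = new LinkedHashMap<>();
        src.forEach((domain, creds) -> dst.put(domain, new LinkedHashMap<>(creds)));
        return dst;
    }
    public static void main(String[] args) {
        // Constructed sample data: one entry from YAML, one added by hand in the UI.
        Map<String, Map<String, String>> existing = new LinkedHashMap<>();
        existing.put("global", new LinkedHashMap<>());
        existing.get("global").put("deploy-ssh-key", "from YAML (old)");
        existing.get("global").put("team-a-token", "added in the UI");
        Map<String, Map<String, String>> declared = new LinkedHashMap<>();
        declared.put("global", new LinkedHashMap<>());
        declared.get("global").put("deploy-ssh-key", "from YAML (new)");
        System.out.println("replace: " + replaceAll(declared));
        Map<String, Map<String, String>> merged = merge(existing, declared);
        System.out.println("merge:   " + merged);
        System.out.println("undeclared after merge: " + undeclared(merged, declared));
    }
}
```

The list returned by `undeclared` is what a replace-all reload discards and what a rebuild from the YAML files alone cannot recreate.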

nicolas de loof

Sep 25, 2018, 4:28:14 PM
to jenkins...@googlegroups.com
A feature we'd like to investigate for JCasC is to make the web UI read-only once configured from yaml.
The specific sample of credentials could be adapted to support "preserve existing entries" but we have no way to support this in a generic way.
Also, JCasC is designed to support re-creating an equivalent jenkins master from scratch, so from this point of view this would make no sense.



--
Nicolas De Loof

Damien Coraboeuf

Sep 25, 2018, 4:38:10 PM
to jenkins...@googlegroups.com
Hi Nicolas,

Thanks for your feedback.

In our case, we're using CasC to maintain and push known and tested versions of a Jenkins master into a production environment, but we wanted to still accept some degree of freedom, esp. when it comes to credential management.

An alternative is to use an external mgt system like Vault (I think it's possible to use Vault as a backend for Jenkins credentials but this remains to be tested).

Or I could drop the CasC file for the credentials, and do it using Groovy init.d files, as I did in the (bad) old times :)

Best regards,
Damien Coraboeuf

Ullrich Hafner

Sep 25, 2018, 5:37:15 PM
to Jenkins Users

On 25.09.2018 at 22:27, nicolas de loof <nicolas...@gmail.com> wrote:

> A feature we'd like to investigate for JCasC is to make the web UI read-only once configured from yaml
> The specific sample of credentials could be adapted to support "preserve existing entries" but we have no way to support this in a generic way
> Also, JCasC is designed to support re-creating an equivalent jenkins master from scratch, so from this point of view this would make no sense.


Shouldn’t it be possible to use the same configuration to create multiple master instances that handle different jobs with different views? This seems to be not possible now.


James Nord

Sep 26, 2018, 8:44:10 AM
to Jenkins Users


On Tuesday, September 25, 2018 at 9:38:10 PM UTC+1, Damien Coraboeuf wrote:
> Hi Nicolas,
>
> Thanks for your feedback.
>
> In our case, we're using CasC to maintain and push known and tested versions of a Jenkins master into a production environment, but we wanted to still accept some degree of freedom, esp. when it comes to credential management.
>
> An alternative is to use an external mgt system like Vault (I think it's possible to use Vault as a backend for Jenkins credentials but this remains to be tested).


If you are running on (or can configure Jenkins to access) a k8s cluster, you can store the credentials as k8s secrets.