Master Node <> Worker Node: SSH relationship

[Thor Waway]

Hello, 

I am having a hard time understanding the relationship between master and worker nodes - specifically, how things work with git. 

The way I understand things at the moment, Master Node is able to pass-on/share ssh keys and passphrases with worker nodes via Credential Plugin. This is why worker nodes are able to run git clone and git init in the repos sent to them from the Master Node. Is this correct? 

If so, I would like to understand why this: 

      steps{
        sh('git remote -v')
        sshagent(credentials: ['some-cred']) {
          sh('git tag -a $BRANCH_NAME.$BUILD_NUMBER -m "git sha is $GIT_COMMIT"')
          sh('git push origin HEAD:development --tags')
        }
      }

 produces the errors below: 

[K-Front_feature-jenkinsfile-KHCSHNIRHLZUOTSCIQPWI7] Running shell script
+ git remote -v
origin https://github.com/OrgName/SampleRepo.git (fetch)
origin https://github.com/OrgName/SampleRepo.git (push)
[Pipeline] sshagent
FATAL: [ssh-agent] Could not find specified credentials
[ssh-agent] Looking for ssh-agent implementation...
[ssh-agent] Exec ssh-agent (binary ssh-agent on a remote machine)
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-5mWVQddQ47JG/agent.4864
SSH_AGENT_PID=4866
[ssh-agent] Started.
[Pipeline] {
[Pipeline] sh
[K-Front_feature-jenkinsfile-KHCSHNIRHLZUOTSCIQPWI7] Running shell script
+ git tag -a feature-jenkinsfile.19 -m git sha is a12ea59545db96fc8681dbdd5d44923108c01b40
[Pipeline] sh
$ ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 4866 killed;
[ssh-agent] Stopped.
[K-Front_feature-jenkinsfile-KHCSHNIRHLZUOTSCIQPWI7] Running shell script
+ git push origin +refs/heads/feature-jenkinsfile --tags
error: src refspec refs/heads/feature-jenkinsfile does not match any.
error: failed to push some refs to 'https://github.com/OrgName/SampleRepo.git'

Is this because I am using ssh as opposed to https? I am not sure. 

When I attempt to switch to https protocol by making use of withCredentials() function: 

steps{
  sh('git remote -v')
  withCredentials([string(credentialsId:'github-org-credential')]) {
    sh('git tag -a $BRANCH_NAME.$BUILD_NUMBER -m "git sha is $GIT_COMMIT"')
    sh('git push origin HEAD:development --tags')
  }
}

I get this error: 

org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: Credentials 'github-org-credential' is of type 'Username with password' where 'org.jenkinsci.plugins.plaincredentials.StringCredentials' was expected at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:164) at org.jenkinsci.plugins.credentialsbinding.impl.StringBinding.bindSingle(StringBinding.java:62) at org.jenkinsci.plugins.credentialsbinding.Binding.bind(Binding.java:150) at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:114) at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:224) at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:150) at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:108) at sun.reflect.GeneratedMethodAccessor440.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022) at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:155) at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:133)

I am confused. I don't understand where/how git authentication happens.  Also when do we use sshagent vs credential plugins? 

Appreciate any feedback/insight. Thank you

[Mark Waite]

On Sunday, October 8, 2017 at 12:38:31 PM UTC-6, Thor Waway wrote:

Hello, 

I am having a hard time understanding the relationship between master and worker nodes - specifically, how things work with git. 

The way I understand things at the moment, Master Node is able to pass-on/share ssh keys and passphrases with worker nodes via Credential Plugin. This is why worker nodes are able to run git clone and git init in the repos sent to them from the Master Node. Is this correct? 

Yes, that is correct.

Yes, the ssh agent will only authenticate access which uses ssh protocol.  You're using https protocol in that URL.  The ssh credentials won't be used.

You could switch to clone with ssh protocol, or you could define a "push URL" for that remote using ssh protocol.  Clone and fetch would then continue to use https, while push would use ssh.

The git plugin does not (yet) directly support the concept of a push URL, but command line git does.  Refer to https://git-scm.com/docs/git-push for the "pushurl" description.

 

When I attempt to switch to https protocol by making use of withCredentials() function: 

steps{
  sh('git remote -v')
  withCredentials([string(credentialsId:'github-org-credential')]) {
    sh('git tag -a $BRANCH_NAME.$BUILD_NUMBER -m "git sha is $GIT_COMMIT"')
    sh('git push origin HEAD:development --tags')
  }
}

I get this error: 

org.jenkinsci.plugins.credentialsbinding.impl.CredentialNotFoundException: Credentials 'github-org-credential' is of type 'Username with password' where 'org.jenkinsci.plugins.plaincredentials.StringCredentials' was expected at org.jenkinsci.plugins.credentialsbinding.MultiBinding.getCredentials(MultiBinding.java:164) at org.jenkinsci.plugins.credentialsbinding.impl.StringBinding.bindSingle(StringBinding.java:62) at org.jenkinsci.plugins.credentialsbinding.Binding.bind(Binding.java:150) at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution.start(BindingStep.java:114) at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:224) at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:150) at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:108) at sun.reflect.GeneratedMethodAccessor440.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022) at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113) at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:155) at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23) at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:133)

I am confused. I don't understand where/how git authentication happens.  Also when do we use sshagent vs credential plugins? 

I think that is failing because your call to withCredentials is using the wrong syntax.  Refer to https://www.cloudbees.com/blog/workflow-integration-credentials-binding-plugin for an example.

Mark Waite

[Thor Waway]

Hi Mark!  Thanks for the feedback. 

Got things to work by keeping https protocol and correcting the syntax for withCredentials like this: 

            withCredentials([usernamePassword(credentialsId: 'username-with-password',
              passwordVariable: 'GIT_PASS', usernameVariable: 'GIT_USER')]) {

                sh('git tag -a $BRANCH_NAME.$BUILD_NUMBER -m "git sha is $GIT_COMMIT"')

                sh('git push https://$GIT_USER:$GIT_...@github.com/OrgName/SampleRepo.git' --tags')
            }

For others: 

Using the Snippet Generator was key for me given that there are a couple of different syntaxes floating on the web for withCredentials() function.