Configuration as code and preservation of credentials

Configuration as code and preservation of credentials

damien.coraboeuf
Hi,

We're using Jenkins 2.121.3 and CasC 1.0. One thing we define as code is a list of credentials (some SSH keys, some user/passwords, etc.) common to all our instances, but we also let the administrators of a Jenkins instance define their own credential entries.

However, when the Jenkins instance is restarted, only the credential entries defined by the CasC files are kept, and all the ones which were added manually are lost.

Is there a way to prevent this?

Thanks,
Damien Coraboeuf

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/2ab722d3-c851-4764-89a3-733d6cbb5391%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Configuration as code and preservation of credentials

Ulli Hafner
This is one of the drawbacks of JCasC of the current version.
You can’t change anything in the UI anymore if you enable JCasC. Everything will be lost after restart.
It would make sense to have a way to use both JCasC and the manual UI configuration together somehow. 


Re: Configuration as code and preservation of credentials

damien.coraboeuf
In reply to this post by damien.coraboeuf
I've created the PR at https://github.com/jenkinsci/configuration-as-code-plugin/pull/556 to show a unit test reproducing the issue.


Re: Configuration as code and preservation of credentials

damien.coraboeuf
But many things are otherwise preserved. I feel the implementation of the credentials configuration is doing a none vs. all approach, not taking into account existing entries:

In SystemCredentialsProviderConfigurator:

target.setDomainCredentialsMap(DomainCredentials.asMap(value))

Maybe this code could be replaced to preserve existing entries.



Re: Configuration as code and preservation of credentials

nicolas de loof-2
A feature we'd like to investigate for JCasC is to make the web UI read-only once configured from YAML.
The specific sample of credentials could be adapted to support "preserve existing entries", but we have no way to support this in a generic way.
Also, JCasC is designed to support re-creating an equivalent Jenkins master from scratch, so from this point of view this would make no sense.


--
Nicolas De Loof


Re: Configuration as code and preservation of credentials

Ulli Hafner


On 25.09.2018 at 22:27, nicolas de loof <[hidden email]> wrote:

A feature we'd like to investigate for JCasC is to make the web UI read-only once configured from YAML.
The specific sample of credentials could be adapted to support "preserve existing entries", but we have no way to support this in a generic way.
Also, JCasC is designed to support re-creating an equivalent Jenkins master from scratch, so from this point of view this would make no sense.


Shouldn’t it be possible to use the same configuration to create multiple master instances that handle different jobs with different views? This seems to be not possible now.


Re: Configuration as code and preservation of credentials

damien.coraboeuf
In reply to this post by nicolas de loof-2
Hi Nicolas,

Thanks for your feedback.

In our case, we're using CasC to maintain and push known and tested versions of a Jenkins master into a production environment, but we wanted to still accept some degree of freedom, esp. when it comes to credential management.

An alternative is to use an external mgt system like Vault (I think it's possible to use Vault as a backend for Jenkins credentials but this remains to be tested).

Or I could drop the CasC file for the credentials, and do it using Groovy init.d files, as I did in the (bad) old times :)

Best regards,
Damien Coraboeuf


Re: Configuration as code and preservation of credentials

James Nord-3


On Tuesday, September 25, 2018 at 9:38:10 PM UTC+1, Damien Coraboeuf wrote:
Hi Nicolas,

Thanks for your feedback.

In our case, we're using CasC to maintain and push known and tested versions of a Jenkins master into a production environment, but we wanted to still accept some degree of freedom, esp. when it comes to credential management.

An alternative is to use an external mgt system like Vault (I think it's possible to use Vault as a backend for Jenkins credentials but this remains to be tested).


If you are running on (or can configure Jenkins to access) a k8s cluster, you can store the credentials as k8s secrets.
https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/

 
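
The replace-versus-merge behaviour discussed in this thread, as an added example that is not part of any post and is not the plugin's code: it models the domain-to-credentials map with plain Java collections, and `Cred`, `replaceAll`, `merge` and `managedIds` are hypothetical names. It also shows why a merge has to remember which IDs the YAML owned on the previous load, since otherwise an entry deleted from the YAML would survive every reload.

```java
import java.util.*;

/** Added illustration: plain Java types stand in for the plugin's domain -> credentials map. */
public class CredentialMergeDemo {

    /** Hypothetical stand-in for a stored credential; only the ID matters for merging. */
    record Cred(String id, String description) {}

    /** Replace-all, the behaviour reported in the thread: whatever is not in the YAML is gone. */
    static Map<String, List<Cred>> replaceAll(Map<String, List<Cred>> fromYaml) {
        return new LinkedHashMap<>(fromYaml);
    }

    /**
     * Merge that keeps manually added entries. managedIds holds the IDs the YAML
     * supplied on the previous load, so an entry dropped from the YAML is removed
     * instead of being mistaken for a manual one.
     */
    static Map<String, List<Cred>> merge(Map<String, List<Cred>> existing,
                                         Map<String, List<Cred>> fromYaml,
                                         Set<String> managedIds) {
        Map<String, List<Cred>> result = new LinkedHashMap<>();
        Set<String> domains = new LinkedHashSet<>(existing.keySet());
        domains.addAll(fromYaml.keySet());
        for (String domain : domains) {
            Map<String, Cred> byId = new LinkedHashMap<>();
            for (Cred c : existing.getOrDefault(domain, List.of())) {
                if (!managedIds.contains(c.id())) {
                    byId.put(c.id(), c);          // manual entry: keep
                }
            }
            for (Cred c : fromYaml.getOrDefault(domain, List.of())) {
                byId.put(c.id(), c);              // YAML wins on an ID collision
            }
            if (!byId.isEmpty()) {
                result.put(domain, new ArrayList<>(byId.values()));
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample state: two entries came from YAML earlier, one was added in the UI.
        Map<String, List<Cred>> existing = Map.of("global", List.of(
                new Cred("deploy-ssh", "from YAML"),
                new Cred("old-token", "from YAML, since deleted from the file"),
                new Cred("team-a-registry", "added manually by an instance admin")));
        // Constructed sample YAML content for the current load.
        Map<String, List<Cred>> fromYaml = Map.of("global", List.of(
                new Cred("deploy-ssh", "from YAML, rotated key")));
        Set<String> managedIds = Set.of("deploy-ssh", "old-token");

        System.out.println("replace: " + replaceAll(fromYaml));
        System.out.println("merge:   " + merge(existing, fromYaml, managedIds));
    }
}
```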