Credential Management on Jenkins

Key management on Jenkins

Keys and credentials used with Jenkins

  1. SSH Private Keys
  2. Git Credentials
  3. Git Access Tokens
  4. Snyk Authentication Token
  5. MySQL Credentials
  6. CQL Credentials
  7. Mail Sender Credentials

1. SSH Private keys management

Generating SSH keys for a specific server

Use ssh-keygen to generate a public-private key pair

ssh-keygen

Keys location on Jenkins server

Key store location should be:

<jenkins_home>/.ssh/<key_name>

Typical Jenkins home directories on our servers:

  1. /data/jenkinsdata/
  2. /var/lib/jenkins/

Create the .ssh directory in the Jenkins home and give ownership to the jenkins user (needed if the commands are run by a user other than jenkins)

mkdir -p <jenkins_home_dir>/.ssh
chown -R jenkins:jenkins <jenkins_home_dir>/.ssh

Convention to be followed for naming private and public keys:

If the key is meant to be used with the Jenkins server, whether for an agent or in a pipeline script, name it jenkins_<project_name>_<type>

project name: If it’s a server of Rupid, the project name will be rupid. If it’s Panchayatseva, it should be ps.

type: prod for a production server, demo for a demo server, dev for a staging server.

For Example,

For a private key of rupid’s demo server the file name should be: jenkins_rupid_demo

For a public key specification of the same server, jenkins_rupid_demo.pub

No need to set up a passphrase

Sample Output

[Screenshot: ssh-keygen output]
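A check for the key layout described above, as an added example that is not part of the original procedure: it verifies that each private key in <jenkins_home>/.ssh follows the jenkins_<project_name>_<type> naming, has a matching .pub file, is owned by jenkins and is closed to group and other, which matters because the keys carry no passphrase. The function names, the finding labels and the rule that project names are lowercase letters and digits are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit <jenkins_home>/.ssh against this page's conventions.
# Prints one finding per line; returns 0 when clean, 1 otherwise.

# jenkins_<project_name>_<type>, type one of prod|demo|dev.
# Assumption: project names are lowercase letters and digits (rupid, ps).
valid_key_name() {
    case "$1" in
        jenkins_*_prod|jenkins_*_demo|jenkins_*_dev) ;;
        *) return 1 ;;
    esac
    project=${1#jenkins_}
    project=${project%_*}
    case "$project" in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
}

# True when no group/other permission bits are set (chars 5-10 of the mode).
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

owned_by() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]
}

# audit_jenkins_keys <ssh_dir> [owner]   (owner defaults to jenkins)
audit_jenkins_keys() {
    dir=$1; owner=${2:-jenkins}; bad=0
    owner_only "$dir" || { echo "PERM $dir: open to group/other"; bad=1; }
    owned_by "$dir" "$owner" || { echo "OWNER $dir: not owned by $owner"; bad=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$name" in
            *.pub|known_hosts|authorized_keys|config) continue ;;
        esac
        valid_key_name "$name" || { echo "NAME $name: want jenkins_<project_name>_<type>"; bad=1; }
        owner_only "$f" || { echo "PERM $name: key readable by group/other"; bad=1; }
        owned_by "$f" "$owner" || { echo "OWNER $name: not owned by $owner"; bad=1; }
        [ -f "$f.pub" ] || { echo "PUB $name: missing $name.pub"; bad=1; }
    done
    return "$bad"
}

# Run as: sh audit.sh /var/lib/jenkins/.ssh
if [ "$#" -ge 1 ]; then audit_jenkins_keys "$@"; fi
```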

To configure an SSH private key as a credential managed by Jenkins:

Go to Manage Jenkins -> Configure Credentials -> select global credentials domain -> select add Credentials

[Screenshot: jenkins private key add page]

Using a private key configured using the Jenkins credentials manager

Using generated keys from a Jenkins pipeline script:

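def remote = [:]
remote.name = 'rupid-demo'
remote.host = '<remote-server IP address or hostname>'
remote.user = 'root'
// Private key generated above, named per the convention
remote.identityFile = '/data/jenkinsdata/.ssh/jenkins_rupid_demo'
remote.port = 22
// true accepts any host key: the remote's key is not checked against known hosts
remote.allowAnyHosts = true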

2. Git Credentials management

Add the username and password on the Jenkins Dashboard

Go to Manage Jenkins -> Configure Credentials -> select global credentials domain -> select add Credentials -> under type select Username and Password and update the fields with the given credentials

[Screenshot: jenkins git credentials add page]

Using configured Git credentials in Jenkins

[Screenshot: usage of git credentials in jenkins]

Usage of configured credentials in pipeline script

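// ID of the Username and Password credential added above
def GIT_CREDENTIALS = "rupid-permanent-credentials"

pipeline {
    agent any
    stages {
        stage('Sourcecode Checkout') {
            steps {
                // Jenkins looks the credential up by ID; no secret appears in the script
                git credentialsId: GIT_CREDENTIALS,
                    url: 'https://github.com/corporate-rupid/rupid-webapp.git',
                    branch: 'main'
            }
        }
    }
}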

3. Git Access Tokens

Go to Manage Jenkins -> Configure Credentials -> select global credentials domain -> select add Credentials -> under type select Secret text, update the fields with the given credentials, and set a relevant ID, which is used later in the pipeline script

[Screenshot: Configure Access token for git]

Using configured credentials from a pipeline script to clone repositories

environment {
    GIT_WEBAPP_GHP_KEY = credentials('git-webapp-ghp-key')
}
stage("Source code checkout") {
    steps {
        // Single quotes: the shell expands the token, so Groovy never
        // interpolates the secret into the command string.
        // The token is also saved in the clone's .git/config as part of the remote URL.
        sh 'git clone https://devops-rupid:$GIT_WEBAPP_GHP_KEY@github.com/corporate-rupid/rupid-webapp.git'
    }
}

4. Snyk Authentication Token

Go to Manage Jenkins -> Configure Credentials -> select global credentials domain -> select add Credentials -> under type select Secret text, update the fields with the given credentials, and set a relevant ID, which is used later in the pipeline script

[Screenshot: Configure snyk access token in jenkins credentials manager]

Using the configured Snyk authentication token in a pipeline

environment {
    SNYK_AUTH_TOKEN_DEMO = credentials('snyk-auth-token-rupid-demo')
}
stage("Snyk test") {
    steps {
        // Single quotes keep the token out of Groovy string interpolation
        sh 'cd ${SOURCE_CODE_DIR} && snyk auth $SNYK_AUTH_TOKEN_DEMO'
    }
}

5. Using MySQL Credentials

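Configure MySQL credentials the same way as Git credentials and use them as below. The _USR and _PSW variables are what Jenkins defines when a username and password credential is bound in the environment block as MYSQL_CREDENTIALS.

/usr/bin/mysql -u$MYSQL_CREDENTIALS_USR -p$MYSQL_CREDENTIALS_PSW rpddb_demo < /tmp/demo-resources-conf/resources/db/update/rpd_update.sql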

6. Using CQL Credentials

Use the same process as MySQL Credentials configuration

7. Mail sender credentials

Same as MySQL and other credentials with username and password