puppet-jenkins
Jenkins::credentials does not allow private key to be added
I am trying to add a deploy key to my Jenkins cluster, just as the example specifies. The code I am using is as such:
jenkins::credentials { 'jenkins_deploy_key':
  password            => '',
  private_key_or_path => $credentials['jenkins_deploy_user']['key'],
  uuid                => $credentials['jenkins_deploy_user']['uuid'],
}
The command that gets run is as such:
/usr/bin/java -jar /usr/lib/jenkins/jenkins-cli.jar -s http://127.0.0.1:8080 groovy /usr/lib/jenkins/puppet_helper.groovy create_or_update_credentials jenkins_deploy_key '' '(UUID)' 'Managed by Puppet' '-----BEGIN RSA PRIVATE KEY----- (KEY) -----END RSA PRIVATE KEY-----'
The output is:
"-----BEGIN RSA PRIVATE KEY----- (KEY) -----END RSA PRIVATE KEY-----" is not a valid option
java -jar jenkins-cli.jar groovy [SCRIPT] [ARGUMENTS ...] [--username VAL] [--password VAL] [--password-file VAL]
Executes the specified Groovy script.
 SCRIPT              : Script to be executed. File, URL or '=' to represent stdin.
 ARGUMENTS           : Command line arguments to pass into script.
 --username VAL      : User name to authenticate yourself to Jenkins
 --password VAL      : Password for authentication. Note that passing a password in arguments is insecure.
 --password-file VAL : File that contains the password
If I manually run a command on the CLI such as:
/usr/bin/java -jar /usr/lib/jenkins/jenkins-cli.jar -s http://127.0.0.1:8080 groovy /usr/lib/jenkins/puppet_helper.groovy create_or_update_credentials jenkins_deploy_key '' '(UUID)' 'Managed by Puppet' 'just some text'
Then it works -- if I try to add the actual key manually via the CLI, I get the same error as above. The GUI works fine.
Looks like this is related: https://github.com/jenkinsci/puppet-jenkins/issues/370 But has not been resolved as far as I see.
Just to be clear, your private key in $credentials['jenkins_deploy_user']['key'] is the key itself, not the reference to a file, right?
I also tried to do this, based on the example
jenkins::credentials { 'gogs-deploy-key':
  password            => '',
  private_key_or_path => hiera('gogs_deploy_key'),
}
with hieradata:
gogs_deploy_key: |
  -----BEGIN RSA PRIVATE KEY-----
  *topsecret*
  -----END RSA PRIVATE KEY-----
But get the following error
Notice: /File[/opt/puppetlabs/puppet/cache/lib/puppet/type/jenkins_security_realm.rb]/ensure: defined content as '{md5}be1c28bacfa6d7sJoDghllt7LDT/hUBz4/GMQY4ydXPKZfZfBlpQIDAQABAoIBAQCnj8PVx+S3dii1
*topsecret*
-----END RSA PRIVATE KEY-----
' returned 255 instead of one of [0]
Correct, the key is eyaml encrypted in Hiera.
Reading further on this issue it is referenced to be a bug in the jenkins-cli.jar because of args4j, however the provided example of putting a private key makes me wonder if I am doing it wrong or there is some secret to getting this correct.
As a workaround, I suppose I could just put the key on the filesystem and then link the path in the credentials, but that feels like a janky way of doing it if I could use the provided tool.
Exactly my ugly workaround for now..
file { "/var/lib/jenkins/gogs_deploy_key":
  mode    => "0600",
  owner   => 'jenkins',
  group   => 'jenkins',
  content => hiera('gogs_deploy_key'),
}
~>
jenkins::credentials { 'gogs-deploy-key':
  password            => '',
  private_key_or_path => "/var/lib/jenkins/gogs_deploy_key",
}
More required fixes (source: https://issues.jenkins-ci.org/browse/JENKINS-23223)
diff --git a/manifests/service.pp b/manifests/service.pp
index 816ce9e..e737036 100644
--- a/manifests/service.pp
+++ b/manifests/service.pp
@@ -14,4 +14,26 @@ class jenkins::service {
hasrestart => true,
}
+ case $::osfamily {
+ 'Debian': {
+ file_line { 'jenkins_fix_cli':
+ ensure => present,
+ path => '/etc/default/jenkins',
+ line => 'JAVA_ARGS+=" -Dhudson.diyChunking=false "',
+ require => Service['jenkins']
+ }
+
+ file_line { 'jenkins_skip_wizard':
+ ensure => present,
+ path => '/etc/default/jenkins',
+ line => 'JAVA_ARGS+=" -Djenkins.install.runSetupWizard=false "',
+ require => Service['jenkins']
+ }
+ }
+ default: {
+
+ }
+ }
+
+
}
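Review bot: Both `file_line` resources use `require => Service['jenkins']`, so the lines are written to `/etc/default/jenkins` only after the service has been managed and nothing restarts it; the new JAVA_ARGS take effect only on some later restart. Use `notify => Service['jenkins']` so the change is applied and picked up in the same run. The `jenkins_skip_wizard` line is unrelated to the CLI fix and changes first-start behaviour, so it belongs behind its own opt-in parameter, and the empty `default: { }` branch should either be dropped or carry a comment saying why other OS families are left out.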
diff --git a/manifests/cli_helper.pp b/manifests/cli_helper.pp
index 4311e1e..02ac8d7 100644
--- a/manifests/cli_helper.pp
+++ b/manifests/cli_helper.pp
@@ -11,6 +11,7 @@
#
class jenkins::cli_helper (
$ssh_keyfile = $::jenkins::cli_ssh_keyfile,
+ $login_admin = $::jenkins::login_admin
) {
include ::jenkins
include ::jenkins::cli
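Review bot: The new `$login_admin` parameter is not described in the class header comment, and this patch does not show `$::jenkins::login_admin` being declared in the main class, so the default may resolve to an unset variable. Declare it in the `jenkins` class in the same change with an explicit default, and document it in the header above.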
@@ -38,7 +39,10 @@ class jenkins::cli_helper (
# Provide the -i flag if specified by the user.
if $ssh_keyfile {
$auth_arg = "-i ${ssh_keyfile}"
+ } elsif $login_admin {
+ $extra_args = "--username admin --password `cat /var/lib/jenkins/secrets/initialAdminPassword`"
} else {
+ $extra_args = undef
$auth_arg = undef
}
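Review bot: The `elsif $login_admin` branch puts the initial admin password on the command line through `--password` and a backtick `cat`, which exposes it to anything that can read process arguments and only works when the command is run through a shell. The CLI usage text quoted earlier in this thread lists `--password-file VAL`; passing `--password-file /var/lib/jenkins/secrets/initialAdminPassword` avoids both problems. The user name `admin` is also hard-coded here and would be better as a parameter.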
@@ -53,6 +57,7 @@ class jenkins::cli_helper (
"-s http://127.0.0.1:${port}${prefix}",
$auth_arg,
"groovy ${helper_groovy}",
+ $extra_args
]),
' '
)
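Review bot: `$extra_args` is referenced here, but the previous hunk assigns it only in the `elsif` and `else` branches, so it is unset whenever `$ssh_keyfile` is given; `$auth_arg` is likewise never assigned in the new `elsif $login_admin` branch. Assign both variables in every branch (using `undef` where they do not apply), and add a trailing comma after `$extra_args` to match the entries above it.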
@GuitarrasDeAmor I've PRed a fix/workaround for this in https://github.com/jenkinsci/puppet-jenkins/pull/580. In order to use it, you'd just have to pad your private key with a newline. For example in hiera-eyaml:
superduper_jenkins::credentials:
  svc-jenkins-ssh:
    uuid: 'svc.jenkins'
    private_key_or_path: |
      DEC(7)::PKCS7[
      -----BEGIN RSA PRIVATE KEY-----
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
      CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
      -----END RSA PRIVATE KEY-----
      ]!
I guess since the string now starts with a newline rather than a hyphen, it no longer gets misinterpreted as a switch. Anyway, it works.
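A small Ruby model of the failure and of the newline workaround discussed above, added here as an illustration; it is not code from puppet-jenkins or jenkins-cli. It assumes the parser rejects any positional token that starts with a hyphen, as the thread describes, and the function names and sample arguments are constructed.

```ruby
# Added example: models the behaviour described in this thread.
# Not code from puppet-jenkins or jenkins-cli.

# Options of the `groovy` CLI command, taken from the usage text quoted above.
KNOWN_OPTIONS = %w[--username --password --password-file].freeze

# Walk the tokens after `groovy SCRIPT` and return [token, positional?] pairs.
# A known option consumes the next token as its value.
def classify(args)
  skip_value = false
  args.map do |arg|
    if skip_value
      skip_value = false
      [arg, false]
    elsif KNOWN_OPTIONS.include?(arg)
      skip_value = true
      [arg, false]
    else
      [arg, true]
    end
  end
end

# Assumed parser rule: a positional token starting with "-" is read as an
# unknown switch and rejected ("... is not a valid option").
def rejected_arguments(args)
  classify(args).select { |arg, positional| positional && arg.start_with?('-') }
                .map(&:first)
end

# Workaround from the thread: prefix such values with a newline.
def pad_hyphen_values(args)
  classify(args).map do |arg, positional|
    positional && arg.start_with?('-') ? "\n#{arg}" : arg
  end
end

# Constructed sample mirroring the failing command (placeholder key body).
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\n(KEY)\n-----END RSA PRIVATE KEY-----"
SAMPLE_ARGS = ['create_or_update_credentials', 'jenkins_deploy_key', '',
               '(UUID)', 'Managed by Puppet', SAMPLE_KEY].freeze

if __FILE__ == $PROGRAM_NAME
  puts "rejected before: #{rejected_arguments(SAMPLE_ARGS).length}"
  puts "rejected after:  #{rejected_arguments(pad_hyphen_values(SAMPLE_ARGS)).length}"
end
```

The padded value reaches the script with the extra leading newline, so anything that compares or re-serialises the stored key should strip leading whitespace first.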
As the upstream bug https://issues.jenkins-ci.org/browse/JENKINS-30652 is still open, the module should provide a workaround by always adding spaces to the SSHKey.
Can we get this workaround into the README.md?