Author: Arpit Singh

Introduction

A Jenkins manager (that is a Jenkins user who administers a Jenkins site) can add/configure credentials in Jenkins. The credentials can be used by Pipeline projects to interact with the application and/or build process.

Where to use?

Credentials stored in Jenkins can be used:
  • Anywhere applicable throughout Jenkins (i.e. global credentials).
  • By a specific Pipeline project/item.
  • By a specific Jenkins user (as is the case for Pipeline projects created in Blue Ocean).
Types of Credential Store in Jenkins
  • Secret text– a token such as an API token (e.g. a GitHub personal access token).
  • Username and password– which could be handled as separate components or as a colon separated string in the format username:password (read more about this in Handling credentials).
  • Secret file– which is essentially secret content in a file. We will be using this type in this article.
  • SSH Username with private key– an SSH public/private key pair.
  • Certificate– a PKCS#12 certificate file and optional password, or
  • Docker Host Certificate Authentication credentials.

We will be using Secret File type credential store for this article.

Configuring credentials

Who can create credentials?

Credentials can be added to Jenkins by any Jenkins user who has the Credentials > Create permission (set through Matrix-based security). These permissions can be configured by a Jenkins user with the Administer permission.

Steps to Use Jenkins Secret FileĀ 

Use Case

I will showcase deployment of a simple mule application to cloudhub. The requirement is to NOT expose the cloudhub credentials anywhere, neither in the application nor in the Jenkins Pipeline. 

Step 1: Install the Credential and Credential Binding Plugin
  1. Go to Jenkins > Plugins Manager and select Credentials and Credential Bindings Plugin.
  1. Download and install the plugins. Jenkins will prompt for a restart after the installation.
Step 2: Create and add secret file in Jenkins
  1. Create a simple text file without any extension and add the credentials you want to add in the secret file. For this example, I will be adding anypoint credentials , along with a sample password key.
  1. Go To Credentials
  1. Go to Jenkins > Credentials > System > Global credentials > Add Credentials
  1. Enter the required fields. For this use case, I am using the below configuration:
  1. Upload the created secretFile in the above Jenkins Section.
Step 3: Creating and adding Jenkins file in the Mule application
  1. As mentioned above, I have created a very simple Mule application with one endpoint. The end point will return the values present in the secret File. 
  1. Please note that in general you would not come across this scenario. I am just using the above endpoint to show that the values can also be accessed in the application as well if required.
  1. Create a Jenkins file which will access the secret file credentials and deploy the app to cloudhub using these credentials.
stage('BUILD') {
	environment {
        SECRET_FILE_ID = credentials('secret-file-id')
      }
     steps {
	   echo "####DISPLAYING SECRET_FILE_ID####"
	   echo "Global property file: ${SECRET_FILE_ID}"
	   
	   echo "#####Copying Global property file to src\\main\\resources#####"
	   bat "powershell Copy-Item ${SECRET_FILE_ID} -Destination src\\main\\resources"
	   
	   echo "#####Deleting Local Global property file present in src\\main\\resources#####"
	   bat "powershell Remove-Item src\\main\\resources\\global-dev.properties"
	   
	   echo "#####Renaming Global property file in Jenkins to global-dev.properties#####"
	   bat "powershell Rename-Item src\\main\\resources\\secret_file_jenkins global-dev.properties"
	   
	   echo "#####Creating Mule Application artifact#####"
	   bat 'mvn clean install'
   }
   }

Build Stage Steps:

  1. Refer to the secret file by id and add it to the environment as SECRET_FILE_ID 
  2. The below two steps is just to showcase how to access the properties in the secret file in the application. It is not a required/necessary step.
  3. Copy the secret file to the application src/main/resources
  4. Replace the application property file with the secret file.

Deploy Step:

stage('DEPLOY-DEV') { 
      environment {
		CLOUDHUB_ENV = credentials('CLOUDHUB_ENV_SANDBOX')
		ANYPOINT_USERNAME_DEV = credentials('ANYPOINT_USERNAME_DEV')
		ANYPOINT_PASSWORD_DEV = credentials('ANYPOINT_PASSWORD_DEV')
		
      }
      steps {
	   echo "DISPLAYING ALL ENVIRONMENT VARIABLES...."
	   echo "CLOUDHUB_ENV: ${CLOUDHUB_ENV}"
	   echo "ANYPOINT_USERNAME: ${ANYPOINT_USERNAME_DEV}"
	   echo "ANYPOINT_PASSWORD: ${ANYPOINT_PASSWORD_DEV}"
	   echo "#####Initiating Deployment to cloudhub#####"
	   bat "mvn package deploy -Pcloudhub -Denv=dev -DANYPOINT_USERNAME=${ANYPOINT_USERNAME_DEV} -DANYPOINT_PASSWORD=${ANYPOINT_PASSWORD_DEV} -DCLOUDHUB_ENV=${CLOUDHUB_ENV}"
	  
	   echo "################APP SUCCESSFULLY DEPLOYED################"
	   
      }

Deploy Stage Steps:

  1. Assign the properties of the secret file to environment variables.
  2. Pass the Cloudhub credentials as run time parameters, and deploy to Cloudhub.

Conclusion

  1. As you can see, the properties of the secret file are not exposed anywhere during the build process and also in the application.
  2. The contents of the secret file can also only be accessed only during the first upload of the file. To update the secret file, the only option is that the administrator, i.e., user having credential access, uploads a new credentials file.

Leave a Comment