nixos/services/jenkins: Introduce declarative credentials management #121958
Conversation
Pamplemousse
changed the title
jenkins-cli command
Pamplemousse
changed the title
ofborg
bot
requested review from
fpletz,
coreyoconnor,
NeQuissimus and
earldouglas
ofborg
bot
added
10.rebuild-darwin: 1-10
10.rebuild-darwin: 1
10.rebuild-linux: 1-10
labels
Signed-off-by: Pamplemousse <xav.maso@gmail.com>
Pamplemousse
force-pushed
the
jenkins-credentials
branch
from
978e1b5
to
46180e3
Compare
ofborg
bot
added
10.rebuild-darwin: 0
and removed
10.rebuild-darwin: 1
10.rebuild-darwin: 1-10
labels
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
|
Related: I came across https://www.jenkins.io/projects/jcasc/ (Jenkins Configuration as Code) today. It creates a bit of a bootstrap issue, as you need to first install the plugin (jenkinsPlugins2Nix is not broken now btw), but seems to help making Jenkins setups more declarative. |
stale
bot
removed
the
2.status: stale
Of course, it turns out to not be truly declarative -- it supports adding and changing settings, but not removing 😢 |
|
|
||
| config = mkIf (jenkinsCfg.enable && cfg.enable) { | ||
| assertions = [ | ||
| { assertion = jenkinsCfg.withCLI; |
There was a problem hiding this comment.
Instead of having this assertion that withCLI must be true, you can use an absolute path to the jenkins-cli program: ${pkgs.jenkins}/bin/jenkins-cli.
| script = | ||
| let | ||
| _jenkinsCLI = { | ||
| auth = "-auth admin:\"$(cat ${jenkinsCfg.home}/secrets/initialAdminPassword)\""; |
There was a problem hiding this comment.
TODO: Check that initialAdminPassword gets created if -Djenkins.install.runSetupWizard=false is used.
There was a problem hiding this comment.
TODO: Check that initialAdminPassword gets created if
-Djenkins.install.runSetupWizard=falseis used.
It does not.
So this change depends on users having that plugin already installed? And currently that means imperatively installing the credentials plugin? Maybe we should get declarative plugin support in jenkins first? |
|
@bjornfor, indeed, as the description of the PR says:
|
|
Thanks for taking interest in this PR by the way @bjornfor :) |
Sorry I missed that. Should we mark this PR as a draft? |
wegank
added
the
2.status: stale
Signed-off-by: Pamplemousse xav.maso@gmail.com
Motivation for this change
Allow declarative management of credentials for Jenkins!
Depends on #121841 (I included its commits in this PR for the
.credentialsoption to be reviewable - work).There is a plugin to manage credentials: https://plugins.jenkins.io/credentials/. Useful to get stuff from SCMs, sign releases, and so on.
This my first "real" contribution to the
nixos/modulesside of things.In particular, I took a very naive approach regarding the management of "secrets", which might be insecure:
/var/lib/jenkins/credentials/<ID>/credentials.xml(However, the
jenkinsuser already has means to read/write the content of credentials through the API anyway - i.e. I don't think this is effectively widening the attack surface.);/nix/storeeither.Also, as is, here are known limitations:
jenkinsby default);I had to start somewhere, and because it's somewhat my first time in this area of the repo, I was not shooting for a "perfect" solution.
Feedback appreciated! 🙏
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)Signed-off-by: Pamplemousse xav.maso@gmail.com