get secret from master based on user/password auth #76
Thanks for the pull request @Constantin07! It would be a nice improvement. It will not work as is, because CRUMB is hardcoded. E.g. see https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained which explains how to get it.
I would also suggest using JENKINS_API_TOKEN as a variable name to encourage people to use it instead of the password. CC @Wadeck
Wdyt about renaming JENKINS_PASSWORD to JENKINS_API_TOKEN?
@oleg-nenashev done. Tested locally - slave successfully connects to master using username/password.
@Constantin07 Great work! @oleg-nenashev It would be great if this gets merged and published in DockerHub.
This seems like a bad idea. You are replacing a limited token good only for connecting this agent with a general personal access token which, if compromised, could be abused in various ways. What exactly is the use case here?
I'm closing this PR for the following reasons:
Of course, feel free to reopen it if you feel it should be reviewed and merged (but you'll have to describe the initial problem and solve the merge conflicts).
The use case I can think of is that you are configuring the controller via JCasC including a static agent, and wish to be able to reconstruct the setup from scratch (with a freshly generated The better solution would be to deprecate the agent HMAC generally. Instead each newly created agent would get a randomly generated connection token persisted as a (
=> https://issues.jenkins.io/browse/JENKINS-70168 just created
This PR is to address the issue in jenkinsci/docker-agent#701.
It doesn't break existing functionality (use of only JENKINS_SECRET).