Re: Configuration as code and preservation of credentials

2018-09-26 Thread James Nord


On Tuesday, September 25, 2018 at 9:38:10 PM UTC+1, Damien Coraboeuf wrote:
>
> Hi Nicolas,
>
> Thanks for your feedback.
>
> In our case, we're using CasC to maintain and push known and tested 
> versions of a Jenkins master into a production environment, but we wanted 
> to still accept some degree of freedom, esp. when it comes to credential 
> management.
>
> An alternative is to use an external mgt system like Vault (I think it's 
> possible to use Vault as a backend for Jenkins credentials but this remains 
> to be tested).
>
>
If you are running on a k8s cluster (or can configure Jenkins to access one), 
you can store the credentials as k8s secrets.
https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/

 

> Or I could drop the CasC file for the credentials, and do it using Groovy 
> init.d files, as I did in the (bad) old times :)
>
> Best regards,
> Damien Coraboeuf
>
> On Tue, Sep 25, 2018 at 10:28 PM nicolas de loof wrote:
>
>> A feature we'd like to investigate for JCasC is to make the web UI 
>> read-only once configured from yaml
>> The specific sample of credentials could be adapted to support "preserve 
>> existing entries" but we have no way to support this in a generic way
>> Also, JCasC is designed to support re-creating an equivalent jenkins 
>> master from scratch, so from this point of view this would make no sense.
>>
>> On Tue, Sep 25, 2018 at 22:07, wrote:
>>
>>> But many things are otherwise preserved. I feel the implementation of 
>>> the credentials configuration is doing a none vs. all approach, not taking 
>>> into account existing entries:
>>>
>>> In SystemCredentialsProviderConfigurator:
>>>
>>> target.setDomainCredentialsMap(DomainCredentials.asMap(value))
>>>
>>>
>>> Maybe this code could be replaced to preserve existing entries.
>>>
>>>
>>> On Tuesday, September 25, 2018 at 10:03:00 PM UTC+2, 
>>> damien.c...@collibra.com wrote:
>>>>
>>>> I've created the PR at 
>>>> https://github.com/jenkinsci/configuration-as-code-plugin/pull/556 to 
>>>> show a unit test reproducing the issue.
>>>>
>>>> On Tuesday, September 25, 2018 at 9:04:31 PM UTC+2, 
>>>> damien.c...@collibra.com wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> We're using Jenkins 2.121.3 and CasC 1.0. One thing we define as code 
>>>>> is a list of credentials (some SSH keys, some user/passwords, etc.) 
>>>>> common to all our instances but we let also the administrators of a 
>>>>> Jenkins instance define their own credential entries.
>>>>>
>>>>> However, when the Jenkins instance is restarted, only the credential 
>>>>> entries defined by the CasC files are kept, and all the ones which were 
>>>>> added manually are lost.
>>>>>
>>>>> Is there a way to prevent this?
>>>>>
>>>>> Thanks,
>>>>> Damien Coraboeuf
>>>>>
>>
>>
>> -- 
>> Nicolas De Loof
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/1f8ca36e-7111-41a3-b128-3658860d9ff0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
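
The Groovy init.d alternative Damien mentions in the quoted message, as an added example that is not from the thread or from the plugin: it adds or refreshes only a fixed set of credential ids through the credentials store and leaves every other entry, including ones created in the UI, untouched. The credential id, environment variable names and file name are hypothetical, and it assumes the credentials section has been dropped from the CasC YAML.

```groovy
// $JENKINS_HOME/init.groovy.d/managed-credentials.groovy (file name is an assumption)
import com.cloudbees.plugins.credentials.CredentialsScope
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import com.cloudbees.plugins.credentials.common.IdCredentials
import com.cloudbees.plugins.credentials.domains.Domain
import com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl

// Hypothetical baseline. Secrets are read from the environment so that no
// plaintext password lives in the script or in version control.
def managed = [
    [id: 'deploy-bot', description: 'Managed by init script',
     userEnv: 'DEPLOY_BOT_USER', passEnv: 'DEPLOY_BOT_PASSWORD'],
]

def store  = SystemCredentialsProvider.getInstance().getStore()
def domain = Domain.global()

// Index what is already stored (UI-created entries included) by id.
def existing = store.getCredentials(domain)
        .findAll { it instanceof IdCredentials }
        .collectEntries { [(it.id): it] }

managed.each { spec ->
    def user = System.getenv(spec.userEnv)
    def pass = System.getenv(spec.passEnv)
    if (!user || !pass) {
        // Never create a half-populated credential; report and move on.
        println "managed-credentials: ${spec.id} skipped, ${spec.userEnv}/${spec.passEnv} not set"
        return
    }
    def wanted = new UsernamePasswordCredentialsImpl(
            CredentialsScope.GLOBAL, spec.id, spec.description, user, pass)
    def current = existing[spec.id]
    if (current == null) {
        store.addCredentials(domain, wanted)             // new managed entry
        println "managed-credentials: ${spec.id} added"
    } else {
        store.updateCredentials(domain, current, wanted) // refresh managed entry in place
        println "managed-credentials: ${spec.id} updated"
    }
}
// Entries whose id is not listed in `managed` are never touched, unlike a
// wholesale setDomainCredentialsMap(...) replacement.
```

Because the baseline stays authoritative only for its own ids, an administrator who reuses a managed id in the UI will see that entry overwritten at the next restart.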


Re: Configuration as code and preservation of credentials

2018-09-25 Thread Ullrich Hafner


> On 25.09.2018 at 22:27, nicolas de loof wrote:
> 
> A feature we'd like to investigate for JCasC is to make the web UI read-only 
> once configured from yaml
> The specific sample of credentials could be adapted to support "preserve 
> existing entries" but we have no way to support this in a generic way
> Also, JCasC is designed to support re-creating an equivalent jenkins master 
> from scratch, so from this point of view this would make no sense.
> 

Shouldn’t it be possible to use the same configuration to create multiple 
master instances that handle different jobs with different views? This seems to 
be not possible now.

> On Tue, Sep 25, 2018 at 22:07, wrote:
> But many things are otherwise preserved. I feel the implementation of the 
> credentials configuration is doing a none vs. all approach, not taking into 
> account existing entries:
> 
> In SystemCredentialsProviderConfigurator:
> 
> target.setDomainCredentialsMap(DomainCredentials.asMap(value))
> 
> Maybe this code could be replaced to preserve existing entries.
> 
> 
> On Tuesday, September 25, 2018 at 10:03:00 PM UTC+2, damien.c...@collibra.com 
> wrote:
> I've created the PR at 
> https://github.com/jenkinsci/configuration-as-code-plugin/pull/556 to show 
> a unit test reproducing the issue.
> 
> On Tuesday, September 25, 2018 at 9:04:31 PM UTC+2, damien.c...@collibra.com 
> wrote:
> Hi,
> 
> We're using Jenkins 2.121.3 and CasC 1.0. One thing we define as code is a 
> list of credentials (some SSH keys, some user/passwords, etc.) common to all 
> our instances but we let also the administrators of a Jenkins instance define 
> their own credential entries.
> 
> However, when the Jenkins instance is restarted, only the credential entries 
> defined by the CasC files are kept, and all the ones which were added 
> manually are lost.
> 
> Is there a way to prevent this?
> 
> Thanks,
> Damien Coraboeuf
> 
> 
> --
> Nicolas De Loof
> 


Re: Configuration as code and preservation of credentials

2018-09-25 Thread Damien Coraboeuf
Hi Nicolas,

Thanks for your feedback.

In our case, we're using CasC to maintain and push known and tested
versions of a Jenkins master into a production environment, but we wanted
to still accept some degree of freedom, esp. when it comes to credential
management.

An alternative is to use an external mgt system like Vault (I think it's
possible to use Vault as a backend for Jenkins credentials but this remains
to be tested).

Or I could drop the CasC file for the credentials, and do it using Groovy
init.d files, as I did in the (bad) old times :)

Best regards,
Damien Coraboeuf

On Tue, Sep 25, 2018 at 10:28 PM nicolas de loof 
wrote:

> A feature we'd like to investigate for JCasC is to make the web UI
> read-only once configured from yaml
> The specific sample of credentials could be adapted to support "preserve
> existing entries" but we have no way to support this in a generic way
> Also, JCasC is designed to support re-creating an equivalent jenkins
> master from scratch, so from this point of view this would make no sense.
>
> On Tue, Sep 25, 2018 at 22:07, wrote:
>
>> But many things are otherwise preserved. I feel the implementation of the
>> credentials configuration is doing a none vs. all approach, not taking into
>> account existing entries:
>>
>> In SystemCredentialsProviderConfigurator:
>>
>> target.setDomainCredentialsMap(DomainCredentials.asMap(value))
>>
>>
>> Maybe this code could be replaced to preserve existing entries.
>>
>>
>> On Tuesday, September 25, 2018 at 10:03:00 PM UTC+2,
>> damien.c...@collibra.com wrote:
>>>
>>> I've created the PR at
>>> https://github.com/jenkinsci/configuration-as-code-plugin/pull/556 to
>>> show a unit test reproducing the issue.
>>>
>>> On Tuesday, September 25, 2018 at 9:04:31 PM UTC+2,
>>> damien.c...@collibra.com wrote:
>>>>
>>>> Hi,
>>>>
>>>> We're using Jenkins 2.121.3 and CasC 1.0. One thing we define as code
>>>> is a list of credentials (some SSH keys, some user/passwords, etc.) common
>>>> to all our instances but we let also the administrators of a Jenkins
>>>> instance define their own credential entries.
>>>>
>>>> However, when the Jenkins instance is restarted, only the credential
>>>> entries defined by the CasC files are kept, and all the ones which were
>>>> added manually are lost.
>>>>
>>>> Is there a way to prevent this?
>>>>
>>>> Thanks,
>>>> Damien Coraboeuf
>>>>
>>
>
>
> --
> Nicolas De Loof
>


Re: Configuration as code and preservation of credentials

2018-09-25 Thread nicolas de loof
A feature we'd like to investigate for JCasC is to make the web UI
read-only once configured from yaml
The specific sample of credentials could be adapted to support "preserve
existing entries" but we have no way to support this in a generic way
Also, JCasC is designed to support re-creating an equivalent jenkins master
from scratch, so from this point of view this would make no sense.

On Tue, Sep 25, 2018 at 22:07, wrote:

> But many things are otherwise preserved. I feel the implementation of the
> credentials configuration is doing a none vs. all approach, not taking into
> account existing entries:
>
> In SystemCredentialsProviderConfigurator:
>
> target.setDomainCredentialsMap(DomainCredentials.asMap(value))
>
>
> Maybe this code could be replaced to preserve existing entries.
>
>
> On Tuesday, September 25, 2018 at 10:03:00 PM UTC+2,
> damien.c...@collibra.com wrote:
>>
>> I've created the PR at
>> https://github.com/jenkinsci/configuration-as-code-plugin/pull/556 to
>> show a unit test reproducing the issue.
>>
>> On Tuesday, September 25, 2018 at 9:04:31 PM UTC+2,
>> damien.c...@collibra.com wrote:
>>>
>>> Hi,
>>>
>>> We're using Jenkins 2.121.3 and CasC 1.0. One thing we define as code is
>>> a list of credentials (some SSH keys, some user/passwords, etc.) common to
>>> all our instances but we let also the administrators of a Jenkins instance
>>> define their own credential entries.
>>>
>>> However, when the Jenkins instance is restarted, only the credential
>>> entries defined by the CasC files are kept, and all the ones which were
>>> added manually are lost.
>>>
>>> Is there a way to prevent this?
>>>
>>> Thanks,
>>> Damien Coraboeuf
>>>
>


-- 
Nicolas De Loof



Re: Configuration as code and preservation of credentials

2018-09-25 Thread damien . coraboeuf
But many things are otherwise preserved. I feel the implementation of the 
credentials configuration is doing a none vs. all approach, not taking into 
account existing entries:

In SystemCredentialsProviderConfigurator:

target.setDomainCredentialsMap(DomainCredentials.asMap(value))


Maybe this code could be replaced to preserve existing entries.


On Tuesday, September 25, 2018 at 10:03:00 PM UTC+2, 
damien.c...@collibra.com wrote:
>
> I've created the PR at 
> https://github.com/jenkinsci/configuration-as-code-plugin/pull/556 to 
> show a unit test reproducing the issue.
>
> On Tuesday, September 25, 2018 at 9:04:31 PM UTC+2, 
> damien.c...@collibra.com wrote:
>>
>> Hi,
>>
>> We're using Jenkins 2.121.3 and CasC 1.0. One thing we define as code is 
>> a list of credentials (some SSH keys, some user/passwords, etc.) common to 
>> all our instances but we let also the administrators of a Jenkins instance 
>> define their own credential entries.
>>
>> However, when the Jenkins instance is restarted, only the credential 
>> entries defined by the CasC files are kept, and all the ones which were 
>> added manually are lost.
>>
>> Is there a way to prevent this?
>>
>> Thanks,
>> Damien Coraboeuf
>>
>



Re: Configuration as code and preservation of credentials

2018-09-25 Thread damien . coraboeuf
I've created the PR at 
https://github.com/jenkinsci/configuration-as-code-plugin/pull/556 to show 
a unit test reproducing the issue.

On Tuesday, September 25, 2018 at 9:04:31 PM UTC+2, 
damien.c...@collibra.com wrote:
>
> Hi,
>
> We're using Jenkins 2.121.3 and CasC 1.0. One thing we define as code is a 
> list of credentials (some SSH keys, some user/passwords, etc.) common to 
> all our instances but we let also the administrators of a Jenkins instance 
> define their own credential entries.
>
> However, when the Jenkins instance is restarted, only the credential 
> entries defined by the CasC files are kept, and all the ones which were 
> added manually are lost.
>
> Is there a way to prevent this?
>
> Thanks,
> Damien Coraboeuf
>



Re: Configuration as code and preservation of credentials

2018-09-25 Thread Ullrich Hafner
This is one of the drawbacks of JCasC of the current version.
You can’t change anything in the UI anymore if you enable JCasC. Everything 
will be lost after restart.
It would make sense to have a way to use both JCasC and the manual UI 
configuration together somehow.

> On 25.09.2018 at 21:04, damien.corabo...@collibra.com wrote:
> 
> Hi,
> 
> We're using Jenkins 2.121.3 and CasC 1.0. One thing we define as code is a 
> list of credentials (some SSH keys, some user/passwords, etc.) common to all 
> our instances but we let also the administrators of a Jenkins instance define 
> their own credential entries.
> 
> However, when the Jenkins instance is restarted, only the credential entries 
> defined by the CasC files are kept, and all the ones which were added 
> manually are lost.
> 
> Is there a way to prevent this?
> 
> Thanks,
> Damien Coraboeuf
> 


Configuration as code and preservation of credentials

2018-09-25 Thread damien . coraboeuf
Hi,

We're using Jenkins 2.121.3 and CasC 1.0. One thing we define as code is a 
list of credentials (some SSH keys, some user/passwords, etc.) common to 
all our instances but we let also the administrators of a Jenkins instance 
define their own credential entries.

However, when the Jenkins instance is restarted, only the credential 
entries defined by the CasC files are kept, and all the ones which were 
added manually are lost.

Is there a way to prevent this?

Thanks,
Damien Coraboeuf
