Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Folder credentials and its chicken-and-egg problem

See original GitHub issue

Hi CasC team, thanks for making this wonderful plugin! I am evaluating it to use it for my team.

I meet one blocking point: We want to use folder to group credentials (so we can separate CI and CD for security purpose), but:

I don’t know how to configure credentials for folder
I suspect that there is an chicken-and-egg problem that is not resolvable

Detail for point 1:

I have tried to export CasC, but it contains no folder credentials.
I have tried to look up the JSON schema, found no relating property

Detail for point 2:

I use job-dsl to configure all jobs and folders. AFAIK, DSL’s depends on credentials (for git checkout) and folder credentials depends on DSL (to spin up the folder).

So this looks like a chicken-and-egg problem.

So my questions are:

Has anyone in this community done this kind of setup before? If yes, would you please share a bit of examples?
Is this doable in current version?

Context:

Jenkins version: 2.164.1
Plugin version: 1.7
OS: Linux (official Jenkins image)

Issue Analytics

State:
Created 4 years ago
Comments:12 (7 by maintainers)

Top GitHub Comments

14reactions

linkealcommented, May 21, 2019

@twz123: Here is my example of a Job DSL that creates such a folder. CasC only creates a seed job in my case which checksout the Job DSL here.

folder("test") {
    description 'The folder contains all jobs for regular tests'
    properties {
        folderCredentialsProperty {
            domainCredentials {
                domainCredentials {
                    domain {
                        name("test")
                        description("Credentials necessary for our tests")
                    }
                    credentials {
                        usernamePasswordCredentialsImpl {
                            scope("GLOBAL")
                            id("test_user_id")
                            description("User for deployments on test environment")
                            username("test_user_dev")
                            password("password")
                        }
                    }
                }
            }
        }
    }
}

A bit strange why you need the “domainCredentials” encapsulated twice but this is the only way it is working for me. I figured it out this way by installing the plugins on my jenkins instance and then opening the documentation of the dynamic DSL. See https://github.com/jenkinsci/job-dsl-plugin/wiki/Dynamic-DSL how you can view it in your jenkins.

0reactions

holmesbcommented, Mar 8, 2020

Sorry if my comment wasn’t clear @linkeal , we’re trying to create a folder credential using job-dsl (by querying credentials provided by CasC - as suggested by @zhming0), not attach a credential to a job.

Our credentials are currently created by CasC and exist globally (not at folder level). The reason we are using both CasC and JobDSL is CasC mounts our kubernetes secret. This means in our code we can create a credential referring to a secret using ${OUR_SECRET} notation. But CasC offers no way to create folder credentials (@casz says this is a bad idea), so we must use job-dsl for this.