馃毃 Please review the guidelines for contributing to this repository.
[x ] Jenkins version
2.190.1
[x] Plugin version
Credentials Plugin - 2.3.0 and Configuration as Code - 1.32
[x] OS
Linux
I'm am trying to execute the following fragment in my JCasC script
credentials:
system:
domainCredentials:
- credentials:
- basicSSHUserPrivateKey:
scope: SYSTEM
id: ssh_with_passphrase_provided
username: ssh_root
passphrase: ${SSH_KEY_PASSWORD}
description: "SSH passphrase with private key file. Private key provided"
privateKeySource:
directEntry:
privateKey: ${SSH_PRIVATE_KEY}
When I insert my private key in PEM format into the fragment and run it, my github certificate is reported as invalid but if I put the same value manually to the certificate plugin it works just fine.
After much testing and reading about base64 encoding I stumbled upon this fragment to check the contents of my certificate store:
def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
com.cloudbees.plugins.credentials.common.StandardUsernameCredentials.class,
Jenkins.instance,
null,
null
);
for (c in creds) {
println(c.id + ": " + c.description )
if(c instanceof com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey)
println(c.getPrivateKey())
}
I was able to determine that the contents of the certificate are not being parsed properly by the JCasC input process. To put it simply:
The carriage return after the "BEGIN PRIVATE" is being ignored as well as the carriage return before the "END PRIVATE". Here is an example:
-----BEGIN RSA PRIVATE KEY----- line 1
line 2
line 3
line 4 -----END RSA PRIVATE KEY-----
I was able to fix it by inserting the CR directly into the JCasC template and it works just fine.
I thought I'd pass this on since it might help someone in the same situation as myself and possibly close a bug!
Thanks!
This works just fine, your certificate should have a final new line.
Depends how you set the SSH_PRIVATE_KEY variable
Hi Caz,
Thanks for getting back so quickly;
I tried the following based on your comments:
This does not work:!!!
- basicSSHUserPrivateKey:
id: github-key
passphrase: "u5ZVELAR/uZmu2t0ytKh7g=="
privateKeySource:
directEntry:
privateKey: "-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAtJcUUZWn/5NppT/hmy8nvmnHI/1175+OggQ39JzO3MS/mjJt
f/vRQUa6E17S+Q6KvUKK50rQFhfzYIQLVVuxiAACQxIQqeSjyiV/I4hHbgrHmKGV
9uNRP5Wd21fH9DUPkjLwnYJiZIz+YtOrQchWekIMnvVX6nALZi5MuvJL6bsM1JrR
eBkzfFnhaCOWEbJUjlXgYYereIm33zYSxzGV1HPoTTcLfuf40O9vwg==
-----END RSA PRIVATE KEY-----"
But this does!
- basicSSHUserPrivateKey:
id: github-key
passphrase: "u5ZVELAR/uZmu2t0ytKh7g=="
privateKeySource:
directEntry:
privateKey: "-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAtJcUUZWn/5NppT/hmy8nvmnHI/1175+OggQ39JzO3MS/mjJt
f/vRQUa6E17S+Q6KvUKK50rQFhfzYIQLVVuxiAACQxIQqeSjyiV/I4hHbgrHmKGV
9uNRP5Wd21fH9DUPkjLwnYJiZIz+YtOrQchWekIMnvVX6nALZi5MuvJL6bsM1JrR
eBkzfFnhaCOWEbJUjlXgYYereIm33zYSxzGV1HPoTTcLfuf40O9vwg==
-----END RSA PRIVATE KEY-----"
I'm setting the Private Key just fine; It's the extra CR/LFs that you need to insert to make it work. Are you not seeing this behaviour on your installation?
Again depends how you pass it 馃槗
We use vault where we pass \n for each new neline as shown in the file when generated.
The other ways I have seen it work is to use yaml literal block as literal block will preserve any whitespace
credentials:
system:
domainCredentials:
- credentials:
- basicSSHUserPrivateKey:
scope: SYSTEM
id: ssh_with_passphrase_provided
username: ssh_root
passphrase: ${SSH_KEY_PASSWORD}
description: "SSH passphrase with private key file. Private key provided"
privateKeySource:
directEntry:
privateKey: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAtJcUUZWn/5NppT/hmy8nvmnHI/1175+OggQ39JzO3MS/mjJt
f/vRQUa6E17S+Q6KvUKK50rQFhfzYIQLVVuxiAACQxIQqeSjyiV/I4hHbgrHmKGV
9uNRP5Wd21fH9DUPkjLwnYJiZIz+YtOrQchWekIMnvVX6nALZi5MuvJL6bsM1JrR
eBkzfFnhaCOWEbJUjlXgYYereIm33zYSxzGV1HPoTTcLfuf40O9vwg==
-----END RSA PRIVATE KEY-----
Tried it the above way and it worked; I guess it's all in how you pass it.
Thanks for checking.
Running the groovy fragment is a great way to tell if you're doing it right.
Laters!
I have more or less the same error when I do it manually it works for me and when I pass it through a variable that I set as a fact and it gives me an error
I am loading a template with jinja2 to modularize
I put that template at the beginning of the main template
#jinja2: trim_blocks: "true", lstrip_blocks: "false"
since in some parts the indentation moved
then I put it as mentioned above
- basicSSHUserPrivateKey:
scope: GLOBAL
id: "{{slave_linux_jenkins_cred_id}}"
username: "{{jenkins_user}}"
passphrase: ''
description: "SSH passphrase with private key file. Private key provided for {{jenkins_user}}"
privateKeySource:
directEntry:
privateKey: |
{{SSH_PRIVATE_KEY}}
## render this way and it's not working it fails me
privateKeySource:
directEntry:
privateKey: |
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzBYzbFCWSOOFoY6jFoj3xTMfmrRzTEaYMrTjALnSaKCrqu8P
nQVBXjU77aokH+pbcGhYcCQx0NFQFF0NAzJyAvQVmuNmh5p4mHl4pE5w2HEm3ApM
poh/2bmqdEtZ8gKrRLTh0RwCsI4CxCPU49sqAqgoUNTV3DXWc4Fhn/Dw+Xs/AKc/
nLcIYeb7rfJNDuW93sCugDt7mUVIOI618a/yBpBrkaT+Em/UL2PN8QW968lCslMy
+Hxjsm3Keyi3IshFm9FgRsldlKtYW+9fwB/Lq6lpQNsbl/NN3GtzVpX2MVduq1eZ
rKRWi+aKZU2mWSxwTetulh8AqlUwAJjdY2ag1wIDAQABAoIBAEiFOxCqMj0EXF/k
R5+iXCj+2aQnqzDXhQ2/qUqAvXvgXCAJgwrQ60GGuRzi8KNGq+dtrL9snScOud4C
krUoH8tc4LCBTdWx1liYEX6RQRgoXR6jqkkjCAteJmvcusF8oU9w1y1vPqVuUR1R
fjzZjDwVdP4EI1p05xd0SjSDcZ20w01jxwGRPBNWmuAJxTu/7ncMdKqvlHgNWpk8
hMQkZO1I9cCUXHPRvsIlSjr9wYaWIwD2IZ+d0HacFaLb3NZWdcZzgyfsjXIuoIED
6Z29Bj0iDMqnV3PPS/AeSZYfjJxEw88Hx1v6Iia2+35oU27m0YzYwCCUekZFJ4FJ
ffAgxMECgYEA7EhuCLBAlIVqeVl0c/6JASxwmQ0sJ9ozQrA3cW3NXIAOyEFvBI9s
iiI3WuoVN6RGQlTTmC33TupB37KWwYziNTIbyfZe3F6kwCvf0iQUO/784ol+aSq3
vNZlFGB2xFc7z2pBh0tFLY0MkExc10QYqBR/xMe8YaijpqyT2rA6XEsCgYEA3R37
m0uGkmo4SRgzNwN3RXU/r4iloTpB68fu0GyRUEvfQ1ny/slMbc0bbajXaUxwsSOe
tTLTWVQJqTCtZpEzlYDpdJguHgarBFxVykWGX3Va5QbRBX9cz7uZ61tUuLam6/xz
qPv1NdNlQNTrVhUNcgAlFDOk5fIiTYtpiX9jniUCgYAIqs9+ehikWhCBywo+hwO3
i03GD3mjLJncxGIEQybZUck5B01vOWOd3YtyRkvo8pmxLTNlzanYtzcbYY2uI+DY
WrIyQltQchhRBEr9hl1Hph7YoHqGmQ6MWsDycmdo5FpJTXiB4fzzosznLiXpr5HH
+JiHO1xpqKn4HzR9PSGm6QKBgDysYIEBXWDJsr4j3NHIqq6teJcy+Lff43zONLKO
R+VvnEi/4tSU6drrQA58GPe02OtSadcwphvJ2ojJaZtOVog8glLS+zyT+dNNfuDs
6O1Cp3lWwH4wr4f040xYmEvDGtSARkBlOqjVY+BBTH4ncrQIZCRB84qBQXZjvcbT
5MLdAoGBALMCnX6sEVju+rzm5sf5Da7FLkObqJVkiLkWj+R8mWf13+Z01qO4O/14
EgLaH9GhxmH43Jn0A4SGAqUcoHLeMb+A2hQs5mruKEaHUEPzo5a3KzQZsYHyU/h9
Afk8MgjsfF2NM2rybMrfJf8gvAED87+OprtBHoYlPlvePl39s8ho
-----END RSA PRIVATE KEY-----
so I put it manually and it worked
SSH Launch of agent-0 on 192.168.10.x completed in 13,350 ms
- basicSSHUserPrivateKey:
scope: GLOBAL
id: "agent_node_cred"
username: "jenkins"
passphrase: ''
description: "SSH passphrase with private key file. Private key provided for jenkins"
privateKeySource:
directEntry:
privateKey: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAreHRaZ8Fe/J5ofesl5+6h6ichymjKRGU3HEgRuy0zC+hNf5E
oTHJeClVl1GOS3EKjwJLlyxZ7GPaxbf8fcb+iwlmNNZVAo8oaHaL7t73Tzx/L1gl
pOR2HY24TJD3KztT/ZrRH4x4/DyC8SEs8zLzkejWtt7NTklIWte8a87LGJ7ZIy4P
w8zYSwvBcjvbfvogEGtqQgQCR3PcYnjkKQQuaTDQrYAlBbLNmWm11nWwNCcltfbx
pGedM6n//brDInWQt4tt1lj1KSVwO8YvaOq2gnD//FfbhaSAqJSeQth+ZZ5u9ANe
8vyRKp1e9UmHji4WmH3QrPpuZt/jDDCgh+9k8wIDAQABAoIBAQCetAUWifXPczhh
BFWa7kapmtOC6hXpXgqoSPhUw6cg1jglt7WcCn0AF3nvapidcsdYT5f+mpRYlasP
2yWxBvc8n4+Rmi5s74zKC6kclJTU1TqgU6vIHF1SDA+ykn2GD9hRGATW7rdeQTyi
KM2GC3MUMZgHwMNSOMC5aT6oh04HYTK+gbbnZ1pLn7rDW+lOE/iFRL/IEqY3vBsP
79a3nFYa4GGKVeDAqo+qpPY3yuiZHsr1R/EkMNJ+KF3aG2ev//v9AXXrMT1Rg8x6
6XJkR7bREb4SsFUuiBw6yEej33OjfAihhW13X6khS4HRDwp00/qaaua5EsC5pOjr
oXHmn68BAoGBAN85JwYCy1Wsb2b5/wZZCILvFJh/lTBJWicsiOvbu8ifmGg5EWaT
UM3rzVhGwUzcWM5PbcOr6ZzegK0oqObohLDn3iz9F+TJD/QheRtTkUgshlG8f+Ny
dZMutIwB7+ZR4y1PclJ97RE05Shu2huE+VPAdx2R0SqARU3aBX9TYfZjAoGBAMdp
9QFt4fguZzAsECGyVSaOvga9Y7M8gcfI6P22wg5hYV49e4ktnjj4iehGU7tItaNb
orpmC+P82TkTEevKSocCiBebFLkf0FT5TeCiBo+cppWULfEp5RkVVQ2l2Ni028Pl
WpRubjwytmKSAQ6Me4i/jnMhw0u4+Wl4p7MGqpQxAoGAA/wvOCpAmwzzCDGaXfCk
+EFwarCMZ0pH878VyrAnkBNZUzMBnoUuwh5dkh/hP5AHfddpLD8bcpN+VJkPOuAX
zli1XLRAAvOb903JrbU2OMWiuD7XQaY/dxs0WfOG5uO7XIm4jsR0wQPiu3APMMKU
+OvMtJhv1YRouFUWGAnTC+UCgYBq4VmWGIUC9iwMX7GNvf1xmxQynJOxX37Xy9FF
Gw1Lk9oSHrX1wmOJeXzA5+C9Aq2IDvdbHJLG8aCjvJrgXB4x2qOCs3YZ+vk4ch7R
hUYq9vU6Op+dIK1QEmTx2bAuBlG731P7Nm0TCsNCdarnV1hm5PS+tJvuHAhiBW8s
vyfyIQKBgQCD6skqo6HtupTrd+titO6UE8NTuqtIn9BrGJ41VesZ+W4sbK0h7KlV
dIAPEA83e0Nq2BbcVt4l5HWosjuaoEu+0UF4a36ooBPlANXAT4VUMAa7nt//wskn
mRQd0IdjrwfV/xYCJB9efYkStYceTFtQigrTaWGbR8Up2WGg2ERJhg==
-----END RSA PRIVATE KEY-----
if you can help me the sshkey I'm setting it this way
聽聽 set_fact:
聽聽聽聽 SSH_PRIVATE_KEY: "{{slurped_private_key_stat.content | b64decode}}"
thanks in advance @casz and @terrdry
stay tuned
I could solve the problem I had here the solution
20 spaces have to be indented and I did it this way and it worked for me
#jinja2: trim_blocks: "true", lstrip_blocks: "true"
- basicSSHUserPrivateKey:
scope: GLOBAL
id: "{{slave_linux_jenkins_cred_id}}"
username: "{{jenkins_user}}"
passphrase: ''
description: "SSH passphrase with private key file. Private key provided for {{jenkins_user}}"
privateKeySource:
directEntry:
privateKey: |
{{ SSH_PRIVATE_KEY | indent(20) }}
render this way and it's works #resolvetaskssh
privateKeySource:
directEntry:
privateKey: |
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAm2eO9B2a9g6E7vCmhEMyoNDyPgUmcr4gChnirniN0SUYCAyo
2/rSVhEe+LxU1MR3ZhOfTGX6uozc/bBHExsKj4/drR2f6oAJfa8Drvaplxr7GeI5
ul4tea/ZtsT6iPNYLlfJeMM7TkjMt7fl/x+pycxT4fuWKRDoOHZlPcXXZkPvbSpm
D7UmkQq7npyzkTwysY7OeeF5iXT6LOZRyc28Yn5fxzmAZ58lTzHExBHP1HcmH++h
hPIBAoGAPlJk4r3bAa3wK8CcuWISPmSx5TM/KWKDWCZpkGX99gKVIJrxTVc9Kyu6
qov+TRng6qxbA/8BOL7MWjJu9e5n5dNHZE5bghBSDoC+8g6tZxsMJrFuQQ+Y1EiH
n63Rb1vZJOXH7o/iiBU8ZRbGVX0iPCJZaXcGVOfwXPcR55NhocY=
-----END RSA PRIVATE KEY-----
I hope this helps someone
regards
@daverod24 it's possible encrypt the privateKey? Maybe with bcrypt?
maybe i haven't tried it yet @caiohasouza
Hmm ok, i tried a lot's of way but not works, i don't know how to debug. The plugin accept the bcrypt password but i can't use the key.
Hi @caiohasouza
Use the groovy fragment to interrogate the creds after you add them to see what it looks like so you can tweak the formatting...
see https://github.com/jenkinsci/configuration-as-code-plugin/issues/1189#issue-513350547
@terrdry thank you for your response, i did the steps and the script show the key bcrypted, it's right? I did too another aproach:
What do you think about this approach?
@caiohasouza, thats basically the approach I took for my certificate issues and it worked for me. I'm glad it worked for you.
Cheers!
@terrdry perfect, thank you so much!
Hopefully this helps others who search on this issue... What daverod24 did with https://github.com/jenkinsci/configuration-as-code-plugin/issues/1189#issuecomment-560565982 fixed the indentation for the yaml so that it was parsed correctly.
I hit the same issue when I was trying to import a Github App private key.
I generated the key in github and ran it through this to put it in the right format for Jenkins:
openssl pkcs8 -topk8 -inform PEM -outform PEM -in github-app-private-key.pem -out converted-github-app.pem -nocrypt
Then used this config to use JCasC with the Jenkins helm chart and Ansible: https://github.com/jenkinsci/helm-charts/tree/main/charts/jenkins:
JCasC:
configScripts:
githubsetup: |
credentials:
system:
domainCredentials:
- credentials:
- gitHubApp:
appID: "99999"
id: "githubApp"
description: "GitHub app for mysite"
privateKey: |
{{ lookup('file','secrets/converted-github-app.pem') | indent(14) }}
Without the indent it was not valid Yaml. This is helpful to see how to format it: https://yaml-multiline.info/
Might just be easier to have people pass these as base64 encoded strings and be done with it vs fixing up the yaml.
JCasC can decode base64 to strings with the help of substitution: https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#additional-variable-substitution
Most helpful comment
I could solve the problem I had here the solution
20 spaces have to be indented and I did it this way and it worked for me
render this way and it's works #resolvetaskssh
I hope this helps someone
regards