Details
Story
Status: Done
Medium
Resolution: Done
All / Cross Project
Description
We need a way to safely create managed files that can be used by the community in JCasC (or define themselves). This, however, leads to a problem of credentials being stored in plain text in several of our current configurations.
Instead, what we need is a template engine that can then take maven credentials (or possibly other Jenkins credentials) and then as a build step create the actual file needed using those credentials in templated locations.
I'm thinking something along the lines of Python Jinja2 (https://jinja.palletsprojects.com/en/2.11.x/) for the templating engine.
Issue Links
blocks:
- RELENG-3035 Configuration yaml merger (Done)
- RELENG-3033 Macros for managed file template system (Archived)
- RELENG-3034 Template validation job (Archived)
While working on cost analysis jobs I stumbled on a way that we can do this without having to develop our own templating system!
This will require a combination of using the config-file-provider as expected with the replace-tokens option turned on. It will also require that we use the credentials-binding plugin to inject the appropriate credentials into the job as environment variables (which thankfully get auto-masked in any console output).
With the combination of these things in place it is possible to do something like this in jjb:
    wrappers:
      - credentials-binding:
          - username-password-separated:
              credential-id: test-credential
              username: USERVAR
              password: PASSVAR
      - config-file-provider:
          files:
            - file-id: config-file-id
              target: config.confg
              variable: CONFFILE
              replace-tokens: true
My limited testing tells me that this should work. There is one area that I find questionable though, and that is the credential-binding plugin is only available as a wrapper, which may make it difficult to wrap into multiple different macros, meaning that we may still have to do credential extraction from maven settings files instead.
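A pre-merge check for managed-file templates used with the wrapper setup above, as an added example that is not part of the original ticket or the project's code. It flags tokens with no matching credentials-binding variable and secret-looking keys that carry a literal value. The `${NAME}` / `$NAME` token syntax, the function names and the sample templates are assumptions made for this illustration.

```python
import re

# Assumption: tokens in a managed file are written as ${NAME} or $NAME.
TOKEN_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")
# Keys that must carry a token, never a literal value.
SECRET_KEY_RE = re.compile(
    r"(?i)\b(\w*(?:password|passwd|secret|token)\w*)\s*[=:]\s*(\S+)")

def bound_variables(wrappers):
    """Collect the env var names injected by credentials-binding wrappers."""
    names = set()
    for wrapper in wrappers:
        for binding in wrapper.get("credentials-binding", []):
            for settings in binding.values():
                for key in ("username", "password", "variable"):
                    if key in settings:
                        names.add(settings[key])
    return names

def validate_template(text, wrappers):
    """Return (line number, message) findings for one managed-file template."""
    bound = bound_variables(wrappers)
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            name = m.group(1) or m.group(2)
            if name not in bound:
                findings.append((lineno, f"token {name} has no credentials binding"))
        for m in SECRET_KEY_RE.finditer(line):
            if not TOKEN_RE.fullmatch(m.group(2)):
                findings.append((lineno, f"{m.group(1)} is a literal, not a token"))
    return findings

# The wrappers from the comment above, as the parsed YAML would look.
WRAPPERS = [
    {"credentials-binding": [{"username-password-separated": {
        "credential-id": "test-credential",
        "username": "USERVAR", "password": "PASSVAR"}}]},
    {"config-file-provider": {"files": [{
        "file-id": "config-file-id", "target": "config.confg",
        "variable": "CONFFILE", "replace-tokens": True}]}},
]
# Constructed sample templates (not real project files).
GOOD = "[server]\nusername = ${USERVAR}\npassword = ${PASSVAR}\n"
BAD = "[server]\nusername = ${USERVAR}\npassword = hunter2\napi_token = ${APITOKEN}\n"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate_template(text, WRAPPERS))
```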