In my organization, I am setting up continuous integration with jenkins 2, and all built artifacts go to a private nexus 3 server (maven and npm modules)
I want to restrict publication to nexus on a set of fixed machines : only the jenkins slaves can publish. The rule is : all projects must be in continuous integration to be released.
I don't want developpers to be able to publish directly in the private nexus from their workstation.
Currently I achieved this by putting npm publish token in .npmrc file, in jenkins user home directory.
It works, but this token can be easily stolen by creative users (in their jenkins build, with a simple command like 'more ~.npmrc'). With this token, anybody can publish on the nexus server. Clearly my current configuration is not good.
What are the best practices ? My goal is that all npm module in my private nexus are built from jenkins and not from dev workstations.
Thank you all
Jenkins does provide a mechanism for storing and retrieving credentials via the Credentials Plugin. Would this be an option?
For example, if you are in a free style build, you can check the "Use secret text(s) or file(s)" under "Build Environment" to use a secret text/password.
If you are in a Jenkinsfile, you can use a "withCredentials" clause to provide the same information.
Related
Context & Problem
I'm working on a DevOps platform for a company which wants to provide developers with tools for code versioning & automatic testing / build / deploy, using Gitlab + Jenkins + Azure (alongside other tools like Jira / Sonarqube / Grafana, but not relevant here).
For security reasons & ease of management, we want to provide users with only one account for all those tools : Azure Active Directory.
Currently, Gitlab users can connect through Azure AD, and a push to the Gitlab repository triggers a build in Jenkins.
When I configure Jenkins authentication through Azure AD, the Gitlab integration with Jenkins doesn't work anymore, since you can no longer use username / password to connect to Jenkins, and it seems the only way provided by Gitlab integrations.
Current Setup
Gitlab (14.6.0-ee) & Jenkins (2.319.1) are installed on 2 different virtual machines (CentOs 7.9) hosted on Azure
Jenkins integration is enabled on Gitlab (https://docs.gitlab.com/ee/integration/jenkins.html)
Gitlab plugin is enabled on Jenkins (https://plugins.jenkins.io/gitlab-plugin/)
Jenkins integration with Azure Active Directory works fine (https://plugins.jenkins.io/azure-ad/)
Groups & Users are configured on Azure AD to give roles on Jenkins (https://www.cloudbees.com/blog/securing-jenkins-role-based-access-control-and-azure-active-directory)
✅ When Azure AD is not enabled on Jenkins, Gitlab triggers build after each push, and you can track every step status in Gitlab
❌ When Azure AD is enabled on Jenkins, Gitlab cannot trigger Jenkins (using Webhooks or official Jenkins integration)
Questions
Is there a way for Jenkins to provide multiple auth strategies depending on the user ? (as Gitlab does)
Is there a way for Gitlab to use something else that user / password for Jenkins integration or Webhooks ?
Do we have to choose between Azure AD & Gitlab integration ? (if so, does this mean no one uses Jenkins Single Sign On & Gitlab ? Seems weird)
Leads & Ideas
Tried using webhooks instead of the Jenkins integration, but it fails since the webhooks also need username / password (and integration would probably be less "advanced")
Tried finding a way to enable multiple auth methods on Jenkins, but seems impossible right now (https://issues.jenkins.io/browse/JENKINS-15063)
Tried giving role permissions to Gitlab on Azure AD, but it won't change anything since I can't find how to make Gitlab using OAuth with Jenkins
I searched thorougly for answers, but still may have missed something trivial.
I didn't find much litterature on this specific setup, so I'm hoping someone around here did encounter this type of situation before 🙂
Thank you for your help
We have a hosted GitLab instance internally and a Nexus repository hosted internally (neither of which touches the open internet). The Nexus repository uses client certificates for authentication. We have a repository in GitLab that is accessed by many developers and we need a way to get the user's client certificate in the runner so we can access Nexus.
Is there a way to specify in the .gitlab-ci.yml a user-specific mount? Putting the user's certificate information in the repository's "variables" is not an option because we have many developers accessing the same project. We (as developers) also don't have access to the runners. I can, however, create a new container/image that the GitLab runner can execute. Any thoughts on how to get the CI pipeline to recognize the user's certificate in the pipeline would be greatly appreciated!
After reading the GitLab documentation and realizing how far behind we were in releases (a major version) I discovered that GitLab now integrates with Vault. This appears to work for exactly our use case.
https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/
I have setup build/test/release on VSTS. And we have another pipeline (in Linux) to get the build artifact from the build system with a give build id. So is there a way to download the build artifact from VSTS on Linux? I found that you can't download it without login. We used to use Jenkins. It works good as Jenkins doesn't require login for that.
No, authentication is required, you can create personal access tokens to authenticate access.
You also can build a API app to get artifacts with authentication, then another pipeline can get build artifact from that API app.
I give a user guest role in my private project, want him to see my project build log. but I find that him cannot see the build log.
here is my research
In gitlab Permissions document , I see the guest role has the right to see build log.
I find the sentence "If Allow guest to access builds is enabled in CI settings " but I can not find the CI setting in the gitlab 8.8
"CI Quick Start" (and user permissions) are not up-to-date.
As mentioned in "Migrate GitLab CI to GitLab CE or EE"
CI settings are now in GitLab
If you want to use custom CI settings (e.g. change where builds are stored), please update /etc/gitlab/gitlab.rb (Omnibus) or /home/git/gitlab/config/gitlab.yml (Source).
As of GitLab 8.3.0, the dedicated CI settings section was removed, and those settings are integrated in the various other project settings (like the runners section)
This GitLab CE issue search mentions access issues for guest like issue 18448:
I think that 'Allow guest to access builds` works only for public projects
Nothing specific to the logs though.
We have an Azure Entreprise Agreement with a main subscription to which a VSTS account is bound. We have setup the Package Management extension in order to host some usefull packages for diferent projects. For each customer, we create a subscription in this EA and a VSTS account bound to it. We build our customer projects on the Hosted build agent of the latter subscription.
But when it's time for the build process to restore NuGet packages (using Nuget Installer task) that are stored on the main package feed, it looks like that the build service cannot access this feed (probably because it's not part of the same subscription).
Is there a way to allow an external build service in the main feed permissions, or even use an api key in the NuGet Installer task of the customer build definition, in order to be able to restore packages from the main feed ?
EDIT: i tryed to use a specific nuget.config with either the apiKey (with the same api key that is locally set on my dev machine) or the packageSourceCredentials tag. None of the 2 let the build agent restore the packages.
EDIT: build agent screenshot (COETools.Testing comes from custom feed on another subscription)
EDIT: nuget.config
EDIT: I changed the build task to use the default agent supplied nuget.exe (i was previously using one in source control) and i managed to have the packages from nuget official feed to be restored. But i'm still unable to have the one from custom feed to restore.
OK, i had it to work, but i don't like the way i did it because i had to use my personal access token in the packageSourceCredentials tag.
Here is the nuget.config i used:
A better way to do it would be to use the API key (as the one that is generated in the dev local machine nuget.config instead of the personal access token.