Support Jenkins credentials for RabbitMQ SSL authentication #263

Open
jlebon opened this issue Sep 22, 2023 · 1 comment

jlebon commented Sep 22, 2023

What feature do you want to see added?

I would like to be able to use this plugin in combination with the Kubernetes Credentials Provider plugin, which automatically syncs Kubernetes secrets into Jenkins as credentials. This would require changing this plugin to support taking credential IDs instead of file paths. (This avoids us having to mount every secret we need into the Jenkins pod.)

This would also be an opportunity to move away from the Java KeyStore format, which is not well-known outside of the Java ecosystem. Even keytool itself kindly warns:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.ks -destkeystore keystore.ks -deststoretype pkcs12".

Upstream changes

No response

jlebon added a commit to jlebon/coreos-ci that referenced this issue Nov 17, 2023
This configures the JMS messaging plugin to connect to the public
endpoint of the Fedora messaging bus.

The tricky thing is passing in the keystores. The plugin does
not support using Jenkins credentials[[1]] so we can't leverage
kubernetes-credentials-provider.

We could do it the old way, which is to mount the secret into the
Jenkins pod, but since d6d1f61, CoreOS CI now uses the exact same
`jenkins.yaml` manifest as the production pipeline and we don't want to
bind mount it there.

Instead, we hack around this by just baking the keystores in the Jenkins
image at `$JENKINS_HOME/jms-messaging-stores`.

[1]: jenkinsci/jms-messaging-plugin#263
jlebon added a commit to coreos/coreos-ci that referenced this issue Nov 17, 2023

ktdreyer commented Jan 8, 2024

I haven't tested using pkcs12 keypairs instead of Java KeyStores. Does this plugin already support that?
