No credentials/secrets pulled from master into PodTemplate/ContainerTemplate by Jenkins Kubernetes Plugin during pipeline execution?

9/3/2017

Setting the scene: I have set up a multi-node Kubernetes cluster and deployed the Jenkins Helm Chart with the Jenkins Kubernetes plugin. We run (company-)internally an Enterprise GitHub installation and we have multiple private and public repos. The builds are implemented using non-declarative Jenkins pipelines (many features are missing in the plugin for declarative pipelines). The builds don't run on the Jenkins master, but every job run consumes its own pod for obvious reasons (maximum scale-out and total isolation/no side effects) via podTemplates/containerTemplates.

The problem/question: I found no way, or description of how, to fetch from private repos or, more generally speaking, I found no way to pull any credentials/secrets from the Jenkins master (where I like to maintain them centrally) into the pods/containers that the plugin creates for my job runs, i.e. in those pods/containers I am missing, e.g., the credentials/secrets to pull from a private repo. How can I make those available in the dynamically spawned pods/containers? Is that even possible?

Some additional information: On my Jenkins master I can perfectly fetch from private repos, have access to everything and all is fine. It's only lately that I tried to use the Kubernetes plugin and get more out of my cluster. Also, I kubectl exec'd into the JNLP slave container (and its siblings based on my containerTemplates) and couldn’t find anything. Not in the ENV, not in files. It is not clear to me how my credentials/secrets would get injected, and what I need to do for it.

Dirty solutions I already use, but would like to replace: To overcome the problem, I put my credentials into the Jenkinsfile, but that's bad because I now smear them across my repos and it's no solution for the public repos either. What I also did was to bake them into my images for the pod/container templates, but that's ugly for similar reasons, as I now put them into Dockerfiles (directly or indirectly during the build) and can't use off-the-shelf images anymore and can't put mine into public image repos anymore either. I guess it would also be possible to modify my top-most podTemplate/containerTemplate and manually add ENV vars with the credentials/secrets, but that's ugly as well, as I wouldn't make use of the Jenkins master credentials/secrets store any more.

I am looking for a clean solution to the problem. I hope it's possible to bring my credentials/secrets from the Jenkins master into my dynamically spawned pods/containers that I also like to keep (no static slaves, but dynamic ones for each and every job run).

-- vlerenc
credentials
jenkins
kubernetes

1 Answer

9/27/2017
git url: 'private-gitlab-address',
    branch: 'master',
    credentialsId : 'my_jenkins_credential_id'

You can create your own my_jenkins_credential_id, available globally, on this page:

jenkins-master-address/credentials/store/system/domain/_/newCredentials
-- Roc King
Source: StackOverflow
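
A scripted pipeline that uses the answer's credentialsId approach inside a per-job pod, added here as an example and not part of the original question or answer. It assumes the Credentials Binding plugin (for withCredentials) and a username/password credential stored on the master; the credential id, image, label and repository URLs are placeholders.

```groovy
// Added example: every id, image name and URL below is a placeholder.
def label = "build-${UUID.randomUUID().toString()}"

podTemplate(label: label, containers: [
    // Off-the-shelf image with no secrets baked in.
    // 'cat' with a tty keeps the container alive for the duration of the job.
    containerTemplate(name: 'tools', image: 'alpine/git', command: 'cat', ttyEnabled: true)
]) {
    node(label) {
        stage('Checkout') {
            // The credential is looked up by id in the master's store and
            // handed to the agent only for this fetch.
            git url: 'https://github.example.internal/org/private-repo.git',
                branch: 'master',
                credentialsId: 'my_jenkins_credential_id'
        }

        stage('Use the secret in a container') {
            container('tools') {
                // Binds the stored credential to environment variables that
                // exist only inside this block and are masked in the build log.
                withCredentials([usernamePassword(
                        credentialsId: 'my_jenkins_credential_id',
                        usernameVariable: 'GIT_USER',
                        passwordVariable: 'GIT_TOKEN')]) {
                    // Single-quoted Groovy string: the shell expands the
                    // variables, so the secret is never interpolated into the
                    // script text. The credential helper reads them from the
                    // environment, keeping the token out of the URL and argv.
                    sh '''
                        git -c credential.helper='!f() { echo "username=$GIT_USER"; echo "password=$GIT_TOKEN"; }; f' ls-remote https://github.example.internal/org/other-private-repo.git
                    '''
                }
            }
        }
    }
}
```

Secrets bound this way are present in the container only while the enclosing step runs, so they do not show up in the pod's environment or files between steps.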