How to set up SSH keys for Jenkins Blue Ocean using Kubernetes and Helm

11/13/2018

I have a CI system set up using the stable Jenkins Helm chart with the BlueOcean plugin.

In my SCM system (BitBucket Server), I have a Jenkins build user created with SSH keys configured.

What I'd like to do is bootstrap the Jenkins install with the SSH key so that when configuring a BlueOcean pipeline, authentication is handled seamlessly. As it is, I have to go in to the repository I want to build and add access for the SSH key generated by BlueOcean. This is obviously not ideal as it adds an additional manual step for each build pipeline to be configured.

The Jenkins Helm chart documentation specifies an Agent.volumes value in values.yaml that can be used to mount, for instance, a Kubernetes secret containing the SSH keys. However, this is agent configuration, so presumably would allow for SCM authentication from a build agent (e.g., from a Jenkinsfile). What I want to do is bootstrap the keys into Jenkins master.

I see that there is a Master.CredentialsXmlSecret which allows for a Kubernetes secret containing a Credentials XML file, but the documentation on this is sparse (or non-existent).

Has anyone set up Jenkins on Kubernetes/Helm with this kind of SSH configuration?

*Edit: So I have managed to produce a correct credentials.xml file by logging in to Jenkins and manually setting up the SSH keys, then copying the produced credentials.xml file, running it through base64 encoding, adding it as a Kubernetes secret and then binding it to Master.CredentialsXmlSecret in the Jenkins Helm chart's values.yaml. After doing that, my Jenkins instance loads up with the credentials.xml file in place (/var/jenkins_home/credentials.xml). The Credentials don't appear to be loading into the Jenkins UI correctly but I think I'm on the right track.

-- LiquidPony
git
jenkins
jenkins-blueocean
kubernetes
kubernetes-helm

1 Answer

11/13/2018

You can probably set it up with an API call to bitbucket to set up the SSH key. Something like this with API 1.0

$ curl --user <USER>:<PASSWORD> -X POST \
  https://bitbucket.org/api/1.0/users/<USER>/ssh-keys \
  --data-urlencode "key=<PUBLIC_KEY>" \
  --data-urlencode "label=<LABEL>"

Documented here, or API 2.0:

 $ curl -X POST -H "Content-Type: application/json" \
   -d '{"key": "ssh-ed25519 ...."}' \
   https://api.bitbucket.org/2.0/users/<USER</ssh-keys

Documented here

Not sure what type of permissions you are looking for but you may want a repo SSH key pair for Jenkins Blue Ocean pipelines.

In either case, you will have to build your custom docker image with an entrypoint script that picks up the ssh key generated and posts it wherever you want to post it.

-- Rico
Source: StackOverflow