Jenkins Kube agent cannot pull from git

6/21/2019

I am running Jenkins in Kubernetes (EKS), and can successfully pull git repos when running the jobs on the Jenkins master with the pipeline code

gitInfo = checkout([$class: 'GitSCM',
                branches: [[name: '*/master']],
                doGenerateSubmoduleConfigurations: false,
                extensions: [[$class: 'CleanCheckout'], [$class: 'RelativeTargetDirectory', relativeTargetDir: 'config']],
                submoduleCfg: [],
                userRemoteConfigs: [[credentialsId: 'Gitlab', url: 'git@gitlab.test.com:USER/config.git']]
            ])

and it checks out fine. However, when I try and pull on a Jenkins kube agent it doesn't seem to be able to get the key from the master correctly. Using the exact same checkout code I get the error

using credential Gitlab
Cloning the remote Git repository
ERROR: Error cloning remote repo 'origin'
hudson.plugins.git.GitException: Command "git fetch --tags --progress git@gitlab.test.com:USER/config.git +refs/heads/*:refs/remotes/origin/*" returned status code 128:
stdout: 
stderr: Warning: Permanently added 'gitlab.test.com,11.11.111.11' (ECDSA) to the list of known hosts.
  Authorized uses only. All activity may be monitored and reported.
  Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
  fatal: Could not read from remote repository.

In working logs I would expect to see the name of the credential it is trying to use

using GIT_SSH to set credentials Git Lab key used to bootstrap Jenkins Master

Has anyone seen this problem before?

My container spec is

spec:
  containers:
  - name: jnlp
    image: jenkins/jnlp-slave
    imagePullPolicy: Always
    env:
    - name: POD_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
    - name: DOCKER_HOST
      value: tcp://localhost:2375

Update: So it seems that something is stripping newlines off the end of the id_rsa key in the credentials store. I am using Jenkins Config as Code to add it from the AWS Parameter Store, so I think it is something going wrong here, as if I dump the contents of the secret from Parameter Store and copy and paste that into the credential through the Jenkins UI the job works....

-- apr_1985
git
jenkins
kubernetes

1 Answer

6/21/2019

Issue was caused by JCasC not being able to get the Parameters from AWS, so the Jenkins Credentials were corrupt (blank).

Debugged by running cat on credentials.xml and decrypting the credential in the script console

println(hudson.util.Secret.decrypt("{XXXXXXXX}"))

I have no idea how the master is able to clone from Git with the blank credential, but even in the UI it was showing as valid :/

-- apr_1985
Source: StackOverflow
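
The two failure modes described in the question and answer (a blank credential and a key that lost its trailing newline), as an added example that is not part of the original post: a Python pre-flight check to run on the value fetched from the secret source before it is loaded into Jenkins. The function names, the `${...}` placeholder check, the variable name `GITLAB_SSH_KEY` and the sample key are assumptions constructed for illustration; the check reports problems only and never prints key material.

```python
import base64
import re

# Unresolved JCasC-style variable such as ${GITLAB_SSH_KEY} (name is hypothetical).
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")
PEM = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\n(.*?)\n-----END \1-----", re.DOTALL
)


def check_private_key(text):
    """Return a list of problems with SSH private key text; an empty list means OK."""
    if not text or not text.strip():
        return ["blank: the secret source returned no key material"]
    problems = []
    if PLACEHOLDER.search(text):
        problems.append("unresolved ${...} placeholder in value")
    if "\\n" in text:
        problems.append("literal backslash-n sequences instead of real newlines")
    if not text.endswith("\n"):
        problems.append("no trailing newline after the END line")
    match = PEM.search(text.replace("\r\n", "\n"))
    if match is None:
        problems.append("no BEGIN/END PRIVATE KEY block on separate lines")
        return problems
    # Legacy PEM headers (Proc-Type:, DEK-Info:) contain ':' and are not base64.
    body = "".join(ln for ln in match.group(2).split("\n") if ":" not in ln)
    try:
        base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("key body is not valid base64")
    return problems


def sample_key():
    """Constructed sample: PEM framing around base64 of a fixed string, not a real key."""
    body = base64.encodebytes(b"constructed sample, not a real key" * 4).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    cases = {
        "intact": sample_key(),
        "newline stripped": sample_key().rstrip("\n"),
        "blank": "",
        "placeholder": "${GITLAB_SSH_KEY}",
    }
    for name, value in cases.items():
        print(name, "->", check_private_key(value) or "OK")
```

Running a check like this in the provisioning step makes a failed secret lookup fail loudly instead of producing a credential that still appears valid in the UI.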