Jenkins podTemplate disable default echo

I am running my Jenkins in Kubernetes to create dynamic slave pods based on requirement.

And each file uses some credentials from Jenkins.

Now the problem is that when I run some command in sh script:"" then those credentials are visible in the log view option on the UI,

as in the screenshot below.

My Jenkinsfile looks like below:

podTemplate(
    containers: [
        containerTemplate(name: 'helm', alwaysPullImage: true, image: 'k8s-helm:v3.4.2', command: 'cat',
            ttyEnabled: true)
    ],
    imagePullSecrets: ['registry-credentials']) {
  properties([parameters(
      [string(name: 'dockerImageTag', description: 'Docker image tag to deploy'),
       string(name: 'branchName', defaultValue: 'dev', description: 'Branch being deployed'),
       string(name: 'targetBranch', defaultValue: 'dev', description: 'Target branch against which if a PR is being raised')])])

  currentBuild.description = "branch ${params.branchName}"
  node(POD_LABEL) {

    container('helm') {
      withCredentials([[$class       : 'FileBinding',
                        credentialsId: 'sling-test-kubeconfig',
                        variable     : 'KUBECONFIG'],
                       [$class       : 'StringBinding',
                        credentialsId: 'sd-charts-github-api-token',
                        variable     : 'API_TOKEN']]) {
        stage('Add Helm repository') {
          sh script: "helm repo add stable 'https://charts.helm.sh/stable'",
              label: 'Add stable helm repo'
          sh script: 'helm repo list', label: 'List available helm repos'
        }
        withCredentials([[$class       : 'StringBinding',
                          credentialsId: 'test-env-postgres-password',
                          variable     : 'POSTGRES_PASSWORD'],
                         [$class       : 'StringBinding',
                          credentialsId: 'test-env-rabbitmq-password',
                          variable     : 'RABBITMQ_PASSWORD']]) {

          stage('Deploy') {
            echo "Deploying docker release -> myhost.com/8023/sling/scheduler:${params.dockerImageTag}"
            sh script: "scheduler charts/scheduler " +
                "--set appConfig.postgres.password=${POSTGRES_PASSWORD}," +
                "image.tag=${params.dockerImageTag}," +
                "appConfig.rabbitmq.password=${RABBITMQ_PASSWORD}," +
                "deployment.annotations.buildNumber=${currentBuild.number} " +
                "--wait",
                label: 'Install helm release'
          }
        }
      }
    }
  }
}

This file has some credentials (i.e. RABBITMQ_PASSWORD, POSTGRES_PASSWORD etc.; there are a lot more than this) which I do not want to show in the UI logs. Basically, I don't want to show the entire command, which is:

sh script: "scheduler charts/scheduler " +
                "--set appConfig.postgres.password=${POSTGRES_PASSWORD}," +
                "image.tag=${params.dockerImageTag}," +
                "appConfig.rabbitmq.password=${RABBITMQ_PASSWORD}," +
                "deployment.annotations.buildNumber=${currentBuild.number} " +
                "--wait",
                label: 'Install helm release'

I got some reference but this is also not working.

Can someone please help me solve this?

There is 1 answer

Matthew Schuchard On BEST ANSWER

To avoid leaking your credentials into the output, you need to resolve them within the shell interpreter of the shell step method instead of within Jenkins Pipeline. Since withCredentials temporarily assigns to environment variables, this is possible by not interpolating within Groovy:

sh script: 'scheduler charts/scheduler ' + // literal string
           '--set appConfig.postgres.password=${POSTGRES_PASSWORD},' + // no Groovy interpolation
           "image.tag=${params.dockerImageTag}," + // Groovy interpolation
           'appConfig.rabbitmq.password=${RABBITMQ_PASSWORD},' + // no Groovy interpolation
           "deployment.annotations.buildNumber=${currentBuild.number} " +  // Groovy interpolation
           '--wait', // literal string
           label: 'Install helm release'

This will interpolate and concatenate the string input argument to the shell step method accurately and without exposing your credentials in the Jenkins Pipeline output.
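
A check for the pattern the answer describes, as an added example that is not part of the original question or answer: it collects the variable names bound by withCredentials and reports every Groovy double-quoted string that interpolates one of them. The function name, the regular expressions and the sample (a constructed excerpt of the question's Deploy stage) are this example's own assumptions; it is a line-based heuristic and does not follow multi-line triple-quoted strings.

```python
import re

# Names bound by withCredentials: variable: 'NAME' (also usernameVariable etc.)
BINDING = re.compile(r"\b\w*[vV]ariable\s*:\s*['\"](\w+)['\"]")
# One Groovy string literal, single- or double-quoted, honoring backslash escapes
STRING = re.compile(r"'(?:[^'\\]|\\.)*'" r'|"(?:[^"\\]|\\.)*"')

def find_interpolated_secrets(jenkinsfile: str):
    """Return (line_no, variable) for each bound credential variable that Groovy
    interpolates inside "..." instead of leaving it for the shell to expand."""
    secrets = sorted(set(BINDING.findall(jenkinsfile)))
    findings = []
    for line_no, line in enumerate(jenkinsfile.splitlines(), start=1):
        for match in STRING.finditer(line):
            literal = match.group(0)
            if literal[0] != '"':
                continue  # single-quoted: Groovy passes ${NAME} through to the shell
            for name in secrets:
                # ${NAME}, ${env.NAME} or $NAME, unless the dollar sign is escaped
                pattern = r'(?<!\\)\$(?:\{\s*(?:env\.)?%s\s*\}|%s\b)' % (name, name)
                if re.search(pattern, literal):
                    findings.append((line_no, name))
    return findings

# Constructed sample: the Deploy step as written in the question.
SAMPLE = '''\
withCredentials([[$class: 'StringBinding', credentialsId: 'test-env-postgres-password',
                  variable: 'POSTGRES_PASSWORD'],
                 [$class: 'StringBinding', credentialsId: 'test-env-rabbitmq-password',
                  variable: 'RABBITMQ_PASSWORD']]) {
  sh script: "scheduler charts/scheduler " +
      "--set appConfig.postgres.password=${POSTGRES_PASSWORD}," +
      "image.tag=${params.dockerImageTag}," +
      "appConfig.rabbitmq.password=${RABBITMQ_PASSWORD}," +
      "deployment.annotations.buildNumber=${currentBuild.number} " +
      "--wait",
      label: 'Install helm release'
}
'''

if __name__ == "__main__":
    for line_no, name in find_interpolated_secrets(SAMPLE):
        print(f"line {line_no}: {name} is interpolated by Groovy; use single quotes")
```

Run against the answer's version of the step, where the two password fragments are single-quoted, the function returns an empty list, while the non-secret `${params.dockerImageTag}` interpolation is not reported in either version.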