Jenkins podTemplate disbale default echo

315 views Asked by At

I am running my jenkins in Kubernetes to create dynamic slave pod based on requirement.

And each file is uses some credentials from jenkins.

Now the problem is when I run some command in sh script:"" then that credentials are visible on log view option on UI.

as below screenshot.

enter image description here

My Jenkinsfile is looks like below

podTemplate(
    containers: [
        containerTemplate(name: 'helm', alwaysPullImage: true, image: 'k8s-helm:v3.4.2', command: 'cat',
            ttyEnabled: true)
    ],
    imagePullSecrets: ['registry-credentials']) {
  properties([parameters(
      [string(name: 'dockerImageTag', description: 'Docker image tag to deploy'),
       string(name: 'branchName', defaultValue: 'dev', description: 'Branch being deployed'),
       string(name: 'targetBranch', defaultValue: 'dev', description: 'Target branch against which if a PR is being raised')])])

  currentBuild.description = "branch ${params.branchName}"
  node(POD_LABEL) {

    container('helm') {
      withCredentials([[$class       : 'FileBinding',
                        credentialsId: 'sling-test-kubeconfig',
                        variable     : 'KUBECONFIG'],
                       [$class       : 'StringBinding',
                        credentialsId: 'sd-charts-github-api-token',
                        variable     : 'API_TOKEN']]) {
        stage('Add Helm repository') {
          sh script: "helm repo add stable 'https://charts.helm.sh/stable'",
              label: 'Add stable helm repo'
          sh script: 'helm repo list', label: 'List available helm repos'
        }
        withCredentials([[$class       : 'StringBinding',
                          credentialsId: 'test-env-postgres-password',
                          variable     : 'POSTGRES_PASSWORD'],
                         [$class       : 'StringBinding',
                          credentialsId: 'test-env-rabbitmq-password',
                          variable     : 'RABBITMQ_PASSWORD']]) {

          stage('Deploy') {
            echo "Deploying docker release -> myhost.com/8023/sling/scheduler:${params.dockerImageTag}"
            sh script: "scheduler charts/scheduler " +
                "--set appConfig.postgres.password=${POSTGRES_PASSWORD}," +
                "image.tag=${params.dockerImageTag}," +
                "appConfig.rabbitmq.password=${RABBITMQ_PASSWORD}," +
                "deployment.annotations.buildNumber=${currentBuild.number} " +
                "--wait",
                label: 'Install helm release'
          }
        }
      }
    }
  }
}

This file has some credentials (i.e. RABBITMQ_PASSWORD, POSTGRES_PASSWORD etc... there are lot more then this) which I do not want to show on UI logs, basically I don't want to show entire command which is at

sh script: "scheduler charts/scheduler " +
                "--set appConfig.postgres.password=${POSTGRES_PASSWORD}," +
                "image.tag=${params.dockerImageTag}," +
                "appConfig.rabbitmq.password=${RABBITMQ_PASSWORD}," +
                "deployment.annotations.buildNumber=${currentBuild.number} " +
                "--wait",
                label: 'Install helm release'

I got some reference but this is also not working.

Can someone please help me to solve this.

1

There are 1 answers

0
Matthew Schuchard On BEST ANSWER

To avoid leaking your credentials into the output, you need to resolve them within the shell interpreter of the shell step method instead of within Jenkins Pipeline. Since withCredentials temporarily assigns to environment variables, this is possible by not interpolating within Groovy:

sh script: 'scheduler charts/scheduler ' + // literal string
           '--set appConfig.postgres.password=${POSTGRES_PASSWORD},' + // no Groovy interpolation
           "image.tag=${params.dockerImageTag}," + // Groovy interpolation
           'appConfig.rabbitmq.password=${RABBITMQ_PASSWORD},' + // no Groovy interpolation
           "deployment.annotations.buildNumber=${currentBuild.number} " +  // Groovy interpolation
           '--wait', // literal string
           label: 'Install helm release'

This will interpolate and concatenate the string put argument to the shell step method accurately and without exposing your credentials in the Jenkins Pipeline output.