Building Jenkins Infra-As-Code and masking Credentials

I am building a Jenkins infrastructure using infra-as-code principles. As part of this, I am pre-populating the credentials.xml configuration of Jenkins to include some global credentials.

I populate this xml file using Ansible during the launch of the infrastructure. Once rendered, the file is pushed to the Jenkins Home Directory. See example below:

<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="[email protected]">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          <scope>GLOBAL</scope>
          <id>{{ jenkins_test_user }}</id>
          <description>GenericAccount</description>
          <username>{{ jenkins_test_user }}</username>
          <password>{{ jenkins_test_user_pass }}</password>
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>

However, when I open the credentials.xml in a text editor, I can see the passwords in plaintext.

How can I make Jenkins mask these password fields?

Note that when I add a new credential using the Jenkins console, the newly added credential and all the previously populated credentials (using Ansible) in the credentials.xml get masked.

Solution 1:[1]

You can preset the users and password hash in the XML files. You might need to create one XML config for each specific user. This is what we follow.

Solution 2:[2]

As already pointed out by @p-ekambaram you can bcrypt your passwords.

I'd add on top of that that you can do it more simply by using https://www.jenkins.io/projects/jcasc and then configuring it like this: https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demos/embedded-userdatabase

jenkins:
  securityRealm:
    local:
      allowsSignup: false
      users:
        - id: "hashedadmin"
          # password is 'password'
          password: "#jbcrypt:$2a$10$LP4bMhwyCPnsDm.XRcTZSuBqWYKGAiDAsQXrSrJGYcEd9padaPgsC"

https://github.com/jenkinsci/configuration-as-code-plugin/issues/734#issuecomment-1024354016
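A post-render check covering both files discussed on this page, added here as an example (it is not code from the question or from either answer): it flags any `<password>` in a rendered credentials.xml that Jenkins has not rewritten as an encrypted Secret, and any JCasC local user whose `password:` is not a `#jbcrypt:` hash. The brace-wrapped base64 form of an encrypted Secret, the `svc-user` credential and the sample values are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed credentials.xml mirroring the question's template; {pw} is filled in by the caller.
CREDENTIALS_XML = """<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"><entry>
    <com.cloudbees.plugins.credentials.domains.Domain><specifications/></com.cloudbees.plugins.credentials.domains.Domain>
    <java.util.concurrent.CopyOnWriteArrayList>
      <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
        <scope>GLOBAL</scope><id>svc-user</id><username>svc-user</username><password>{pw}</password>
      </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    </java.util.concurrent.CopyOnWriteArrayList></entry></domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>"""

# Assumption: once Jenkins saves the file, a Secret is serialised as base64 wrapped in braces, e.g. {AQAAABAAAAAQ...}.
JENKINS_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")
# JCasC local-realm users take jBCrypt hashes: '#jbcrypt:' + $2a$ + two-digit cost + 22-char salt + 31-char digest.
JBCRYPT_RE = re.compile(r"^#jbcrypt:\$2a\$\d{2}\$[./A-Za-z0-9]{53}$")


def plaintext_credential_ids(xml_text):
    """Return the ids of username/password credentials whose <password> is not an encrypted Secret."""
    # Drop the XML 1.1 declaration Jenkins writes so the parser version token does not matter.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).lstrip())
    leaks = []
    for cred in root.iter("com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"):
        if not JENKINS_SECRET_RE.match(cred.findtext("password") or ""):
            leaks.append(cred.findtext("id"))
    return leaks


def unhashed_jcasc_users(jcasc_yaml):
    """Return JCasC user ids whose 'password:' value is not a #jbcrypt: hash (line-based, no PyYAML needed)."""
    bad, current_id = [], None
    for line in jcasc_yaml.splitlines():
        m_id = re.match(r'\s*-\s*id:\s*"?([^"\s]+)"?', line)
        if m_id:
            current_id = m_id.group(1)  # remember which user the next password line belongs to
            continue
        m_pw = re.match(r'\s*password:\s*"?([^"]*?)"?\s*$', line)  # a '# password is ...' comment does not match
        if m_pw and not JBCRYPT_RE.match(m_pw.group(1)):
            bad.append(current_id)
    return bad
```

Run both checks in the pipeline step that follows the Ansible render and fail the job on a non-empty result; a plaintext `<password>` only disappears after Jenkins itself has loaded and re-saved the file.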

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: P Ekambaram
Solution 2: Koroslak