Issue
I am building a Jenkins infrastructure using infra-as-code principles. As part of this, I am pre-populating the credentials.xml configuration of Jenkins to include some global credentials.
I populate this XML file using Ansible during the launch of the infrastructure. Once rendered, the file is pushed to the Jenkins home directory. See the example below:
<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="[email protected]">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          <scope>GLOBAL</scope>
          <id>{{ jenkins_test_user }}</id>
          <description>GenericAccount</description>
          <username>{{ jenkins_test_user }}</username>
          <password>{{ jenkins_test_user_pass }}</password>
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
However, when I open the credentials.xml in a text editor, I can see the passwords in plaintext.
How can I make Jenkins mask these password fields?
Note that when I add a new credential using the Jenkins console, the newly added credential and all the previously populated credentials (using Ansible) in the credentials.xml get masked.
Solution
I managed to mask the credentials by placing a Groovy script in the $JENKINS_HOME/init.groovy.d/ directory. The script creates a dummy user (as I did using the console) at Jenkins startup which, consequently, masks all the pre-populated credentials. The script is:
import com.cloudbees.plugins.credentials.impl.*
import com.cloudbees.plugins.credentials.*
import com.cloudbees.plugins.credentials.domains.*

// Dummy username/password credential with a random id
Credentials c = new UsernamePasswordCredentialsImpl(
        CredentialsScope.GLOBAL, java.util.UUID.randomUUID().toString(), "description", "user", "password")
// Adding it to the global domain makes the store save credentials.xml again
SystemCredentialsProvider.getInstance().getStore().addCredentials(Domain.global(), c)
But ideally, I would like to find a way just to mask, as opposed to creating a user to mask.
Answered By - SSF
Answer Checked By - Candace Johnson (JavaFixing Volunteer)
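An added example, not part of the original answer or of the Credentials plugin's own code: an init.groovy.d script that re-saves the credentials store instead of adding a dummy credential, then checks the file on disk. It assumes that saving the store is what rewrites the loaded plaintext values in encrypted form (which the behaviour described in the question suggests); the file name, the logger name and the brace-wrapped base64 pattern used for the check are illustrative assumptions.

```groovy
// Added example: $JENKINS_HOME/init.groovy.d/mask-credentials.groovy (hypothetical file name).
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import jenkins.model.Jenkins
import java.util.logging.Logger

def log = Logger.getLogger('mask-credentials')
def credentialsFile = new File(Jenkins.get().rootDir, 'credentials.xml')

// Assumption: an encrypted value is written as base64 wrapped in braces.
def encrypted = ~/^\{[A-Za-z0-9+\/=]+\}$/

// Count <password> elements whose text is not in the encrypted form.
// Only a count is returned, so no secret value reaches the log.
def countPlaintext = { File f ->
    if (!f.exists()) { return 0 }
    new XmlSlurper().parse(f).'**'
        .findAll { it.name() == 'password' }
        .count { node -> node.text().trim() && !(node.text().trim() ==~ encrypted) }
}

def before = countPlaintext(credentialsFile)
if (before > 0) {
    // The values were read into Secret objects when the store was loaded;
    // saving writes them back without adding any entry (assumption above).
    SystemCredentialsProvider.getInstance().save()
    def after = countPlaintext(credentialsFile)
    if (after > 0) {
        log.severe('credentials.xml still has ' + after + ' plaintext password field(s) after save')
    } else {
        log.info('Re-saved credentials.xml; ' + before + ' password field(s) now stored encrypted')
    }
}
```

The masked values are encrypted with a key kept under $JENKINS_HOME/secrets, so this protects credentials.xml against casual reading, not against anyone who can read the whole Jenkins home. The Ansible-rendered file also stays in plaintext on disk until the first startup runs the script.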