[FIXED] Building Jenkins Infra-As-Code and masking Credentials

Issue

I am building a Jenkins infrastructure using infra-as-code principles. As part of this, I am pre-populating the credentials.xml configuration of Jenkins to include some global credentials.

I populate this xml file using Ansible during the launch of the infrastructure. Once rendered, the file is pushed to the Jenkins Home Directory. See example below:

<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="[email protected]">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          <scope>GLOBAL</scope>
          <id>{{ jenkins_test_user }}</id>
          <description>GenericAccount</description>
          <username>{{ jenkins_test_user }}</username>
          <password>{{ jenkins_test_user_pass }}</password>
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>

However, when I open the credentials.xml in a text editor, I can see the passwords in plaintext.

How can I make Jenkins mask these password fields?

Note that when I add a new credential using the Jenkins console, the newly added credential and all the previously populated credentials (using Ansible) in the credentials.xml, get masked.

Solution

I managed to mask the credentials by placing a groovy script in the $JENKINS_HOME/init.groovy.d/ directory. The script creates a dummy user (as I did using the console) at the Jenkins startup which, consequently, masks all the pre-populated credentials. The script is

import com.cloudbees.plugins.credentials.impl.*;
import com.cloudbees.plugins.credentials.*;
import com.cloudbees.plugins.credentials.domains.*;

Credentials c = (Credentials) new UsernamePasswordCredentialsImpl(CredentialsScope.GLOBAL,java.util.UUID.randomUUID().toString(), "description", "user", "password")

SystemCredentialsProvider.getInstance().getStore().addCredentials(Domain.global(), c)

But, ideally I would like to find a way just to mask as oppose to create a user to mask.

Answered By - SSF
Answer Checked By - Candace Johnson (JavaFixing Volunteer)