There are two other options:

1. Bake the secret key used to encrypt Jenkins secrets into your image (downside: anyone with access to the image can decrypt the keys).
2. Seed the JENKINS_HOME volume with an unencrypted credentials.xml and have an init.groovy.d script trigger a save (which will encrypt them on first start).

Outside of that, you could look into implementing a plugin that extends from CredentialsProvider and exposes your ssh credentials how you see fit. One I think would be nice is one that basically takes an SSH_AGENT from the Jenkins user and exposes its keys as SSH keys (so good an idea I may implement it myself... if I get spare time or if my employer agrees it is a good idea). That way you could mount the SSH_AGENT socket into docker and away you go... of course none of that is written yet... so for now just hack it working.

On Tue 3 Jan 2017 at 14:21, Barry Laffoy <[email protected]> wrote:

> Hi
>
> I'm trying to set up our Jenkins master in a reproducible way using the
> Docker image here: https://github.com/jenkinsci/docker
>
> One problem I am having is how to make ssh private keys (e.g. for polling
> git repos) available within the container in a secure manner. Ideally, I
> would like to be able to set the private keys at runtime for the container, as
> a way to test the configuration in a safe environment before it is promoted
> to production.
>
> Copying the keys at build time fails this second requirement (and may have
> security implications if it would make a user's private key visible to
> anybody with permission to run the container?).
>
> Mounting the key location as a volume with `docker run -v
> /path/to/keys:/var/jenkins_home/.ssh` does not work, as the mount point in
> the container inherits the uid/gid of the host directory, which does not
> match the uid/gid of the "jenkins" user within the container. There are
> solutions to this available, using gosu, but that seems to be strongly
> discouraged by the community.
>
> What is the advised/best practice way of injecting ssh private keys into
> the Jenkins master container?
>
> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-users/8d8d6fd2-11c2-4946-93b3-07981944af23%40googlegroups.com
> For more options, visit https://groups.google.com/d/optout.

--
Sent from my phone
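The reply's option 2 (seed credentials and let an init.groovy.d script save them so Jenkins encrypts them on first start) can be done without ever putting an unencrypted credentials.xml on disk: the script below reads the private key from a file mounted at runtime, registers it through the credentials API and saves the store. This is an added example, not code from the thread or from the jenkinsci/docker project; the mount path, environment variable names, credential id and username are assumptions, and it assumes the ssh-credentials plugin is installed.

```groovy
// Drop into $JENKINS_HOME/init.groovy.d/10-seed-ssh-credential.groovy (added example).
// Reads a private key mounted at container start and stores it as a Jenkins
// SSH credential; credentials.xml is then written with the key encrypted under
// the instance's own secret key, so neither the image nor the volume seed holds
// it in plaintext. Paths and names below are assumptions, not project defaults.
import com.cloudbees.plugins.credentials.CredentialsScope
import com.cloudbees.plugins.credentials.SystemCredentialsProvider
import com.cloudbees.plugins.credentials.domains.Domain
import com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey

// Assumed locations: a Docker secret or a read-only bind mount supplied at `docker run`.
def keyPath = System.getenv('SEED_SSH_KEY_FILE') ?: '/run/secrets/git_deploy_key'
def credId  = 'git-deploy-key'          // assumed credential id
def keyFile = new File(keyPath)

if (!keyFile.canRead()) {
    // Nothing mounted (e.g. a test environment without real keys): leave the store untouched.
    println "seed-ssh-credential: ${keyPath} not readable, skipping"
    return
}

def store    = SystemCredentialsProvider.getInstance().getStore()
def existing = store.getCredentials(Domain.global()).find { it.id == credId }

// DirectEntryPrivateKeySource keeps the key inside the credential object; Jenkins
// encrypts it (hudson.util.Secret) when the store is persisted.
def cred = new BasicSSHUserPrivateKey(
    CredentialsScope.GLOBAL,
    credId,
    'git',                              // assumed SSH username for the remote
    new BasicSSHUserPrivateKey.DirectEntryPrivateKeySource(keyFile.text),
    System.getenv('SEED_SSH_KEY_PASSPHRASE') ?: '',
    'Git deploy key seeded at container start')

// Idempotent across restarts: replace an existing credential with the same id
// rather than accumulating duplicates.
if (existing) {
    store.updateCredentials(Domain.global(), existing, cred)
} else {
    store.addCredentials(Domain.global(), cred)
}
SystemCredentialsProvider.getInstance().save()
println "seed-ssh-credential: stored '${credId}' from ${keyPath}"
```

The mounted file only needs to be readable by the container's jenkins uid and is never written, so the uid/gid mismatch described in the question matters only for read permission, and a read-only mount (or a Docker secret) is enough.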
