Jenkins: Migrating credentials…

Jenkins: Migrating credentials…

By : -

Thanks to CloudBees for providing a great guide on how to migrate Jenkins credentials – makes it dead simple.

1. Stop Jenkins on new server.

new-server # /etc/init.d/jenkins stop

2. Remove the identity.key.enc file on new server:

new-server # rm identity.key.enc

3. Copy secret* and credentials.xml to new server.

current-server # cd /var/lib/jenkins
current-server # tar czvf /tmp/credentials.tgz secret* credentials.xml
current-server # scp credentials.tgz $user@$new-server:/tmp/
new-server # cd /var/lib/jenkins
new-server # tar xzvf /tmp/credentials.tgz -C ./

4. Start Jenkins.

new-server # /etc/init.d/jenkins start

RE: https://support.cloudbees.com/hc/en-us/articles/115001634268-How-to-migrate-credentials-to-a-new-Jenkins-instance-

Just an FYI that you might also need to confirm file ownership and privileges after you copy in the files from the old server. If permissions are incorrect, the credentials file doesn’t get loaded.

How do we migrate from an old Jenkins server to an already in-use Jenkins server? Will deleting the “identity.key.enc” not result in existing credentials in the “new” Jenkins server becoming inaccessible ?

Hi Traiano,

I wouldn’t follow this procedure for that scenario. I’d prefer to switch to deploying credentials with a configuration management solution, and I use puppet, so I’d add the credentials to an eyaml file (encrypted yaml), and then deploy using groovy scripts that I’d push to the server, and then call using curl within an exec line.

Thanks,
Josh

Regarding deploying credentials via configuration management. Does that mean you are writing credentials.xml via puppet?

Hi Bilal,

I add new credentials using puppet by deploying script files to get parameters from AWS system manager parameter store for credentials (using bash or ruby) and make available to puppet as facts. I then deploy groovy scripts to check and add these credentials to Jenkins, if they do not exist. This makes it so that I don’t have to restart Jenkins after running puppet – that would be an anti-pattern.

I’ve worked with teams who have required a Jenkins restart on running configuration management and it’s a painful way to work. Don’t do it!

Thanks,
Josh

Hi Josh,

I have 3-4 jenkins instances which have their set of separate credentials in it. I wanted to use all of the available credentials across the jenkins machines.
How can I achieve this?
Should I use any valut or secret management tool which will store all the creds in one place and use that tool with the jenkins machines to retrieve the available creds?
All I want to do is club the available creds in one place and retrieve them from jenkins machine

Thanks,
Anil

Hi Anil,

I would use encrypted yaml (eyaml) with puppet that would allow me to store the credentials in a git repository (encrypted) and deploy them to each Jenkins instance using a groovy script.

Here is a very recent article by CloudBees that explains part of the process using the REST API to update credentials:
https://support.cloudbees.com/hc/en-us/articles/360030526992-How-to-manage-Credentials-via-the-REST-API

Here is the API reference to managing credentials using the REST API:
https://github.com/jenkinsci/credentials-plugin/blob/master/docs/user.adoc#rest-api

Thanks,
Josh

Seems as though there in no longer a credentials.xml. What would be the process in newer systems?

com.cloudbees.hudson.plugins.folder.config.AbstractFolderConfiguration.xml jobs
config.xml logs
hudson.model.UpdateCenter.xml nodeMonitors.xml
hudson.plugins.emailext.ExtendedEmailPublisher.xml nodes
hudson.plugins.git.GitTool.xml org.jenkinsci.plugins.workflow.flow.FlowExecutionList.xml
hudson.tasks.Ant.xml plugins
hudson.tasks.Maven.xml queue.xml.bak
identity.key.enc secret.key
jenkins.install.InstallUtil.lastExecVersion secret.key.not-so-secret
jenkins.install.UpgradeWizard.state secrets
jenkins.model.JenkinsLocationConfiguration.xml updates
jenkins.mvn.GlobalMavenConfig.xml userContent
jenkins.security.QueueItemAuthenticatorConfiguration.xml users
jenkins.security.UpdateSiteWarningsConfiguration.xml war
jenkins.security.apitoken.ApiTokenPropertyConfiguration.xml workflow-libs
jenkins.telemetry.Correlator.xml workspace

Hi Doug,

Take a look at the users directory in that location where you pasted the file listing from. You should see a directory for each user, as well as a config.xml inside that directory with user details located there. The users.xml is an index of current users.

I created an admin user on install and I see the following:

jenkins@122e2de7e259:~$ ls -lah users
total 16K
drwxr-xr-x  3 jenkins jenkins 4.0K Jun 29 22:32 .
drwxr-xr-x 15 jenkins jenkins 4.0K Jun 29 22:32 ..
drwx------  2 jenkins jenkins 4.0K Jun 29 22:32 admin_11383069947132392194
-rw-r--r--  1 jenkins jenkins  301 Jun 29 22:32 users.xml
jenkins@122e2de7e259:~$ ls -lah users/admin_11383069947132392194/
total 12K
drwx------ 2 jenkins jenkins 4.0K Jun 29 22:32 .
drwxr-xr-x 3 jenkins jenkins 4.0K Jun 29 22:32 ..
-rw-r--r-- 1 jenkins jenkins 2.2K Jun 29 22:32 config.xml

I’d try copying those files over first. Let me know if it works.

Thanks,
Josh

11 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *