I have been working on setting up Jenkins Pipelines for some projects and had an issue that I think others have had, but I could not find a clear answer on the way to handle it.
We have some NPM Packages that are pulled from a private git repo, and all of the accounts have MFA enabled, including the CI user account. This means that SSH authentication is mandatory for CI user.
If there is only one host that you need to ssh auth with jenkins, or you use the exact same ssh key for all hosts, then you can just put the private key on your Jenkins server at ~/.ssh/id_rsa. If you need to specify a key dependant upon the host, which is the situation I was in, it was not working to pull the package.
The solution for this that I found was to use the ~/.ssh/config. In there you specify the hosts, the user, and what identity file to use. It can look something like this:
Host github.com
User git
IdentityFile ~/.ssh/github.key
Host bitbucket.org
User git
IdentityFile ~/.ssh/bitbucket.key
Host tfs.myonprem-domain.com
User my-ci-user
IdentityFile ~/.ssh/onprem-tfs.key
So now, when running npm install, ssh will know what identity file to use.
Bonus tip: Not everyone uses ssh, so in the package.json, it may not be configured to use ssh. You can put options in the global .gitconfig on the Jenkins server that will redirect the https protocol requests to ssh:
[url "ssh://git@github.com/"]
insteadOf = "https://github.com/"
[url "ssh://git@bitbucket.org/"]
insteadOf = "https://bitbucket.org/"
[url "ssh://tfs.myonprem-domain.com:22/"]
instadOf = "https://tfs.myonprem-domain.com/
So with that, when git detects an https request, it will switch to use ssh.
No comments:
Post a Comment