Usage in pipeline #6

Closed
smaftoul opened this issue Feb 14, 2017 · 14 comments

@smaftoul

smaftoul commented Feb 14, 2017

Is it possible to use this plugin in a Jenkinsfile?
If so, how? Can it work with withCredentials?
My goal is to execute gsutil commands (in docker containers).
I found a workaround but it took quite some time to find it. I'm doing this in my pipeline:

withCredentials([[$class: 'StringBinding', credentialsId: "google-cloud", variable: 'GCS_KEY']]) {
  docker.image('google/cloud-sdk').inside("-e GCS_KEY=${GCS_KEY} -e GCS_KEY_FILE=/tmp/google-key.json -u 0:0 -v ${pwd()}:/code"){
    sh 'echo $GCS_KEY |base64 -d > $GCS_KEY_FILE'
    sh 'gcloud auth activate-service-account --key-file=$GCS_KEY_FILE --project $project'
    sh 'gsutil cp -r $file  gs://$bucket/'
   }
}

The google-cloud credential is of type secret file and it's a base64-encoded JSON file.

@rochdev

rochdev commented May 23, 2017

I too am wondering this. The documentation explains how to set up the credential but not how to use it.

@stefanbuck

@smaftoul @rochdev did one of you figure out how to use it?

@smaftoul
Author

smaftoul commented Aug 2, 2017

I think it's not usable as is, google-oauth-plugin doesn't expose anything to pipeline (AFAIK).
My workaround still works fine but is quite verbose ...

@stefanbuck

stefanbuck commented Aug 2, 2017

In my despair, I looked at the source code of Google OAuth Credentials Plugin and compared it with other credentials plugins. I found out that other plugins extend org.jenkinsci.plugins.credentialsbinding.MultiBinding, but the Google OAuth doesn't. Maybe that's the reason why it's not working!?

@rochdev

rochdev commented Aug 2, 2017

I've used pretty much the same workaround as @smaftoul. I stopped looking into better solutions as we are considering moving away from Jenkins right now.

@Unit2MBailey

I tried this workaround and got an exception because a secret file couldn't be bound with 'StringBinding'. I used 'FileBinding' instead and it writes the file to a temporary workspace then points the environment variable at it. If you set the variable name to GOOGLE_APPLICATION_CREDENTIALS then the Google client libraries should just work without having to write out the file manually.

@Unit2MBailey

Unit2MBailey commented Apr 25, 2018 via email

@ericuldall

ericuldall commented Oct 19, 2018

@Unit2MBailey This does not seem to be working for me. I'm running Jenkins in GKE... is there something different there?

Jenkinsfile Stage:

stage('Deploy to GKE') {
    container('google-cloud-deployment') {
      withCredentials([[$class: 'FileBinding', credentialsId: 'google-service-account', variable: 'GOOGLE_APPLICATION_CREDENTIALS']]) {
        sh 'echo "${GOOGLE_APPLICATION_CREDENTIALS}"' // returns ****
        sh 'gcloud auth activate-service-account [user]@[project].iam.gserviceaccount.com --key-file=$GOOGLE_APPLICATION_CREDENTIALS'
        sh 'gcloud auth list' //desired account is not authenticated
      }
    }
  }

Does anyone know why this won't work?

@Unit2MBailey

@ericuldall Sorry I couldn't say if GKE is different; our Jenkins is hosted internally. We simply wrap our steps in this if we want the python scripts within to be able to use the gcloud API:

// Run some steps with Google Cloud credentials
def withGoogleCloudCredentials(thingToDo)
{
	withCredentials([[$class: 'FileBinding', credentialsId: "cloud-storage", variable: 'GOOGLE_APPLICATION_CREDENTIALS']])
	{
		thingToDo()
	}
}

@glenpike

So I had issues with our GCP Compute VM - I had to create a new service account in Google Cloud's IAM because the key on the compute instance doesn't play nice. In testing I've given the service account the role of editor and Jenkins seems to be building now...

I am going to work on cleaning this up, but here's my starter for 10:

pipeline {
  agent any
  environment {
    JENKINS_DEPLOY = 'true'
  }
  stages {
    stage('Build') {
      steps {
        sh 'printenv'
        nodejs(nodeJSInstallationName: 'NodeJS 8.11.2 Install') {
            sh 'npm i'
            sh 'npm run build'
        }
        withCredentials([[$class: 'FileBinding', credentialsId: 'google-secret-file', variable: 'GOOGLE_APPLICATION_CREDENTIALS']]) {
          sh 'echo "${GOOGLE_APPLICATION_CREDENTIALS}"' // returns ****
          sh 'gcloud auth activate-service-account --key-file $GOOGLE_APPLICATION_CREDENTIALS'
          sh './deploy.sh'
        }
      }
    }
  }
}

@spmason

spmason commented May 3, 2019

So I've managed to write a shared library plugin that gives my apps GCloud auth from my Jenkinsfiles. You use it like so:

withGCloudCredentials(<projectName>, <credentialsId>) {
  sh "gcloud <command>"
  sh "gsutil <command>"
}

It's reasonably complicated but we've been using it on v0.7 of google-oauth-plugin for a while now and it mostly works (there are occasional race-conditiony issues when multiple builds run at a time, so it's now flawless). Since 0.8 was released the technique had to change a bit, but I've given examples of both approaches on the gist, which is here:

https://gist.github.com/spmason/a53b646ab6219c788b8d04ad959ca940

@craigdbarber
Contributor

Thanks @spmason for sharing the workaround. Ideally it shouldn't be needed. We have pipeline support scheduled on the roadmap for this quarter. Will send updates as soon as progress is made.

@ericuldall

I ended up opting for a less Jenkins-specific solution. I'm just mounting my keys from secrets in my GKE cluster and I can reference them with normal access patterns based on the project name I'm deploying to:

container('google-cloud-deployment') {
      sh 'gcloud auth activate-service-account $SERVICE_ACCOUNT_NAME --key-file=/etc/keys/$SERVICE_ACCOUNT_PROJECT.json --project=$SERVICE_ACCOUNT_PROJECT'
      sh 'echo Y | gcloud auth configure-docker'
}

This works well and I don't need to worry about any Jenkins plugins that may or may not work as expected.

@stephenashank
Contributor

Usage in pipeline should be resolved by #48. Still, I recommend checking out our Jenkins Integration Samples for best practices on using these credentials with our plugins.
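
The secret-file workaround discussed earlier in this thread, applied to the gsutil-in-Docker use case from the opening post, as an added example (not code from the plugin, its samples, or any participant). The credentials ID `gcp-sa-key` (a "Secret file" credential holding the raw JSON key), the helper name `withGcloud`, and the environment variables `GCP_PROJECT`, `ARTIFACT` and `BUCKET` are assumptions.

```groovy
// Added example: scripted-pipeline helper; names below are hypothetical.
// Assumes the Credentials Binding and Docker Pipeline plugins are installed
// and that 'gcp-sa-key' is a "Secret file" credential with the raw JSON key.
def withGcloud(String credentialsId, String project, Closure body) {
    // file(...) writes the key to a temporary file and binds its path.
    withCredentials([file(credentialsId: credentialsId,
                          variable: 'GOOGLE_APPLICATION_CREDENTIALS')]) {
        // Per-build gcloud config directory: the activated account is not
        // shared with other builds on the agent and is removed afterwards.
        withEnv(["CLOUDSDK_CONFIG=${pwd(tmp: true)}/gcloud-${env.BUILD_NUMBER}",
                 "CLOUDSDK_CORE_PROJECT=${project}"]) {
            try {
                // Single quotes: the shell expands the variable, so Groovy
                // never interpolates the credential-bound value into the
                // command string.
                sh 'gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS"'
                body()
            } finally {
                // Drop the activated credentials even if the body failed.
                sh 'gcloud auth revoke --all || true; rm -rf "$CLOUDSDK_CONFIG"'
            }
        }
    }
}

node {
    checkout scm
    // No key material is passed through "docker run -e"; the key stays in
    // the bound temporary file.
    docker.image('google/cloud-sdk').inside {
        withGcloud('gcp-sa-key', env.GCP_PROJECT) {
            sh 'gsutil cp -r "$ARTIFACT" "gs://$BUCKET/"'
        }
    }
}
```

Client libraries that read `GOOGLE_APPLICATION_CREDENTIALS` can run inside the same closure without the `gcloud auth` step.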
