Configure Jenkins to log into a GitHub account

By default, Jenkins connects to GitHub anonymously.

Although this setting is fine to start with, it quickly becomes a limitation when dealing with private repos and when timeouts on anonymous users are triggered on the GitHub side.

This post details the steps to configure Jenkins and GitHub so that Jenkins can authenticate on GitHub.

Approach

There are several ways of authenticating, which are all more or less described in https://developer.github.com/v3/guides/managing-deploy-keys/#deploy-keys

It is possible to:

  • ssh through your own account
  • use authentication token with oauth api on your own account
  • set up ssh “deploy keys” on a per repository basis
  • use a “machine user account” approach

The downside of the first 2 methods is that everything goes through your own private account. I prefer to keep things separate if possible and not have jenkins use my profile.
The downside of the 3rd approach is that you have to set up an ssh key on each repo you create where you want jenkins to have access, which can be cumbersome on a multi-repo project (like the one we are working on).

Last method, “machine user account”, seems to tick all the boxes:

  • dedicated account for jenkins
  • easy integration on projects, jenkins is just like any collaborator that you can assign to repos to grant/revoke access

Machine user account setup

UPDATE: at the time of writing, the ssh related steps can be skipped if you want to configure the jenkins connection with github.com – ssh identification is not allowed with the current version of the jenkins github plugin. Jump directly to the “username with password” section. If you are integrating with your own git, ssh authentication is still an option.

Here are the steps to perform:

Generate ssh key

  1. log into your server
  2. go to your jenkins folder (ex: /var/lib/jenkins/)
  3. create a .ssh_github folder
  4. inside this folder, generate a new key by running: ssh-keygen -t rsa -C <jenkins-user-email-address>
  5. follow instructions to enter secret passphrase
  6. display and copy public key: cat id_rsa.pub (<- this will be needed on github side)

note: the above steps are just one way of generating ssh keys, there are lots of tutorials out there on how to do it, feel free to adapt the steps to your own taste

note 2: I couldn’t figure out how to make push commands work with ssh when there is a passphrase 🙁 It worked fine without a passphrase but is insecure. Sadly, I have no idea how to get this ssh-agent to work in git.

To make it work without passphrase (and without needing ssh-agent), I had to do the following:

  • login as jenkins user on server (sudo su jenkins)
  • create file ~/.ssh/config as per below:

Host github.com
    HostName github.com
    User <github-username>
    IdentityFile ~/.ssh/<file>.id_rsa

After that, a simple git push as jenkins user worked like a charm (without passphrase though 🙁 )

update: I finally managed to make push possible with a passphrase protected ssh key, see the dedicated steps in the jenkins section, below.

Add github rsa fingerprint to known hosts

To avoid the interactive prompt asking you to accept GitHub's public RSA key, proceed as follows:

  1. log in to your jenkins machine
  2. run the command below (it appends, so existing known_hosts entries are kept): ssh-keyscan -H github.com >> ~/.ssh/known_hosts
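ssh-keyscan records whatever key the network returns, so the resulting known_hosts entry is only as trustworthy as the connection it was fetched over. The script below is an added example, not part of the original post: it accepts a scan only when every key in it matches a key you pinned out of band (copied from GitHub's published SSH host keys), and appends without truncating. The function and file names are hypothetical, the key blobs are constructed placeholders, and the scan is assumed to be taken without -H.

```shell
#!/bin/sh
# Added example (not from the original post): only trust scanned host keys
# that match keys pinned out of band.

# trust_scanned_keys SCAN PINNED KNOWN_HOSTS
#   SCAN        output of `ssh-keyscan github.com`: "host keytype base64key"
#   PINNED      keys copied from GitHub's documentation: "keytype base64key"
#   KNOWN_HOSTS file that receives verified entries (appended, never truncated)
# Returns 0 when every scanned key is pinned; otherwise 1 and nothing is written.
trust_scanned_keys() {
    scan=$1; pinned=$2; known=$3
    # Ignore comment and blank lines; an empty scan is a failure.
    keys=$(grep -v -e '^#' -e '^[[:space:]]*$' "$scan") || return 1
    # Pass 1: reject the whole scan if any key is not in the pinned list.
    printf '%s\n' "$keys" | while read -r host type blob rest; do
        grep -qxF -e "$type $blob" "$pinned" ||
            { echo "unpinned key offered for $host ($type)" >&2; exit 1; }
    done || return 1
    # Pass 2: append only entries that are not already present.
    touch "$known"
    printf '%s\n' "$keys" | while read -r host type blob rest; do
        grep -qxF -e "$host $type $blob" "$known" ||
            printf '%s %s %s\n' "$host" "$type" "$blob" >> "$known"
    done
}

# Constructed sample data: the key blobs below are placeholders, not real keys.
write_samples() {
    dir=$1
    printf '%s\n' 'ssh-ed25519 AAAAC3CONSTRUCTEDPINNEDKEY0001' > "$dir/pinned"
    printf '%s\n' '# github.com:22 SSH-2.0-sample' \
        'github.com ssh-ed25519 AAAAC3CONSTRUCTEDPINNEDKEY0001' > "$dir/scan_ok"
    printf '%s\n' 'github.com ssh-ed25519 AAAAC3CONSTRUCTEDPINNEDKEY0001' \
        'github.com ssh-rsa AAAAB3CONSTRUCTEDUNKNOWNKEY9999' > "$dir/scan_bad"
}

# Runs both cases against a scratch directory and reports the outcome.
demo() {
    tmp=$(mktemp -d) && write_samples "$tmp" || return 1
    trust_scanned_keys "$tmp/scan_ok" "$tmp/pinned" "$tmp/known_hosts" && ok=0 || ok=1
    trust_scanned_keys "$tmp/scan_bad" "$tmp/pinned" "$tmp/known_hosts" 2>/dev/null && bad=0 || bad=1
    lines=$(wc -l < "$tmp/known_hosts" | tr -d ' ')
    rm -rf "$tmp"
    echo "ok=$ok bad=$bad lines=$lines"
}
demo
```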

Create machine user account on github

  1. create a new github account specifically for this jenkins user (follow github signup instructions, note that you will need to use a valid email address for that account)
  2. log in to that account > settings > SSH and GPG keys
  3. give the key a name like “jenkins” for instance and paste your generated public key > save

This account is now set up and ready to go!

Add Jenkins as project collaborator

Go back into your github account, add newly created jenkins github user as collaborator to your project

Configure Jenkins to use the machine account

SSH identification

Now it is time to add the ssh configuration to Jenkins

  • Go to Jenkins > Credentials > global > add credentials
  • Choose type “SSH username with private key”
  • Fill up corresponding details
  • Save changes
  • Install ssh-agent plugin
  • Go back to your pipeline/github-project and select credentials from the list
  • bad surprise, in current version, github-plugin does not work with ssh credentials! update: you can ignore the above, ssh still works fine for pushing/retrieving

Luckily, all is not lost.

In the GitHub section, click on the “Add” button and add the option “Checkout over SSH”; this allows the ssh connection to be used.

Inside your declarative pipeline, use below code to wrap any calls requiring ssh connection (like git push for instance)

sshagent (credentials: ['<your-cred-id-defined-in-previous-step>']) {
    sh "git push --tags"
}

Simply wrap the sh "git push --tags" call in the sshagent block.

Doing so worked like a charm for me.

Note that if you integrate jenkins with your own git (i.e. not github) you can perfectly well use ssh authentication; make sure to define your git url as an ssh url.

Let’s then move to the “username with password” configuration.

Username with password authentication

  • go to Jenkins > Credentials > global > add credentials
  • select “Username with password” method
  • fill up details using your own values
  • save changes
  • now go to your pipeline/item you want to configure to make it use newly defined credentials
  • Finally, test your setup by generating a commit on repository where jenkins is configured and check console output to confirm query was done with logged in user

clap! clap! clap!

sources
