  1. Jenkins
  2. JENKINS-56600

Jenkins Shared Library checkout behind proxy for ssh


      Description

      Jenkins Shared Library (JSL Plugin) checkout behind proxy for ssh use case.

      Our environment currently enforces all traffic to the web to be proxied, including ssh traffic. As such, in this environment I normally need to use netcat to forward the ssh traffic to the proxy host. Below is typically what the ssh_config file would look like:

       

       Host some.public.git.remotehost.com
       Port 7999
       ProxyCommand nc --proxy some.internal.network.proxy.host:8080 %h %p
       

       

      In our pipelines, to use git, we pass in the above config as a managed file assigned as $SSH_CONFIG, along with some git credentials assigned to $IDENTITY_FILE, and then set up the GIT_SSH var so the git binary will know how to use the ssh proxy when encountering the ssh://git url. See below:

      # Wrapper that git runs in place of ssh; the variables are expanded when the wrapper runs
      echo 'ssh $SSH_DEBUG -F "$SSH_CONFIG" -i "$IDENTITY_FILE" "$@"' > /ssh
      chmod +x /ssh
      export GIT_SSH=/./ssh

       

      Then I'm allowed to check out a repo like normal:

      exec git clone --depth=1 "$GIT_SSH_REPO_URL" --branch "$GIT_BRANCH_NAME" "${GIT_CHECKOUT_DIRECTORY:-.}"

       

      Additional note about our use case.

      HTTPS_PROXY is allowed here; however, our repos are behind an Okta MFA verify wall, and each git transaction is forced to be attached to a mobile device somewhere, thus using this method in any git workflow is terrible and cumbersome, especially in CI... We bypass this with ssh and ssh keys.

       

      When I try to put the config file in the master at a known location (because currently I cannot find a way to pass a managed file or config file into the JSL Plugin), set the global var for GIT_SSH to the executable, set the global tool for git to the git binary, and use the global shared library in Jenkins -> Manage -> Configure, then in the build, when calling the library key, my GIT_SSH var is overridden by the plugin for the global library when calling the ssh keys needed for the git transaction. See below:

      Started by user unknown or anonymous
      Running in Durability level: MAX_SURVIVABILITY
      Loading library jenkins-common-awesomerepo@feature/BRANCH-244
      Attempting to resolve feature/BRANCH-244 from remote references...
       > git --version # timeout=10
      using GIT_SSH to set credentials jenkins-repo-creds do note delete
       > git ls-remote -h ssh://git@some.public.git.remotehost.com:7999/org/awesomerepo.git # timeout=10
      java.lang.InterruptedException 

      I would very much like to use the Global Shared Library plugin instead of checking out the library in each build manually and instantiating the library context inside each build's node context, causing me to repeat code vs. just a call to the library key.

      Thanks for any input that can be made.
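
The wrapper setup from the description above, as an added example that is not part of the original report. It keeps the reporter's variable names (SSH_DEBUG, SSH_CONFIG, IDENTITY_FILE, GIT_SSH); the helper name `setup_git_ssh`, the private temporary directory and the `IdentitiesOnly=yes` option are assumptions added here.

```shell
# Added example, not the reporter's script. setup_git_ssh is a hypothetical helper.
# Usage: setup_git_ssh /path/to/ssh_config /path/to/private_key
setup_git_ssh() {
    gs_cfg=$1
    gs_key=$2
    [ -r "$gs_cfg" ] || { echo "ssh config not readable: $gs_cfg" >&2; return 1; }
    [ -r "$gs_key" ] || { echo "identity file not readable: $gs_key" >&2; return 1; }

    # ssh rejects private keys that other users can read.
    chmod 600 "$gs_key" || return 1

    # Use a private directory rather than a fixed, shared path such as /ssh,
    # so no other account on the build host can swap the wrapper out.
    gs_dir=$(mktemp -d) || return 1
    chmod 700 "$gs_dir"

    # Quoted heredoc: the variables are expanded when git runs the wrapper,
    # not now, which matches the single-quoted echo in the description.
    cat > "$gs_dir/git-ssh" <<'EOF'
#!/bin/sh
# SSH_DEBUG is intentionally unquoted: it is either empty or a flag like -v.
# -F makes ssh ignore /etc/ssh/ssh_config, so the proxy rule must be in SSH_CONFIG.
# IdentitiesOnly=yes offers only the key given with -i, not agent keys.
# "$@" keeps git's remote command as one argument even if the path has spaces.
exec ssh $SSH_DEBUG -F "$SSH_CONFIG" -i "$IDENTITY_FILE" \
    -o IdentitiesOnly=yes "$@"
EOF
    chmod 700 "$gs_dir/git-ssh"

    export SSH_CONFIG="$gs_cfg" IDENTITY_FILE="$gs_key" GIT_SSH="$gs_dir/git-ssh"
}
```

After calling the function in the same shell, the `git clone` line from the description picks up the wrapper through `GIT_SSH`.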

       

          Activity

          caley Caley Goff added a comment -

          So this will still be an issue worth improving, but as a workaround I was able to do the following:

           

          Create a copy of the ssh_config we're using and pass it into the alpine container for the master at /etc/ssh/ssh_config, overriding the global ssh_config for the jenkins-master.

          This isn't an issue for us because we also use ephemeral containers with their own git binary, and ssh_config and static slaves with the same configuration.

          When setting the default tool for git to git, and the path to git in Jenkins > Manage > Global Tool Configuration, we can pass git an ssh URL, and then ssh will know what proxy to use because of the global ssh_config file on the master container.


            People

            • Assignee:
              Unassigned
              Reporter:
              caley Caley Goff