Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-60529

SSH authentication fails during submodule checkout from declarative pipeline

    Details

    • Similar Issues:

      Description

      Possibly similar to JENKINS-59546:

      I have a project with a Jenkinsfile containing a declarative pipeline in a git repository that also has submodules. I have activated submodule processing, and submodules are initialized correctly, but cloning them fails with a login error from the ssh connection opened by git.

      It seems that multiple keys are tried (I get two "Permission denied" messages), although credentials config inside the project explicitly specifies which key to use.

        Attachments

          Activity

          Hide
          markewaite Mark Waite added a comment -

          Usually a configuration error in the submodule definition. For example, if the parent repository is cloned with ssh, then the submodule repository must be defined to use an ssh protocol URL to the submodule repository. Command line git needs the same protocol in the submodule as in the parent repo because it needs to use the same credentials.

          Show
          markewaite Mark Waite added a comment - Usually a configuration error in the submodule definition. For example, if the parent repository is cloned with ssh, then the submodule repository must be defined to use an ssh protocol URL to the submodule repository. Command line git needs the same protocol in the submodule as in the parent repo because it needs to use the same credentials.
          Hide
          markewaite Mark Waite added a comment -

          Here is the declarative Pipeline that I defined to test submodule cloning from a private repository. The private repository is referenced in 3 different multibranch jobs in my test environment. One of those test environments uses ssh protocol. The other two use https protocol. The declarative pipeline job skips all stages when it detects that the URL protocol is not ssh.

          @Library('globalPipelineLibraryMarkEWaite') _
          
          pipeline {
            agent {
              label '!windows && git-1.8+' // Older git versions don't do submodules well, use an sh step later, no windows
            }
            options {
              skipDefaultCheckout()
            }
            stages {
              stage('checkout') {
                when {
                  // Only test when cloning from ssh protocol URL
                  // Submodule is defined with ssh protocol URL
                  expression { scm.userRemoteConfigs[0].url ==~ /git@github.com:.*/ }
                }
                steps {
                  deleteDir()
                  checkout([$class: 'GitSCM',
                            branches: scm.branches,
                            userRemoteConfigs: scm.userRemoteConfigs,
                            extensions: [
                                  [$class: 'SubmoduleOption', parentCredentials: true],
                                  [$class: 'LocalBranch', localBranch: 'JENKINS-60529'],
                              ],
                            gitTool: 'Default' // JGit in git client plugin does not fully support submodules
                  ])
                }
              }
              stage('build') {
                when {
                  // Only test when cloning from ssh protocol URL
                  // Submodule is defined with ssh protocol URL
                  expression { scm.userRemoteConfigs[0].url ==~ /git@github.com:.*/ }
                }
                steps {
                  echo 'SCM url is ' + scm.userRemoteConfigs[0].url
                  withAnt(installation: 'ant-latest', jdk: 'jdk8') {
                    sh 'ant info'
                  }
                }
              }
              stage('verify') {
                when {
                  // Only test when cloning from ssh protocol URL
                  // Submodule is defined with ssh protocol URL
                  expression { scm.userRemoteConfigs[0].url ==~ /git@github.com:.*/ }
                }
                steps {
                  logContains([expectedRegEx: ".*Found:.*JENKINS-57936.*",
                         failureMessage: "Missing submodule README contents."])
                }
              }
            }
          }
          
          Show
          markewaite Mark Waite added a comment - Here is the declarative Pipeline that I defined to test submodule cloning from a private repository. The private repository is referenced in 3 different multibranch jobs in my test environment. One of those test environments uses ssh protocol. The other two use https protocol. The declarative pipeline job skips all stages when it detects that the URL protocol is not ssh. @Library('globalPipelineLibraryMarkEWaite') _ pipeline { agent { label '!windows && git-1.8+' // Older git versions don't do submodules well, use an sh step later, no windows } options { skipDefaultCheckout() } stages { stage('checkout') { when { // Only test when cloning from ssh protocol URL // Submodule is defined with ssh protocol URL expression { scm.userRemoteConfigs[0].url ==~ /git@github.com:.*/ } } steps { deleteDir() checkout([$class: 'GitSCM', branches: scm.branches, userRemoteConfigs: scm.userRemoteConfigs, extensions: [ [$class: 'SubmoduleOption', parentCredentials: true], [$class: 'LocalBranch', localBranch: 'JENKINS-60529'], ], gitTool: 'Default' // JGit in git client plugin does not fully support submodules ]) } } stage('build') { when { // Only test when cloning from ssh protocol URL // Submodule is defined with ssh protocol URL expression { scm.userRemoteConfigs[0].url ==~ /git@github.com:.*/ } } steps { echo 'SCM url is ' + scm.userRemoteConfigs[0].url withAnt(installation: 'ant-latest', jdk: 'jdk8') { sh 'ant info' } } } stage('verify') { when { // Only test when cloning from ssh protocol URL // Submodule is defined with ssh protocol URL expression { scm.userRemoteConfigs[0].url ==~ /git@github.com:.*/ } } steps { logContains([expectedRegEx: ".*Found:.*JENKINS-57936.*", failureMessage: "Missing submodule README contents."]) } } } }
          Hide
          simonrichter Simon Richter added a comment -

          Ooooh, found it. "Use Credentials from default remote of parent repository" needs to be set. Sorry for the noise.

          Show
          simonrichter Simon Richter added a comment - Ooooh, found it. "Use Credentials from default remote of parent repository" needs to be set. Sorry for the noise.

            People

            • Assignee:
              Unassigned
              Reporter:
              simonrichter Simon Richter
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: