configuration-as-code-plugin: Jenkins helm values.yaml - failed to pass the basicSSHUserPrivateKey via terraform data.aws_secretsmanager_secret_version
Jenkins and plugins versions report
Environment
Jenkins: 2.332.2
OS: Linux - 5.10.109
---
ace-editor:1.1
ansicolor:1.0.1
antisamy-markup-formatter:2.7
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk:1.12.163-315.v2b_716ec8e4df
aws-java-sdk-cloudformation:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-codebuild:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-ec2:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-ecr:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-ecs:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-elasticbeanstalk:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-iam:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-logs:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-minimal:1.12.246-349.v96b_b_f7eb_a_c3c
aws-java-sdk-ssm:1.12.246-349.v96b_b_f7eb_a_c3c
bootstrap5-api:5.1.3-7
bouncycastle-api:2.26
branch-api:2.1046.v0ca_37783ecc5
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.4
cloudbees-folder:6.729.v2b_9d1a_74d673
command-launcher:84.v4a_97f2027398
configuration-as-code:1414.v878271fc496f
credentials:1087.1089.v2f1b_9a_b_040e4
credentials-binding:523.vd859a_4b_122e6
datadog:4.0.0
display-url-api:2.3.6
docker-commons:1.19
docker-java-api:3.2.13-37.vf3411c9828b9
docker-plugin:1.2.7
docker-workflow:1.28
durable-task:496.va67c6f9eefa7
ec2:1.68
echarts-api:5.3.3-1
extended-choice-parameter:346.vd87693c5a_86c
font-awesome-api:6.1.1-1
git:4.10.3
git-client:3.11.0
git-server:1.11
github:1.34.3
github-api:1.303-400.v35c2d8258028
github-branch-source:1598.v91207e9f9b_4a_
handlebars:3.0.8
jackson2-api:2.13.3-285.vc03c0256d517
javax-activation-api:1.2.0-3
javax-mail-api:1.6.2-6
jaxb:2.3.6-1
jdk-tool:1.0
jjwt-api:0.11.5-77.v646c772fddb_0
jnr-posix-api:3.1.7-3
job-dsl:1.79
jquery:1.12.4-1
jquery3-api:3.6.0-4
jsch:0.1.55.2
junit:1119.1121.vc43d0fc45561
kubernetes:1.31.3
kubernetes-cli:1.10.3
kubernetes-client-api:5.12.2-193.v26a_6078f65a_9
kubernetes-credentials:0.9.0
list-git-branches-parameter:0.0.11
lockable-resources:2.15
mailer:414.vcc4c33714601
matrix-auth:3.1.5
matrix-project:772.v494f19991984
metrics:4.1.6.2
mina-sshd-api-common:2.8.0-21.v493b_6b_db_22c6
mina-sshd-api-core:2.8.0-21.v493b_6b_db_22c6
momentjs:1.1.1
node-iterator-api:1.5.1
okhttp-api:4.9.3-105.vb96869f8ac3a
parameterized-trigger:2.44
pipeline-aws:1.43
pipeline-build-step:2.18
pipeline-github:2.8-138.d766e30bb08b
pipeline-github-lib:36.v4c01db_ca_ed16
pipeline-graph-analysis:195.v5812d95a_a_2f9
pipeline-groovy-lib:593.va_a_fc25d520e9
pipeline-input-step:449.v77f0e8b_845c4
pipeline-milestone-step:101.vd572fef9d926
pipeline-model-api:2.2097.v33db_b_de764b_e
pipeline-model-definition:2.2097.v33db_b_de764b_e
pipeline-model-extensions:2.2097.v33db_b_de764b_e
pipeline-rest-api:2.24
pipeline-stage-step:293.v200037eefcd5
pipeline-stage-tags-metadata:2.2097.v33db_b_de764b_e
pipeline-stage-view:2.24
plain-credentials:1.8
plugin-util-api:2.17.0
popper2-api:2.11.5-2
python:1.3
resource-disposer:0.19
role-strategy:3.2.0
saml:2.296.v0016349946db_
scm-api:608.vfa_f971c5a_a_e9
script-security:1175.v4b_d517d6db_f0
slack:608.v19e3b_44b_b_9ff
snakeyaml-api:1.30.2-76.vc104f7ce9870
ssh-credentials:277.v95c2fec1c047
ssh-slaves:1.821.vd834f8a_c390e
sshd:3.242.va_db_9da_b_26a_c3
structs:318.va_f3ccb_729b_71
terraform:1.0.10
token-macro:293.v283932a_0a_b_49
trilead-api:1.66.v49c6758b_b_360
uno-choice:2.6.1
variant:1.4
workflow-aggregator:2.6
workflow-api:1188.v0016b_4f29881
workflow-basic-steps:969.vc4ec3e4854b_f
workflow-cps:2729.vea_17b_79ed57a_
workflow-cps-global-lib:588.v576c103a_ff86
workflow-durable-task-step:1174.v73a_9a_17edce0
workflow-job:1189.va_d37a_e9e4eda_
workflow-multibranch:716.vc692a_e52371b_
workflow-scm-step:400.v6b_89a_1317c9a_
workflow-step-api:625.vd896b_f445a_f8
workflow-support:833.va_1c71061486b_
ws-cleanup:0.42
xml-job-to-job-dsl:0.1.13
What Operating System are you using (both controller, and any agents involved in the problem)?
Jenkins is running on an EKS cluster and is deployed by Helm chart with Terraform “helm_release”.
Reproduction steps
- Create AWS secret manager with ssh-key for GitHub credentials as below:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEABCDEBG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAxs6i6gjyvbqIMboLC7zQ3RB0UhGORL5idCIPhpupuQIMySUmZ1S+
-----END OPENSSH PRIVATE KEY-----
- Use data to call the secret:
data "aws_secretsmanager_secret_version" "github_token" {
  secret_id = "github"
}
- Define the SSH_PRIVATE_KEY in the values.yaml -
credentials:
  system:
    domainCredentials:
      - credentials:
          - basicSSHUserPrivateKey:
              scope: GLOBAL
              id: github
              username: github
              description: "Credentials for GitHub repo"
              privateKeySource:
                directEntry:
                  privateKey: |
                    "${SSH_PRIVATE_KEY}"
- Pass the secret to the values.yaml with terraform templatefile function -
resource "helm_release" "jenkins" {
  name       = "jenkins"
  namespace  = kubernetes_namespace.jenkins.metadata[0].name
  repository = "https://charts.jenkins.io"
  chart      = "jenkins"
  version    = var.chart_version
  values = [
    templatefile("${path.module}/${var.values}.yaml", {
      SSH_PRIVATE_KEY : data.aws_secretsmanager_secret_version.github_token.secret_string
    })
  ]
}
Expected Results
Helm upgrade action to be completed successfully and the ssh-key configured as expected in the Jenkins credentials.
Actual Results
Received the below error:
Error: ---> error converting YAML to JSON: yaml: line 433: could not find expected ':' # Default values for jenkins.
on this section:
credentials:
  system:
    domainCredentials:
      - credentials:
          - basicSSHUserPrivateKey:
              scope: GLOBAL
              id: github
              username: github
              description: "Credentials for public-cloud-infrastructure GitHub repo"
              privateKeySource:
                directEntry:
                  privateKey: |
"-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEABCDEBG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAxs6i6gjyvbqIMboLC7zQ3RB0UhGORL5idCIPhpupuQIMySUmZ1S+
-----END OPENSSH PRIVATE KEY-----"
Anything else?
I tried to use this link to fix the syntax error of the yaml with no luck
About this issue
- State: open
- Created 2 years ago
- Reactions: 2
- Comments: 15 (8 by maintainers)
Secret manager and terraform should preserve the multiline.
So will the expanded secret.
Yes, you can have multiline in YAML with quotes by escaping with \n in a literal. Also, the expanded secret will also preserve newlines by using \n in the raw binary to preserve the newlines.
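
The parse error in the report follows from `templatefile` doing plain text substitution: only the first line of the key inherits the indentation under `privateKey: |`, and the remaining lines start at column 0, which ends the block scalar. The sketch below is an added example, not code from the issue or from the plugin maintainers; it lets `yamlencode` serialise the key instead of interpolating it into a YAML file. It assumes the credentials block belongs under the chart's `controller.JCasC.configScripts`, uses a made-up script name `github-credentials`, and relies on `kubernetes_namespace.jenkins`, `var.chart_version` and `var.values` being defined as in the reporter's configuration.

```hcl
# Added example. Resource names and arguments are those shown in the issue;
# "github-credentials" is a hypothetical script name.
data "aws_secretsmanager_secret_version" "github_token" {
  secret_id = "github"
}

locals {
  # JCasC document built as an HCL object. yamlencode() serialises the
  # multi-line key itself, so every line is validly indented or escaped.
  jcasc_github_credentials = yamlencode({
    credentials = {
      system = {
        domainCredentials = [{
          credentials = [{
            basicSSHUserPrivateKey = {
              scope       = "GLOBAL"
              id          = "github"
              username    = "github"
              description = "Credentials for GitHub repo"
              privateKeySource = {
                directEntry = {
                  privateKey = data.aws_secretsmanager_secret_version.github_token.secret_string
                }
              }
            }
          }]
        }]
      }
    }
  })
}

resource "helm_release" "jenkins" {
  name       = "jenkins"
  namespace  = kubernetes_namespace.jenkins.metadata[0].name
  repository = "https://charts.jenkins.io"
  chart      = "jenkins"
  version    = var.chart_version

  values = [
    # Static values file with the credentials block removed; nothing is
    # interpolated into it any more, so file() replaces templatefile().
    file("${path.module}/${var.values}.yaml"),
    # Assumption: the chart reads JCasC snippets from controller.JCasC.configScripts.
    yamlencode({
      controller = { JCasC = { configScripts = {
        "github-credentials" = local.jcasc_github_credentials
      } } }
    }),
  ]
}
```

The key is still written to Terraform state and to the Helm release values, so both need the same access controls as the secret itself.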