5

I'd like to allow all of our organization's users to create new pipelines in Jenkins, via Blue Ocean...

enter image description here

This requires a Github access token, meaning I have to either require each user to use their own access token, or share the contents of an access token with all users.

The first option seems inconvenient. The second option is a security risk, and we'd have to change our token any time someone left the organization.

I was hoping to find a way to add a credential to Jenkins and scope it so that all users have access to it, so the above New Pipeline flow would use that cred rather than querying the user to input a token.

I created a token with Global (rather than System) scope, but new users are still asked to input a token when they go to add a pipeline.

Is there a good solution for this? Do most organizations rely on individual developers to use their personal access tokens?

ivan
  • 151
  • 3
  • I know it's not a direct answer to your question, but would the GitHub Branch Source Plugin work for you? This plugin automatically creates jobs for every repository in a GitHub organization that contains a Jenkinsfile, removing the need to create a new job every time you create a new repository in GitHub. – jayhendren Jun 13 '18 at 16:02
  • Interesting. We're actually using that plugin, though not to auto-create jobs. I think that would suite our needs, but I don't see an option to enable automatic job creation. We've got version 2.3.2 – ivan Jun 14 '18 at 12:21
  • @jayhendren I should clarify, the plugin is automatically creating jobs for branches and PRs in the repositories that already have pipelines, but it's not automatically creating new pipelines. – ivan Jun 14 '18 at 12:42
  • Not sure I follow. If you add a Jenkinsfile to an existing branch, the plug-in will create a new job automatically. – jayhendren Jun 14 '18 at 16:23
  • @jayhendren Sorry, let me try to describe it more clearly. Our org has a GitHub account TheOrg. I created a pipeline for repo TheOrg/foo. Jenkins will create jobs for foo's branches and PRs. Another member of the organization creates a repo TheOrg/bar. Jenkins doesn't know about it, so no builds will occur despite branch and/or PR activity in bar. – ivan Jun 14 '18 at 21:44
  • 1
    The GitHub Branch Source plugin periodically scans the organization for new repositories, branches, and PRs, so it should find bar assuming it has at least one branch/PR containing a Jenkinsfile. By default, the plugin scans the org once a day. Verify that automatic scanning is turned on, the scan frequency is at a desirable setting, and that the bar repo has a Jenkinsfile in it. You can run a manual scan to debug if the repo still isn't appearing. Docs available here. – jayhendren Jun 14 '18 at 22:53

1 Answers1

1

I was a little confused by the OP question and follow up, so answering about GitHub access to jenkinsfile-based pipeline jobs: Credentials stored in Jenkins can be available to all users with rights to create jobs. Use a GitHub deployment key for your repo. Yes you need a key for every repo. This does require a user in Github, of course, but there is nothing to stop you from paying for an extra so-called 'machine user.' We, however, just use a real person like me.

This GitHub deploy key allows you to trigger on repo changes, or keep your jenkinsfile in Github. Using jenkinsfiles and keeping them in GitHub, is the best way to do Jenkins, I think.

John Fisher
  • 111
  • 1