Keeping the Jenkins agent secret stable

[gaborbernat]

Currently whenever I bootstrap the instance a new jenkins agent secret is generated. How can I make it deterministic? I think this is secrets/jenkins.slaves.JnlpSlaveAgentProtocol.secret that's generated on startup 🤔 Perhaps here https://github.com/jenkinsci/jenkins/blob/master/core/src/main/java/jenkins/slaves/JnlpAgentReceiver.java#L40

[gaborbernat]

In the end went with manually provisioning the secrets master.key and jenkins.slaves.JnlpSlaveAgentProtocol.secret, which fixed my problem. The only downside is this needs to happen before starting the bootstrap, otherwise Jenkins would generate this key.

[brokenpip3]

hey @gaborbernat do you mind share how you were able to create the secrets you mentioned before the jenkins start? I'm trying to investigate the options that we have about this issue: jenkinsci/kubernetes-operator#691 (comment) for the jenkins operator and understanding you experience would be great!

[gaborbernat]

I used some start script to start the Jenkins instance, and done it there.

[brokenpip3]

Thanks for getting back, can you please share at list the snippet? did you manually moved the files or manually create the secrets via groovy/api etc?
I'm asking so we can use the same approach in the operator project, I was not able to find any groovy example for the agent secret or the master key.
Thanks!

[gaborbernat]

I first started the instance without having the keys. This generates them. Then copied these generated ones going ahead into the right place. Not much else to share 🤔

[brokenpip3]

Understood, so you moved the files, thanks :)