How to persist Jenkins API token?

[dene14]

Expected Behavior

We need a way to persist user token or pre-create it somehow.

Actual Behavior

User auth set up with LDAP, user creates API token for himself, after jenkins restart (pod recreation) token invalidated.

Any guidance/workaround is highly welcome! Thanks!

[SylwiaBrant]

Hello @dene14, as part of our roadmap we'll be partitioning everything into smaller custom resources, then many authorisation mechanisms will be available. Until then there's not much you can do, but it's our priority so please, stay tuned :)

[ndcampbell]

@dene14 did you find any work around for this? We are running into the same issue with needing to persist user tokens when pods get recreated.

[dene14]

As a workaround we've added mountpoint for this directory, volumeMounts looks as follows:

  - mountPath: /var/lib/jenkins/jobs
    name: backup
    subPath: jobs
  # Below more of workaround to persist user API tokens, there is no good solution for that right now, see:
  # https://github.com/jenkinsci/jenkins/pull/4027
  # https://github.com/jenkinsci/kubernetes-operator/issues/454
  - mountPath: /var/lib/jenkins/users
    name: backup
    subPath: users

[antoniaklja]

related to #495

do you think, is there any way we can temporarily fix it? until the new API schema will be introduced.

[pniederlag]

Not sure if this can help you, but here's what we do to persist users:

• adapted/custom backup/restore scripts
• in backup exclude some user-dirs: --exclude users/jenkinsoperato_* --exclude users/jenkinsdev_*
• in restore: capture the user id of jthe jenkins_operator that was created before restoring the backup... and search/replace that after restore

backup.sh

tar -C ${JENKINS_HOME} -czf "${BACKUP_TMP_DIR}/${backup_number}.tar.gz" --exclude jobs/*/workspace* --no-wildcards-match-slash --anchored --exclude jobs/*/config.xml --exclude jobs/*/state.xml --exclude users/jenkinsoperato_* --exclude users/jenkinsdev_* -c jobs users userContent && \

restore.sh

# get directory of current setup (operato is intentional!, stripped on 14 chars)
jenkins_operator_user_regex="(.*<string>)(jenkinsoperato_|jenkinsdev_)([0-9]+)(<\/string>.*)"
users_xml_path=${JENKINS_HOME}/users/users.xml
# store user:id
jenkins_operator=$(cat $users_xml_path | sed -r -n -e "s/$jenkins_operator_user_regex/\2:\3/p")

if [ "$jenkins_operator" == "" ]; then
  echo "directory of jenkins-operator user could not be found"
  echo "regex: $jenkins_operator_user_regex"
  exit 1
fi

echo "Running restore backup"

tar -C ${JENKINS_HOME} -zxf "${BACKUP_DIR}/${backup_number}.tar.gz"

# now, replace any old jenkins*_1234 strings from backup with the ones we have captured before restoring
for operator in $jenkins_operator; do
  # split by ':' (user:id) and update proper user
  sed -r -i "s/(${operator%:*})([0-9]+)/\1${operator#*:}/g" $users_xml_path
done

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If this issue is still affecting you, just comment with any updates and we'll keep it open. Thank you for your contributions.

[Sig00rd]

Thank you all for your contributions. Unfortunately this won't be worked on for a while since currently we're facing more pressing matters concerning new API schema and Jenkins API Token persistence might not make it to the roadmap for some time

[MatthewSkingley]

Is there now a way in Jenkins to persist PATs over restarts? Some of the benefit to having configuration-as-code is lost when our CI pipeline has to be modified with a new token every time the container restarts.

Thanks!

[brokenpip3]

this is working: #454 (comment)

[brokenpip3]

also check: #691