kubernetes-credentials-provider-plugin

Credentials provider that allows storing credentials in Kubernetes

Project maintained by jenkinsci Hosted on GitHub Pages — Theme by mattgraham

Credential Examples

Credentials are added and updated by adding/updating them as secrets to Kubernetes. The format of the Secret is different depending on the type of credential you wish to expose, but will all have several things in common:

To add or update a Credential just execute the command kubectl apply -f <nameOfFile.yaml>

The raw yaml for the following examples can be found in the GitHub repository

Where Strings are encoded using base64 the bytes encoded should be from the UTF-8 representation of the String.

UserName / Password credentials

The UserName password credentials are probably the most commonly uses.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "another-test-usernamepass"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "usernamePassword"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "credentials from Kubernetes"
# folder/job scope - optional
    jenkins.io/credentials-store-locations: "['thisIsJobA', 'thisIsJobB', 'thisIsFolderA/thisIsJobC']"
type: Opaque
stringData:
  username: myUsername
  password: 'Pa$$word'

Secret Text

1
2
3
4
5
6
7
8
9
10
11
12
13
14

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "another-test-certificate"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "secretText"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "secret text credential from Kubernetes"
type: Opaque
stringData:
  text: MySecret

Secret File

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "another-test-file"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "secretFile"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "secret file credential from Kubernetes"
type: Opaque
stringData:
  filename: mySecret.txt
data:
# base64 encoded bytes
  data: SGVsbG8gV29ybGQh # Hello World!

Certificates

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "another-test-certificate"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "certificate"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "certificate credential from Kubernetes"
type: Opaque
stringData:
  password: testPassword
data:
# PKCS#12 base64 encoded bytes
  certificate: MIIGVgIBAzCCBhAGCSqGSIb3DQEHAaCCBgEEggX9MIIF+TCCAe4GCSqGSIb3DQEHAaCCAd8EggHbMIIB1zCCAdMGCyqGSIb3DQEMCgECoIIBgjCCAX4wKAYKKoZIhvcNAQwBAzAaBBS8gwNtjKLHTMMoC2L83UxIYuls0QICBAAEggFQfFVGQyhzIfZo4xtp/0moxTScC7VnHLUdFJijWhp4r52bPAaNfspOtq+yC63WlqewxKkZw2SX0fxhI7RptDDr501991D2o5tpuBoL4oTy6yGGecohZBlVjRSRDKPvN+tQaQNoevyZXIPmHZ0eoSlDYNpmBmg4mQScvTpgJdFaMB65vnYrkBu3gM90scPUzhje8JWygM6tdGKnsjXptyIMrl5fjMi14SUOmLxEBrWCyK3/2gbVOxWJiyWkc90vlLHAx0PwRCiBFIXYzHmtSUmSDDjqGSCa5uC3mfv0J/IqXh8kqy9Ow9F9y8ZK/0CG64NW9OvlPeoh/5MLdteu0lXPCs7lgVgFRyOlUd64ye9e0AoARDLNw2VQ9eSfzK5LJRqEHWrrUwINsoJ6tMXWiZmgf1RM/30gX/XPeVA7N4UxI9EBfaX0JjWcgYw3cZWtinEQMT4wGQYJKoZIhvcNAQkUMQweCgBtAHkAawBlAHkwIQYJKoZIhvcNAQkVMRQEElRpbWUgMTUxOTY1NDY0NzgzMzCCBAMGCSqGSIb3DQEHBqCCA/QwggPwAgEAMIID6QYJKoZIhvcNAQcBMCgGCiqGSIb3DQEMAQYwGgQUg55TJweXYYQneENZWhGGcFMy/LsCAgQAgIIDsEqbX0CMdKsn6+vHv8Wjc6e/xAuWEhjYbk3Ls6c7HZFP0RcbeViLYiDxrgLW6BTyij0+mq/xa5e83rQgPeSyyZeZbYSYNJBQP3Y6ZVLDwcwTd9oMjxwp6pBOom5bWsCclh8YMt+yS0jCGpPG4s31baYtRsRL+xXfdGDqiaflgfKCHPWerwva5tidJafriGKKrm8w4xLQYYrWQqhCdSxrRb5Y/SQWu4Dkx3kv7LlACy/xWkVdj4UwHcnpX55XnYgIFrm5qjryRswCCwjjEdGmJu+Aluh/1phhWOGOO4z4NELjiPoSqRgg18zB/nFptw1OFSYsQEBf4kCy+4VZ3o2ru7Q2OgIpKlSCWM5XjelRs5IECK7VAXqcjQGK4mReNTc3nS/8+OFHb3mm3SM/OPKYZ7R06YXHHgmARwgFhu4F5LpP3Ts1+n+rC1+yjImovwMlClQ/ylBJ05FdzaHDT/HuZLlkP8EnwSLNf4qYcQQn/ue+TmtttaQVjG1hgpA0e/CGlcb53btGGczzmpybEcdWtZ5J2AepdGe/Lwt9yNjnZUhx1L9EGDbqM7j6zL4WraKQO7wSbx3oPIgUffsBzTdxyVwWtVTbYZ8sl0cS07vRpib+RFpvfzfI3JBLeASXjcrbszqsdQAj6VlPclm886BfoFsPeQmGrdm9kzyLDk+OZGtpDDLzr7atICgbfNSiq7oM2z61Kuqo52YMWdSDfDrB0/pX89/pQ85lu/cPdVUgRzHspI3N0P0DCHk3RZil7uC8E9nBv+VBjdC0MzWt6Rt7AX7TXNYN+ZpSP5x7pUbVR22M7GnvE5S+ilajuVkJFubzh+6JVmxELX4ICFPXAt3CaCic9tGQfrCX0wFGEA8sR4iIW/e7IIAucxeyj71QEJ5mhCU6svtumpZjXFDknoLGNCW9NNTvHs8EFE2/9KGVjXGneGlt1JvXQ//cp9R467fnBHhbqsfR6sn87X2+rEsIgE2GWNglzSjGW4m+a0514ysRVn2qo+nIKjRYv3e4C4NRosfJWToC70BbvyXlKcB15gH/y94SRgRRrCaYXS5W+8NDn0Elpvu1MdDOiPQphe1ojJ8zTZwKQpPV/4xd6t4tlx41t1nbNb/+01YSie6cMWFct5MfSI/PVuan83g++3ZvN2Jgo4PPiGr2v+aK8UEEhLSoJzQgFhsJTsJG2LlOm6cREktdFyjXOc5aYXrrBHrRpAPtCignPfiJEzJjTa2G9WJWNLhzgw4NYG/V1Y4+gPsoMD0wITAJBgUrDgMCGgUABBTrj6mhy1Xiox0MiY31nywgFh89WgQUxNMo6e8OT36frUrNo8HUp3t5KDACAgQA/RAGWnng5Yf6tLIPJOfahG0bCB2P9AzJuiQHpbSBjCIIG6onojpdv9dQIDAYagMAwGCCqGSIb3DQIHBQAwHQYJYIZIAWUDBAECBBAJuH5YKoCk49nxSHrk8+0VJIIE5wSCBABcDpOpAHyH7mihd2ouhvdftvLtp8QxqqWAOVKcJgLwbZ7Qi6pWX0YFVsS3cMl0cd9WcLimPD77h6IudK3Yw6DUSoUYunqDL5tbfKcnT+bCxZR2UC2quBW1Qwq1qLZfFKXAaW//5o25iSjp0E3ybgocdcTB4qnXw8hDT62P0+fDYzPeFQypSQVwbCTyOfQw2SScJRykks3gcLN6IAb3YaUfq176XENGznamJOeJ9wEZqWdd//7po5/Q7qHQl2fz/1ndAmFiCvEPaQ83ZdTBJMMhA99oYMloxYwu1JR+34h2fGXV3/dZAlRN+6iYnrW7LmztiugGdEwTtuF2PWJWufxC5AtzZ+SOoesh8vAGq4lEj1gI1cXqxC9Kadx9PQ4KadAwEvEV1FmrKUBI1gVm36yjao6ZQ+dlvBy2HA/i87MfXz5ZV1eedR61lHEEQhXI+A2EH33HZkMHyULVLmWoi8kVp/NK5m8v2lNwi7pwt0OXLCu2ifeUaVdSICgyTIQffG5TR5+n8VDwx1vt9Vna9PuKNd95utXdszwsvuEQkLXMEc/jAMa/N29KBzZmyReyWcG29NLG82BhsmO66FuJv4quxqx4Vgt73z44wTItBxBf9ysRr310JD8XbGLKSBSU3N0pB/d7HWyJ59MCpVZ+m6HB4oMOyEw1ybdIaTY24xbYbBlEHC3edkXCEeD0stlndDZSzOElVB0v1cRpxleA0GxfxsG+HcwG7989tZSo5HZmq09XxmZHW51tWCTYltEW9/O3NyTyMaNe7bB/Iyk7QcqWQvRiOBrYxm5JAOE21bChOWkk6/QfIqVNdkdESUpLCCIX8HTsNWJqNzvIPsNzp2IHsYHS2mZhPt0QxOdHUu51IhWZwQd69UQie/7MQcwEtjQEX9N16opLqpOe74a7Tx185ScT/sawEykRow+AklUDYmJ/r9kFgYaXzbkVDhXXUbbNB3wgd8MQF7gMpgl/0vowXHthQemGH4RGvY06V461ufnNdQUV5G+OAb7LeAKTmnhPI5K5W/ndD5qA+QHywnm9VNdw8sRe+r+h3PuVAoe0q0x9Iof+IR/HCOzvZ5ljJqMG+ZvNeFBTyk3uXfqPkjsg1J/I2WaTYGIITfwigxd9oBT8W4jc4sbrvms0NdcFWDaD29mLjbHcIf0w0Yx5hDi32IZKmHfSmRbfV9jAA1wMkiYUNZtCOCboUSnJtou6r7Ui1TNw47ZpzbKAeMZMWpApBpkJkTeh03jHZUwfTOQL/BtXeNSh8Z2QI6y2p1+sqtofEnkJfELs2Qtrz7KFCmxCtTSj1pD4iqEVJ1ZP3HSOlMe44RMUgaaOy8iKRCQkyhdqFpe4CNx7iCWrrijrZBPTBIHgOTx9pONVHDH+10M+qmxCDF8HJMyh6iiK2mSyIU09MayjmCMnang2PqgpI8FopF4VlIUh/ry4iec9ToYEB/89E05fUg6WKOuoJFMwbzkXDv2CJC5XN5CPAIS6Lizu55z84oJpkd+K+keQIAa5jiWrOfMWfJMVpUiprOaR5HUJxgCNkrBVMu4jtw9Liiv2IX27ybbTTerRAYIjWo3lNuMKyd3I5+yJS2mqT4lgUYfK31kU8u9hPLeSHX+i8WaLOWqS/W7WokNBT4IZSFceroBCB0mO4V/TGOauxqFNzFeBAYoxgZswSwYJKoZIhvcNAQkUMT4ePABQAEsAQwBTADgAUwBoAHIAbwB1AGQAZQBkAEsAZQB5AEIAYQBnACAAZgByAG8AbQAgAFAASwBJAGoAczATBgkqhkiG9w0BCRUxBgQEkTNPTDA3BgkrBgEEAYI3EQExKh4oAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBwAGsAaQBqAHMALgBvAHIAZzCCBMEGCSqGSIb3DQEHBqCCBLIwggSuAgEAMIAGCSqGSIb3DQEHATCBkQYJKoZIhvcNAQUNMIGDMGIGCSqGSIb3DQEFDDBVBEArlai/uq9nropHIX3joKpOhLAh/BBdWGDpzC4ukjB52J8e4flQGQza4S6CoYNcd7h2OqDWYFSueA5XBQLKlU4mAgMBhqAwDAYIKoZIhvcNAgcFADAdBglghkgBZQMEAQIEEKpy/yvfUZ1okTO1bBfl8sSggASCBAD85tvvWtok2E6JuEhPE1RAAioP3Dqtoy+9gzFrvmX8hKLfVEsT62OkFaum6xkUL6QgwkWkSfBLt+yywx8LnvIYIHdpvb4urDlu6l99cXKACIFcwu8tdYnhCp6ZhdJ6oWYfP9Wp6BZDU/m2JYOj7lrBebDN2ZnfKYCUnAp8eAMIuXbqHT3BSXD9HXgO3i371pvLO8pjN44s7tdcFQ1EEzDDRG7XjtI2gLKvmj1+CK8BBnV1zcozq/3rNcHymfTGDpyByS89Eh4NARsqRJcCN/tIAiatMt1PxbWZ/vIeRmmr41CwwWt55L3QxxaJi35k7U0HUquex3FA+jHS7EZk5MAuEUrToMuHl5nLUjFjaBOCEGaVvFpxShbRl3jJXlwIY1JuknOPx/jHeoBGV+aRMkQZ0n6BXd2J7/bzwVaWu7eq4HdLdLfr8Sd9Sh7l5jo+4C9+rpIT5fOSj0y2yOa4evhJyRk4qJr3qO6Ba8Alp00n01iSzztprrVnbFoe/kR5IyClRFMBCCCtXioRRcWNq9exbNos6QKMda1u4OjEZCU9T7Z8nsASv3G0w0scY82zJ3m67/uvh7eegQ9z0lYe9L8TwRBcTqpix3jEBQmteUsjPjBRapMBnNP5G7L7HWobEc/2+C0d3wNS2coGdRaXE2nbA8MMTBWqAF0HrkUMiQ8ytf6hNvD3JC973TPsTQmlPynmwwzxwhotOdDGSR6S2A/UKlWCkRcEV02JWoVHPrqLhhdOerfRisnGkQKtuVMT4RkFLftamDYjp2QvAzNstf/QPTxq5agBTDROymRtSrVoMYMa3KFCpa+LhlchT9syB0o0T8bJeddXJdW8eS29SduCrrw3pn+dQTx9QPKCFU7SGouoSrdI2jHqNDVAZj2ThSqBE5lws46Iz+TRMYM73tAka4Vk4w1WQ5qfOcSJHsNtLkCJFFKVfmcvLBt5qohkHJGpgZUCF0n7l9es4GGYATBjewZyPNcEOX/d51qxacxUof/5eCRF2XbB7MNkIaLl5oJ15iawgRJNykBNjh3q6q5Xi4chesY/cKHq4rC4b0sZDzjpDbVmFN9l77qHMmP7uGEmfX6ABw6bM2l29C5o/j86GyX4r+kNUBVhvRW90g6t9nUmhca9MdyKRRuXh1CZp8PdEdTQWqx+H1Gmqbh2pUB5qrTyp20Uzr+3/QV3kBQRNtVjz/pMcHDEEorFVRLZN1vKoWSlAAGI72n1KdRJ5nNC3SwTyZLY4J6IoF2hzOs53MiZ2eIYlyx2PGVZldmXp1UVeYM/5Zqh0YYJWXm4fkXgBqUGyHQ+ezE1OzI5sl+yiUxIp7ZMw/vz3cfl2DvOdo8BldblRFxuOQVcDo9dE+EMAAAAADB4MC8wCwYJYIZIAWUDBAIBBCAhLtCMQX8L3EQN8glHYnraTgpWW6tglTcZHieLldO3SgRAbLmA/wNdSYqA7csmwTrhWXqTYHHumPS9ie2W9Z8/DVfQIYRq/g3CCG4ZbeJ4yrede//t4BV6yURubuIC0gHkaAIDAYag
# CN=A Test, OU=Dev, O=CloudBees, L=Around The World, ST=Cool, C=earth

Basic SSH Private Key

Without passphrase:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "jenkins-key"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "basicSSHUserPrivateKey"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "basic user private key credential from Kubernetes"
type: Opaque
stringData:
  username: jenkins
  privateKey: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAngWMYnda9vD2utvbAdgCOLVNanA/MW50er5ROW21it/eph1u
    6RCuZ0CiuYUE5Eb8kOOQP7MTL3Ixyv9GW6hmMZwjyvcCamKj7cYuEHBYkn0X2Jgw
    syPGUWZwITgSxgb/VfjRKbAtUdvXNFjHxknUlaVd+G6gQpN5Lv3//O/EglmVqf1d
    CM2xAy9Ixk9roMSmBpgwC7lCsi1W9IGdLrjLAC96BrJkHX1EDQDdB8tWg8qLjZfr
    L1ioddG/NDH8lOUetWX9SB5WF4xi/oBRNvSCwmBAa8v2DvhS/TEwcWAsReclRCNW
    5eGAqhbb0Kl8E0hYJdFlEKYjQH3y5cZtqMAiuwIDAQABAoIBAGQK2TThoYpjRaFJ
    XZ8ONWHXjpqLU8akykOHR/8WsO+qCdibG8OcFv4xkpPnXhBzzKSiHYnmgofwQQvm
    j5GpzIEt/A8cUMAvkN8RL8qihcDAR5+Nwo83X+/a7bRqPqB2f6LbMvi0nAyOJPH0
    Hw4vYdIX7qVAzF855GfW0QE+fueSdtgWviJM8gZHdhCqe/zqYm016zNaavap530r
    tJ/+vhUW8WYqJqBW8+58laW5vTBusNsVjeL40yJF8X/XQQcdZ4XmthNcegx79oim
    j9ELzX0ttchiwAe/trLxTkdWb4rEFz+U50iAOMUdS8T0brb5bxhqNM/ByiqQ28W9
    2NJCVEkCgYEA0phCE9iKVWNZnvWX6+fHgr2NO2ShPexPeRfFxr0ugXGTQvyT0HnM
    /Q//V+LduPMX8b2AsOzI0rQh+4bjohOZvKmGKiuPv3eSvqpi/r6208ZVTBjjFvBO
    UQhMbPUyR6vO1ryFDwBMwMqQ06ldkXArhB+SG0dYnOKb/6g0nO2BVFUCgYEAwBeH
    HGNGuxwum63UAaqyX6lRSpGGm6XSCBhzvHUPnVphgq7nnZOGl0z3U49jreCvuuEc
    fA9YqxJjzoZy5870KOXY2kltlq/U/4Lrb0k75ag6ZVbi0oemACN6KCHtE+Zm2dac
    rW8oKWpRTbsvMOYUvSjF0u8BCrestpRUF977Ks8CgYEAicbLFCjK9+ozq+eJKPFO
    eZ6BU6YWR2je5Z5D6i3CyzT+3whXvECzd6yLpXfrDyEbPTB5jUacbB0lTmWFb3fb
    UK6n89bkCKO2Ab9/XKJxAkPzcgGmME+vLRx8w5v29STWAW78rj/H9ymPbqqTaJ82
    GQ5+jBI1Sw6GeNAW+8P2pLECgYAs/dXBimcosCMih4ZelZKN4WSO6KL0ldQp3UBO
    ZcSwgFjSeRD60XD2wyoywiUAtt2yEcPQMu/7saT63HbRYKHDaoJuLkCiyLBE4G8w
    c6C527tBvSYHVYpGAgk8mSWkQZTZdPDhlmV7vdEpOayF8X3uCDy9eQlvbzHe2cMQ
    jEOb9QKBgG3jSxGfqN/sD8W9BhpVrybCXh2RvhxOBJAFx58wSWTkRcYSwpdyvm7x
    wlMtcEdQgaSBeuBU3HPUdYE07bQNAlYO0p9MQnsLHzd2V9yiCX1Sq5iB6dQpHxyi
    sDZLY2Mym1nUJWfE47GAcxFZtrVh9ojKcmgiHo8qPTkWjFGY7xe/
    -----END RSA PRIVATE KEY-----

With passphrase:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "jenkins-key"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "basicSSHUserPrivateKey"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "basic user private key credential from Kubernetes"
type: Opaque
stringData:
  username: jenkins
  passphrase: mypassphrase
  privateKey: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAngWMYnda9vD2utvbAdgCOLVNanA/MW50er5ROW21it/eph1u
    6RCuZ0CiuYUE5Eb8kOOQP7MTL3Ixyv9GW6hmMZwjyvcCamKj7cYuEHBYkn0X2Jgw
    syPGUWZwITgSxgb/VfjRKbAtUdvXNFjHxknUlaVd+G6gQpN5Lv3//O/EglmVqf1d
    CM2xAy9Ixk9roMSmBpgwC7lCsi1W9IGdLrjLAC96BrJkHX1EDQDdB8tWg8qLjZfr
    L1ioddG/NDH8lOUetWX9SB5WF4xi/oBRNvSCwmBAa8v2DvhS/TEwcWAsReclRCNW
    5eGAqhbb0Kl8E0hYJdFlEKYjQH3y5cZtqMAiuwIDAQABAoIBAGQK2TThoYpjRaFJ
    XZ8ONWHXjpqLU8akykOHR/8WsO+qCdibG8OcFv4xkpPnXhBzzKSiHYnmgofwQQvm
    j5GpzIEt/A8cUMAvkN8RL8qihcDAR5+Nwo83X+/a7bRqPqB2f6LbMvi0nAyOJPH0
    Hw4vYdIX7qVAzF855GfW0QE+fueSdtgWviJM8gZHdhCqe/zqYm016zNaavap530r
    tJ/+vhUW8WYqJqBW8+58laW5vTBusNsVjeL40yJF8X/XQQcdZ4XmthNcegx79oim
    j9ELzX0ttchiwAe/trLxTkdWb4rEFz+U50iAOMUdS8T0brb5bxhqNM/ByiqQ28W9
    2NJCVEkCgYEA0phCE9iKVWNZnvWX6+fHgr2NO2ShPexPeRfFxr0ugXGTQvyT0HnM
    /Q//V+LduPMX8b2AsOzI0rQh+4bjohOZvKmGKiuPv3eSvqpi/r6208ZVTBjjFvBO
    UQhMbPUyR6vO1ryFDwBMwMqQ06ldkXArhB+SG0dYnOKb/6g0nO2BVFUCgYEAwBeH
    HGNGuxwum63UAaqyX6lRSpGGm6XSCBhzvHUPnVphgq7nnZOGl0z3U49jreCvuuEc
    fA9YqxJjzoZy5870KOXY2kltlq/U/4Lrb0k75ag6ZVbi0oemACN6KCHtE+Zm2dac
    rW8oKWpRTbsvMOYUvSjF0u8BCrestpRUF977Ks8CgYEAicbLFCjK9+ozq+eJKPFO
    eZ6BU6YWR2je5Z5D6i3CyzT+3whXvECzd6yLpXfrDyEbPTB5jUacbB0lTmWFb3fb
    UK6n89bkCKO2Ab9/XKJxAkPzcgGmME+vLRx8w5v29STWAW78rj/H9ymPbqqTaJ82
    GQ5+jBI1Sw6GeNAW+8P2pLECgYAs/dXBimcosCMih4ZelZKN4WSO6KL0ldQp3UBO
    ZcSwgFjSeRD60XD2wyoywiUAtt2yEcPQMu/7saT63HbRYKHDaoJuLkCiyLBE4G8w
    c6C527tBvSYHVYpGAgk8mSWkQZTZdPDhlmV7vdEpOayF8X3uCDy9eQlvbzHe2cMQ
    jEOb9QKBgG3jSxGfqN/sD8W9BhpVrybCXh2RvhxOBJAFx58wSWTkRcYSwpdyvm7x
    wlMtcEdQgaSBeuBU3HPUdYE07bQNAlYO0p9MQnsLHzd2V9yiCX1Sq5iB6dQpHxyi
    sDZLY2Mym1nUJWfE47GAcxFZtrVh9ojKcmgiHo8qPTkWjFGY7xe/
    -----END RSA PRIVATE KEY-----

AWS Credentials

Only AWS AccessKey and SecretKey:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "test-aws-credentials"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "aws"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "credentials from Kubernetes"
type: Opaque
stringData:
  accessKey: myAWSAccessKey
  secretKey: myAWSSecretKey

Openstack Credential v3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "test-openstack-credential-v3"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "openstackCredentialv3"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "openstack credentials for you Jenkins in Kubernetes!"
type: Opaque
stringData:
  userName: casualName
  userDomain: meaningfulDomain
  projectName: simpleProject
  projectDomain: everSimplerDomain
  password: s3cr3tPass

GitHub App

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "another-test-githubapp"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "gitHubApp"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "credentials from Kubernetes"
type: Opaque
stringData:
  owner: my-org # optional, needed when app has multiple installations
  appID: 1234
  apiUri: https://github.example.com/api/v3 # optional, needed when using a GitHub Enterprise server
  privateKey: |-
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----

Vault AppRole

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "another-test-vault-approle"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "vaultAppRole"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "credentials from Kubernetes"
type: Opaque
stringData:
  roleId: db02de05-fa39-4855-059b-67221c5c2f63
  secretId: 6a174c20-f6de-a53c-74d2-6018fcceff64
# optional fields
  path: approle-jenkins    # defaults to 'approle'
  namespace: team1         # defaults to global vault jenkins configuration

Vault GitHub Token

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "another-test-vault-github"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "vaultGitHubToken"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "credentials from Kubernetes"
type: Opaque
stringData:
  accessToken: db02de05-fa39-4855-059b-67221c5c2f63
# optional fields
  mountPath: github-jenkins    # defaults to 'github'
  namespace: team1             # defaults to global vault jenkins configuration

Vault Token

1
2
3
4
5
6
7
8
9
10
11
12
13
14

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "another-test-vault-token"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "vaultToken"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "credentials from Kubernetes"
type: Opaque
stringData:
  token: db02de05-fa39-4855-059b-67221c5c2f63

X.509 client certificate

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "x509-client-certificate"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "x509ClientCert"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "credentials from Kubernetes"
type: Opaque
stringData:
  clientCertificate: |
    -----BEGIN CERTIFICATE-----
    MIIBYjCCAQygAwIBAgIJAKZlQzqGGWu9MA0GCSqGSIb3DQEBBQUAMEExCzAJBgNV
    BAYTAlhYMQswCQYDVQQIDAJYWDELMAkGA1UEBwwCWFgxCzAJBgNVBAoMAlhYMQsw
    CQYDVQQDDAJjYTAeFw0yMjA5MjEwNzQzMzVaFw0yMjEwMjEwNzQzMzVaMBExDzAN
    BgNVBAMMBmNsaWVudDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDB/x6RULr5QOYl
    ulbzZI+8wPZMnrDPwMpP3Kh1MzxJwm1E0LJcI1nY3ePsoIGGQVITNNnjfBbEuYU6
    01sljo5/AgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEB
    BQUAA0EAVP35oeWUOiRaIv9zCDt+3VRMQd6eggmmsx5qyy6ee/mLPpdUWUSt8Ayf
    AiwAD2dca4XziVtJYVK++VnFGG/5EQ==
    -----END CERTIFICATE-----
  clientKeySecret: |
    -----BEGIN PRIVATE KEY-----
    MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAwf8ekVC6+UDmJbpW
    82SPvMD2TJ6wz8DKT9yodTM8ScJtRNCyXCNZ2N3j7KCBhkFSEzTZ43wWxLmFOtNb
    JY6OfwIDAQABAkAU3CDmUT75pE/bCLFm1I5cJoeVb47ll/5pHfoDODIoYA5LnQy9
    /z4PNYCyw3Cq9m3+nf+HSRs8JcWuU7u93BaBAiEA/9mPwDrTlDhpILnmbsbIxXkq
    zeUgypmM1cxQnhtYS78CIQDCHEPgHCdWYCLPnMxUjwrzXtyrIlWJ89j04uOVyN1t
    QQIhANI4mFYRv/Fk3HSIax+QdD1Vzub4opX1zvOI+qC+xTEPAiBiM/KS+ytbo594
    8ZbeYM/leGSjn+cut9NXcUI6kTiVAQIgd/FTmiUryLcSUxzz6YqmU+wU1+ebSHmx
    U87XDZwmb40=
    -----END PRIVATE KEY-----
  serverCaCertificate: |
    -----BEGIN CERTIFICATE-----
    MIIBdDCCAR4CCQCgzKd3hWBmXTANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJY
    WDELMAkGA1UECAwCWFgxCzAJBgNVBAcMAlhYMQswCQYDVQQKDAJYWDELMAkGA1UE
    AwwCY2EwHhcNMjIwOTIxMDc0MzM1WhcNMjIxMDIxMDc0MzM1WjBBMQswCQYDVQQG
    EwJYWDELMAkGA1UECAwCWFgxCzAJBgNVBAcMAlhYMQswCQYDVQQKDAJYWDELMAkG
    A1UEAwwCY2EwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAruIT3of/2lUvYPY7Azsj
    AtKZnV6gthB6K70AsgKPp63xdlBrMgg5CYH7Xe7VmLXb7xhHLBHBnRJ3vPbH/m7h
    swIDAQABMA0GCSqGSIb3DQEBCwUAA0EAfWb62RJ21i7tlbSttmu7by/k4fML31FQ
    XoR7JjrHmbI+f1BkwSbMVxxadAWpSkk/NNI1+SHR/nYSv/loQ3UjmA==
    -----END CERTIFICATE-----

Custom field mapping

Sometimes you may want the secret to be able to be consumed by another tool as well that has a different requirement for the data fields. In order to facilitate this the plugin supports the remapping fields. In order to achieve this you add an attribute begining with jenkins.io/credentials-keybinding- and ending with the normal field name and having the value of the new field name. The following example remaps the username and password fields to user and pass:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

apiVersion: v1
kind: Secret
metadata:
# this is the jenkins id.
  name: "a-test-usernamepass"
  labels:
# so we know what type it is.
    "jenkins.io/credentials-type": "usernamePassword"
  annotations:
# description - can not be a label as spaces are not allowed
    "jenkins.io/credentials-description" : "credentials from Kubernetes"
    # map the username field to user
    "jenkins.io/credentials-keybinding-username" : "user"
    # map the password field to pass
    "jenkins.io/credentials-keybinding-password" : "pass"
type: Opaque
stringData:
  user: myUsername
  pass: 'Pa$$word'