Use curl instead of jenkins-cli

lcarva · lcarva · commit 0fb6d4fa22e0 · 2025-03-10T13:31:35.000-04:00
This change removes the need to execute the embedded jenkins-cli JAR in
this repo. Instead, Jenkins' REST API is used via curl to create and
retrieve secrets from a Jenkins server.

Signed-off-by: Luiz Carvalho &lt;lucarval@redhat.com&gt;
diff --git a/hack/jenkins-cli.jar b/hack/jenkins-cli.jar
diff --git a/hack/jenkins-create-secret b/hack/jenkins-create-secret
@@ -1,25 +1,28 @@
 #!/bin/bash
+set -euo pipefail
+
 SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
 
 SECRET_NAME=$1
 SECRET_VALUE=$2
 
-CREDS=$(mktemp)
-cat << CREDS > $CREDS
-<org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl plugin="plain-credentials@183.va_de8f1dd5a_2b_">
-  <scope>GLOBAL</scope>
-  <id>$SECRET_NAME</id>
-  <description></description>
-  <secret>$SECRET_VALUE</secret>
-</org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl>
-CREDS
+CREDS=$(
+    cat << EOF
+{
+  "": "0",
+  "credentials": {
+    "scope": "GLOBAL",
+    "id": "${SECRET_NAME}",
+    "secret": "${SECRET_VALUE}",
+    "description": "",
+    "\$class": "org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl"
+  }
+}
+EOF
+)
 
-#cat $CREDS
 echo "Creating Jenkins credential $SECRET_NAME"
-java -jar $SCRIPTDIR/jenkins-cli.jar -s $MY_JENKINS_SERVER \
-    -auth $MY_JENKINS_USER:$MY_JENKINS_TOKEN \
-    delete-credentials system::system::jenkins _ $SECRET_NAME
-java -jar $SCRIPTDIR/jenkins-cli.jar -s $MY_JENKINS_SERVER \
-    -auth $MY_JENKINS_USER:$MY_JENKINS_TOKEN \
-    create-credentials-by-xml system::system::jenkins _ \
-    < $CREDS
+
+curl "${MY_JENKINS_SERVER}/credentials/store/system/domain/_/createCredentials" \
+    --user "${MY_JENKINS_USER}:${MY_JENKINS_TOKEN}" \
+    --data-urlencode "json=${CREDS}"
diff --git a/hack/jenkins-create-user-password b/hack/jenkins-create-user-password
@@ -1,26 +1,30 @@
 #!/bin/bash
+set -euo pipefail
+
 SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
 
 SECRET_NAME=$1
 USER_NAME=$2
 USER_PW=$3
 
-CREDS=$(mktemp)
-cat << CREDS > $CREDS
-<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl plugin="credentials@1344.v5a_3f65a_1e173">
-  <scope>GLOBAL</scope>
-  <id>$SECRET_NAME</id>
-  <description></description>
-  <username>$USER_NAME</username>
-  <password>$USER_PW</password>
-  <usernameSecret>false</usernameSecret>
-</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
-CREDS
+CREDS=$(
+    cat << EOF
+{
+  "": "0",
+  "credentials": {
+    "scope": "GLOBAL",
+    "id": "${SECRET_NAME}",
+    "username": "${USER_NAME}",
+    "password": "${USER_PW}",
+    "description": "",
+    "\$class": "com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl"
+  }
+}
+EOF
+)
 
-#cat $CREDS
 echo "Creating Jenkins credential $SECRET_NAME"
 
-java -jar $SCRIPTDIR/jenkins-cli.jar -http -s $MY_JENKINS_SERVER \
-    -auth $MY_JENKINS_USER:$MY_JENKINS_TOKEN \
-    create-credentials-by-xml system::system::jenkins _ \
-    < $CREDS
+curl "${MY_JENKINS_SERVER}/credentials/store/system/domain/_/createCredentials" \
+    --user "${MY_JENKINS_USER}:${MY_JENKINS_TOKEN}" \
+    --data-urlencode "json=${CREDS}"
diff --git a/hack/jenkins-get-credentials b/hack/jenkins-get-credentials
@@ -1,31 +1,21 @@
 #!/bin/bash
+set -euo pipefail
+
 SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
 
 SECRET_NAME=$1
-CREDS=$(mktemp)
-java -jar $SCRIPTDIR/jenkins-cli.jar -http -s $MY_JENKINS_SERVER \
-    -auth $MY_JENKINS_USER:$MY_JENKINS_TOKEN \
-    get-credentials-as-xml system::system::jenkins _ $SECRET_NAME \
-    > $CREDS
 
-ERR=$?
-if [ $ERR != 0 ]; then
-    echo "No credentials named $SECRET_NAME"
-    exit $ERR
-fi
+SECRET_INFO="$(curl -s \
+    "${MY_JENKINS_SERVER}/credentials/store/system/domain/_/credential/${SECRET_NAME}/api/json" \
+    --user "${MY_JENKINS_USER}:${MY_JENKINS_TOKEN}")"
+
+TYPE_NAME="$(echo "${SECRET_INFO}" | jq -r '.typeName')"
 
-ID=$(cat $CREDS | sed -ne '/<id>/s#\s*<[^>]*>\s*##gp')
-if [ $(grep -ic "<secret>" $CREDS) -eq 1 ]; then
-    TEMP=$(cat $CREDS | tr -d '\n' | tr -d ' ')
-    one=${TEMP#*<secret>}
-    SECRET=${one%</secret>*}
-    echo "$ID with secret $SECRET"
+if [[ "$TYPE_NAME" =~ ^(S|s)ecret ]]; then
+    echo "${SECRET_NAME} with secret <redacted>"
+elif [[ "$TYPE_NAME" =~ ^(U|u)sername ]]; then
+    username="$(echo "${SECRET_INFO}" | jq -r '.displayName | split("/")[0]')"
+    echo "${SECRET_NAME} with user ${username} and password <redacted>"
 else
-    TEMP=$(cat $CREDS | tr -d '\n' | tr -d ' ')
-    one=${TEMP#*<username>}
-    USER=${one%</username>*}
-    TEMP=$(cat $CREDS | tr -d '\n' | tr -d ' ')
-    one=${TEMP#*<password>}
-    PW=${one%</password>*}
-    echo "$ID with user <$USER> and password $PW"
+    echo "${SECRET_NAME} with unknown type name: ${TYPE_NAME}"
 fi
diff --git a/hack/jenkins-get-secrets b/hack/jenkins-get-secrets
@@ -1,7 +1,9 @@
 #!/bin/bash
+set -euo pipefail
+
 SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
 
-source $SCRIPTDIR/../rhtap/verify-deps-exist "MY_JENKINS_SERVER MY_JENKINS_USER MY_JENKINS_TOKEN" "java tr grep"
+source $SCRIPTDIR/../rhtap/verify-deps-exist "MY_JENKINS_SERVER MY_JENKINS_USER MY_JENKINS_TOKEN" "curl jq"
 
 bash $SCRIPTDIR/jenkins-get-credentials ROX_API_TOKEN
 bash $SCRIPTDIR/jenkins-get-credentials ROX_CENTRAL_ENDPOINT
diff --git a/hack/jenkins-set-secrets b/hack/jenkins-set-secrets
@@ -1,21 +1,35 @@
 #!/bin/bash
+set -euo pipefail
+
 SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
 
 ENV="MY_JENKINS_SERVER MY_JENKINS_USER MY_JENKINS_TOKEN COSIGN_SECRET_PASSWORD COSIGN_SECRET_KEY COSIGN_PUBLIC_KEY "
 
 ENV+=" ACS__API_TOKEN ACS__CENTRAL_ENDPOINT GITOPS_AUTH_PASSWORD "
-source $SCRIPTDIR/../rhtap/verify-deps-exist "$ENV" "java "
+source $SCRIPTDIR/../rhtap/verify-deps-exist "$ENV" "curl"
 
-bash $SCRIPTDIR/jenkins-create-secret ROX_API_TOKEN $ACS__API_TOKEN
-bash $SCRIPTDIR/jenkins-create-secret ROX_CENTRAL_ENDPOINT $ACS__CENTRAL_ENDPOINT
-bash $SCRIPTDIR/jenkins-create-secret GITOPS_AUTH_PASSWORD $GITOPS_AUTH_PASSWORD
-bash $SCRIPTDIR/jenkins-create-secret COSIGN_SECRET_PASSWORD $COSIGN_SECRET_PASSWORD
-bash $SCRIPTDIR/jenkins-create-secret COSIGN_SECRET_KEY $COSIGN_SECRET_KEY
-bash $SCRIPTDIR/jenkins-create-secret COSIGN_PUBLIC_KEY $COSIGN_PUBLIC_KEY
-bash $SCRIPTDIR/jenkins-create-secret TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL"
-bash $SCRIPTDIR/jenkins-create-secret TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL"
-bash $SCRIPTDIR/jenkins-create-secret TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID"
-bash $SCRIPTDIR/jenkins-create-secret TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"
-bash $SCRIPTDIR/jenkins-create-secret TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION"
+bash $SCRIPTDIR/jenkins-create-secret ROX_API_TOKEN "${ACS__API_TOKEN}"
+bash $SCRIPTDIR/jenkins-create-secret ROX_CENTRAL_ENDPOINT "${ACS__CENTRAL_ENDPOINT}"
+bash $SCRIPTDIR/jenkins-create-secret GITOPS_AUTH_PASSWORD "${GITOPS_AUTH_PASSWORD}"
+bash $SCRIPTDIR/jenkins-create-secret COSIGN_SECRET_PASSWORD "${COSIGN_SECRET_PASSWORD}"
+bash $SCRIPTDIR/jenkins-create-secret COSIGN_SECRET_KEY "${COSIGN_SECRET_KEY}"
+bash $SCRIPTDIR/jenkins-create-secret COSIGN_PUBLIC_KEY "${COSIGN_PUBLIC_KEY}"
+if [[ -n "${TRUSTIFICATION_BOMBASTIC_API_URL:-}" ]]; then
+    bash $SCRIPTDIR/jenkins-create-secret TRUSTIFICATION_BOMBASTIC_API_URL "${TRUSTIFICATION_BOMBASTIC_API_URL}"
+fi
+if [[ -n "${TRUSTIFICATION_OIDC_ISSUER_URL:-}" ]]; then
+    bash $SCRIPTDIR/jenkins-create-secret TRUSTIFICATION_OIDC_ISSUER_URL "${TRUSTIFICATION_OIDC_ISSUER_URL}"
+fi
+if [[ -n "${TRUSTIFICATION_OIDC_CLIENT_ID:-}" ]]; then
+    bash $SCRIPTDIR/jenkins-create-secret TRUSTIFICATION_OIDC_CLIENT_ID "${TRUSTIFICATION_OIDC_CLIENT_ID}"
+fi
+if [[ -n "${TRUSTIFICATION_OIDC_CLIENT_SECRET:-}" ]]; then
+    bash $SCRIPTDIR/jenkins-create-secret TRUSTIFICATION_OIDC_CLIENT_SECRET "${TRUSTIFICATION_OIDC_CLIENT_SECRET}"
+fi
+if [[ -n "${TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION:-}" ]]; then
+    bash $SCRIPTDIR/jenkins-create-secret TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "${TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION}"
+fi
 
-bash $SCRIPTDIR/jenkins-create-user-password QUAY_IO_CREDS $MY_QUAY_USER $MY_QUAY_PW
+if [[ -n "${MY_QUAY_USER:-}" && -n "${MY_QUAY_PW:-}" ]]; then
+    bash $SCRIPTDIR/jenkins-create-user-password QUAY_IO_CREDS "${MY_QUAY_USER}" "${MY_QUAY_PW}"
+fi
