Configure CloudBees CI (CloudBees Core) with Google’s Cloud Identity Secure LDAP

Article ID:360018132372

Issue

  • How do I set up CloudBees Core to work with Google’s Cloud Identity Secure LDAP?

Environment

Resolution

Add CloudBees Core as an LDAP Client in Cloud Identity

1. Follow the steps on Google’s Cloud Identity Help site to add CloudBees Core as an LDAP client. Download the client certificate and private key. Record the access credentials.

Add the Client Certificate

2. Convert the client certificate and private key to PKCS 12 format with openssl. openssl prompts for an export password; note it, because it also becomes the password of the key entry in the Java keystore created in step 8.

openssl pkcs12 -export -in <client-cert>.crt -inkey <private-key>.key -out <pkcs12>.p12

3. Connect to the Kubernetes cluster that is hosting your CloudBees Core Operations Center. Follow your Kubernetes service provider's instructions for authenticating and connecting to the cluster.

4. Copy the resulting PKCS 12 file to the CloudBees Core Operations Center pod with kubectl cp. The destination directory must already exist in the pod; if .keystore is missing, run step 9 (which creates it) before this copy.

kubectl cp <pkcs12>.p12 <namespace>/<cloudbees-operation-center-pod>:/var/jenkins_home/.keystore/Google_2021_10_03_19352.p12

Example:

kubectl cp ~/Google_2021_10_03_19352/Google_2021_10_03_19352.p12 goog-sec-ldap/cloudbees-core-1-cjoc-0:/var/jenkins_home/.keystore/Google_2021_10_03_19352.p12

5. Start a shell on the CloudBees Core Operations Center (CJOC) pod.

kubectl exec -it <cjoc-pod> -n <namespace> -- /bin/bash

Example:

kubectl exec -it cloudbees-core-1-cjoc-0 -n goog-sec-ldap -- /bin/bash

6. Determine the JENKINS_HOME.

printenv JENKINS_HOME

This is typically /var/jenkins_home.

7. Change directory to JENKINS_HOME.

cd $JENKINS_HOME

8. Use keytool to create a new keystore in the .keystore directory and import your client certificate and private key. The PKCS 12 file was copied to $JENKINS_HOME/.keystore in step 4, and step 17 expects the resulting keystore.jks in that same directory. When prompted, give the destination keystore the same password you used for the PKCS 12 export: the imported key entry keeps its source password, and Java's default key manager unlocks the key with the single password supplied in javax.net.ssl.keyStorePassword.

keytool -importkeystore -srckeystore .keystore/<pkcs12>.p12 -srcstoretype PKCS12 -destkeystore .keystore/keystore.jks

Example:

keytool -importkeystore -srckeystore .keystore/Google_2021_10_03_19352.p12 -srcstoretype PKCS12 -destkeystore .keystore/keystore.jks

Add the Cloud Identity LDAP Server Certificate

9. In order to trust the Cloud Identity server certificate, add it to a custom truststore. If one already exists, use that. Otherwise, create a new one by copying the JRE's default cacerts (on Java 11 and later the file is $JAVA_HOME/lib/security/cacerts, since the jre subdirectory no longer exists). The chmod below makes the directory world-writable; the container user that runs keytool and Jenkins only needs read and write access to its own files, so a tighter mode works as well.

CUSTOM_KEYSTORE=$JENKINS_HOME/.keystore/
mkdir -p $CUSTOM_KEYSTORE
cp $JAVA_HOME/jre/lib/security/cacerts $CUSTOM_KEYSTORE
chmod 777 $CUSTOM_KEYSTORE

10. Use keytool to fetch the Cloud Identity LDAP server certificate and write the output to a file. Secure LDAP listens on port 636, and keytool connects to port 443 when no port is given, so specify it explicitly. With -rfc the whole chain the server presents is printed in PEM form.

keytool -printcert -rfc -sslServer ldap.google.com:636 > <LDAP server certificate>

11. Copy your Cloud Identity LDAP server certificate file to JENKINS_HOME.

12. Import your certificate into the custom keystore.

$JAVA_HOME/bin/keytool -keystore $JENKINS_HOME/.keystore/cacerts \
  -import -alias <an alias name> -file <LDAP server certificate>
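The file written in step 10 typically holds more than one certificate (the leaf for ldap.google.com first, then the CA that issued it), and the leaf is the part that changes whenever Google rotates it, so importing only the leaf means the trust relationship breaks at the next rotation. The following script is an added example, not CloudBees' or Google's code: it splits such a chain file into one PEM file per certificate so each can be inspected and imported under its own alias. The file name ldap.google.com.pem, the ldap-cert output prefix and the alias google-ldap-ca in the usage comment are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not CloudBees' or Google's code. Splits a PEM chain file (as
# written by `keytool -printcert -rfc -sslServer ldap.google.com:636 > file`)
# into one file per certificate, so the issuing CA can be imported into the
# custom truststore separately from the short-lived leaf certificate.

# split_pem_chain <chain.pem> <output-prefix>
# Writes <prefix>-1.pem, <prefix>-2.pem, ... in the order the server sent them
# (leaf first). Prints the number of certificates found; returns 1 if the input
# is unreadable or contains no certificate at all.
split_pem_chain() {
  chain="$1"
  prefix="$2"
  [ -r "$chain" ] || { echo "split_pem_chain: cannot read $chain" >&2; return 1; }
  n=$(awk -v prefix="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem" }
    out != ""                    { print > out }
    /-----END CERTIFICATE-----/  { close(out); out = "" }
    END                          { print n + 0 }
  ' "$chain") || return 1
  echo "$n"
  [ "$n" -gt 0 ]
}

# describe_certs <output-prefix> <count>
# Prints subject, issuer and expiry of each split certificate with openssl, so
# you can see which entry is the CA (its subject equals the issuer of the entry
# before it) and how short the leaf's validity is before deciding what to import.
describe_certs() {
  prefix="$1"
  i=1
  while [ "$i" -le "$2" ]; do
    echo "== $prefix-$i.pem"
    openssl x509 -noout -subject -issuer -enddate -in "$prefix-$i.pem" || return 1
    i=$((i + 1))
  done
}

# Live use inside the CJOC pod (assumes step 10 wrote the chain to
# ldap.google.com.pem; prefix and alias are this example's own choices):
#   count=$(split_pem_chain ldap.google.com.pem "$JENKINS_HOME/ldap-cert")
#   describe_certs "$JENKINS_HOME/ldap-cert" "$count"
#   $JAVA_HOME/bin/keytool -keystore $JENKINS_HOME/.keystore/cacerts \
#     -import -alias google-ldap-ca -file "$JENKINS_HOME/ldap-cert-2.pem"
```

Run the split, read the describe_certs output, and compare the issuer's subject and fingerprint against what Google publishes before importing; importing the CA entry rather than the leaf keeps step 12 valid across Google's certificate rotations.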

Configure CloudBees Core to Use the New Keystores

13. You will now need to set CloudBees Core to use the new keystores. Exit the bash shell to return to your terminal.

14. Using kubectl, add the following additional Java arguments by modifying the CJOC statefulset.

15. List your statefulsets.

kubectl get statefulsets -n <namespace>

Example:

kubectl get statefulsets -n goog-sec-ldap
NAME                    AGE
cloudbees-core-1-cjoc   1h

16. Now edit the CJOC statefulset.

kubectl edit statefulset <cjoc statefulset> -n <namespace>

Example:

kubectl edit statefulset cloudbees-core-1-cjoc -n goog-sec-ldap

17. Under the JAVA_OPTS environment variable, add the following. Use the literal path rather than $JENKINS_HOME: Kubernetes does not expand shell-style variables in an env value, so an unexpanded path would reach the JVM verbatim. The truststore password is that of the copied cacerts (changeit unless you changed it); the keystore password is the one you chose in step 8.

-Djavax.net.ssl.trustStore=/var/jenkins_home/.keystore/cacerts
-Djavax.net.ssl.trustStorePassword=<password>
-Djavax.net.ssl.keyStore=/var/jenkins_home/.keystore/keystore.jks
-Djavax.net.ssl.keyStorePassword=<password>

Example:

- name: JAVA_OPTS
  value: -XshowSettings:vm
         -Djavax.net.ssl.trustStore=/var/jenkins_home/.keystore/cacerts -Djavax.net.ssl.trustStorePassword=changeit
         -Djavax.net.ssl.keyStore=/var/jenkins_home/.keystore/keystore.jks -Djavax.net.ssl.keyStorePassword=changeit

Restart the CloudBees Core Operations Center (CJOC) Pod

18. Delete the cjoc pod to restart it.

kubectl delete pod <cjoc pod> -n=<namespace>

Example:

kubectl delete pod cloudbees-core-1-cjoc-0 -n=goog-sec-ldap

19. Validate that the new cjoc pod is using the new Java options; the JAVA_OPTS value appears in the container's env list in the output.

kubectl get pod <cjoc pod> -n=<namespace> -o yaml

Example:

kubectl get pod cloudbees-core-1-cjoc-0 -n=goog-sec-ldap -o yaml
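Step 19 only dumps the whole pod spec. The script below is an added example, not CloudBees' code: it reads JAVA_OPTS from the new pod and checks that each of the four TLS properties from step 17 is present exactly once, that no value still contains an unexpanded $JENKINS_HOME, and that the keystore files are readable inside the container. The pod and namespace names in the usage comment are those of the article's example; the jsonpath assumes JAVA_OPTS is set inline in the first container's env list, as step 17 does, rather than through a Secret or ConfigMap reference.

```shell
#!/bin/sh
# Added example, not CloudBees' code: checks that a CJOC pod's JAVA_OPTS carries
# the four TLS keystore properties from step 17 and that the files they name
# exist inside the container.

# required_tls_props: the -D keys the LDAP client needs for mutual TLS.
required_tls_props() {
  echo "javax.net.ssl.trustStore javax.net.ssl.trustStorePassword javax.net.ssl.keyStore javax.net.ssl.keyStorePassword"
}

# check_java_opts "<JAVA_OPTS string>"
# Returns 0 when each required property appears exactly once and no value
# begins with a literal '$' (Kubernetes does not expand $JENKINS_HOME in an
# env value, so such a path would be handed to the JVM verbatim). Problems are
# reported on stderr and the function returns 1.
check_java_opts() {
  rc=0
  for key in $(required_tls_props); do
    count=0
    for word in $1; do
      case "$word" in
        "-D$key="*)
          count=$((count + 1))
          case "${word#*=}" in
            '$'*) echo "check_java_opts: $key value '${word#*=}' is an unexpanded variable" >&2; rc=1 ;;
          esac ;;
      esac
    done
    if [ "$count" -ne 1 ]; then
      echo "check_java_opts: -D$key appears $count time(s), expected exactly 1" >&2
      rc=1
    fi
  done
  return $rc
}

# keystore_paths "<JAVA_OPTS string>"
# Prints the trustStore and keyStore paths named in JAVA_OPTS, one per line.
keystore_paths() {
  for word in $1; do
    case "$word" in
      -Djavax.net.ssl.trustStore=*|-Djavax.net.ssl.keyStore=*) echo "${word#*=}" ;;
    esac
  done
}

# java_opts_from_pod <pod> <namespace>
# Reads JAVA_OPTS from the first container's env list (assumption: the value is
# set inline in the StatefulSet as in step 17, not via a Secret or ConfigMap).
java_opts_from_pod() {
  kubectl get pod "$1" -n "$2" \
    -o jsonpath='{.spec.containers[0].env[?(@.name=="JAVA_OPTS")].value}'
}

# check_keystore_files <pod> <namespace> "<JAVA_OPTS string>"
# Confirms every keystore path from JAVA_OPTS is readable inside the pod.
check_keystore_files() {
  for path in $(keystore_paths "$3"); do
    kubectl exec "$1" -n "$2" -- test -r "$path" \
      || { echo "check_keystore_files: $path is not readable in $1" >&2; return 1; }
  done
}

# Live use with the article's example pod and namespace:
#   opts=$(java_opts_from_pod cloudbees-core-1-cjoc-0 goog-sec-ldap)
#   check_java_opts "$opts" && check_keystore_files cloudbees-core-1-cjoc-0 goog-sec-ldap "$opts"
```

A passing check tells you the JVM will be handed both stores with their passwords. Those passwords sit in clear text in the pod spec, so anyone who can read pods in the namespace can read them; restrict that RBAC permission accordingly, or move the two password properties into a Secret referenced via valueFrom so they do not appear in the step 19 output at all.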

Configure LDAP

20. Log into CloudBees Core and go to Manage Jenkins.

21. Go to Configure Global Security.

22. Under Security Realm, select LDAP.

23. Enter ldaps://ldap.google.com for the server.

24. Under advanced configuration, enter the root DN.

25. Add additional user or group values as required by your LDAP configuration.

26. Add the access credentials to the Manager DN and password.

27. Test an LDAP user and save the configuration.

Tested product/plugin versions

  • CloudBees Core 2.138.1.2

  • LDAP Plugin 1.2.0

  • Google Cloud Identity Secure LDAP 11/8/2018 Release

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.