Resolution
Add CloudBees Core as an LDAP Client in Cloud Identity
1 . Follow the steps on Google’s Cloud Identity Help site to add CloudBees Core as a client. Download the client certificate and private key. Record the access credentials.
Add the Client Certificate
2 . Convert the client certificate and private key to PKCS 12 format with openssl.
openssl pkcs12 -export -in <client-cert>.crt -inkey <private-key>.key -out <pkcs12>.p12
3 . Connect to your Kubernetes cluster that is hosting your CloudBees Core Operations Center. Follow your Kubernetes service provider instructions for authenticating and connecting to your cluster.
4 . Copy the resulting PKCS 12 file to the CloudBees Core Operations Center pod.
kubectl cp <pkcs12>.p12 <namespace>/<cloudbees-operation-center-pod>:/var/jenkins_home/.keystore/Google_2021_10_03_19352.p12
Example:
kubectl cp ~/Google_2021_10_03_19352/Google_2021_10_03_19352.p12 goog-sec-ldap/cloudbees-core-1-cjoc-0:/var/jenkins_home/.keystore/Google_2021_10_03_19352.p12
5 . Start a shell on the CloudBees Core Operations Center (CJOC) pod.
kubectl exec -it <cjoc-pod> -n <namespace> -- /bin/bash
Example:
kubectl exec -it cloudbees-core-1-cjoc-0 -n goog-sec-ldap -- /bin/bash
6 . Determine the JENKINS_HOME.
printenv JENKINS_HOME
This is typically /var/jenkins_home.
7 . Change directory to JENKINS_HOME.
cd $JENKINS_HOME
8 . Use keytool to create a new keystore and import your client cert and private key. The PKCS 12 file was copied into the .keystore directory in step 4, and the resulting keystore.jks must also live there, because that is the path referenced in the Java options below.
keytool -importkeystore -srckeystore .keystore/<pkcs12>.p12 -srcstoretype PKCS12 -destkeystore .keystore/keystore.jks
Example:
keytool -importkeystore -srckeystore .keystore/Google_2021_10_03_19352.p12 -srcstoretype PKCS12 -destkeystore .keystore/keystore.jks
Add the Cloud Identity LDAP Server Certificate
9 . The Cloud Identity server certificate must be imported into a custom trust store. If one already exists, use it. Otherwise, create one by copying the JVM's default cacerts file into the .keystore directory.
CUSTOM_KEYSTORE=$JENKINS_HOME/.keystore/
mkdir -p $CUSTOM_KEYSTORE
cp $JAVA_HOME/jre/lib/security/cacerts $CUSTOM_KEYSTORE
chmod 777 $CUSTOM_KEYSTORE
10 . Use keytool to fetch the Cloud Identity LDAP server certificate (the Secure LDAP service listens on port 636) and write the PEM output to a file.
keytool -printcert -rfc -sslserver ldap.google.com:636 > <LDAP server certificate>
11 . Copy your Cloud Identity LDAP server certificate to JENKINS_HOME.
12 . Import your certificate into the custom keystore.
$JAVA_HOME/bin/keytool -keystore $JENKINS_HOME/.keystore/cacerts \
-import -alias <an alias name> -file <LDAP server certificate>
Configure the CloudBees Core to Use the New Keystores
13 . You will now need to set CloudBees Core to use the new keystores. Exit the bash shell to return to your terminal.
14 . Using kubectl, add the following additional Java arguments by modifying the CJOC statefulset.
15 . List your statefulsets.
kubectl get statefulsets -n <namespace>
Example:
kubectl get statefulsets -n goog-sec-ldap
NAME AGE
cloudbees-core-1-cjoc 1h
16 . Now edit the CJOC statefulset.
kubectl edit statefulset <cjoc statefulset> -n <namespace>
Example:
kubectl edit statefulset cloudbees-core-1-cjoc -n goog-sec-ldap
17 . Under the JAVA_OPTS environment variable, add the following. Use the literal JENKINS_HOME path (typically /var/jenkins_home) rather than $JENKINS_HOME, since Kubernetes does not expand that form inside an env value.
-Djavax.net.ssl.trustStore=/var/jenkins_home/.keystore/cacerts -Djavax.net.ssl.trustStorePassword=<password> -Djavax.net.ssl.keyStore=/var/jenkins_home/.keystore/keystore.jks -Djavax.net.ssl.keyStorePassword=<password>
Example:
- name: JAVA_OPTS
  value: -XshowSettings:vm -Djavax.net.ssl.trustStore=/var/jenkins_home/.keystore/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=/var/jenkins_home/.keystore/keystore.jks -Djavax.net.ssl.keyStorePassword=changeit
Restart the CloudBees Core Operations Center (CJOC) Pod
18 . Delete the cjoc pod to restart it.
kubectl delete pod <cjoc pod> -n=<namespace>
Example:
kubectl delete pod cloudbees-core-1-cjoc-0 -n=goog-sec-ldap
19 . Validate that the new cjoc pod is using the new Java options.
kubectl get pod <cjoc pod> -n=<namespace> -o yaml
Example:
kubectl get pod cloudbees-core-1-cjoc-0 -n=goog-sec-ldap -o yaml
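The validation in step 19 can be scripted rather than read by eye. The following is an added example, not part of the original article: it pulls the JAVA_OPTS value out of `kubectl get pod -o yaml` output and checks that all four javax.net.ssl properties from step 17 are present, non-empty, and point at absolute paths. The pod YAML fragment it runs against is constructed inline so it works offline; replace it with live kubectl output as shown in the comment.

```shell
#!/bin/sh
# Added example, not from the original article. Checks that a CJOC pod's
# JAVA_OPTS carry the trust store and key store settings from step 17.
# Against a live cluster (placeholders as in the article):
#   kubectl get pod <cjoc pod> -n <namespace> -o yaml | check_pod_yaml

REQUIRED_PROPS="javax.net.ssl.trustStore javax.net.ssl.trustStorePassword javax.net.ssl.keyStore javax.net.ssl.keyStorePassword"

# Print the JAVA_OPTS value from pod YAML read on stdin (first match only).
java_opts_from_yaml() {
  awk '/- name: JAVA_OPTS/ {found=1; next}
       found && /value:/ {sub(/^[ \t]*value:[ \t]*/, ""); print; exit}'
}

# Return 0 when every required -D property is set with a non-empty value and
# both store paths are absolute. A value such as $JENKINS_HOME/... is rejected
# because Kubernetes does not expand that form inside an env value.
check_java_opts() {
  opts="$1"
  rc=0
  for prop in $REQUIRED_PROPS; do
    val=$(printf '%s\n' "$opts" | tr ' ' '\n' | sed -n "s/^-D$prop=//p")
    if [ -z "$val" ]; then
      echo "missing or empty: -D$prop" >&2
      rc=1
      continue
    fi
    case "$prop" in
      *Store) case "$val" in
                /*) ;;
                *) echo "not an absolute path: -D$prop=$val" >&2; rc=1 ;;
              esac ;;
    esac
  done
  return $rc
}

check_pod_yaml() { check_java_opts "$(java_opts_from_yaml)"; }

# Constructed pod YAML fragment mirroring the step 17 example.
SAMPLE_POD_YAML='    env:
    - name: JAVA_OPTS
      value: -XshowSettings:vm -Djavax.net.ssl.trustStore=/var/jenkins_home/.keystore/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStore=/var/jenkins_home/.keystore/keystore.jks -Djavax.net.ssl.keyStorePassword=changeit
    - name: JENKINS_HOME
      value: /var/jenkins_home'

if printf '%s\n' "$SAMPLE_POD_YAML" | check_pod_yaml; then
  echo "JAVA_OPTS keystore settings OK"
fi
```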
Configure LDAP
20 . Log into CloudBees Core and go to Manage Jenkins.
21 . Go to Configure Global Security.
22 . Under Security Realm, select LDAP.
23 . Enter ldaps://ldap.google.com for the server.
24 . Under advanced configuration, enter the root DN.
25 . Add additional user or group values as required by your LDAP configuration.
26 . Add the access credentials to the Manager DN and password.
27 . Test an LDAP user and save the configuration.