Configure CloudBees CI (CloudBees Core) with Google’s Cloud Identity Secure LDAP

Article ID:360018132372
3 minute readKnowledge base

Issue

  • How do I setup CloudBees Core to work with Google’s Cloud Identity secure LDAP?

Environment

Resolution

Add CloudBees Core as a LDAP Client in Cloud Identity

1 . Follow the steps on Google’s Cloud Identity Help site to add CloudBees Core as a client. Download the client certificate and private key. Record the access credentials.

Add the Client Certificate

2 . Convert the client certificate and private key to PKCS 12 format with openssl.

openssl pkcs12 -export -in <client-cert>.crt -inkey <private-key>.key -out <pkcs12>.p12

3 . Connect to your Kubernetes cluster that is hosting your CloudBees Core Operations Center. Follow your Kubernetes service provider instructions for authenticating and connecting to your cluster.

4 . Copy the resulting PKCS 12 file to the CloudBees Core Operations Center pod.

cp <pkcs12>.p12 <namespace>/<cloudbees-operation-center-pod>:/var/jenkins_home/.keystore/Google_2021_10_03_19352.p12

Example:

cp ~/Google_2021_10_03_19352/Google_2021_10_03_19352.p12 goog-sec-ldap/cloudbees-core-1-cjoc-0:/var/jenkins_home/.keystore/Google_2021_10_03_19352.p12

5 . Start a shell on the CloudBees Core Operations Center (CJOC) pod.

kubectl exec -it <cjoc-pod> -n <namespace> -- /bin/bash

Example:

kubectl exec -it cloudbees-core-1-cjoc-0 -n goog-sec-ldap -- /bin/bash

6 . Determine the JENKINS_HOME.

printenv JENKINS_HOME

This is typically /var/jenkins_home.

7 . Change directory to JENKINS_HOME.

cd $JENKINS_HOME

8 . Use keytool to create a new keystore and import your client cert and private key.

keytool -importkeystore -srckeystore <pkcs12>.p12 -srcstoretype PKCS12 -destkeystore keystore.jks

Example:

keytool -importkeystore -srckeystore Google_2021_10_03_19352.p12 -srcstoretype PKCS12 -destkeystore keystore.jks

Add the Cloud Identity LDAP Server Certificate

9 . In order to add the Cloud Identity server certificate, we need to add it to a custom keystore. If one already exists use that. Otherwise, create a new custom keystore.

CUSTOM_KEYSTORE=$JENKINS_HOME/.keystore/
mkdir -p $CUSTOM_KEYSTORE
cp $JAVA_HOME/jre/lib/security/cacerts $CUSTOM_KEYSTORE
chmod 777 $CUSTOM_KEYSTORE

10 . Use keytool to get the Cloud Identity LDAP server certificate and the add the contents to a file.

keytool -printcert -rfc -sslServer ldap.google.com

11 . Copy your Cloud Identity LDAP server certificate to JENKINS_HOME.

12 . Import your certificate into the custom keystore.

$JAVA_HOME/bin/keytool -keystore $JENKINS_HOME/.keystore/cacerts \ -import -alias <an alias name> -file <LDAP server certificate>

Configure the CloudBees Core to Use the New Keystores

13 . You will now need to set CloudBees Core to use the new keystores. Exit the bash shell to return to your terminal.

14 . Using kubectl, add the following additional Java arguments by modifying the CJOC statefulset.

15 . List your statefulsets.

kubectl get statefulsets -n <namespace>

Example:

kubectl get statefulsets -n goog-sec-ldap
NAME                    AGE
cloudbees-core-1-cjoc   1h

16 . Now edit the CJOC statefulset.

kubectl edit statefulset <cjoc statefulset> -n <namespace>

Example:

kubectl edit statefulset cloudbees-core-1-cjoc -n goog-sec-ldap

17 . Under the JAVA_OPTS environment variable, add the following.

-Djavax.net.ssl.trustStore=$JENKINS_HOME/.keystore/cacerts
-Djavax.net.ssl.trustStorePassword=<password>
-Djavax.net.ssl.keyStore=/var/jenkins_home/.keystore/keystore.jks
-Djavax.net.ssl.keyStorePassword=<password>

Example:

- name: JAVA_OPTS
  value: -XshowSettings:vm
         -Djavax.net.ssl.trustStore=/var/jenkins_home/.keystore/cacerts -Djavax.net.ssl.trustStorePassword=changeit
         -Djavax.net.ssl.keyStore=/var/jenkins_home/.keystore/keystore.jks -Djavax.net.ssl.keyStorePassword=changeit

Restart the CloudBees Core Operations Center (CJOC) Pod

18 . Delete the cjoc pod to restart it.

kubectl delete pod <cjoc pod> -n=<namespace>

Example:

kubectl delete pod cloudbees-core-1-cjoc-0 -n=goog-sec-ldap

19 . Validate that the new cjoc pod is using the new Java options.

kubectl get pod <cjoc pod> -n=<namespace> -o yaml

Example:

kubectl get pod cloudbees-core-1-cjoc-0 -n=goog-sec-ldap -o yaml

Configure LDAP

20 . Log into CloudBees Core and go to Manage Jenkins.

21 . Go to Configure Global Security.

22 . Under Security Realm, select LDAP.

23 . Enter ldaps://ldap.google.com for the server.

24 . Under advanced configuration, enter the root DN.

24 . Add additional user or group values as required by your LDAP configuration.

25 . Add the access credentials to the Manager DN and password.

26 Test a LDAP user and save the configuration.

Tested product/plugin versions

  • CloudBees Core 2.138.1.2

  • LDAP Plugin 1.2.0

  • Google Cloud Identity Secure LDAP 11/8/2018 Release