`jenkins_credential` failed to add/update credentials with initial Jenkins password and poor documentation

Problem 1: jenkins_credential not working with Initial Jenkins Admin Password

I’m running Jenkins inside a Docker container and using playbooks to configure Jenkins with what I need. I’m using the initial Jenkins admin password to authenticate for installing plugins using the jenkins_plugin module.

However, when I tried adding credentials using the jenkins_credential module, the playbook seems to be failing with the initial admin password, but working after I have configured a new admin user and password.

The playbook for configuring credentials fails with the error message below when attempting with the initial admin password:

TASK [Add DockerHub credentials] *******************************************************************************************************************************************************
fatal: [52.66.252.99]: FAILED! => {"changed": false, "details": "", "msg": "Failed to add/update credential"}

Additionally, the module doesn’t seem to like using jenkins_password to add the credentials, and asks to use the token parameter for API token.

Playbook for Adding Credentials

---
# Fails with initial Jenkins admin password, but works with new admin password
- name: Configure Credentials in Jenkins
  hosts: jenkins
  vars_prompt:
    - name: dockerhub_username
      prompt: "Enter DockerHub username"
      private: no
    - name: dockerhub_password
      prompt: "Enter DockerHub password"
      private: yes
    - name: sonarqube_secret
      prompt: "Enter SonarQube token"
      private: yes

  tasks:
    - name: Retrieve initial Jenkins admin password
      shell: docker exec jenkins_container cat /var/jenkins_home/secrets/initialAdminPassword
      register: jenkins_password
      changed_when: false

    - name: Generate token
      community.general.jenkins_credential:
        url: "http://{{ ansible_host }}:{{ access_port }}" # vars defined in inventory
        id: "test-token"
        name: "test_token_name"
        jenkins_user: "admin"
        jenkins_password: "{{ jenkins_password.stdout }}"
        type: "token"
      register: token_result

    - name: Add DockerHub credentials
      community.general.jenkins_credential:
        url: "http://{{ ansible_host }}:{{ access_port }}" # vars defined in inventory
        jenkins_user: admin
        #jenkins_password: "{{ jenkins_password.stdout }}"
        token: "{{ token_result.token }}"
        id: "DockerHub-Credentials"
        type: "user_and_pass"
        description: "DockerHub Credentials"
        username: "{{ dockerhub_username }}"
        password: "{{ dockerhub_password }}"

    - name: Add SonarQube credentials
      community.general.jenkins_credential:
        url: "http://{{ ansible_host }}:{{ access_port }}"
        jenkins_user: admin
        #jenkins_password: "{{ jenkins_password.stdout }}"
        token: "{{ token_result.token }}"
        id: "SonarQube-Token"
        description: "SonarQube Token"
        type: "text"
        secret: "{{ sonarqube_secret }}"

Playbook for installing plugins

- name: Install Required Jenkins Plugins
  hosts: jenkins
  tasks:
    - name: Retrieve initial Jenkins admin password
      shell: docker exec jenkins_container cat /var/jenkins_home/secrets/initialAdminPassword
      register: jenkins_password
      changed_when: false

    - name: Install required Jenkins plugins
      community.general.jenkins_plugin:
        url: "http://{{ ansible_host }}:{{ access_port }}" # vars defined in inventory
        url_username: admin
        url_password: "{{ jenkins_password.stdout }}"
        name: "{{ item }}"
        state: present
        with_dependencies: true
      loop:
        - aws-credentials         # AWS Credentials
        - config-file-provider    # Config File Provider
        - docker-plugin           # Docker
        - docker-workflow         # Docker Pipeline
        - adoptopenjdk            # Eclipse Temurin Installer
        - email-ext               # Email Extension
        - htmlpublisher           # HTML Publisher
        - kubernetes              # Kubernetes
        - kubernetes-cli          # Kubernetes CLI
        - maven-plugin            # Maven Integration
        - nexus-artifact-uploader # Nexus Artifact Uploader
        - pipeline-maven          # Pipeline Maven Integration
        - pipeline-aws            # Pipeline: AWS Steps
        - sonar                   # SonarQube Scanner
      register: plugin_install
      when: jenkins_password is defined

    - name: Restart Jenkins for plugin activation
      docker_container:
        name: jenkins_container
        state: started
        restart: true
      when: plugin_install.changed

Problem 2: Incorrect example playbook in documentation

Aside from the authentication issue, I believe the jenkins_credential documentation page has a poor/incorrect example, where the parameter “token: {{ token }}” should be “token: {{ token_result.token }}”, if it were to work as a single playbook with the task that generated the token.

As written in my credentials playbook above, it’s working with token: {{ token_result.token }} syntax, when I have set my own admin password. I was getting errors with the syntax in the example playbook even when I had set my own admin password.

Where can I post about correcting the documentation? Or am I misinterpreting it?

  • Problem 1
    The module documentation correctly tells you that jenkins_username is always required, and that token is always required except for type: token which requires jenkins_password instead (the only time the password is required). The documentation also tells you that name: is required for type: token and that a new token will be generated every time unless the id: is specified. In the RETURN section, it mentions that the actual token will only ever be returned once. So you must record the API token securely to re-use it later or otherwise you will want to add a clean-up routine to delete old tokens.

  • Problem 2
    You’re right that the documentation EXAMPLE isn’t consistent with the token syntax and should use "{{ token_result.token }}", and the required name: wasn’t specified either. Since the token id was specified though, then even if the rest of the code was correct, the example would only work on the first pass as only the token_uuid instead of the token itself will be returned on subsequent runs.

The contributing guidelines for that collection are here: community.general/CONTRIBUTING.md at main · ansible-collections/community.general · GitHub
That will point you to the issue tracker to create a bug report, but if you’re willing to update the documentation yourself then review the rest of the contributing guidelines about Opening a Pull Request.
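
One way to handle the once-only token return described in the reply above, as an added example that is not part of the thread or the module's documentation: generate the token only when no cached copy exists, keep it in an owner-only file on the controller, and read it back on later runs. The `token_cache` path, the `jenkins_url` variable and the prompted `admin_password` (an already configured admin account) are assumptions; the module parameters are the ones used in the playbooks above.

```yaml
---
# Added example (constructed): create the API token once, cache it, reuse it.
- name: Reuse one Jenkins API token across runs
  hosts: jenkins
  vars:
    jenkins_url: "http://{{ ansible_host }}:{{ access_port }}" # inventory vars, as in the thread
    # Hypothetical controller-side cache; Ansible Vault or a secrets manager is preferable.
    token_cache: "{{ playbook_dir }}/.jenkins-token-{{ inventory_hostname }}"
  vars_prompt:
    - name: admin_password # assumption: a configured admin account, not the initial password
      prompt: "Enter Jenkins admin password"
      private: true
    - name: sonarqube_secret
      prompt: "Enter SonarQube token"
      private: true
  tasks:
    - name: Check for a cached token on the controller
      ansible.builtin.stat:
        path: "{{ token_cache }}"
      delegate_to: localhost
      register: cached
    - name: Create and cache the token only when none is cached
      when: not cached.stat.exists
      no_log: true # keep the password and the token out of task output
      block:
        - name: Generate token (the value is returned only on creation)
          community.general.jenkins_credential:
            url: "{{ jenkins_url }}"
            id: "test-token"
            name: "test_token_name"
            jenkins_user: "admin"
            jenkins_password: "{{ admin_password }}"
            type: "token"
          register: token_result
        - name: Store the token in an owner-only file
          ansible.builtin.copy:
            content: "{{ token_result.token }}"
            dest: "{{ token_cache }}"
            mode: "0600"
          delegate_to: localhost
    - name: Add SonarQube credentials with the cached token
      community.general.jenkins_credential:
        url: "{{ jenkins_url }}"
        jenkins_user: admin
        token: "{{ lookup('ansible.builtin.file', token_cache) }}"
        id: "SonarQube-Token"
        type: "text"
        secret: "{{ sonarqube_secret }}"
      no_log: true
```

If the cache file is lost while the token with that id still exists in Jenkins, the store task fails because only `token_uuid` comes back; the old token then has to be deleted and regenerated.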

Ok, I understood that it requires a token to add credentials. But, what I don’t understand is why the tasks of adding credentials are failing but token creation is succeeding when using the initial admin password.

What I’m trying to do is create the Docker container and configure Jenkins using Ansible playbooks before I create my admin account. As such, I have to use the initial admin password to do that.

If my playbook was not storing the token properly, or a duplicate token can’t be created, then it’d also fail after creating the new admin user/password. I ran the playbook multiple times before creating a new admin, but it succeeds on the first try after it.