nodejs jenkins-agent can not import private keys into gpg keyring to use with helm secrets
matzehecht opened this issue · 1 comment
Describe the bug
I was using the nodejs16 jenkins-agent with helm to deploy my application. The deployment failed with the following error message (while trying to load the private key into the gpg keyring):
gpg: WARNING: unsafe ownership on homedir '/home/jenkins/.gnupg'
gpg: failed to create temporary file '/home/jenkins/.gnupg/.#l...': Permission denied
gpg: keyblock resource '/home/jenkins/.gnupg/pubring.kbx': Permission denied
gpg: no writable keyring found: Not found
gpg: key ****: failed to re-lookup public key: No public key
gpg: error reading ****: No public key
gpg: import from **** failed: No public key
gpg: Total number processed: 0
gpg: secret keys read: 1
Workaround
Switching to the base jenkins-agent and using containerTemplates for the stages in which you need nodejs.
To Reproduce
Steps to reproduce the behavior:
- Start a pipeline that uses helm secrets and any nodejs jenkins-agent
Expected behavior
helm secrets should work with the nodejs jenkins-agents
Affected version (please complete the following information):
- OpenShift: 4.x
- OpenDevStack 4.x
Additional context
Further debugging revealed that in the base jenkins-agent there is no /home/jenkins/.gnupg folder in the image (on pipeline start). See Screenshot 1. This works fine as the user used in the pipeline is in the root group and has write permissions on this folder. That way the user can create the .gnupg folder and the keyring in it the first time gpg is used.
In the nodejs16 jenkins-agent there is already a /home/jenkins/.gnupg folder in the image (on pipeline start). As this folder was created during the docker build, it is owned by the user used during the build and afterwards handed over to user 1001 (in L59 in the Dockerfile). See Screenshot 2. If this image is now used in the pipeline, the pipeline will run with a different user (no, the USER 1001 directive does not change anything, as 1001 is not in the user id range that OpenShift is using (see RedHat KB)). Therefore this user does not have the x permission on this folder and cannot access files in it, including the keyring file.
I also looked into the other nodejs jenkins-agents: they seem to have the same issue (I don't know if it is the same for other jenkins-agents as well).
I looked into what is causing the creation of the .gnupg folder on image build. At least for the nodejs16 agent it is installing yarn (L36) and google-chrome (L44).
For the yarn part, this can be fixed by switching to the recommended installation methods from yarn (legacy or the recommended). For the google-chrome part I don't have any idea yet. Maybe the easier fix would be to delete the .gnupg folder as the last step in the image builds.
I just realized: changing L60 from g+rw to g+rwx should also solve this issue.
Maybe this should be changed in all other jenkins-agents as well...
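The permission problem described in the report, reproduced as an added example (this is not code from the issue or from the jenkins-agent images): it builds two throwaway directories in the shape of the two .gnupg layouts and checks whether a user whose only link to the directory is supplementary group 0 (the OpenShift arbitrary-UID case) has the traverse bit it needs. It assumes the folder starts out as 0700, which is what gpg creates by default, and that the Dockerfile applies either g+rw or g+rwx to it.

```shell
#!/bin/sh
# Added example, not from the issue or the jenkins-agent repo.
# A pipeline user with an arbitrary UID reaches /home/jenkins/.gnupg only
# through group 0, so the GROUP bits decide whether gpg can write a keyring.

# Returns 0 when the group has r, w and x on the directory. Without x the
# group cannot enter it, which is the "Permission denied" on pubring.kbx
# and on the temporary lock file that the report shows.
group_rwx() {
    mode=$(ls -ld "$1" | cut -c5-7)
    [ "$mode" = "rwx" ]
}

# Constructed demo layout under a temp dir (not the real image):
# gpg creates ~/.gnupg as 0700 (assumption based on gpg's default).
# The Dockerfile's "g+rw" then yields 0760; "g+rwx" yields 0770.
demo_dir=$(mktemp -d)
GNUPG_GRW="$demo_dir/gnupg_grw"
GNUPG_GRWX="$demo_dir/gnupg_grwx"
mkdir -m 700 "$GNUPG_GRW" "$GNUPG_GRWX"
chmod g+rw  "$GNUPG_GRW"    # what the reported Dockerfile line does
chmod g+rwx "$GNUPG_GRWX"   # the proposed fix

# Human-readable verdict for each layout.
report() {
    if group_rwx "$1"; then
        echo "$(ls -ld "$1" | cut -c1-10) $1: group can enter and write the keyring"
    else
        echo "$(ls -ld "$1" | cut -c1-10) $1: group lacks x, gpg gets Permission denied inside"
    fi
}
report "$GNUPG_GRW"
report "$GNUPG_GRWX"
```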