Reputation: 13
I'm building a Docker image for a Jenkins slave. That Jenkins slave will have to push and pull artifacts to/from an artifacts repository.
This is for Java and Maven projects, so I need to have a settings.xml in my Docker container so that I can authenticate to several private repositories.
My idea would be to copy a settings.xml in the Dockerfile, but because it has sensitive information (username, password), I'm concerned about security. Can I encrypt this content in source control? And more importantly, can I prevent people from just downloading this file and being able to use the encrypted credentials? Ideally I should have a mechanism to make sure the encrypted file only works in the context of the Docker container.
Upvotes: 1
Views: 4276
Reputation: 36
As I understand it, credentials for upload should be available to the Jenkins slave only. Several options here:
1. Create a special settings.xml just for Jenkins slaves. Access to the Jenkins slave is prohibited for all users except admin, so the password will be safe. Everyone else will use another settings.xml with creds for download only.
2. Parametrize settings.xml with env variables:
    <server>
      <id>repo</id>
      <username>${env.REPO_USER}</username>
      <password>${env.REPO_PASSWORD}</password>
    </server>
   On Jenkins slaves, REPO_USER/PASSWORD will be set with the credentials plugin: https://support.cloudbees.com/hc/en-us/articles/203802500-Injecting-Secrets-into-Jenkins-Build-Jobs. Users will set these vars to download-only creds.
Upvotes: 2
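A check that fits the second option above, as an added example that is not part of the original answer: before a settings.xml is committed or copied into the image, confirm that every server credential is an `${env.NAME}` placeholder and that the referenced variables are set where the build runs. The names `audit_settings`, `CHECKED_FIELDS` and `SAMPLE`, and the "legacy" server entry, are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: "repo" follows the answer's pattern, "legacy" hardcodes creds.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>repo</id>
      <username>${env.REPO_USER}</username>
      <password>${env.REPO_PASSWORD}</password></server>
    <server><id>legacy</id>
      <username>deployer</username>
      <password>not-a-real-password</password></server>
  </servers>
</settings>"""

ENV_REF = re.compile(r"^\$\{env\.([A-Za-z_][A-Za-z0-9_]*)\}$")
CHECKED_FIELDS = ("username", "password", "passphrase")

def local(tag):
    """Strip an XML namespace prefix: '{ns}server' -> 'server'."""
    return tag.rsplit("}", 1)[-1]

def audit_settings(xml_text, environ):
    """Return (literals, missing) for the <server> entries of a settings.xml.

    literals: (server_id, field) pairs whose value is written into the file.
    missing:  env variable names the file references but environ lacks.
    """
    literals, missing = [], []
    for server in ET.fromstring(xml_text).iter():
        if local(server.tag) != "server":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in server}
        for name in CHECKED_FIELDS:
            value = fields.get(name)
            if not value:
                continue
            ref = ENV_REF.match(value)
            if ref is None:
                literals.append((fields.get("id", "?"), name))
            elif ref.group(1) not in environ and ref.group(1) not in missing:
                missing.append(ref.group(1))
    return literals, missing

if __name__ == "__main__":
    import os
    literals, missing = audit_settings(SAMPLE, os.environ)
    print("hardcoded:", literals, "unset:", missing)
    raise SystemExit(1 if literals or missing else 0)
```

Run as a pre-commit or image-build step, a non-zero exit stops a settings.xml with literal credentials from reaching source control or an image layer.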