How to find your Jenkins admin password on Kubernetes

Tracking down your Jenkins admin password is surprisingly mysterious after installing via Helm. Here's how to do it.

How Kubernetes became the solution for migrating legacy applications

Image by:

Opensource.com

The tooling to make Kubernetes easier to navigate is so good at times, I get surprised when I can't find a simple way to get an answer. As someone who doesn't use Kubernetes day-to-day, any intermediate level of troubleshooting turns into an afternoon of first, questioning my sanity and second, considering a job as a shepherd or something else that's away from the keyboard.

It began simply. In this case, I was following a tutorial that depended on a Kubernetes cluster, so I used Minikube, which is a nice and easy virtual environment that makes running a clustered environment possible on a laptop. That installation went well, so I got started with Helm, which is a wonderfully straightforward package manager for Kubernetes. I used one of Helm's Charts to install Jenkins, and I was up and running without a problem. Jenkins is the de facto standard for DevOps pipelines and to have it running in just a few minutes is pretty great.

I had my environment configured and everything was responding. Now, what's the admin password to log into Jenkins?

As part of the Helm Chart, Jenkins configures a default username and password for its graphical user interface (GUI). I had the GUI up and running, but I had no idea how to log in.

I had no clue what I missed, so I looked at the GitHub repository for the chart and searched as much as I could. I tried googling all the related search patterns I could think of:

How to retrieve a Jenkins admin password on Kubernetes
Kubernetes Jenkins password Helm
Jenkins admin password Helm Chart
Helm Jenkins how-to

While there are a ton of great tutorials out there, there wasn't an answer that met me where I was at the beginner level.

TL;DR the answer

If you just want to look up your Jenkins password and don't care about why this works, run the following:

printf $(kubectl get secret --namespace jenkins jenkins -o jsonpath="{.data.jenkins-admin-password}" | base64 --decode);echo

The default user is admin. Now that you know both of those details, you can log into the UI. Where is the UI you ask? Run this:

# Be sure to update your jenkins pod name in the following command
$ kubectl port-forward jenkins-7565554b8f-cvhbd 8088:8080

Then you can navigate to 127.0.0.1:8088 to access the UI.

The scenario

Here's the background on this solution. I have a working local Kubernetes environment, thanks to Minikube. I installed the Kubernetes package manager Helm via Homebrew (as a MacOS user) and took the next step:

$ helm install --name jenkins stable/jenkins --namespace jenkins
Error: could not find tiller

Just kidding—whenever Helms runs for the first time in a cluster, you have to initialize the Tiller service. The Helm glossary says:

Tiller is the in-cluster component of Helm. It interacts directly with the Kubernetes API server to install, upgrade, query, and remove Kubernetes resources. It also stores the objects that represent releases.

Let's do this right:

$ helm init
Creating /Users/mbbroberg/.helm
Creating /Users/mbbroberg/.helm/repository
Creating /Users/mbbroberg/.helm/repository/cache
Creating /Users/mbbroberg/.helm/repository/local
Creating /Users/mbbroberg/.helm/plugins
Creating /Users/mbbroberg/.helm/starters
Creating /Users/mbbroberg/.helm/cache/archive
Creating /Users/mbbroberg/.helm/repository/repositories.yaml
Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com
Adding local repo with URL: http://127.0.0.1:8879/charts
$HELM_HOME has been configured at /Users/mbbroberg/.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.

Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy.
To prevent this, run `helm init` with the --tiller-tls-verify flag.
For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation

Now it's time to install Jenkins and confirm it is online:

helm install --name jenkins stable/jenkins --namespace jenkins
NAME:   jenkins
LAST DEPLOYED: Tue May 28 11:12:39 2019
NAMESPACE: jenkins
STATUS: DEPLOYED

RESOURCES:
==> v1/ConfigMap
NAME           DATA  AGE
jenkins        5     0s
jenkins-tests  1     0s

==> v1/Deployment
NAME     READY  UP-TO-DATE  AVAILABLE  AGE
jenkins  0/1    1           0          0s

==> v1/PersistentVolumeClaim
NAME     STATUS   VOLUME    CAPACITY  ACCESS MODES  STORAGECLASS  AGE
jenkins  Pending  standard  0s

==> v1/Pod(related)
NAME                      READY  STATUS   RESTARTS  AGE
jenkins-7565554b8f-cvhbd  0/1    Pending  0         0s

==> v1/Role
NAME                     AGE
jenkins-schedule-agents  0s

==> v1/RoleBinding
NAME                     AGE
jenkins-schedule-agents  0s

==> v1/Secret
NAME     TYPE    DATA  AGE
jenkins  Opaque  2     0s

==> v1/Service
NAME           TYPE          CLUSTER-IP    EXTERNAL-IP  PORT(S)         AGE
jenkins        LoadBalancer  10.96.90.0    <pending>    8080:32015/TCP  0s
jenkins-agent  ClusterIP     10.103.85.49  <none>       50000/TCP       0s

==> v1/ServiceAccount
NAME     SECRETS  AGE
jenkins  1        0s


NOTES:
1. Get your 'admin' user password by running:
  printf $(kubectl get secret --namespace jenkins jenkins -o jsonpath="{.data.jenkins-admin-password}" | base64 --decode);echo
2. Get the Jenkins URL to visit by running these commands in the same shell:
  NOTE: It may take a few minutes for the LoadBalancer IP to be available.
        You can watch the status of by running 'kubectl get svc --namespace jenkins -w jenkins'
  export SERVICE_IP=$(kubectl get svc --namespace jenkins jenkins --template "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}")
  echo http://$SERVICE_IP:8080/login

3. Login with the password from step 1 and the username: admin


For more information on running Jenkins on Kubernetes, visit:
https://cloud.google.com/solutions/jenkins-on-container-engine

$ kubectl get pods --namespace jenkins
NAME                       READY     STATUS    RESTARTS   AGE
jenkins-7565554b8f-cvhbd   1/1       Running   0          9m

You'll notice that the magical command to get the admin password is part of the lengthy output above (in Note 1). This incredibly helpful command:

Executes a kubectl command to extract the secret created by Jenkins
Sends that execution, thanks to printf and $(), as input to the pipe operator
Decodes the password, which is stored in base64 encoding, then outputs it to the screen

I didn't notice that line in the output at first, and I couldn't easily find the answer by searching, so hopefully, it's simpler for everyone now.

One more thing…

There is still a bit of a dead end here. My configuration never assigned a SERVICE_IP, as explained in the output (Note 2) above. Jessica Repka recommends setting up port forwarding from the pod to the local host so it can be addressed locally. By doing so, I'll be able to access the UI as if it's running locally on my laptop and not within a container within Minikube.

# Be sure to update your jenkins pod name in the following command
$ kubectl port-forward jenkins-7565554b8f-cvhbd 8088:8080

By leaving that terminal window running, I have a port forwarded to a locally available port–I chose 8088 here–and can get going with Jenkins at http://127.0.0.1:8088/login.

I hope this how-to will help other people getting started with Jenkins on Kubernetes.