• Bug
    • Resolution: Won't Do
    • Major
    • kubernetes-plugin
    • None

      In our Jenkins pipeline script we pass sensitive environment variables into the pod which come out of the job parameters.

      This sensitive information is unfortunately disclosed via the log.

      #459 / JENKINS-57116 introduced the option showRawYaml but this does not seem to take effect within a Jenkins pipeline when using podTemplate(showRawYaml: false, ...)

      Would be great to make this available.

          [JENKINS-57717] showRawYaml doesn't work inside podTemplate

          Carlos Sanchez added a comment - showRawYaml is in 1.15.4, what version are you using?

          Oliver Nocon added a comment -

          Thank you for your feedback, we are exactly on this version.

          I see the respective checkbox in Jenkins system configuration.

          When calling via pipeline script I was not able to get it working. When looking into

          https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/pipeline/PodTemplateStep.java

          I am not able to find the respective setter but maybe there is a misunderstanding on my side and there is something else I overlooked ...

          Carlos Sanchez added a comment - I see, it is implemented for global templates but not for Jenkinsfiles

          Oliver Nocon added a comment - addressed via https://github.com/jenkinsci/kubernetes-plugin/pull/519

          Jesse Glick added a comment -

          What was addressed exactly?

          To go back to the original description:

          we pass sensitive environment variables into the pod which come out of the job parameters

          Can you be more specific please? The credentials-binding and kubernetes plugins automatically mask secrets from the log coming from withCredentials and Kubernetes Secret mounts, respectively. Provide a complete, self-contained job definition which demonstrates your issue.

          Oliver Nocon added a comment -

          PR addressed the issue that showRawYaml: false did not take effect inside a Jenkinsfile.

          It has been merged, thus the issue can be closed.

          Issue was in a job with a password parameter. When passing this parameter as env variable to the pod: name and value (taken from the password parameter) were printed to the log. Now, using showRawYaml: false this can be prevented.

          Jesse Glick added a comment - - edited

          When passing this parameter as env variable to the pod: name and value (taken from the password parameter)

          There is no supported way to do this currently: JENKINS-43814

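For auditing console logs written while the pod YAML was still being printed, the following added example (not part of the issue thread or the plugin) flags env entries that carry an inline value rather than a valueFrom Secret reference. The log excerpt, its YAML layout, the keyword list and the name find_literal_env are constructed assumptions.

```python
import re

# Constructed console-log excerpt (not from the issue). The layout of the printed
# pod YAML is an assumption modelled on a serialized Kubernetes Pod manifest.
SAMPLE_LOG = """\
[Pipeline] podTemplate
[Pipeline] node
Agent build-abc123 is provisioned from template build
---
apiVersion: "v1"
kind: "Pod"
spec:
  containers:
  - name: "build"
    image: "alpine:3.19"
    env:
    - name: "DEPLOY_PASSWORD"
      value: "constructed-not-a-real-secret"
    - name: "API_TOKEN"
      valueFrom:
        secretKeyRef:
          key: "api-token"
          name: "ci-secrets"
    - name: "JENKINS_URL"
      value: "http://jenkins.example.invalid/"
[Pipeline] container
"""

NAME_RE = re.compile(r'^\s*-\s+name:\s*"?([^"\n]+?)"?\s*$')
VALUE_RE = re.compile(r"^\s*value:(\s|$)")  # inline value; "valueFrom:" does not match
SENSITIVE_RE = re.compile(r"PASS|PWD|SECRET|TOKEN|KEY|CREDENTIAL", re.IGNORECASE)


def find_literal_env(log_text):
    """Return (line_no, name, looks_sensitive) for each env entry whose value is
    written inline in the printed YAML. The value itself is never returned."""
    findings = []
    prev_name = None  # name taken from the immediately preceding "- name:" line
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if prev_name is not None and VALUE_RE.match(line):
            findings.append((line_no, prev_name, bool(SENSITIVE_RE.search(prev_name))))
        match = NAME_RE.match(line)
        prev_name = match.group(1) if match else None
    return findings


if __name__ == "__main__":
    for line_no, name, sensitive in find_literal_env(SAMPLE_LOG):
        print(f"line {line_no}: {name} has an inline value" + (" (review)" if sensitive else ""))
```

Entries backed by a Kubernetes Secret appear as valueFrom and are not reported; a log produced with showRawYaml: false contains no pod YAML and yields no findings.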

            csanchez Carlos Sanchez
            nocono Oliver Nocon