Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-60908

AWS Secrets Manager Plugin Breaking Change

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      Release 0.2.X+ of the plugin has added a new tag requirement in order for the plugin to know which data to pull in from AWS Secrets Manager.  Existing secrets without this tag will not be pulled in.  I would classify this as a breaking change and a note should be added to the README.

       

      This can be tested by installing version 0.1.4 and only specify a tag that one can use to Filter the secret against.  It will come in.  If you then upgrade to 0.2.0 or higher and create a similar tag without the necessary credentials type tag, then it will appear.

       

      Interestingly enough, this does not impact recognizing if the secret key has been deleted.

        Attachments

          Activity

          Hide
          chriskilding Chris Kilding added a comment -

          Release Drafter doesn't go back in time to before it was enabled, so I have annotated the most recent tags with release notes manually.

          Ethan Stein could you look at the linked release notes, and indicate if they're clear enough about the breaking change in 0.2.0? (Or if not, what you'd modify - nothing else is dependent on these notes, so I can update them once or twice if needed.)

          https://github.com/jenkinsci/aws-secrets-manager-credentials-provider-plugin/releases#0.2.0

          Show
          chriskilding Chris Kilding added a comment - Release Drafter doesn't go back in time to before it was enabled, so I have annotated the most recent tags with release notes manually. Ethan Stein could you look at the linked release notes, and indicate if they're clear enough about the breaking change in 0.2.0? (Or if not, what you'd modify - nothing else is dependent on these notes, so I can update them once or twice if needed.) https://github.com/jenkinsci/aws-secrets-manager-credentials-provider-plugin/releases#0.2.0
          Hide
          chriskilding Chris Kilding added a comment -

          I've enabled Release Drafter on the repo, which will automatically write the changelog for each plugin release on the GitHub Releases page. This seems to be the best place to communicate changes in new versions, breaking or otherwise.

          Show
          chriskilding Chris Kilding added a comment - I've enabled Release Drafter on the repo, which will automatically write the changelog for each plugin release on the GitHub Releases page. This seems to be the best place to communicate changes in new versions, breaking or otherwise.
          Hide
          chriskilding Chris Kilding added a comment -

          I've logged the problem with credentials sticking around after the jenkins:credentials:type tag is removed in JENKINS-61112

          Show
          chriskilding Chris Kilding added a comment - I've logged the problem with credentials sticking around after the jenkins:credentials:type tag is removed in JENKINS-61112
          Hide
          chriskilding Chris Kilding added a comment -

          I've logged the soft-deleted secrets problem in JENKINS-61111

          Show
          chriskilding Chris Kilding added a comment - I've logged the soft-deleted secrets problem in JENKINS-61111
          Hide
          chriskilding Chris Kilding added a comment -

          User-configurable cache duration has a ticket: JENKINS-57577. I'll note your interest there.

          The soft deletion of secrets is problematic in Moto (the AWS mock I use) because it doesn't have an effective notion of time (at least, not the kind of time frames we have in integration test lifecycles). This makes testing soft deletion very awkward and there could be a mistake there. I'll investigate.

          Show
          chriskilding Chris Kilding added a comment - User-configurable cache duration has a ticket: JENKINS-57577 . I'll note your interest there. The soft deletion of secrets is problematic in Moto (the AWS mock I use) because it doesn't have an effective notion of time (at least, not the kind of time frames we have in integration test lifecycles). This makes testing soft deletion very awkward and there could be a mistake there. I'll investigate.
          Hide
          esteinfama Ethan Stein added a comment -

          Sure, just wanted you to be aware of what made me struggle for the past 24 hrs when I setup a new environment with the latest version of this plugin while my older environments had the previous version.

          As far as my final statement, it seemed that after adding that jenkins:credentials:type=string tag into the secret within AWS Secrets Manager and it getting displayed in Jenkins, if I remove the tag, the entry still remains in Jenkins even after the 5 minute mark.  It will only disappear after I initiate a delete to remove the secret altogether, regardless of whether that tag was present or later removed.

           

          Also, a strange thing I noticed previously, if I mark the secret as deleted but it is still recoverable, the secret is still seen in Jenkins. Not sure whether you've tested/coded for this.

           

          Finally, any chance you can parameterize the 5 minute-check. Sometimes I'd like to have it be less (at least initially).

          Show
          esteinfama Ethan Stein added a comment - Sure, just wanted you to be aware of what made me struggle for the past 24 hrs when I setup a new environment with the latest version of this plugin while my older environments had the previous version. As far as my final statement, it seemed that after adding that jenkins:credentials:type=string tag into the secret within AWS Secrets Manager and it getting displayed in Jenkins, if I remove the tag, the entry still remains in Jenkins even after the 5 minute mark.  It will only disappear after I initiate a delete to remove the secret altogether, regardless of whether that tag was present or later removed.   Also, a strange thing I noticed previously, if I mark the secret as deleted but it is still recoverable, the secret is still seen in Jenkins. Not sure whether you've tested/coded for this.   Finally, any chance you can parameterize the 5 minute-check. Sometimes I'd like to have it be less (at least initially).
          Hide
          chriskilding Chris Kilding added a comment -

          Hi Ethan, could you clarify the last sentence? Not quite sure what it means, but there might be something worth investigating in it.

          You are correct that it’s a breaking change. I kept the previous auto-detection strategy going as long as I could, but unfortunately the multi-type credential object this entailed broke fundamental assumptions of important credential consumers, like the Git plugin. So it was a tough call but I had to change it. I’ll add a doc notice as you suggest.

          The only in-band mechanism Jenkins currently provides to announce a breaking change is the plugin version number. However per the Semantic Versioning standard, this only really works if you are post version 1 (when you can indicate a breaking change with a major version increment). Therefore I intend to finish the last 2 or 3 minor changes I’m working on, sit on it for a while, then if all looks good release stable version 1.0.0.

          Show
          chriskilding Chris Kilding added a comment - Hi Ethan, could you clarify the last sentence? Not quite sure what it means, but there might be something worth investigating in it. You are correct that it’s a breaking change. I kept the previous auto-detection strategy going as long as I could, but unfortunately the multi-type credential object this entailed broke fundamental assumptions of important credential consumers, like the Git plugin. So it was a tough call but I had to change it. I’ll add a doc notice as you suggest. The only in-band mechanism Jenkins currently provides to announce a breaking change is the plugin version number. However per the Semantic Versioning standard, this only really works if you are post version 1 (when you can indicate a breaking change with a major version increment). Therefore I intend to finish the last 2 or 3 minor changes I’m working on, sit on it for a while, then if all looks good release stable version 1.0.0.

            People

            Assignee:
            chriskilding Chris Kilding
            Reporter:
            esteinfama Ethan Stein
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: