[JENKINS-68209] Credentials disappear after controller upgrade to Jenkins LTS 2.332.2 using custom initScripts credential providers

Type: Bug
Resolution: Fixed
Priority: Blocker
Component/s: credentials-plugin
Labels:
- jenkins
- plugins
Environment:
Fixing Controller Vulnerabilities in Production

Similar Issues:
Powered by SuggestiMate

Show

Hello,

Upgrading from jenkins/jenkins:2.303.3-lts-jdk11 to jenkins/jenkins:2.332.2-lts-jdk11 causes the credential assignments to dissappear in Manage Jenkins => Configure System. This is specifically to jenkins helm chart with below initScripts:

initScripts:
- |
      import com.cloudbees.plugins.credentials.CredentialsProviderManager
      import com.cloudbees.plugins.credentials.CredentialsProviderFilter
      import com.cloudbees.plugins.credentials.CredentialsTypeFilter      def allowedCredentialsProviders = [
        'com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider',
        'com.cloudbees.plugins.credentials.SystemCredentialsProvider$ProviderImpl'
      ]
      // vault provider class to use in the future: com.datapipe.jenkins.vault.credentials.VaultCredentialsProvider
      CredentialsProviderFilter providerFilter = new CredentialsProviderFilter.Includes(allowedCredentialsProviders)
      CredentialsProviderManager.getInstance().setProviderFilter(providerFilter)      def allowedCredentialTypes = [         'com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl$DescriptorImpl',
        'com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl$DescriptorImpl',
        'io.jenkins.plugins.gitlabserverconfig.credentials.PersonalAccessTokenImpl$DescriptorImpl',
        'org.jenkinsci.plugins.kubernetes.credentials.FileSystemServiceAccountCredential$DescriptorImpl',
        'com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DescriptorImpl',
        'org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl$DescriptorImpl',
        'org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl$DescriptorImpl',
        'org.jenkinsci.plugins.docker.commons.credentials.DockerServerCredentials$DescriptorImpl',
        'com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl$DescriptorImpl'
        // 'org.csanchez.jenkins.plugins.kubernetes.OpenShiftTokenCredentialImpl$DescriptorImpl',
        // 'org.jenkinsci.plugins.kubernetes.credentials.OpenShiftBearerTokenCredentialImpl$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.VaultAwsIamCredential$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.common.VaultCertificateCredentialsImpl$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.VaultGCPCredential$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.VaultGithubTokenCredential$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.common.VaultGCRLoginImpl$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.VaultKubernetesCredential$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.common.VaultSSHUserPrivateKeyImpl$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.common.VaultFileCredentialImpl$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.common.VaultStringCredentialImpl$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.VaultTokenCredential$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.VaultTokenFileCredential$DescriptorImpl',
        // 'com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredentialImpl$DescriptorImpl',
      ]
      CredentialsTypeFilter typeFilter = new CredentialsTypeFilter.Includes(allowedCredentialTypes)
      CredentialsProviderManager.getInstance().setTypeFilter(typeFilter)

Best Regards,

Anand

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

Screen Shot 2022-04-06 at 2.08.57 PM.png
45 kB
2022-04-06 22:33

Anand Vijayan created issue - 2022-04-06 22:39

Anand Vijayan made changes - 2022-05-05 00:40

Released As	Original: LTS Change Logs
Description	Original: Hello, Upgrading from jenkins/jenkins:2.303.3-lts-jdk11 to jenkins/jenkins:2.332.1-lts-jdk11 causes the credential assignments to dissappear in Manage Jenkins => Configure System. Is this something that would be fixed in the Credentials plugin for a future version LTS release? Best Regards, Anand	New: Hello, Upgrading from jenkins/jenkins:2.303.3-lts-jdk11 to jenkins/jenkins:2.332.2-lts-jdk11 causes the credential assignments to dissappear in Manage Jenkins => Configure System. This is specifically to jenkins helm chart with below initScripts: {code:java} initScripts: - \| import com.cloudbees.plugins.credentials.CredentialsProviderManager import com.cloudbees.plugins.credentials.CredentialsProviderFilter import com.cloudbees.plugins.credentials.CredentialsTypeFilter def allowedCredentialsProviders = [ 'com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider', 'com.cloudbees.plugins.credentials.SystemCredentialsProvider$ProviderImpl' ] // vault provider class to use in the future: com.datapipe.jenkins.vault.credentials.VaultCredentialsProvider CredentialsProviderFilter providerFilter = new CredentialsProviderFilter.Includes(allowedCredentialsProviders) CredentialsProviderManager.getInstance().setProviderFilter(providerFilter) def allowedCredentialTypes = [ 'com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl', 'com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl', 'io.jenkins.plugins.gitlabserverconfig.credentials.PersonalAccessTokenImpl', 'org.jenkinsci.plugins.kubernetes.credentials.FileSystemServiceAccountCredential', 'com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey', 'org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl', 'org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl', 'org.jenkinsci.plugins.docker.commons.credentials.DockerServerCredentials', 'com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl' // 'org.csanchez.jenkins.plugins.kubernetes.OpenShiftTokenCredentialImpl$DescriptorImpl', // 'org.jenkinsci.plugins.kubernetes.credentials.OpenShiftBearerTokenCredentialImpl$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.VaultAwsIamCredential$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.common.VaultCertificateCredentialsImpl$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.VaultGCPCredential$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.VaultGithubTokenCredential$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.common.VaultGCRLoginImpl$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.VaultKubernetesCredential$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.common.VaultSSHUserPrivateKeyImpl$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.common.VaultFileCredentialImpl$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.common.VaultStringCredentialImpl$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.VaultTokenCredential$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.VaultTokenFileCredential$DescriptorImpl', // 'com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredentialImpl$DescriptorImpl', ] CredentialsTypeFilter typeFilter = new CredentialsTypeFilter.Includes(allowedCredentialTypes) CredentialsProviderManager.getInstance().setTypeFilter(typeFilter) {code} Best Regards, Anand
Summary	Original: Credentials disappear after controller upgrade to Jenkins LTS 2.332.1	New: Credentials disappear after controller upgrade to Jenkins LTS 2.332.2 using custom initScripts credential providers

Anand Vijayan made changes - 2022-05-05 00:44

Description

Original: Hello,

Upgrading from jenkins/jenkins:2.303.3-lts-jdk11 to jenkins/jenkins:2.332.2-lts-jdk11 causes the credential assignments to dissappear in Manage Jenkins => Configure System. This is specifically to jenkins helm chart with below initScripts:
{code:java}
initScripts:
- |
import com.cloudbees.plugins.credentials.CredentialsProviderManager
import com.cloudbees.plugins.credentials.CredentialsProviderFilter
import com.cloudbees.plugins.credentials.CredentialsTypeFilter def allowedCredentialsProviders = [
'com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider',
'com.cloudbees.plugins.credentials.SystemCredentialsProvider$ProviderImpl'
]
// vault provider class to use in the future: com.datapipe.jenkins.vault.credentials.VaultCredentialsProvider
CredentialsProviderFilter providerFilter = new CredentialsProviderFilter.Includes(allowedCredentialsProviders)
CredentialsProviderManager.getInstance().setProviderFilter(providerFilter) def allowedCredentialTypes = [
'com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl',
'com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl',
'io.jenkins.plugins.gitlabserverconfig.credentials.PersonalAccessTokenImpl',
'org.jenkinsci.plugins.kubernetes.credentials.FileSystemServiceAccountCredential',
'com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey',
'org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl',
'org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl',
'org.jenkinsci.plugins.docker.commons.credentials.DockerServerCredentials',
'com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl'
// 'org.csanchez.jenkins.plugins.kubernetes.OpenShiftTokenCredentialImpl$DescriptorImpl',
// 'org.jenkinsci.plugins.kubernetes.credentials.OpenShiftBearerTokenCredentialImpl$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultAwsIamCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.common.VaultCertificateCredentialsImpl$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultGCPCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultGithubTokenCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.common.VaultGCRLoginImpl$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultKubernetesCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.common.VaultSSHUserPrivateKeyImpl$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.common.VaultFileCredentialImpl$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.common.VaultStringCredentialImpl$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultTokenCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultTokenFileCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredentialImpl$DescriptorImpl',
]
CredentialsTypeFilter typeFilter = new CredentialsTypeFilter.Includes(allowedCredentialTypes)
CredentialsProviderManager.getInstance().setTypeFilter(typeFilter) {code}
Best Regards,

Anand

New: Hello,

Upgrading from jenkins/jenkins:2.303.3-lts-jdk11 to jenkins/jenkins:2.332.2-lts-jdk11 causes the credential assignments to dissappear in Manage Jenkins => Configure System. This is specifically to jenkins helm chart with below initScripts:
{code:java}
initScripts:
- |
import com.cloudbees.plugins.credentials.CredentialsProviderManager
import com.cloudbees.plugins.credentials.CredentialsProviderFilter
import com.cloudbees.plugins.credentials.CredentialsTypeFilter def allowedCredentialsProviders = [
'com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider',
'com.cloudbees.plugins.credentials.SystemCredentialsProvider$ProviderImpl'
]
// vault provider class to use in the future: com.datapipe.jenkins.vault.credentials.VaultCredentialsProvider
CredentialsProviderFilter providerFilter = new CredentialsProviderFilter.Includes(allowedCredentialsProviders)
CredentialsProviderManager.getInstance().setProviderFilter(providerFilter) def allowedCredentialTypes = [ 'com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl$DescriptorImpl',
'com.dabsquared.gitlabjenkins.connection.GitLabApiTokenImpl$DescriptorImpl',
'io.jenkins.plugins.gitlabserverconfig.credentials.PersonalAccessTokenImpl$DescriptorImpl',
'org.jenkinsci.plugins.kubernetes.credentials.FileSystemServiceAccountCredential$DescriptorImpl',
'com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DescriptorImpl',
'org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl$DescriptorImpl',
'org.jenkinsci.plugins.plaincredentials.impl.StringCredentialsImpl$DescriptorImpl',
'org.jenkinsci.plugins.docker.commons.credentials.DockerServerCredentials$DescriptorImpl',
'com.cloudbees.plugins.credentials.impl.CertificateCredentialsImpl$DescriptorImpl'
// 'org.csanchez.jenkins.plugins.kubernetes.OpenShiftTokenCredentialImpl$DescriptorImpl',
// 'org.jenkinsci.plugins.kubernetes.credentials.OpenShiftBearerTokenCredentialImpl$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultAwsIamCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.common.VaultCertificateCredentialsImpl$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultGCPCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultGithubTokenCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.common.VaultGCRLoginImpl$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultKubernetesCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.common.VaultSSHUserPrivateKeyImpl$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.common.VaultFileCredentialImpl$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.common.VaultStringCredentialImpl$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultTokenCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.VaultTokenFileCredential$DescriptorImpl',
// 'com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredentialImpl$DescriptorImpl',
]
CredentialsTypeFilter typeFilter = new CredentialsTypeFilter.Includes(allowedCredentialTypes)
CredentialsProviderManager.getInstance().setTypeFilter(typeFilter) {code}
Best Regards,

Anand

Anand Vijayan added a comment - 2022-05-05 20:21

The issue was resolved by removing the commented out TypeFilter classes.

Anand Vijayan added a comment - 2022-05-05 20:21 The issue was resolved by removing the commented out TypeFilter classes.

Anand Vijayan added a comment - 2022-05-05 20:22

Removing the type filters in comments fixed the issue.

Anand Vijayan added a comment - 2022-05-05 20:22 Removing the type filters in comments fixed the issue.

Anand Vijayan made changes - 2022-05-05 20:22

Resolution		New: Fixed [ 1 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

Assignee:: Unassigned

Reporter:: Anand Vijayan

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2022-04-06 22:39

Updated:: 2022-05-05 20:22

Resolved:: 2022-05-05 20:22

Jenkins

Details

Description

Attachments

Attachments

Activity

Collapse comment: Anand Vijayan added a comment - 2022-05-05 20:21

Expand comment: Anand Vijayan added a comment - 2022-05-05 20:21

Collapse comment: Anand Vijayan added a comment - 2022-05-05 20:22

Expand comment: Anand Vijayan added a comment - 2022-05-05 20:22

People

Dates