[JENKINS-73872] Folder credential injection in kubernetes cloud from declarative pipeline

      We use the Jenkins CloudBees Folders plugin to give each software team its own Jenkins space. They also store their own credentials in their own scoped folder. With the Kubernetes plugin we would like to give each software team its own configured cloud, using their own folder-scoped credential with that cloud.

      With the Kubernetes plugin the cloud configuration is stored globally, and thus so is the credential. This means that scoped software teams could possibly read/misuse each other's credential IDs, which is bad from a security perspective.

      We programmatically tried changing the credential ID (using Groovy) to a folder-scoped credential; however, this was not allowed, as the routine assumes the credential is in the global credential store because of the default context being set here:
      https://github.com/jenkinsci/kubernetes-plugin/blob/4296.v20a_7e4d77cf6/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java#L126

      And eventually being used here:
      https://github.com/jenkinsci/kubernetes-plugin/blob/4296.v20a_7e4d77cf6/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java#L285

      So it would be nice to store the cloud configuration without a credential (which is already possible) and then dynamically inject the credentialsId on the spot, which also provides the right folder context (from the job). Such a declarative pipeline would look something like this:

      pipeline {
        agent {
          kubernetes {
            cloud 'team-a-cloud'
            credentialsId 'team-a-credential-id'
            yamlFile 'KubernetesPod.yaml'
          }
        }
        // ... stages, etc
      } 

      The credentialsId and context should NOT be stored in the Cloud object, as these values are temporary and only applicable to this job.
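The scoping behaviour the report describes can be reproduced directly against the Credentials plugin API. The following Jenkins script-console snippet is an added example, not code from the issue or from the kubernetes-plugin: it resolves the same credential ID twice, once with the Jenkins root as lookup context (the default the report points at) and once with the team's folder as context, and shows that the folder-scoped credential is only visible in the second case. It assumes a folder named `team-a` created with the Folders plugin that holds a folder-scoped credential with ID `team-a-credential-id` (the report's own placeholder); the helper name `resolveInContext` is mine.

```groovy
// Added example, not part of JENKINS-73872 or of the kubernetes-plugin.
// Run in Manage Jenkins > Script Console as an administrator.
// Assumptions (not from the report): a folder 'team-a' created with the
// Folders plugin, holding a folder-scoped credential 'team-a-credential-id'.
import com.cloudbees.hudson.plugins.folder.Folder
import com.cloudbees.plugins.credentials.CredentialsMatchers
import com.cloudbees.plugins.credentials.CredentialsProvider
import com.cloudbees.plugins.credentials.common.StandardCredentials
import hudson.model.ItemGroup
import hudson.security.ACL
import jenkins.model.Jenkins

// Resolve a credential ID against an explicit lookup context. The credentials
// plugin walks from the given context up to the root, so a folder context sees
// the folder's own store plus the global store, while the Jenkins root sees
// only the global store. Returns null when the ID is not visible from there.
StandardCredentials resolveInContext(String id, ItemGroup<?> context) {
    List<StandardCredentials> visible = CredentialsProvider.lookupCredentials(
            StandardCredentials.class, context, ACL.SYSTEM, Collections.emptyList())
    return CredentialsMatchers.firstOrNull(visible, CredentialsMatchers.withId(id))
}

Jenkins jenkins = Jenkins.get()
Folder teamFolder = jenkins.getItemByFullName('team-a', Folder)   // assumed folder
if (teamFolder == null) {
    throw new IllegalStateException("folder 'team-a' not found; adjust the assumed folder name")
}
String id = 'team-a-credential-id'                                 // assumed credential ID

// Lookup with the root as context: this is the situation the report describes,
// where a folder-scoped credential cannot be used because it is not visible.
StandardCredentials fromRoot = resolveInContext(id, jenkins)

// Lookup with the team's folder as context: the credential is found without
// ever having to be copied into the global store.
StandardCredentials fromFolder = resolveInContext(id, teamFolder)

println "root context   : ${fromRoot ? fromRoot.id + ' (' + fromRoot.class.simpleName + ')' : 'not found'}"
println "folder context : ${fromFolder ? fromFolder.id + ' (' + fromFolder.class.simpleName + ')' : 'not found'}"
```

With the assumed setup the first line prints `not found` and the second prints the credential ID. Inside a running build the same folder-aware resolution is available without naming the folder: `CredentialsProvider.findCredentialById(id, StandardCredentials.class, run)` resolves the ID from the build's parent job upwards, which is the per-job context the report asks the cloud to use instead of the global default.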


          Marco created issue
          Marco made changes:
          Summary Original: Dynamic credential injection New: Dynamic credential injection kubernetes cloud
          Marco made changes:
          Assignee New: Marco [ markri ]
          Marco made changes:
          Description Original: We use the Jenkins CloudBees Folders plugin to give each software team its own Jenkins space. They also store their own credentials in their folder scope. With the Kubernetes plugin we would like to give each software team its own configured cloud (locked to their folder).

          With the Kubernetes plugin the cloud configuration is stored globally. This is fine; however, the used credential ID must therefore also be in the global credential store. This means that scoped software teams could possibly read each other's credential IDs, which is not fine.

          We tried changing the credential ID (programmatically) to a folder-scoped credential; however, this is not allowed, as the routine assumes the credential is in the global credential store: [https://github.com/jenkinsci/kubernetes-plugin/blob/master/src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubernetesFactoryAdapter.java#L256]

          So it would be nice to store the cloud configuration without a credential (which is already possible) and then dynamically inject the credential on the spot using an extra property (in the declarative pipeline), something like this:


          {code:java}
          pipeline {
            agent {
              kubernetes {
                cloud 'team-a-cloud'
                credentialId 'team-a-credential-id'
                yamlFile 'KubernetesPod.yaml'
              }
            }
            // ... stages, etc
          }
          {code}

          So when "credentialId" is specified it would do a dynamic lookup (in the global AND folder-scoped credential stores), find it and use it instead.



           
          New: identical to the current description at the top of this issue.
          Marco made changes:
          Summary Original: Dynamic credential injection kubernetes cloud New: Folder credential injection in kubernetes cloud from declarative pipeline
