Valid Credentials are filtered out by the fix for JENKINS-76330


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Environment:
      Helm Chart Version/App Version:
      chaos-mesh-2.8.1/2.8.1
      jenkins-5.9.9/2.541.3
      vault-0.32.0/1.21.2

      Jenkins Plugins:
      cloudbees-bitbucket-branch-source:937.2.5
      hashicorp-vault-plugin:379.v080d932e61e4

      Multiple plugins extend Credentials with providers that allow storing credentials in external credential stores, e.g., Hashicorp Vault, AWS Secrets Manager, Kubernetes Secrets, etc. The list of the open-source ones is at https://www.jenkins.io/doc/developer/extensions/credentials/#credentialsprovider

      These generally require network requests to fetch the actual secrets. Since https://github.com/jenkinsci/bitbucket-branch-source-plugin/pull/1157 the default timeout after which a credential type is added to the deny list is 250 ms, so any network latency above 250 ms might result in valid credentials being removed from the dropdown until the controller is restarted.


      Rough steps I used to reproduce the issue in the test environment:

      1. Create a Kind cluster https://kind.sigs.k8s.io/docs/user/quick-start/
      2. Launch `cloud-provider-kind` to get Ingress and Gateway APIs https://kind.sigs.k8s.io/docs/user/ingress/
      3. Create namespaces: `jenkins`, `vault`, `chaos-mesh`
      4. Create a Gateway in the `jenkins` namespace using the attached `gateway.yaml`
      5. Install the `jenkins` Helm chart using the attached `jenkins-values.yaml` into the `jenkins` namespace
        1. Ensure Bitbucket Branch Source and HashiCorp Vault plugins are installed
        2. Create a handful of Credentials in the built-in store at the root and Folder level to have some local test credentials.
      6. Install the `vault` chart into the `vault` namespace using attached `vault-values.yaml`
        1. Ensure kv v2 secrets engine is enabled
        2. Add `jenkins/bitbucket` secret with a valid email and API token.
        3. Ensure the `approle` authentication method is enabled
        4. Add `jenkins` policy granting access to the secrets under the `jenkins/` prefix (see below)
        5. Use CLI/API to create a Jenkins role with the `jenkins` policy, https://developer.hashicorp.com/vault/docs/auth/approle
      7. Back on Jenkins
        1. Add "Vault App Role Credential" to the system credentials store using the Role ID and Secret ID from step 6.5
        2. In "Manage > System" configure "Vault URL" (e.g. `http://vault.vault.svc.cluster.local:8200`) and "Vault Credential" (credential from 7.1)
        3. Back in System Credential Store add "Vault Username-Password Credential". "Path" is `secret/jenkins/bitbucket`. The username and password keys are whatever was used in step 6.2
        4. Create an Organization Folder or Multibranch Pipeline using the credential from 7.3. Ensure that the scan and branch pipeline builds are successful.
      8. Install the `chaos-mesh` chart into the `chaos-mesh` namespace using the attached `chaos-mesh-values.yaml`, https://chaos-mesh.org/docs/production-installation-using-helm/
        1. `kubectl apply` the attached `chaos-experiment-network-delay.yaml`. It should add 300 ms of latency between Jenkins and Vault for 5 minutes
      9. Back on Jenkins, open the configuration of Organization Folder or Multibranch Pipeline
      10. Try creating a new Multibranch Pipeline or Organization Folder

      Expected: The HashiCorp Vault Bitbucket credential is shown in the existing item and available for the creation of a new item

      Actual: In the existing item, the "Credentials" field shows `- none -` and when the dropdown is opened, there are no Vault credentials. The scan and builds still work since `config.xml` retains the credential id until overwritten. In the new Organization Folder/Multibranch Pipeline configuration page the Vault credentials are not shown.


      Vault Policy example:

      // allow jenkins to read secrets
      path "secret/data/jenkins/*" {
        capabilities = [ "read", "list" ]
      } 


      The default timeout can be configured using an undocumented system property: `bitbucket.credentials.resolutionTimeout`.
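The following is an added illustration of the failure mode described above; it is not code from the Bitbucket Branch Source plugin or the HashiCorp Vault plugin. It models a credential lookup that runs each provider under a deadline and denylists any provider that misses it: the `local` provider answers instantly, while the constructed `vault` provider sleeps to stand in for a remote call whose latency depends on the network. With a deny list that never expires (the behaviour the report describes, cleared only by a restart), one latency spike hides the Vault credentials for good even after the network recovers; giving deny-list entries a TTL (an assumption here, not a documented plugin option) lets the provider be retried. Provider names, latencies and the TTL are all constructed for the example.

```python
"""Model of a timeout-gated credential-provider deny list (illustration only)."""
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import Callable, Dict, List, Optional, Tuple

Provider = Callable[[], List[str]]


def local_provider() -> List[str]:
    """Constructed stand-in for the built-in credentials store: no network."""
    return ["local-bitbucket-token"]


def make_remote_provider(latency_s: float) -> Provider:
    """Constructed stand-in for a remote store (e.g. Vault): sleeps to mimic
    a network round trip whose latency is injected per call."""
    def provider() -> List[str]:
        time.sleep(latency_s)
        return ["vault-bitbucket-token"]
    return provider


class DenyListingResolver:
    """Runs every provider under a deadline; a provider that misses it is
    denylisted. deny_ttl_s=None models a deny list that only clears on
    restart; a finite TTL (assumed here) lets the provider be retried."""

    def __init__(self, timeout_s: float = 0.25, deny_ttl_s: Optional[float] = None):
        self.timeout_s = timeout_s
        self.deny_ttl_s = deny_ttl_s
        self._denied: Dict[str, float] = {}  # provider name -> monotonic time denied
        self._pool = ThreadPoolExecutor(max_workers=4)

    def is_denied(self, name: str, now: float) -> bool:
        denied_at = self._denied.get(name)
        if denied_at is None:
            return False
        if self.deny_ttl_s is not None and now - denied_at >= self.deny_ttl_s:
            del self._denied[name]  # entry expired: give the provider another chance
            return False
        return True

    def resolve(self, providers: Dict[str, Provider]) -> List[str]:
        """Credential ids the dropdown would offer right now."""
        now = time.monotonic()
        found: List[str] = []
        for name, provider in providers.items():
            if self.is_denied(name, now):
                continue  # skipped without even trying: the reported symptom
            future = self._pool.submit(provider)
            try:
                found.extend(future.result(timeout=self.timeout_s))
            except FutureTimeout:
                self._denied[name] = now  # one slow answer is enough to be denylisted
        return found


def scenario(spike_latency_s: float, recovered_latency_s: float,
             deny_ttl_s: Optional[float] = None) -> Tuple[List[str], List[str]]:
    """Returns (ids during the latency spike, ids after the network recovers)."""
    resolver = DenyListingResolver(timeout_s=0.25, deny_ttl_s=deny_ttl_s)
    providers: Dict[str, Provider] = {
        "local": local_provider,
        "vault": make_remote_provider(spike_latency_s),
    }
    during_spike = resolver.resolve(providers)
    providers["vault"] = make_remote_provider(recovered_latency_s)  # network is fast again
    if deny_ttl_s is not None:
        time.sleep(deny_ttl_s)  # let the deny-list entry age out
    after_recovery = resolver.resolve(providers)
    return during_spike, after_recovery


if __name__ == "__main__":
    print("healthy network   :", scenario(0.01, 0.01))
    print("spike, no expiry  :", scenario(0.30, 0.01))
    print("spike, 0.1s TTL   :", scenario(0.30, 0.01, deny_ttl_s=0.1))
```

The middle scenario is the one the report reproduces with chaos-mesh: a single 300 ms round trip against a 250 ms deadline, and the `vault` entries stay out of the list on every later lookup although the provider now answers in 10 ms. Raising the timeout (the page's `bitbucket.credentials.resolutionTimeout` property) widens the deadline; expiring or re-probing deny-list entries is the other lever, since a network blip should degrade a lookup, not disable a credential store until restart.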

      Attachments:
        1. chaos-experiment-network-delay.yaml (0.4 kB, Denys Digtiar)
        2. chaos-mesh-values.yaml (0.3 kB, Denys Digtiar)
        3. gateway.yaml (0.2 kB, Denys Digtiar)
        4. jenkins-values.yaml (0.2 kB, Denys Digtiar)
        5. vault-values.yaml (0.3 kB, Denys Digtiar)

            Assignee:
            Nikolas Falco
            Reporter:
            Denys Digtiar