JENKINS-59247

"Fail if path is not found" property not working


      Plugin version: 2.5.0

       

      Even if the "Fail if path is not found" option is false, the pipeline fails whenever a path doesn't exist.

      java.lang.IllegalArgumentException: Vault Secret <REDACTED> at AWS_ACCESS_KEY_ID is either null or empty. Please check the Secret in Vault.
      	at com.datapipe.jenkins.vault.VaultBuildWrapper.provideEnvironmentVariablesFromVault(VaultBuildWrapper.java:152)
      	at com.datapipe.jenkins.vault.VaultBuildWrapper.setUp(VaultBuildWrapper.java:94)
      	at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Execution2.doStart(CoreWrapperStep.java:97)
      	at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at java.lang.Thread.run(Thread.java:748)
      Finished: FAILURE
      

       

      The logic is:

      if (StringUtils.isBlank(secret)) {
          throw new IllegalArgumentException("Vault Secret " + vaultKey + " at " + path + " is either null or empty. Please check the Secret in Vault.");
      }
      

      I didn't fully read the code, but my guess is that secrets are still being evaluated in that condition even if the path doesn't exist.

      I'd also like to propose an alternative to the "Fail" property:

      withVault(vaultSecrets: [[path: "$path", required: false, secretValues: [[vaultKey: 'AWS_IAM_ROLE', required: true]]]]) { echo "wassup" }
      

      In the example above, the Path isn't required BUT if it does exist, then the vaultKey is required. This idea comes from the Python library Cerberus.

      If a "path" isn't required and it doesn't exist, all of its "vaultKeys" should return an empty string. If a "vaultKey" isn't required and it doesn't exist, it should return an empty string.

      This gives much more granular control over the existence of secrets. Right now I have to use try{}catch(Exception e){} to validate if a secret exists...

       

      withVault(vaultSecrets: [[path: "$path", secretValues: [[vaultKey: 'AWS_ACCESS_KEY_ID'], [vaultKey: 'AWS_SECRET_ACCESS_KEY']]]]) {
        def iam_role = null
        try {
          // Probe for the optional key; the plugin throws if it is missing or blank.
          steps.withVault(vaultSecrets: [[path: path, secretValues: [[vaultKey: 'AWS_IAM_ROLE']]]]) {
            iam_role = env.AWS_IAM_ROLE
          }
        } catch (IllegalArgumentException e) {
          echo "Path $path doesn't have an AWS_IAM_ROLE"
        }
        // env.AWS_IAM_ROLE is only set inside the inner withVault block, so use the captured value.
        steps.withAws(role: iam_role, role_session_name: env.JOB_NAME.replaceAll("/", "_")) {
          echo "wassup"
        }
      }
       

            jetersen Joseph Petersen
            apineros Andres Pineros
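The required/optional semantics proposed in the issue above, as an added example that is not part of the original report or the plugin's code. `OptionalSecretResolver`, `KeySpec` and the in-memory `vault` map are hypothetical names standing in for a Vault lookup; it assumes Java 16 or later.

```java
import java.util.*;

// Added example: models the path/key "required" semantics proposed in this issue.
// All class and method names here are hypothetical, not part of the Vault plugin.
public class OptionalSecretResolver {
    record KeySpec(String vaultKey, boolean required) {}

    // vault maps path -> (key -> value); a non-existent path is absent from the map.
    static Map<String, String> resolve(Map<String, Map<String, String>> vault,
            String path, boolean pathRequired, List<KeySpec> keys) {
        Map<String, String> env = new LinkedHashMap<>();
        Map<String, String> data = vault.get(path);
        if (data == null) {
            if (pathRequired) {
                throw new IllegalArgumentException("Vault path " + path + " not found");
            }
            // Optional path that does not exist: every key resolves to an empty string.
            for (KeySpec k : keys) env.put(k.vaultKey(), "");
            return env;
        }
        for (KeySpec k : keys) {
            String value = data.get(k.vaultKey());
            boolean blank = value == null || value.isBlank();
            if (blank && k.required()) {
                // The path exists, so a required key must be present: fail closed.
                throw new IllegalArgumentException("Vault Secret " + k.vaultKey()
                        + " at " + path + " is either null or empty.");
            }
            env.put(k.vaultKey(), blank ? "" : value);
        }
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample data, not real secrets.
        Map<String, Map<String, String>> vault =
                Map.of("secret/team-a", Map.of("AWS_ACCESS_KEY_ID", "constructed-key-id"));
        List<KeySpec> role = List.of(new KeySpec("AWS_IAM_ROLE", true));
        System.out.println(resolve(vault, "secret/missing", false, role));
        System.out.println(resolve(vault, "secret/team-a", false,
                List.of(new KeySpec("AWS_IAM_ROLE", false))));
        try {
            resolve(vault, "secret/team-a", false, role); // required key on existing path
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Keeping the required-key case as a hard failure means a misconfigured secret still stops the build, while callers that opt in to optional keys must treat an empty string as "no credential" rather than passing it on.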