feat: add merge support for casc defined system credentials
Enables support for merging casc defined credentials with existing credentials (i.e. manually created).
In some environments it is desirable to define some credentials declaratively while also being able to define credentials through the UI (which would otherwise be defined in plain text or in an encoded format that could be easily transferable).
One such example is mixing vault credentials defined in casc config with those defined directly through Jenkins. In the casc example below it is assumed that the vault-approle credential was created through the Jenkins UI. Currently this is not possible since the casc system credentials will remove all non-casc defined credentials on restart.
```yaml
unclassified:
  hashicorpVault:
    configuration:
      vaultCredentialId: "vault-approle"
      vaultUrl: "https://myvault.mycorp.net"
credentials:
  system:
    domainCredentials:
      - credentials:
          - vaultUsernamePasswordCredentialImpl:
              description: "vault managed credential"
              id: "my-vault-cred"
              path: "kv/jenkins"
              scope: GLOBAL
```
To enable merging behavior set the env var `CASC_CREDENTIALS_MERGE_STRATEGY=merge` or the system property `-Dcasc.credentials.merge.strategy=merge`.

Fixes JENKINS-64079
- [x] Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
- [x] Ensure that the pull request title represents the desired changelog entry
- [ ] Please describe what you did
- [x] Link to relevant issues in GitHub or Jira
- [x] Link to relevant pull requests, esp. upstream and downstream changes
- [ ] Ensure you have provided tests that demonstrate the feature works or fixes the issue
If I understand this correctly it means you can only ever add or update credentials via CasC. If you added one via CasC it can only be removed via the UI (as once persisted there is no way to tell the difference)?
> Currently this is not possible since the casc system credentials will remove all non-casc defined credentials on restart.
That is kind of the point of CasC though, you are managing your instance via code - not via the UI?
I agree the behavior introduced is not in the true spirit of CasC being the source of config. If the merge strategy is configured then it would require manual removal of credentials that were added via CasC.
In our Jenkins deployments we are trying to get teams to transition to vault credentials configured via CasC. Some credentials would be manually created while others are defined in CasC during this transition. We would accept the extra work of having to manually remove items no longer defined in CasC.
Would something like a CasC specific CredentialStore implementation be a better solution? I'm thinking along the lines of something similar to KubernetesCredentialStore. This would mean:
- `cascCredentials` could not be added/removed/updated via the UI
- Removed items in `cascCredentials` would be reflected without manual intervention
- Credentials added via the UI would not be impacted since they would be managed under `domainCredentials`
```yaml
credentials:
  system:
    domainCredentials:
      - credentials:
          - usernamePasswordCredential: {id: foo}
    cascCredentials:
      - credentials:
          - usernamePasswordCredential: {id: bar}
```
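To make the trade-off in the two comments above concrete, here is an added model (not code from the configuration-as-code plugin) of the three reconciliation behaviours discussed: the current replace behaviour, the proposed `merge` strategy, and the separate `cascCredentials` store. Credential stores are modelled as plain `id -> attributes` dicts and the sample credentials are constructed for this illustration.

```python
"""Model of how a restart reconciles existing credentials with casc.yaml.

Added illustration, not the plugin's implementation. A store is a dict of
credential id -> attributes; only the ids and one attribute matter here.
"""
from typing import Dict

Cred = Dict[str, str]
Store = Dict[str, Cred]


def reconcile(existing: Store, casc: Store, strategy: str) -> Store:
    """Return the system store after CasC is applied.

    "replace": current behaviour, only CasC-defined ids survive the restart.
    "merge":   the proposed CASC_CREDENTIALS_MERGE_STRATEGY=merge; CasC ids
               are added or updated, but nothing is ever removed, so an id
               dropped from casc.yaml lingers until someone deletes it by hand.
    """
    if strategy == "replace":
        return dict(casc)
    if strategy == "merge":
        merged = dict(existing)
        merged.update(casc)  # CasC wins on conflicting ids
        return merged
    raise ValueError(f"unknown strategy {strategy!r}")


def reconcile_split(ui_store: Store, casc: Store) -> Dict[str, Store]:
    """Reviewer's alternative: CasC owns its own store (``cascCredentials``).

    UI-created entries in ``domainCredentials`` are never touched, while the
    casc store is rebuilt from casc.yaml, so removals propagate automatically.
    """
    return {"domainCredentials": dict(ui_store), "cascCredentials": dict(casc)}


# Constructed sample state before restart: "vault-approle" was created in the
# UI, "my-vault-cred" came from an earlier CasC apply, "old-token" was since
# dropped from casc.yaml. The new casc.yaml also changes my-vault-cred's path.
EXISTING: Store = {
    "vault-approle": {"origin": "ui"},
    "my-vault-cred": {"origin": "casc", "path": "kv/jenkins"},
    "old-token": {"origin": "casc"},
}
CASC: Store = {"my-vault-cred": {"origin": "casc", "path": "kv/jenkins-v2"}}

if __name__ == "__main__":
    for s in ("replace", "merge"):
        print(s, sorted(reconcile(EXISTING, CASC, s)))
    print("split", reconcile_split({"vault-approle": EXISTING["vault-approle"]}, CASC))
```

Under `replace` the UI-created `vault-approle` is lost; under `merge` it survives but so does the stale `old-token`; the split store keeps `vault-approle` and drops `old-token` without manual cleanup.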
Hello, we want to use the credentials plugin with a casc declaration in order to specify the default credentials of a Jenkins instance. And we need to keep the ability for users to also add credentials in the global system creds. For this reason, we need this feature to be added to the next release if possible? We need to have this option to merge credentials defined by casc and credentials defined by the UI.
This PR will not be merged as is given the outstanding comments (use of a property or env var).
If this is blocking you then feel free to create an updated PR based on this.