folder-scoped approle is not utilized when retrieving folder-scoped credentials

[aajimal]

Observed:
When a folder is configured to use a specific approle (different from the globally configured approle) the credentials which are also scoped to the folder (used for SCM checkout) are retrieved through the global approle instead of the one which the folder is configured to use.

To reproduce:

1. Create a new folder in jenkins with approle credential inside this folder along with vault credentials (e.g. vault string credential)
2. Configure folder property to use this new approle (and not the global approle)
3. Create new pipeline (with bitbucket/github scm) which uses vault credentials + approle from this folder
4. Observe error (such as: FAILED to retrieve username key: java.lang.RuntimeException: com.datapipe.jenkins.vault.exception.VaultPluginException: Key folder_specific_key could not be found in path secret/folder/credentials

This seems to prevent the ability to use per-folder approle / credentials for pipeline checkouts.

[zubcevic]

I have this issue as well. I want to use a Jenkins controller with only a global vault id for retrieving elements that are allowed to be accessed by anyone. For instance the retrieval of Jenkins Templating Engine libraries. But all folder or job specific configuration will have its own authorised access groups. So I would like to use the vault id (approle) for retrieving the job specific secrets. Especially necessary for centrally managed Jenkins controllers. But the documentation suggests that the expected behaviour is that the vault url and id of the job scope should overrule the global scope when retrieving job specific secrets.

[aajimal]

@zubcevic Right. It seems that the plugin would need to implement CredentialProvider which is logged as issue 110 (here) in order to provide this.

One alternative might be to have multiple jenkins masters/controllers and then move folders to be at the root per each master instance. Seems a little bit too cumbersome that way but that could work.

The underlying problem seems to be that the folder/job level vault creds can only be retrieved inside of a pipeline execution instead of being used as part of its configuration. So you just can't use folder/job creds to pull the Jenkinsfile itself but you can use folder/job creds while the Jenkinsfile is executing.

[zubcevic]

I agree we need the same kind of solution as for aws and azure secrets.
For migration purposes I would just like to be able to replace all secrets by vault secret references and just add a vault configuration per folder. So all jobs and pipeline jobs could still run without any changes.

[jetersen]

The problem is we have two ways of accessing vault secrets during a build, one is folder aware the other is not.

VaultHelper is NOT folder aware
While VaultBuildWrapper is folder aware.

The problem is those calling into VaultHelper ie. AbstractVaultBaseStandardCredentials is being called directly without making the Run aware so it can either discover the Job or Folder above.
If you take a look at how VaultBuildWrapper resolves Vault Configuration as it will attempt to resolve config from Run to Folder to Global Config.

hashicorp-vault-plugin/src/main/java/com/datapipe/jenkins/vault/VaultBuildWrapper.java

Lines 237 to 250 in 005818d

	private void pullAndMergeConfiguration(Run<?, ?> build) {
	for (VaultConfigResolver resolver : ExtensionList.lookup(VaultConfigResolver.class)) {
	if (configuration != null) {
	configuration = configuration.mergeWithParent(resolver.forJob(build.getParent()));
	} else {
	configuration = resolver.forJob(build.getParent());
	}
	}
	if (configuration == null) {
	throw new VaultPluginException(
	"No configuration found - please configure the VaultPlugin.");
	}
	configuration.fixDefaults();
	}

Although I agree this plugin would be better implemented as a CredentialProvider and should ideally have singular way of access vault with the required context.

[hchakroun]

Hi guys,
I worked on this issue lately and I fixed all those unexpected behaviours, I would like to know how can I get a token to push my modifications to this repository, so one of you guys can review my pull request.

@jetersen can you help me on that ?

Thanks,

[jetersen]

@hchakrouun You don't need permission to this repo.

You will fork the repo and submit a pull request.

https://docs.github.com/en/get-started/quickstart/contributing-to-projects

[hchakroun]

Thank you @jetersen
The pull request was created #195