Azure Key Vault using JCaSC configuration fails to initialize unset variables using :- method #100

Open
bnfbiz opened this issue Nov 4, 2021 · 2 comments
Labels
bug Something isn't working

bnfbiz commented Nov 4, 2021

Version report

Jenkins and plugins versions report:

Jenkins: 2.289.3
OS: Linux - 4.19.128-microsoft-standard
---
Office-365-Connector:4.15.0
ace-editor:1.1
active-directory:2.24
allure-jenkins-plugin:2.29.0
ansicolor:1.0.0
ant:1.11
antisamy-markup-formatter:2.1
apache-httpcomponents-client-4-api:4.5.13-1.0
artifactdeployer:1.2
artifactory:3.12.5
authentication-tokens:1.4
authorize-project:1.4.0
azure-commons:1.1.3
azure-credentials:198.vf9c2fdfde55c
azure-keyvault:126.v4dff96057a47
azure-sdk:61.v6a8af1f5f5b6
badge:1.8
blueocean:1.24.8
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.24.8
blueocean-commons:1.24.8
blueocean-config:1.24.8
blueocean-core-js:1.24.8
blueocean-dashboard:1.24.8
blueocean-display-url:2.4.1
blueocean-events:1.24.8
blueocean-git-pipeline:1.24.8
blueocean-github-pipeline:1.24.8
blueocean-i18n:1.24.8
blueocean-jira:1.24.8
blueocean-jwt:1.24.8
blueocean-personalization:1.24.8
blueocean-pipeline-api-impl:1.24.8
blueocean-pipeline-editor:1.24.8
blueocean-pipeline-scm-api:1.24.8
blueocean-rest:1.24.8
blueocean-rest-impl:1.24.8
blueocean-web:1.24.8
bootstrap4-api:4.6.0-3
bootstrap5-api:5.0.2-1
bouncycastle-api:2.25
branch-api:2.7.0
build-name-setter:2.2.0
build-timeout:1.20
build-timestamp:1.0.3
build-user-vars-plugin:1.7
build-with-parameters:1.5.1
built-on-column:1.1
caffeine-api:2.9.2-29.v717aac953ff3
categorized-view:1.12
changes-since-last-success:0.6
checks-api:1.7.2
claim:2.18.2
clearcase:1.6.8
clone-workspace-scm:0.6
cloudbees-bitbucket-branch-source:2.9.10
cloudbees-folder:6.16
cobertura:1.16
code-coverage-api:1.4.0
command-launcher:1.6
compact-columns:1.13
conditional-buildstep:1.4.1
config-file-provider:3.8.1
configuration-as-code:1.54
configuration-as-code-groovy:1.1
configurationslicing:1.52
configure-job-column-plugin:1.0
copyartifact:1.46.1
credentials:2.6.1
credentials-binding:1.27
dashboard-view:2.17
data-tables-api:1.10.25-2
description-setter:1.10
display-url-api:2.3.5
docker-commons:1.17
docker-workflow:1.26
doxygen:0.18
dtkit-api:3.0.0
durable-task:1.39
echarts-api:5.1.2-3
email-ext:2.83
envinject:2.4.0
envinject-api:1.7
extended-choice-parameter:0.82
external-monitor-job:1.7
extra-columns:1.24
favorite:2.3.3
font-awesome-api:5.15.3-4
forensics-api:1.2.1
git:4.10.0
git-client:3.10.0
git-server:1.10
github:1.33.1
github-api:1.123
github-branch-source:2.11.2
gitlab-api:1.0.6
gitlab-branch-source:1.5.9
gitlab-plugin:1.5.20
gradle:1.37.1
greenballs:1.15.1
groovy:2.4
groovy-postbuild:2.5
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
heavy-job:1.1
htmlpublisher:1.25
ivy:2.1
jackson2-api:2.13.0-230.v59243c64b0a5
javadoc:1.6
jdk-tool:1.5
jenkins-design-language:1.24.8
jira:3.5
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.77
jobConfigHistory:2.28.1
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.6.0-2
jsch:0.1.55.2
jslint:0.8.2
junit:1.51
kubernetes:1.30.1
kubernetes-cd:2.3.1
kubernetes-client-api:5.4.1
kubernetes-credentials:0.9.0
ldap:2.7
locale:1.4
lockable-resources:2.11
log-parser:2.1
mailer:1.34
mapdb-api:1.0.9.0
matrix-auth:2.6.8
matrix-project:1.19
maven-plugin:3.12
mercurial:2.15
metrics:4.0.2.8
momentjs:1.1.1
mstest:1.0.0
naginator:1.18.1
nested-view:1.20
next-executions:1.0.15
nodelabelparameter:1.9.0
nodenamecolumn:1.2
okhttp-api:3.14.9
pam-auth:1.6
parameter-separator:1.3
parameterized-trigger:2.41
pipeline-build-step:2.14
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.1
pipeline-model-definition:1.9.1
pipeline-model-extensions:1.9.1
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.1
pipeline-stage-view:2.19
pipeline-utility-steps:2.8.0
plain-credentials:1.7
plot:2.1.9
plugin-util-api:2.4.0
popper-api:1.16.1-2
popper2-api:2.5.4-3
powershell:1.5
preSCMbuildstep:0.3
progress-bar-column-plugin:1.0
project-description-setter:1.2
project-health-report:1.2
prometheus:2.0.6
promoted-builds:3.10
publish-over:0.22
publish-over-ssh:1.22
pubsub-light:1.16
python:1.3
rebuild:1.32
resource-disposer:0.16
role-strategy:3.2.0
run-condition:1.5
saferestart:0.3
saml:2.0.7
schedule-build:0.5.1
scm-api:2.6.5
script-security:1.78
sectioned-view:1.25
sidebar-link:1.12.0
simple-theme-plugin:0.7
slave-setup:1.10
snakeyaml-api:1.29.1
sse-gateway:1.24
ssh:2.6.1
ssh-agent:1.23
ssh-credentials:1.19
ssh-slaves:1.32.0
sshd:3.1.0
structs:1.23
subversion:2.14.4
summary_report:1.15
swarm:3.28
test-results-analyzer:0.3.5
test-stability:2.3
throttle-concurrents:2.3
timestamper:1.13
token-macro:266.v44a80cf277fd
trilead-api:1.0.13
uno-choice:2.5.6
validating-string-parameter:2.8
variant:1.4
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:2.47
workflow-basic-steps:2.23
workflow-cps:2.93
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.39
workflow-job:2.42
workflow-multibranch:2.26
workflow-remote-loader:1.5
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
ws-cleanup:0.39
xunit:3.0.2
  • What Operating System are you using (both controller, and any agents involved in the problem)?
OS: Linux - 4.19.128-microsoft-standard

Reproduction steps

  • Create JCaSC environment using Azure Key Vault as security provider
  • Use an environment variable that is not initialized but as per JCaSC set a default (see example snippet) (Jenkins Passing Secrets through variables):
globalNodeProperties:
    - envVars:
        # Unset these environment variables as they may contain the secret
        env:
          - key: MYTAG
            value: "${IMAGE_TAG:-tf-v0.14}"

NOTE: The ":-" for setting a default

  • Redeploy Jenkins using the updated JCaSC configuration

Results

Expected result:

In the example above, the environment variable MYTAG would be set with the value "tf-v0.14", as IMAGE_TAG is not set via the environment or via Azure Key Vault.

Actual result:

Jenkins stops with a Java stack trace that contains:

2021-11-04 15:33:53.106+0000 [id=48]    WARNING c.a.c.util.logging.ClientLogger#performLogging: Failed to get secret - IMAGE_TAG
...
com.azure.core.exception.HttpResponseException: Status code 400, "{"error":{"code":"BadParameter","message":"The request URI contains an invalid name: IMAGE_TAG"}}"
@bnfbiz bnfbiz added the bug Something isn't working label Nov 4, 2021
@CzapBran
Contributor

@bnfbiz The bug comes from the actual API call to the Keyvault. Underscores are not valid query parameter characters in the AKV API. Try this with a hyphen.

@blfarrel

@CzapBran but this variable doesn't need to come from Azure; it could come from the environment. In this case, since it isn't from Azure, it should not cause an error and should allow the expansion to happen correctly.

It should be set to tf-v0.14 as in the example from above:

 "${IMAGE_TAG:-tf-v0.14}"
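
An added example (not from this issue thread or the plugin's code) of the behaviour requested above: a name that cannot be a Key Vault secret name is treated as "not found", so the `:-` default still applies. `Source`, `guarded` and `expand` are hypothetical names, the vault is a constructed stand-in, and the name pattern assumes Key Vault's rule of 1-127 alphanumerics and hyphens.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration; class and method names are hypothetical, not the plugin's code.
public class SecretFallbackDemo {
    /** A secret source returns empty when it has no value for the name. */
    interface Source { Optional<String> reveal(String name); }

    // Assumed Key Vault naming rule: 1-127 characters, alphanumerics and hyphens only.
    static final Pattern VAULT_NAME = Pattern.compile("[0-9A-Za-z-]{1,127}");
    static final Pattern EXPR = Pattern.compile("\\$\\{([^}:]+)(?::-([^}]*))?\\}");

    /** Wraps a vault lookup so names the vault cannot hold are "not found", not an error. */
    static Source guarded(Source vault) {
        return name -> VAULT_NAME.matcher(name).matches() ? vault.reveal(name) : Optional.empty();
    }

    /** Expands ${NAME} and ${NAME:-default} against the sources, in order. */
    static String expand(String text, List<Source> sources) {
        Matcher m = EXPR.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String name = m.group(1), fallback = m.group(2);
            String value = sources.stream()
                .map(s -> s.reveal(name))
                .flatMap(Optional::stream)
                .findFirst()
                .orElse(fallback);           // null when no source and no default
            if (value == null) throw new IllegalStateException("Unresolved: " + name);
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        Map<String, String> env = Map.of();  // constructed: IMAGE_TAG is not set
        Source environment = n -> Optional.ofNullable(env.get(n));
        // Constructed stand-in for the vault client: rejects names it cannot store.
        Source vault = n -> {
            if (!VAULT_NAME.matcher(n).matches())
                throw new IllegalArgumentException("The request URI contains an invalid name: " + n);
            return Optional.empty();
        };
        String expr = "${IMAGE_TAG:-tf-v0.14}";
        System.out.println(expand(expr, List.of(environment, guarded(vault))));
        try { expand(expr, List.of(environment, vault)); }  // unguarded lookup fails
        catch (IllegalArgumentException e) { System.out.println("unguarded: " + e.getMessage()); }
    }
}
```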
