SecretResolver support file and base64 variable expansion #1408
plugin/src/main/java/io/jenkins/plugins/casc/SecretSourceResolver.java
Codecov Report
@@ Coverage Diff @@
## master #1408 +/- ##
============================================
+ Coverage 80.66% 81.02% +0.35%
- Complexity 811 812 +1
============================================
Files 66 66
Lines 2333 2361 +28
Branches 329 329
============================================
+ Hits 1882 1913 +31
+ Misses 351 349 -2
+ Partials 100 99 -1
|
public String lookup(final String key) { | ||
if (key == null) { | ||
return null; | ||
} | ||
public String lookup(@NonNull final String key) { |
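Review bot: `@NonNull` on the `key` parameter of `lookup` is a static-analysis hint and does nothing at runtime, yet the `if (key == null) { return null; }` guard shown above it appears to be the code being replaced. If the guard goes, a null key from a caller that ignores the annotation reaches the lookup body unchecked. Either keep the guard or fail fast with `Objects.requireNonNull(key, "key")` at the top of the method, and state in the Javadoc which of the two the method now does.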
This might interest the kubernetes Jenkins helm chart and Jenkins operator maintainers:
@@ -21,7 +21,7 @@ | |||
private Deprecation deprecation = Deprecation.reject; | |||
private Restriction restriction = Restriction.reject; | |||
private Unknown unknown = Unknown.reject; | |||
private final int yamlMaxAliasesForCollections; | |||
private transient final int yamlMaxAliasesForCollections; |
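Review bot: `yamlMaxAliasesForCollections` declared `transient final` will read as 0 on any instance restored by Java deserialization, because the constructor does not run and a final field cannot be reassigned in `readResolve`. If instances of this class are never deserialized, say so in a comment on the field; otherwise drop `final` and restore the value in `readResolve`. The conventional modifier order is also `private final transient`.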
Should have been transient since it should not be serialized 😓
private final StringSubstitutor nullSubstitutor; | ||
private final StringSubstitutor substitutor; | ||
|
||
public SecretSourceResolver(ConfigurationContext configurationContext) { |
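Review bot: the fields `nullSubstitutor` and `substitutor` at the top of this hunk have names that do not say how they differ, and no Javadoc is visible on the public `SecretSourceResolver(ConfigurationContext configurationContext)` constructor. A one-line comment on each field and a short Javadoc on the constructor would make it clear which substitutor handles which case and that a resolver instance is now tied to one `ConfigurationContext`.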
Made the class non-static to reduce memory footprint of the StringSubstitutor
when JCasC is not actively using them.
/** | ||
* Resolve string with potential secrets | ||
* | ||
* @param context Configuration context | ||
* @param toInterpolate potential variables that need to revealed | ||
* @return original string with any secrets that could be resolved if secrets could not be | ||
* resolved they will be defaulted to default value defined by ':-', otherwise default to empty | ||
* String secrets are defined as anything enclosed by '${}' | ||
* @since 1.42 | ||
* @deprecated use ${link {@link #resolve(String)}} instead. | ||
*/ | ||
@Deprecated | ||
public static String resolve(ConfigurationContext context, String toInterpolate) { | ||
return substitutor(context).replace(toInterpolate); | ||
return context.getSecretSourceResolver().resolve(toInterpolate); | ||
} |
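Review bot: the `@deprecated` tag in this Javadoc reads `use ${link {@link #resolve(String)}} instead`, so the stray `${link` and the extra `}` will render literally; it should be `@deprecated use {@link #resolve(String)} instead.` The delegating body `context.getSecretSourceResolver().resolve(toInterpolate)` also dereferences `context` without a check, so either document that `context` must be non-null or guard it. Minor: "need to revealed" in the `@param toInterpolate` line should be "need to be revealed".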
Could potentially remove this as usually this is only called directly from test packages in other plugins, i.e. HashiCorp Vault plugin.
Depends if we are okay with yet another breakage 😆
You could restrict it so when they upgrade they are forced to migrate to the new method?
Good point
@jetersen, Cool, thanks for looking into this! Since the "lookup token" is inside the curly brackets, can
@olivergondza not sure I entirely understand the question. Most people I've seen have been using variable names such as that case is very unlikely as it would have to be Yes you can have a case of
I added a benchmark which revealed some nice performance increases. FYI this speed increase is definitely noticeable when loading configuration. 👏 I will not be adding the benchmark to the CI runs just yet and the current benchmark only provides value for SecretSourceResolver.
Co-authored-by: Victor Martinez <victormartinezrubio@gmail.com>
Hmm I discovered that So perhaps we could settle for two I am tempted to combine it to one to reduce confusion even more. Then inside the Yeah to avoid any confusion I think a singular Right now we are just trying to make the credential experience better!
Now that I think about it and started making the code change... I thought about the user experience 😆 Users would get unexpected secret results when files were not found since they would suddenly have secrets with file path in base64.
As our Lines 20 to 40 in dcd748d
@jetersen is there anything left to do on this?
Any idea how long is left on this one?
@timja after rethinking the issue. I think I want to reduce the complexity by having more complex logic that detects whether
@prom3theu5 which part? the base64 encoding?
after making the code changes... nothing but errors would occur on so many levels... What is a valid path? is it a readable file? Do we log it?.... ARGH
@timja I think this is ready we can always improve it.
Yes - base64 encoding, file support not so much right now
@jetersen, when can I get this commit as a release, since I am using jenkins operator, where the base plugins can't be added manually, and casc is a base plugin? We can only specify the plugin versions.
You should be able to point plugins to a url as far as I know.
@sarabesh in any case it is now released with v1.42 :)
@jetersen, thanks!
This enables nested variable expansion with included file and base64 encoding support.
If someone could argue for why we should add more String lookups I'd like to understand the use case.
Syntax is as follows:
fixes #1219
fixes #909