@chriskilding chriskilding commented Jan 31, 2023

Add support for folders.

This enables a couple of use cases including:

  • Multi-tenancy via per-folder configuration
  • Hierarchical configuration

Implements #261

To do

  • Configuration (get it to show up at folder-level)
  • Hierarchical configuration merging
  • Connect configuration to the CredentialsProvider (show the right credentials in the right places with domains)
  • Docs
  • Tests

@chriskilding
Contributor Author

So far I've tried adapting the FolderVaultConfiguration class from the Vault plugin into this plugin. Unfortunately it does not show up in the per-folder configuration screen, so something's not quite right.

@edwardprzeniczny

@chriskilding
Contributor Author

Yep - nice catch, it did indeed need a jelly.config for the FolderPluginConfiguration. It shows up in the folder config screen now.

@chriskilding
Contributor Author

Next step is to get a configuration test in. Testing the CasC pathway is usually easier than testing the Web config UI pathway. Might you happen to know how to do folders configuration via CasC? (I didn't see an example in the Vault plugin)

@edwardprzeniczny

Maybe something like this?

jobs:
    - script: >
        folder('Folder') {
            description('This Folder is configured as code')
            properties {}
        }

@chriskilding
Contributor Author

Yep that worked. The properties bit doesn't have any methods on it so I had to use the weird it syntax that modifies its XML representation instead.

There are a few questions to work out in the code for that, as you can see in the diffs.

@chriskilding
Contributor Author

There is also the consideration that this ends up embedding the CloudBees Folders Plugin at a fairly fundamental level; I hope it could be made an optional dependency, but I'm not sure it can be.

This might be a problem because there is also an enterprise version of the folders plugin (the code is proprietary), and the current approach wouldn't work with that.

@chriskilding
Contributor Author

Okay, some ideas for working around the above problems...

The idea is to create a new plugin which inherits from this one, which will offer a folder-scoped version of the Secrets Manager credentials provider (using the OSS cloudbees-folders-plugin).

The dependency hierarchy would look like

io.jenkins.plugins:aws-secrets-manager-credentials-provider
\- io.jenkins.plugins:aws-secrets-manager-credentials-provider-folders

This ensures that:

  • The base Secrets Manager plugin does not incur a dependency on the OSS folders plugin. This leaves the door open to do Jenkins multi-tenancy using some other mechanism (e.g. the enterprise version of the folders plugin), if it turns out that the OSS folders plugin is not suitable in all cases.
  • The base Secrets Manager plugin does not have to wrangle the increased complexity brought by folder-scoped credentials.

Initially, this approach supports 2 use cases:

  • Global credentials (what you get by installing the Secrets Manager plugin today)
  • Global + Folder credentials (base plugin loads credentials into the global context, folder-scoped extension plugin loads them into per-folder contexts using per-folder config)

Additionally, with a little alteration, this approach would support what I'll call a strict multi-tenant mode, where there are no global credentials loaded from Secrets Manager. Instead, only folder-scoped credentials would be loaded.

In this case, the dependency hierarchy would look like:

io.jenkins.plugins:lib-aws-secrets-manager-credentials-provider            # shared code
\- io.jenkins.plugins:aws-secrets-manager-credentials-provider             # current plugin
\- io.jenkins.plugins:aws-secrets-manager-credentials-provider-folders     # folders extension plugin

If a Jenkins admin wanted only global credentials, they would install just the current plugin.
If they wanted only folder-scoped credentials, they would install just the folders extension plugin.
If they wanted both global and folder-scoped credentials, they would install both plugins.


I'll upload the plugin I've been working on to a separate repo soon. It's very experimental for the moment, but hopefully a starting point.

@chriskilding
Contributor Author

Here it is...

https://github.com/chriskilding/aws-secrets-manager-credentials-provider-folders-plugin

Note that you'll need to use the initial-dev branch for now.
