jenkinsci / azure-keyvault-plugin

Jenkins plugin for Azure Keyvault
https://plugins.jenkins.io/azure-keyvault/
MIT License

Azure Key Vault using JCaSC configuration fails to initialize unset variables using :- method #100

Open bnfbiz opened 2 years ago

bnfbiz commented 2 years ago

Version report

Jenkins and plugins versions report:

Jenkins: 2.289.3
OS: Linux - 4.19.128-microsoft-standard
---
Office-365-Connector:4.15.0
ace-editor:1.1
active-directory:2.24
allure-jenkins-plugin:2.29.0
ansicolor:1.0.0
ant:1.11
antisamy-markup-formatter:2.1
apache-httpcomponents-client-4-api:4.5.13-1.0
artifactdeployer:1.2
artifactory:3.12.5
authentication-tokens:1.4
authorize-project:1.4.0
azure-commons:1.1.3
azure-credentials:198.vf9c2fdfde55c
azure-keyvault:126.v4dff96057a47
azure-sdk:61.v6a8af1f5f5b6
badge:1.8
blueocean:1.24.8
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.24.8
blueocean-commons:1.24.8
blueocean-config:1.24.8
blueocean-core-js:1.24.8
blueocean-dashboard:1.24.8
blueocean-display-url:2.4.1
blueocean-events:1.24.8
blueocean-git-pipeline:1.24.8
blueocean-github-pipeline:1.24.8
blueocean-i18n:1.24.8
blueocean-jira:1.24.8
blueocean-jwt:1.24.8
blueocean-personalization:1.24.8
blueocean-pipeline-api-impl:1.24.8
blueocean-pipeline-editor:1.24.8
blueocean-pipeline-scm-api:1.24.8
blueocean-rest:1.24.8
blueocean-rest-impl:1.24.8
blueocean-web:1.24.8
bootstrap4-api:4.6.0-3
bootstrap5-api:5.0.2-1
bouncycastle-api:2.25
branch-api:2.7.0
build-name-setter:2.2.0
build-timeout:1.20
build-timestamp:1.0.3
build-user-vars-plugin:1.7
build-with-parameters:1.5.1
built-on-column:1.1
caffeine-api:2.9.2-29.v717aac953ff3
categorized-view:1.12
changes-since-last-success:0.6
checks-api:1.7.2
claim:2.18.2
clearcase:1.6.8
clone-workspace-scm:0.6
cloudbees-bitbucket-branch-source:2.9.10
cloudbees-folder:6.16
cobertura:1.16
code-coverage-api:1.4.0
command-launcher:1.6
compact-columns:1.13
conditional-buildstep:1.4.1
config-file-provider:3.8.1
configuration-as-code:1.54
configuration-as-code-groovy:1.1
configurationslicing:1.52
configure-job-column-plugin:1.0
copyartifact:1.46.1
credentials:2.6.1
credentials-binding:1.27
dashboard-view:2.17
data-tables-api:1.10.25-2
description-setter:1.10
display-url-api:2.3.5
docker-commons:1.17
docker-workflow:1.26
doxygen:0.18
dtkit-api:3.0.0
durable-task:1.39
echarts-api:5.1.2-3
email-ext:2.83
envinject:2.4.0
envinject-api:1.7
extended-choice-parameter:0.82
external-monitor-job:1.7
extra-columns:1.24
favorite:2.3.3
font-awesome-api:5.15.3-4
forensics-api:1.2.1
git:4.10.0
git-client:3.10.0
git-server:1.10
github:1.33.1
github-api:1.123
github-branch-source:2.11.2
gitlab-api:1.0.6
gitlab-branch-source:1.5.9
gitlab-plugin:1.5.20
gradle:1.37.1
greenballs:1.15.1
groovy:2.4
groovy-postbuild:2.5
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-1.0
heavy-job:1.1
htmlpublisher:1.25
ivy:2.1
jackson2-api:2.13.0-230.v59243c64b0a5
javadoc:1.6
jdk-tool:1.5
jenkins-design-language:1.24.8
jira:3.5
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.77
jobConfigHistory:2.28.1
jquery:1.12.4-1
jquery-detached:1.2.1
jquery3-api:3.6.0-2
jsch:0.1.55.2
jslint:0.8.2
junit:1.51
kubernetes:1.30.1
kubernetes-cd:2.3.1
kubernetes-client-api:5.4.1
kubernetes-credentials:0.9.0
ldap:2.7
locale:1.4
lockable-resources:2.11
log-parser:2.1
mailer:1.34
mapdb-api:1.0.9.0
matrix-auth:2.6.8
matrix-project:1.19
maven-plugin:3.12
mercurial:2.15
metrics:4.0.2.8
momentjs:1.1.1
mstest:1.0.0
naginator:1.18.1
nested-view:1.20
next-executions:1.0.15
nodelabelparameter:1.9.0
nodenamecolumn:1.2
okhttp-api:3.14.9
pam-auth:1.6
parameter-separator:1.3
parameterized-trigger:2.41
pipeline-build-step:2.14
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.1
pipeline-model-definition:1.9.1
pipeline-model-extensions:1.9.1
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.1
pipeline-stage-view:2.19
pipeline-utility-steps:2.8.0
plain-credentials:1.7
plot:2.1.9
plugin-util-api:2.4.0
popper-api:1.16.1-2
popper2-api:2.5.4-3
powershell:1.5
preSCMbuildstep:0.3
progress-bar-column-plugin:1.0
project-description-setter:1.2
project-health-report:1.2
prometheus:2.0.6
promoted-builds:3.10
publish-over:0.22
publish-over-ssh:1.22
pubsub-light:1.16
python:1.3
rebuild:1.32
resource-disposer:0.16
role-strategy:3.2.0
run-condition:1.5
saferestart:0.3
saml:2.0.7
schedule-build:0.5.1
scm-api:2.6.5
script-security:1.78
sectioned-view:1.25
sidebar-link:1.12.0
simple-theme-plugin:0.7
slave-setup:1.10
snakeyaml-api:1.29.1
sse-gateway:1.24
ssh:2.6.1
ssh-agent:1.23
ssh-credentials:1.19
ssh-slaves:1.32.0
sshd:3.1.0
structs:1.23
subversion:2.14.4
summary_report:1.15
swarm:3.28
test-results-analyzer:0.3.5
test-stability:2.3
throttle-concurrents:2.3
timestamper:1.13
token-macro:266.v44a80cf277fd
trilead-api:1.0.13
uno-choice:2.5.6
validating-string-parameter:2.8
variant:1.4
windows-slaves:1.8
workflow-aggregator:2.6
workflow-api:2.47
workflow-basic-steps:2.23
workflow-cps:2.93
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.39
workflow-job:2.42
workflow-multibranch:2.26
workflow-remote-loader:1.5
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
ws-cleanup:0.39
xunit:3.0.2

Reproduction steps

Results

Expected result:

In the example above, the environment variable MYTAG would be set with the value "tf-v0.14", as IMAGE_TAG is not set via the environment or via Azure Key Vault.

Actual result:

Jenkins stops with a java stack trace that contains:

2021-11-04 15:33:53.106+0000 [id=48]    WARNING c.a.c.util.logging.ClientLogger#performLogging: Failed to get secret - IMAGE_TAG
...
com.azure.core.exception.HttpResponseException: Status code 400, "{"error":{"code":"BadParameter","message":"The request URI contains an invalid name: IMAGE_TAG"}}"

CzapBran commented 1 year ago

@bnfbiz The bug comes from the actual API call to the Keyvault. Underscores are not valid query parameter characters in the AKV API. Try this with a hyphen.

blfarrel commented 1 year ago

@CzapBran but this variable doesn't need to come from Azure; it could come from the environment. In this case, since it isn't from Azure, it should not cause an error and should allow the expansion to happen correctly.

It should be set to tf-v0.14 as in the example from above:

 "${IMAGE_TAG:-tf-v0.14}"
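
An added illustration of the behaviour requested in this thread (not part of the issue, and not the plugin's code): a resolver for `${NAME:-default}` that checks a name against Key Vault's secret-name rule (1 to 127 letters, digits and hyphens) before querying the vault, so `IMAGE_TAG` falls through to its default instead of producing the 400. The class and method names, the lookup order (environment, vault, default) and the map contents are assumptions made for the example.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DefaultFallbackDemo {
    // Key Vault secret names: 1-127 characters, letters, digits and hyphens only.
    static final Pattern VAULT_NAME = Pattern.compile("^[0-9a-zA-Z-]{1,127}$");
    // Matches ${NAME} and ${NAME:-default}.
    static final Pattern REF = Pattern.compile("\\$\\{([^}:]+)(?::-([^}]*))?\\}");

    // Hypothetical vault lookup (a map stands in for the service in this example).
    // Only a name the service cannot hold is treated as a miss; real auth or
    // network errors should still fail loudly rather than fall back to a default.
    static Optional<String> fromVault(String name, Map<String, String> vault) {
        if (!VAULT_NAME.matcher(name).matches()) {
            return Optional.empty(); // skip the request: it could only return BadParameter
        }
        return Optional.ofNullable(vault.get(name));
    }

    // Assumed resolution order: environment, then vault, then the inline default.
    static String resolve(String text, Map<String, String> env, Map<String, String> vault) {
        Matcher m = REF.matcher(text);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String name = m.group(1);
            String value = Optional.ofNullable(env.get(name))
                    .or(() -> fromVault(name, vault))
                    .orElse(m.group(2)); // null when no default was given
            if (value == null) {
                throw new IllegalArgumentException("Unresolved variable: " + name);
            }
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        Map<String, String> env = Map.of();                        // constructed: IMAGE_TAG unset
        Map<String, String> vault = Map.of("image-tag", "tf-v1.0"); // constructed sample secret
        System.out.println(resolve("${IMAGE_TAG:-tf-v0.14}", env, vault));
        System.out.println(resolve("${image-tag:-tf-v0.14}", env, vault));
    }
}
```

Runs as a single file with `java DefaultFallbackDemo.java` on Java 11 or later.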