jenkinsci / hashicorp-vault-plugin

Jenkins plugin to populate environment variables from secrets stored in HashiCorp's Vault.
https://plugins.jenkins.io/hashicorp-vault-plugin/
MIT License

Vault username-password credential is not working with git plugin #160

Open guwenqing opened 3 years ago

guwenqing commented 3 years ago

Hi,

We are using Jenkins pipeline in our CICD and we are in a phase to replace all Jenkins credentials with Vault ones. But it seems git plugin is not happy with Vault username-password credential. (Pipeline is stored in git, and we need to checkout with git plugin).

The pipeline is very simple:

```groovy
pipeline {
    agent { label "adp" }
    stages {
        stage('Hello') {
            steps {
                sh 'find *'
                sh 'hello'
            }
        }
    }
}
```

And the pipeline log is this:

```
Started by user Wenqing Gu
Checking out git https://useraccount@gerrit.example.com/a/example-repo into /proj/eiffel162_config_fem16s10/eiffel_home/jobs/test/workspace@script to read pipelines/minimal/Jenkinsfile
The recommended git tool is: NONE
using credential useraccount-vault
Wiping out workspace first.
Cloning the remote Git repository
Cloning repository https://useraccount@gerrit.example.com/a/example-repo
git init /proj/eiffel162_config_fem16s10/eiffel_home/jobs/test/workspace@script # timeout=10
Fetching upstream changes from https://useraccount@gerrit.example.com/a/example-repo
git --version # timeout=10
git --version # 'git version 1.8.3.1'
using GIT_ASKPASS to set credentials For logging into docker and other services Vault: username and password
git fetch --tags --progress https://useraccount@gerrit.example.com/a/example-repo +refs/heads/:refs/remotes/origin/ # timeout=10
git config remote.origin.url https://useraccount@gerrit.example.com/a/example-repo # timeout=10
git config --add remote.origin.fetch +refs/heads/:refs/remotes/origin/ # timeout=10
Avoid second fetch
git rev-parse origin/eguwenq^{commit} # timeout=10
Checking out Revision 587bd5de1323882f0a5478badadfec94661ac94e (origin/eguwenq)
git config core.sparsecheckout # timeout=10
git checkout -f 587bd5de1323882f0a5478badadfec94661ac94e # timeout=10
Commit message: "test"
git rev-list --no-walk 476d61c46135f4153fb6d5f7696bf558ae80a0b8 # timeout=10
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] Start of Pipeline
[Pipeline] node
Running on vector-adp-vm-slave in /home/useraccount/jenkins/ws_fem16/workspace/test
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Declarative: Checkout SCM)
[Pipeline] checkout
The recommended git tool is: NONE
using credential useraccount-vault
Wiping out workspace first.
Cloning the remote Git repository
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Also: hudson.remoting.Channel$CallSiteStackTrace: Remote call to vector-adp-vm-slave
    at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1788)
    at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:356)
    at hudson.remoting.Channel.call(Channel.java:998)
    at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.execute(RemoteGitImpl.java:146)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler.invoke(RemoteGitImpl.java:132)
    at com.sun.proxy.$Proxy170.execute(Unknown Source)
    at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1219)
    at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1297)
    at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:125)
    at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:93)
    at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:80)
    at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
java.lang.IllegalStateException: Jenkins.instance is missing. Read the documentation of Jenkins.getInstanceOrNull to see what you are doing wrong.
    at jenkins.model.Jenkins.get(Jenkins.java:779)
    at jenkins.security.ConfidentialStore.get(ConfidentialStore.java:67)
    at jenkins.security.CryptoConfidentialKey.getKey(CryptoConfidentialKey.java:36)
    at jenkins.security.CryptoConfidentialKey.decrypt(CryptoConfidentialKey.java:131)
    at hudson.util.HistoricalSecrets.decrypt(HistoricalSecrets.java:55)
    at hudson.util.Secret.decrypt(Secret.java:212)
    at hudson.util.Secret.fromString(Secret.java:252)
    at com.datapipe.jenkins.vault.credentials.common.VaultUsernamePasswordCredentialImpl.getPassword(VaultUsernamePasswordCredentialImpl.java:69)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.createPasswordFile(CliGitAPIImpl.java:2190)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2009)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.access$500(CliGitAPIImpl.java:84)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:573)
    at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$2.execute(CliGitAPIImpl.java:802)
    at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:161)
    at org.jenkinsci.plugins.gitclient.RemoteGitImpl$CommandInvocationHandler$GitCommandMasterToSlaveCallable.call(RemoteGitImpl.java:154)
    at hudson.remoting.UserRequest.perform(UserRequest.java:211)
    at hudson.remoting.UserRequest.perform(UserRequest.java:54)
    at hudson.remoting.Request$2.run(Request.java:369)
    at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
    at java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.lang.Thread.run(Thread.java:834)
Finished: FAILURE
```

guwenqing commented 3 years ago

Apparently, the clone in master slave works without issue, so that the pipeline definition is obtained from the git remote server (in our case Gerrit). But when running in actual slaves for the actual workload, it does not work to clone the repo and prepare the workspace.
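
The call path in the stack trace above (`getPassword` calling `Secret.fromString` inside a remoting callable, then failing in `ConfidentialStore.get`), reduced to a standalone model. This is an added example, not code from the plugin, the git client or the reporter; every class, method and value in it is hypothetical, and the "decryption" is a toy placeholder. It contrasts a credential that decrypts lazily after being shipped to an agent with one whose values were resolved on the controller before serialization.

```java
import java.io.*;

public class AgentDecryptModel {
    // Hypothetical stand-in for the controller-only key store; null models an agent JVM.
    static String controllerKey = "controller-key";

    // Toy placeholder for decryption: refuses to run without the controller key.
    static String decrypt(String blob) {
        if (controllerKey == null)
            throw new IllegalStateException("key store is missing on this JVM");
        return blob.substring("enc:".length());
    }

    interface UserPass extends Serializable { String username(); String password(); }

    // Lazy variant: ships the encrypted blob and decrypts wherever password() is called.
    record LazyCred(String username, String blob) implements UserPass {
        public String password() { return decrypt(blob); }
    }

    // Snapshot variant: holds values already resolved on the controller.
    record Snapshot(String username, String password) implements UserPass {}

    // Serialize and deserialize, as remoting does when a callable carries the credential.
    static UserPass ship(UserPass c) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(c); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (UserPass) in.readObject();
        }
    }

    // Runs the password lookup as the agent would, with no controller key available.
    static String onAgent(UserPass c) {
        String saved = controllerKey;
        controllerKey = null;
        try { return "ok, password length " + c.password().length(); }
        catch (IllegalStateException e) { return "FAILED: " + e.getMessage(); }
        finally { controllerKey = saved; }
    }

    public static void main(String[] args) throws Exception {
        UserPass lazy = new LazyCred("useraccount", "enc:constructed-secret"); // constructed sample
        UserPass snap = new Snapshot(lazy.username(), lazy.password()); // resolved on the controller
        System.out.println("lazy:     " + onAgent(ship(lazy)));
        System.out.println("snapshot: " + onAgent(ship(snap)));
    }
}
```

The snapshot variant puts the plaintext password into the serialized object sent to the agent, so it only suits agents that are already trusted with that secret.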