jenkinsci / hashicorp-vault-plugin

Jenkins plugin to populate environment variables from secrets stored in HashiCorp's Vault.
https://plugins.jenkins.io/hashicorp-vault-plugin/
MIT License

addrVariable and tokenVariable ignored in vaultTokenCredentialBinding when opened in UI, always see default values #296

Closed dshvedchenko closed 5 months ago

dshvedchenko commented 1 year ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.387.1
OS: Linux - 5.4.0-139-generic
Java: 11.0.12 - Azul Systems, Inc. (OpenJDK 64-Bit Server VM)
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 20.04

Reproduction steps

Configure Job with

```groovy
vaultTokenCredentialBinding {
    addrVariable("FOO")
    tokenVariable("BAR")
}
```

or manually

Expected Results

Job configured with env variables

Actual Results

Opening the job config (via REST API, or config.xml), we can see the expected result, but if we open the job configuration in the UI, the fields Vault Address Variable and Vault Token Variable have the defaults VAULT_ADDR, VAULT_TOKEN.

Anything else?

dshvedchenko commented 1 year ago

Initially I thought that it was an issue of JobDSL + plugin, but now I think it is something related only to the plugin preparing data for UI editing.

dshvedchenko commented 1 year ago

https://github.com/jenkinsci/hashicorp-vault-plugin/blob/master/src/main/resources/com/datapipe/jenkins/vault/credentials/VaultTokenCredentialBinding/config-variables.jelly#L4-L7

lines should be

```xml
  <f:entry title="${%Vault Address Variable}" field="addrVariable">
    <f:textbox default="VAULT_ADDR"/>
  </f:entry>
  <f:entry title="${%Vault Token Variable}" field="tokenVariable">
    <f:textbox default="VAULT_TOKEN"/>
  </f:entry>
```
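
A way to check what is actually stored, independent of what the form displays (added example, not part of the issue thread or the plugin's code): it reads a job's config.xml and compares the variable names of each VaultTokenCredentialBinding with the names the job is meant to use. The sample XML is constructed, and the element layout (fully-qualified class name with `addrVariable` and `tokenVariable` children) is an assumption based on the class path linked above.

```python
import xml.etree.ElementTree as ET

# Fields of the binding discussed in this issue.
FIELDS = ("addrVariable", "tokenVariable")
BINDING_SUFFIX = "VaultTokenCredentialBinding"

# Constructed sample; the real config.xml layout is assumed, not taken from the plugin.
SAMPLE_CONFIG = """<project>
  <buildWrappers>
    <org.jenkinsci.plugins.credentialsbinding.impl.SecretBuildWrapper>
      <bindings>
        <com.datapipe.jenkins.vault.credentials.VaultTokenCredentialBinding>
          <addrVariable>FOO</addrVariable>
          <tokenVariable>BAR</tokenVariable>
        </com.datapipe.jenkins.vault.credentials.VaultTokenCredentialBinding>
        <com.datapipe.jenkins.vault.credentials.VaultTokenCredentialBinding>
          <addrVariable>VAULT_ADDR</addrVariable>
        </com.datapipe.jenkins.vault.credentials.VaultTokenCredentialBinding>
      </bindings>
    </org.jenkinsci.plugins.credentialsbinding.impl.SecretBuildWrapper>
  </buildWrappers>
</project>"""


def stored_binding_variables(config_xml):
    """Return one dict per binding with the variable names stored in config.xml."""
    root = ET.fromstring(config_xml)
    found = []
    for elem in root.iter():
        if elem.tag.endswith(BINDING_SUFFIX):
            # findtext returns None when the element is absent from the XML.
            found.append({field: elem.findtext(field) for field in FIELDS})
    return found


def check_against_expected(config_xml, expected):
    """List (binding index, field, stored, expected) for every mismatch."""
    mismatches = []
    for index, stored in enumerate(stored_binding_variables(config_xml)):
        for field, want in expected.items():
            if stored[field] != want:
                mismatches.append((index, field, stored[field], want))
    return mismatches


if __name__ == "__main__":
    wanted = {"addrVariable": "FOO", "tokenVariable": "BAR"}
    for mismatch in check_against_expected(SAMPLE_CONFIG, wanted):
        print("binding %d: %s stored=%r expected=%r" % mismatch)
```

Running it against a job's config.xml before and after a UI edit shows whether the stored names still match the ones the build scripts read.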