This is my starter for ten for how namespaces could look in the credentials API...
A `credentials` binding in your Jenkinsfile would look like this:
    pipeline {
        agent any
        stages {
            stage('Deploy to staging') {
                environment {
                    API_KEY = credentials('api-key', namespace: '1111111111')
                }
                steps {
                    sh 'curl -X POST -u "foo:$API_KEY" https://example.com'
                }
            }
            stage('Deploy to production') {
                environment {
                    API_KEY = credentials('api-key', namespace: '2222222222')
                }
                steps {
                    sh 'curl -X POST -u "foo:$API_KEY" https://example.com'
                }
            }
        }
    }
A `withCredentials` binding would look like this:
    node {
        withCredentials(bindings: [string(credentialsId: 'api-key', variable: 'API_KEY', namespace: '1111111111')]) {
            echo 'Hello world'
        }
    }
It will be up to the credentials providers how to implement namespacing. I would expect this to be driven by the plugin configuration for those providers. For example, each AWS account namespace will be accompanied by information to drive the necessary `sts:AssumeRole` operation, which lets the AWS SDK do things in the alternate account.
A namespace could correspond to:
- An AWS/Azure/etc. account (as shown above).
- An infrastructure environment within an account. (E.g. if secrets are given prefixes, like /environments/staging/api-key and /environments/production/api-key, the prefix should be usable as a namespace qualifier together with filtering.)
An implicit default namespace exists for credentials with no namespace information. This is what will be used if we call `credentials` or `withCredentials` with no `namespace` argument, like we do today.
The default namespace enables:
- Credentials to be put there by choice (e.g. credentials stored in the same AWS account as Jenkins).
- Backwards compatibility (credentials from providers that don't support namespaces - in other words any existing provider - are deemed to be in the default namespace).
Some questions that arise from this:
1. How does this generalise to other parts of Jenkins? (For example, could the EC2 plugin use namespaces to allow instances to be launched in alternate AWS accounts?)
2. How to ensure namespaces are unique? (If namespaces are declared solely within individual plugins' configs, there is the possibility that two configs could declare the same namespace.) Perhaps this dovetails into the next question...
3. Where should namespaces be declared in Jenkins config, so that the access control systems can also use them?
Chris
https://groups.google.com/d/msgid/jenkinsci-dev/40b34fd2-06d7-4261-9fef-204fb015223b%40www.fastmail.com.
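Added example (not part of the post above, and not Jenkins or credentials-plugin code): a small Python model of the lookup rules the proposal describes, so the namespace semantics can be exercised offline. The three provider classes, the name `DEFAULT_NAMESPACE`, the `find_namespace_conflicts` check and every credential id, account id, role ARN and secret value in it are assumptions constructed for illustration. It covers the three namespace kinds from the post (a legacy provider that only knows the implicit default namespace, a prefix-per-environment store, and an account-per-namespace provider where a real implementation would assume a role), and shows one answer to question 2, rejecting two plugin configs that declare the same namespace while still letting every legacy provider share the default namespace.

```python
# Added model of the namespaced lookup proposed in the post; not Jenkins code.
# The provider classes, the uniqueness check and every id/value below are
# constructed for illustration.
from dataclasses import dataclass

DEFAULT_NAMESPACE = "default"  # implicit namespace for un-namespaced credentials

class NamespaceConflict(Exception):
    """Two provider configurations declared the same namespace."""

class CredentialNotFound(KeyError):
    """No provider holds the credential in the requested namespace."""

@dataclass
class LegacyProvider:
    # Existing provider with no namespace support: everything it holds is
    # deemed to live in the default namespace (backwards compatibility).
    name: str
    secrets: dict  # credentialsId -> value
    def namespaces(self):
        return {DEFAULT_NAMESPACE}
    def lookup(self, credentials_id, namespace):
        return self.secrets.get(credentials_id) if namespace == DEFAULT_NAMESPACE else None

@dataclass
class PrefixedProvider:
    # Namespace = path prefix inside one store, e.g. /environments/staging.
    name: str
    prefixes: dict  # namespace -> prefix
    secrets: dict   # full path -> value
    def namespaces(self):
        return set(self.prefixes)
    def lookup(self, credentials_id, namespace):
        prefix = self.prefixes.get(namespace)
        return None if prefix is None else self.secrets.get(prefix.rstrip("/") + "/" + credentials_id)

@dataclass
class AccountProvider:
    # Namespace = cloud account id; each entry carries the role the plugin
    # would assume before reading. Secrets are embedded so this runs offline.
    name: str
    accounts: dict  # account id -> {"role_arn": ..., "secrets": {...}}
    def namespaces(self):
        return set(self.accounts)
    def lookup(self, credentials_id, namespace):
        account = self.accounts.get(namespace)
        if account is None:
            return None
        # A real provider would call sts:AssumeRole on account["role_arn"] here
        # and read from that account's store with the session it gets back.
        return account["secrets"].get(credentials_id)

def find_namespace_conflicts(providers):
    # Question 2 in the post: namespaces declared in separate plugin configs
    # must not collide. The default namespace is shared on purpose, so that
    # every legacy provider may contribute to it.
    owners, conflicts = {}, []
    for provider in providers:
        for ns in provider.namespaces():
            if ns != DEFAULT_NAMESPACE and ns in owners:
                conflicts.append((ns, owners[ns], provider.name))
            owners.setdefault(ns, provider.name)
    return conflicts

class CredentialsRegistry:
    # Resolves credentials(id, namespace=...) across all configured providers.
    def __init__(self, providers):
        conflicts = find_namespace_conflicts(providers)
        if conflicts:
            raise NamespaceConflict(conflicts)
        self.providers = list(providers)
    def resolve(self, credentials_id, namespace=None):
        ns = namespace or DEFAULT_NAMESPACE  # no argument: today's behaviour
        for provider in self.providers:
            value = provider.lookup(credentials_id, ns)
            if value is not None:
                return value
        return None
    def credentials(self, credentials_id, namespace=None):
        # What the binding would do: fail the build instead of silently
        # falling through to a different namespace.
        value = self.resolve(credentials_id, namespace)
        if value is None:
            raise CredentialNotFound(f"{credentials_id} in namespace {namespace or DEFAULT_NAMESPACE!r}")
        return value

def build_demo_registry():
    # Constructed sample configuration; every id and value is made up.
    return CredentialsRegistry([
        LegacyProvider("jenkins-store", {"api-key": "legacy-key"}),
        PrefixedProvider("ssm",
                         {"staging": "/environments/staging",
                          "production": "/environments/production"},
                         {"/environments/staging/api-key": "staging-key",
                          "/environments/production/api-key": "production-key"}),
        AccountProvider("aws", {
            "1111111111": {"role_arn": "arn:aws:iam::1111111111:role/jenkins",
                           "secrets": {"api-key": "account-1-key"}},
            "2222222222": {"role_arn": "arn:aws:iam::2222222222:role/jenkins",
                           "secrets": {"api-key": "account-2-key"}}})])
```

With `build_demo_registry()`, `credentials('api-key')` resolves to the legacy store exactly as today, `credentials('api-key', namespace='1111111111')` comes back from the account provider, and a namespace nobody declared fails the lookup rather than falling back to the default namespace. The conflict check runs at configuration time, not at lookup time, which is the point at which a collision between two plugin configs can still be reported to whoever is editing them.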