[JIRA] (JENKINS-56598) Unable to bind withCredentials variables inside running pod

1 view
Skip to first unread message

thomascooperca@gmail.com (JIRA)

unread,
Mar 18, 2019, 10:29:03 AM3/18/19
to jenkinsc...@googlegroups.com
Thomas Cooper created an issue
 
Jenkins / Improvement JENKINS-56598
Unable to bind withCredentials variables inside running pod
Issue Type: Improvement Improvement
Assignee: Carlos Sanchez
Components: kubernetes-plugin
Created: 2019-03-18 14:28
Environment: Jenkins 2.166
Kubernetes Plugin 1.14.8
Credentials Binding Plugin 1.18
Priority: Major Major
Reporter: Thomas Cooper

When running via declarative pipeline, any variables bound via Credentials Binding plugin are empty and cannot be used on the running pod. The environment variable should be set via the `withCredentials` but never does. 

stage('Run Playbook') { 
  steps { 
    script { 
      withCredentials([string(credentialsId: "ocp-${params.Environment}-ansible-sa-token", variable: 'K8S_AUTH_API_KEY')]) { 
        sh "printenv" // K8S_AUTH_API_KEY env var is completely missing
...
// Any steps relying on K8S_AUTH_API_KEY (the k8s Ansible module in this case) fails since that variable is never set.

 

I've seen a number of PRs opened to address other environment variables set by Jenkins itself (ie. COMMIT_ID and other SCM related vars). However, no combination of withCredentials seems to work when running inside a pod. 
Add Comment Add Comment
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

thomascooperca@gmail.com (JIRA)

unread,
Mar 18, 2019, 10:30:03 AM3/18/19
to jenkinsc...@googlegroups.com
Thomas Cooper updated an issue
 
Jenkins / Bug JENKINS-56598
Change By: Thomas Cooper
Issue Type: Improvement Bug

thomascooperca@gmail.com (JIRA)

unread,
Mar 18, 2019, 10:32:01 AM3/18/19
to jenkinsc...@googlegroups.com
Thomas Cooper updated an issue
When running via declarative pipeline, any variables bound via Credentials Binding plugin are empty and cannot be used on the running pod. The environment variable should be set via the `withCredentials` but never does. 

{code:java}

stage('Run Playbook') {
  steps {
    script {
      withCredentials([string(credentialsId: "ocp-${params.Environment}-ansible-sa-token", variable: 'K8S_AUTH_API_KEY')]) {
        sh "printenv" // K8S_AUTH_API_KEY env var is completely missing
...
        ansiblePlaybook playbook: "playbooks / something.yml", extraVars: ... / Any steps relying on K8S_AUTH_API_KEY ( / the k8s Ansible module in this case) fails since that variable is never relies on K8S_AUTH_API_KEY being set .
and fails due to 401 UNAUTHORIZED {code}
 

 I've seen a number of PRs opened to address other environment variables set by Jenkins itself (ie. COMMIT_ID and other SCM related vars). However, no combination of withCredentials seems to work when running inside a pod. 

thomascooperca@gmail.com (JIRA)

unread,
Mar 21, 2019, 11:48:05 AM3/21/19
to jenkinsc...@googlegroups.com
Thomas Cooper updated an issue
When running via declarative pipeline, any variables bound via Credentials Binding plugin are empty and cannot be used on the running pod. The environment variable should be set via the `withCredentials` but never does. 
{code:java}
pipeline {
  agent { label 'my-pod-label-from-config' }
  stages {
...
stage('Run Playbook') {
  steps {
    script {
      withCredentials([string(credentialsId: "ocp-${params.Environment}-ansible-sa-token", variable: 'K8S_AUTH_API_KEY')]) {
        sh "printenv" // K8S_AUTH_API_KEY env var is completely missing
...
        ansiblePlaybook playbook: "playbooks/something.yml", extraVars: ... // the k8s Ansible module relies on K8S_AUTH_API_KEY being set and fails due to 401 UNAUTHORIZED{code}

I've seen a number of PRs opened to address other environment variables set by Jenkins itself (ie. COMMIT_ID and other SCM related vars). However, no combination of withCredentials seems to work when running inside a pod. 

thomascooperca@gmail.com (JIRA)

unread,
Mar 21, 2019, 11:48:10 AM3/21/19
to jenkinsc...@googlegroups.com
Thomas Cooper updated an issue
When running via declarative pipeline, any variables bound via Credentials Binding plugin are empty and cannot be used on the running pod. The environment variable should be set via the `withCredentials` but never does. 
{code:java}
pipeline {
  agent { label 'my-pod-label-from-config' }
  stages {
...
    stage('Run Playbook') {
      steps {
        script {
          withCredentials([string(credentialsId: " ocp k8s - ${params.Environment}-ansible-sa- token -credential ", variable: 'K8S_AUTH_API_KEY')]) {
            sh "printenv" // K8S_AUTH_API_KEY env var is completely missing
...
            ansiblePlaybook playbook: "playbooks/something.yml", extraVars: ... // the k8s Ansible module relies on K8S_AUTH_API_KEY being set and fails due to 401 UNAUTHORIZED{code}
I've seen a number of PRs opened to address other environment variables set by Jenkins itself (ie. COMMIT_ID and other SCM related vars). However, no combination of withCredentials seems to work when running inside a pod. 

jglick@cloudbees.com (JIRA)

unread,
Jun 4, 2019, 2:02:03 PM6/4/19
to jenkinsc...@googlegroups.com
Jesse Glick resolved as Cannot Reproduce
  
podTemplate(label: BUILD_TAG) {
    node (BUILD_TAG) {
        withCredentials([string(credentialsId: 'text', variable: 'SECRET')]) {
            sh 'env; env | tr "[a-z]" "[A-Z]"'
        }
    }
}

working for me.
Change By: Jesse Glick
Status: Open Resolved
Resolution: Cannot Reproduce
Reply all
Reply to author
Forward
0 new messages