I believe the JENKINS-60897 proposal can do what you ultimately are trying to achieve (having some credentials restricted to jobs in folder A, some restricted to jobs in folder B, some restricted to jobs in folders A and B, and some global credentials with no folder restrictions). But there is a fundamental constraint in the way: a plugin has only one instance in Jenkins. You couldn't run multiple instances of a plugin (e.g. to apply different configurations) on the same Jenkins server. So under the proposal, you'd achieve it like this instead:
- Install credential provider plugin.
- Install folders plugin.
- Configure the credentials access control layer (ACL) on the folders plugin.
Example: If I have 4 secrets in Secrets Manager that I want to use in Jenkins like this:
- foo (visible to jobs in folders A and B)
- bar (visible to jobs in folder A)
- baz (visible to jobs in folder B)
- qux (global, visible to all jobs)
I would configure the ACL like this in JCasC (I suppose you could also use Job DSL or the GUI):

    folders:
      a:
        someUnrelatedProperty: 'hello'
        credentials:
          - 'foo'
          - 'bar'
      b:
        someUnrelatedProperty: 'world'
        credentials:
          - 'foo'
          - 'baz'

(The implication in this particular design is that if you access a credential like qux which has no folder restrictions, it is treated as global.) Does that sound like what you're after?
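
An added example, not part of the comment above and not code from any Jenkins plugin: it models the visibility rule described there (a credential that no folder lists is treated as global) and audits for credentials that become global only by omission, for instance after a typo in a folder's list. The `SECRETS` set, the `intended_global` parameter and all function names are assumptions made for illustration.

```python
# Constructed data: mirrors the hypothetical JCasC snippet in the comment above.
# This is a model of the proposed design, not a real plugin schema.
FOLDERS = {
    "a": {"someUnrelatedProperty": "hello", "credentials": ["foo", "bar"]},
    "b": {"someUnrelatedProperty": "world", "credentials": ["foo", "baz"]},
}
# Constructed: names of the secrets assumed to exist in Secrets Manager.
SECRETS = {"foo", "bar", "baz", "qux"}


def restrictions(folders):
    """Map each credential id to the set of folders that list it."""
    allowed = {}
    for folder, props in folders.items():
        for cred in props.get("credentials", []):
            allowed.setdefault(cred, set()).add(folder)
    return allowed


def visible(cred, folder, folders, secrets):
    """True if a job in `folder` may use `cred` under the described design."""
    if cred not in secrets:
        return False
    listed_in = restrictions(folders).get(cred)
    # A credential that no folder lists has no restriction, so it is global.
    return listed_in is None or folder in listed_in


def audit(folders, secrets, intended_global):
    """Find secrets that are global by omission and ACL entries matching no secret."""
    listed = set(restrictions(folders))
    return {
        # Unlisted and not declared global on purpose: visible to every job.
        "implicit_global": sorted(set(secrets) - listed - set(intended_global)),
        # Listed in a folder but no such secret exists: likely a typo.
        "dangling": sorted(listed - set(secrets)),
    }


if __name__ == "__main__":
    for folder in FOLDERS:
        usable = sorted(c for c in SECRETS if visible(c, folder, FOLDERS, SECRETS))
        print(folder, usable)
    print(audit(FOLDERS, SECRETS, intended_global={"qux"}))
```

A misspelled entry shows up in both lists at once: the misspelled id is dangling, and the secret it was meant to restrict is reported as implicitly global.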