[JIRA] (JENKINS-60908) AWS Secrets Manager Plugin Breaking Change

12 views
Skip to first unread message

ethan@fama.io (JIRA)

unread,
Jan 29, 2020, 12:14:02 PM1/29/20
to jenkinsc...@googlegroups.com
Ethan Stein created an issue
 
Jenkins / Improvement JENKINS-60908
AWS Secrets Manager Plugin Breaking Change
Issue Type: Improvement Improvement
Assignee: Chris Kilding
Components: aws-secrets-manager-credentials-provider-plugin
Created: 2020-01-29 17:13
Labels: documentation
Priority: Minor Minor
Reporter: Ethan Stein

Release 0.2.X+ of the plugin has added a new tag requirement in order for the plugin to know which data to pull in from AWS Secrets Manager.  Existing secrets without this tag will not be pulled in.  I would classify this as a breaking change and a note should be added to the README.

 

This can be tested by installing version 0.1.4 and only specify a tag that one can use to Filter the secret against.  It will come in.  If you then upgrade to 0.2.0 or higher and create a similar tag without the necessary credentials type tag, then it will appear.

 

Interestingly enough, this does not impact recognizing if the secret key has been deleted.
Add Comment Add Comment
 
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
Atlassian logo

chris+jenkins@chriskilding.com (JIRA)

unread,
Jan 29, 2020, 12:42:03 PM1/29/20
to jenkinsc...@googlegroups.com
Chris Kilding commented on Improvement JENKINS-60908
 
Re: AWS Secrets Manager Plugin Breaking Change

Hi Ethan, could you clarify the last sentence? Not quite sure what it means, but there might be something worth investigating in it.

You are correct that it’s a breaking change. I kept the previous auto-detection strategy going as long as I could, but unfortunately the multi-type credential object this entailed broke fundamental assumptions of important credential consumers, like the Git plugin. So it was a tough call but I had to change it. I’ll add a doc notice as you suggest.

The only in-band mechanism Jenkins currently provides to announce a breaking change is the plugin version number. However per the Semantic Versioning standard, this only really works if you are post version 1 (when you can indicate a breaking change with a major version increment). Therefore I intend to finish the last 2 or 3 minor changes I’m working on, sit on it for a while, then if all looks good release stable version 1.0.0.

ethan@fama.io (JIRA)

unread,
Jan 29, 2020, 12:52:02 PM1/29/20
to jenkinsc...@googlegroups.com

Sure, just wanted you to be aware of what made me struggle for the past 24 hrs when I setup a new environment with the latest version of this plugin while my older environments had the previous version.

As far as my final statement, it seemed that after adding that jenkins:credentials:type=string tag into the secret within AWS Secrets Manager and it getting displayed in Jenkins, if I remove the tag, the entry still remains in Jenkins even after the 5 minute mark.  It will only disappear after I initiate a delete to remove the secret altogether, regardless of whether that tag was present or later removed.

 

Also, a strange thing I noticed previously, if I mark the secret as deleted but it is still recoverable, the secret is still seen in Jenkins. Not sure whether you've tested/coded for this.

 

Finally, any chance you can parameterize the 5 minute-check. Sometimes I'd like to have it be less (at least initially).

chris+jenkins@chriskilding.com (JIRA)

unread,
Jan 30, 2020, 6:32:02 AM1/30/20
to jenkinsc...@googlegroups.com

User-configurable cache duration has a ticket: JENKINS-57577. I'll note your interest there.

The soft deletion of secrets is problematic in Moto (the AWS mock I use) because it doesn't have an effective notion of time (at least, not the kind of time frames we have in integration test lifecycles). This makes testing soft deletion very awkward and there could be a mistake there. I'll investigate.

chris+jenkins@chriskilding.com (JIRA)

unread,
Feb 17, 2020, 6:03:03 AM2/17/20
to jenkinsc...@googlegroups.com

I've logged the soft-deleted secrets problem in JENKINS-61111

chris+jenkins@chriskilding.com (JIRA)

unread,
Feb 17, 2020, 6:11:03 AM2/17/20
to jenkinsc...@googlegroups.com

I've logged the problem with credentials sticking around after the jenkins:credentials:type tag is removed in JENKINS-61112

chris+jenkins@chriskilding.com (JIRA)

unread,
Feb 17, 2020, 6:15:02 AM2/17/20
to jenkinsc...@googlegroups.com

I've enabled Release Drafter on the repo, which will automatically write the changelog for each plugin release on the GitHub Releases page. This seems to be the best place to communicate changes in new versions, breaking or otherwise.

chris+jenkins@chriskilding.com (JIRA)

unread,
Feb 17, 2020, 6:46:03 AM2/17/20
to jenkinsc...@googlegroups.com

Release Drafter doesn't go back in time to before it was enabled, so I have annotated the most recent tags with release notes manually.

Ethan Stein could you look at the linked release notes, and indicate if they're clear enough about the breaking change in 0.2.0? (Or if not, what you'd modify - nothing else is dependent on these notes, so I can update them once or twice if needed.)

https://github.com/jenkinsci/aws-secrets-manager-credentials-provider-plugin/releases#0.2.0

chris+jenkins@chriskilding.com (JIRA)

unread,
Mar 4, 2020, 5:36:04 AM3/4/20
to jenkinsc...@googlegroups.com
Chris Kilding started work on Improvement JENKINS-60908
 
Change By: Chris Kilding
Status: Open In Progress
This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)
Atlassian logo

chris+jenkins@chriskilding.com (JIRA)

unread,
Mar 5, 2020, 5:16:03 AM3/5/20
to jenkinsc...@googlegroups.com
Change By: Chris Kilding
Status: In Progress Review
Reply all
Reply to author
Forward
0 new messages