Credentials Binding Plugin - Not running on the Jenkins controller JVM

Community
1

Hi all,

I have a pipeline stage below that runs in Kubernetes (not on a jenkins manager node, but on a k8s worker).

        script {
          withVault([configuration: configuration, vaultSecrets: secrets]) {
            sshagent(credentials: ['our-jenkins-git-ssh-key']) {
              /* We push tags and stuff Via Jenkins, dont want to infinitely push */
              def committer        = githubHandler.getCommitAuthor()
              def committer_email  = githubHandler.getCommitEmail()
              env.END_EARLY = (
                committer == "Jenkins" ||
                committer_email == "jenkins@getsporttrade.com"
              )
              if (env.BRANCH_NAME == env.MASTER_BRANCH) {
                env.VERSION = sh(
                  script:"./scripts/get-next-version.sh",
                  returnStdout: true
                ).trim()
              }
            }
          }
          println("Setting version specifier for published artifacts to ${env.VERSION}")
        }

As of credentials plugin 6.26, this did work. However, we updated to 6.36, and all of our pipelines are seeing issues similar to the below:

java.lang.IllegalStateException: Not running on the Jenkins controller JVM
	at jenkins.util.JenkinsJVM.checkJenkinsJVM(JenkinsJVM.java:46)
	at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns.getAggregateSecretPattern(SecretPatterns.java:57)
	at com.datapipe.jenkins.vault.log.MaskingConsoleLogFilter.lambda$decorateLogger$0(MaskingConsoleLogFilter.java:43)
	at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns$MaskingOutputStream.eol(SecretPatterns.java:93)
	at hudson.console.LineTransformationOutputStream.eol(LineTransformationOutputStream.java:61)
	at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:57)
	at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:75)
	at java.base/java.io.PrintStream.write(PrintStream.java:568)
	at java.base/sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:234)
	at java.base/sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:313)
	at java.base/sun.nio.cs.StreamEncoder.flushBuffer(StreamEncoder.java:111)
	at java.base/java.io.OutputStreamWriter.flushBuffer(OutputStreamWriter.java:178)
	at java.base/java.io.PrintStream.writeln(PrintStream.java:723)
	at java.base/java.io.PrintStream.println(PrintStream.java:1028)

I’ve seen some feedback about running these steps on the manager node, but that doesn’t really work for our use case. Has anyone come across this and found a good configuration or work around?

We can also remove the corresponding line in the plugin, and build the hpi… but again that doesnt sound awesome.

This relates to this PR - [SECURITY-3075] `getAggregateSecretPattern` to fail when run inside agent JVM by jglick · Pull Request #260 · jenkinsci/credentials-binding-plugin · GitHub

2

Make sure you have updated your plugins: Release 361.v44fea_4fc08d9 · jenkinsci/hashicorp-vault-plugin · GitHub

3

Thank you, @jglick ! I’ll give that a try. Cheers!