Hi all,
I have a pipeline stage below that runs in Kubernetes (not on a Jenkins manager node, but on a k8s worker).
```groovy
script {
    withVault([configuration: configuration, vaultSecrets: secrets]) {
        sshagent(credentials: ['our-jenkins-git-ssh-key']) {
            /* We push tags and stuff via Jenkins, don't want to infinitely push */
            def committer = githubHandler.getCommitAuthor()
            def committer_email = githubHandler.getCommitEmail()
            env.END_EARLY = (
                committer == "Jenkins" ||
                committer_email == "jenkins@getsporttrade.com"
            )
            if (env.BRANCH_NAME == env.MASTER_BRANCH) {
                env.VERSION = sh(
                    script: "./scripts/get-next-version.sh",
                    returnStdout: true
                ).trim()
            }
        }
    }
    println("Setting version specifier for published artifacts to ${env.VERSION}")
}
```
As of credentials plugin 6.26, this did work. However, we updated to 6.36, and all of our pipelines are seeing issues similar to the below:
```
java.lang.IllegalStateException: Not running on the Jenkins controller JVM
    at jenkins.util.JenkinsJVM.checkJenkinsJVM(JenkinsJVM.java:46)
    at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns.getAggregateSecretPattern(SecretPatterns.java:57)
    at com.datapipe.jenkins.vault.log.MaskingConsoleLogFilter.lambda$decorateLogger$0(MaskingConsoleLogFilter.java:43)
    at org.jenkinsci.plugins.credentialsbinding.masking.SecretPatterns$MaskingOutputStream.eol(SecretPatterns.java:93)
    at hudson.console.LineTransformationOutputStream.eol(LineTransformationOutputStream.java:61)
    at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:57)
    at hudson.console.LineTransformationOutputStream.write(LineTransformationOutputStream.java:75)
    at java.base/java.io.PrintStream.write(PrintStream.java:568)
    at java.base/sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:234)
    at java.base/sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:313)
    at java.base/sun.nio.cs.StreamEncoder.flushBuffer(StreamEncoder.java:111)
    at java.base/java.io.OutputStreamWriter.flushBuffer(OutputStreamWriter.java:178)
    at java.base/java.io.PrintStream.writeln(PrintStream.java:723)
    at java.base/java.io.PrintStream.println(PrintStream.java:1028)
```
I’ve seen some feedback about running these steps on the manager node, but that doesn’t really work for our use case. Has anyone come across this and found a good configuration or workaround?
We can also remove the corresponding line in the plugin, and build the hpi… but again that doesn't sound awesome.
This relates to this PR - [SECURITY-3075] `getAggregateSecretPattern` to fail when run inside agent JVM by jglick · Pull Request #260 · jenkinsci/credentials-binding-plugin · GitHub