
Better way to restrict credentials available to pipelinelib
Closed, Resolved · Public


Credentials use in pipelines served by pipelinelib is restricted by adding allowed credentials to the pipelinelib library. Find a more user-friendly way to do this.

Event Timeline

We've decided to take multiple steps to restrict credentials usage in Jenkins:

  1. Create a whitelist of credentials for usage in test pipelines on a per-project basis
  2. Create a whitelist of credentials for usage in gate-and-submit and post-merge pipelines on a per-project basis
  3. Possibly create a global whitelist of credentials that are likely to be used by many projects in the test pipeline
  4. Move credentials outside of the global Jenkins scope to be contained in Jenkins folders so that they can only be accessed by certain jobs

The whitelists are intended to be defined in the integration/config repo and passed as parameters to the pipeline builder so that it's clear which projects are allowed to use which credentials.
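
An added illustration of steps 1 to 3 above, not code from pipelinelib or integration/config: a deny-by-default check that resolves which credential IDs a project's pipeline may bind, with the optional global list applying to test pipelines only. The data layout, function names, project name and credential IDs are all hypothetical.

```python
# Added illustration: hypothetical names and data layout, not pipelinelib's API.
from dataclasses import dataclass

TEST = "test"
PRIVILEGED = frozenset({"gate-and-submit", "post-merge"})


@dataclass(frozen=True)
class ProjectPolicy:
    """Per-project allowlists, one per class of pipeline (steps 1 and 2)."""
    test: frozenset = frozenset()
    privileged: frozenset = frozenset()


def allowed_credentials(pipeline, project, policies, global_test=frozenset()):
    """Return the credential IDs this project's pipeline may bind (deny by default)."""
    policy = policies.get(project, ProjectPolicy())  # unknown project: empty lists
    if pipeline == TEST:
        # Step 3: the shared list widens test pipelines only, never privileged ones.
        return policy.test | global_test
    if pipeline in PRIVILEGED:
        return policy.privileged
    return frozenset()  # unrecognised pipeline type gets nothing


def denied_credentials(requested, pipeline, project, policies, global_test=frozenset()):
    """Credential IDs a pipeline asks for that its allowlist does not cover."""
    allowed = allowed_credentials(pipeline, project, policies, global_test)
    return sorted(set(requested) - allowed)


# Constructed sample data; the project and credential names are made up.
POLICIES = {
    "example/service-a": ProjectPolicy(
        test=frozenset({"sonar-token"}),
        privileged=frozenset({"registry-push"}),
    ),
}
GLOBAL_TEST = frozenset({"codecov-token"})

if __name__ == "__main__":
    requests = [("test", ["sonar-token", "registry-push"]),
                ("post-merge", ["registry-push", "codecov-token"])]
    for pipeline, wanted in requests:
        bad = denied_credentials(wanted, pipeline, "example/service-a",
                                 POLICIES, GLOBAL_TEST)
        print(f"{pipeline}: denied {bad}")
```

Keeping the test and privileged lists separate means a credential granted for post-merge publishing is not exposed to test pipelines, and the reverse.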

Final subtask deemed not a blocker in the 2021-03-30 mw-on-k8s planning meeting.