Gitlab-plugin: Feature: Support Jenkins Credentials for "Secret Token"

Created on 30 Jan 2017  路  5Comments  路  Source: jenkinsci/gitlab-plugin

Currently, the "Secret Token" has the following behavior:

  • Can only be randomly generated
  • Can not be viewed after Jenkins job is saved.
  • Is stored encoded/encrypted on disk

It would be nice if the plugin used the Jenkins Credential functionality. This would allow re-use of secret tokens which is much easier to maintain. (e.g. A handful of entries in your password manager instead of a unique one for every single job).

It would also allow for easier rolling of the secret token(s). Currently, each individual jenkins job must be opened, a new code generated, the new code captured by user (i.e. written down, added to password manager, etc.), then relevant GitLab webhooks deleted and re-created with new tokens.

feature request

Most helpful comment

Any news?

All 5 comments

You should not need to create a separate token for every job. You CAN do that, but if you want a global token it is possible. See my notes in https://github.com/jenkinsci/gitlab-plugin/issues/418.

Thanks @omehegan.

A couple of things... I'm not sure I love the idea of putting an API key (secret) into the URL of a webhook, since that becomes visible in the gitlab webhooks/integrations UI whereas secret tokens are not. Maybe that's not a huge deals if permissions are set up properly on GitLab, but I generally consider displaying secrets anywhere to be less-than-ideal.

It also doesn't account for a case where you want to use multiple tokens, but not individual tokens. For example, a token for each group of related jobs.

Technically speaking, just making "secret token" field editable in the Jenkins job configuration would allow for this, but it would still be a pita to change the secret(s).

For example, if somebody who knows a secret leaves the company it would be important to change that secret. If it used the Jenkins credential system, then it would be as simple as updating the exposed secret(s) in the credential manager. Of course, all of the webhooks would need to be configured again on the GitLab side before integration would work... but at least Jenkins could be quickly secured instead of having to drill into each individual project to set a new secret.

These are excellent points. Adding this as a feature request.

Hi, do you have any news about adding gitlab-token creds to withCredentials?

Any news?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

MarcelNehring picture MarcelNehring  路  5Comments

robphoenix picture robphoenix  路  3Comments

almozavr picture almozavr  路  6Comments

nussera picture nussera  路  5Comments

pablobirukov picture pablobirukov  路  5Comments