Hello,

Interest in multi-cloud and multi-account cloud setups is increasing at my 
company, and I have had correspondence from people in other companies about 
this too. It's worth thinking about how Jenkins is going to work in this 
scenario going forward.

There are quite a few Jenkins plugins that connect to cloud providers (e.g. EC2 
plugin, S3 plugin, my own Secrets Manager plugin, plus all the Azure, GCP, 
Kubernetes equivalents). At the moment, these plugins are (at the risk of 
generalising) built with the assumption that they connect to a single cloud 
account. They work well within this assumption, but not outside it.

The key issues at the moment are:

1. Name clashes (due to lack of namespacing facilities) when two resources in 
different accounts have the same name.
2. Slowness/unavailability from interactions with one cloud account affecting 
interactions with other accounts.

To resolve the first problem, I would propose that we introduce a namespacing 
feature of some kind, to allow resources from different accounts to safely 
coexist.

For the second problem, perhaps some partitioning of operations could be done 
within the namespacing feature, so that if one API call goes bad or slower than 
the others, it doesn't affect interactions with other accounts.

At a minimum this would need to be done in the credentials API plugin: I'm 
thinking an optional `namespace` argument could be specified for the 
`withCredentials` or `credentials` bindings, implemented by the credential 
providers. But I'm not sure that namespaces should be limited to just the 
credentials system. Are there other parts of the Jenkins pipeline which deal 
with cloud resources, and so would need to be aware of the namespacing feature 
as well?

Regards,

Chris

PS: In the past I have considered generalising the folders credentials provider 
for this purpose, but this does not seem like the right fit. This is really a 
namespacing problem, not an access control problem (which is what folders are 
for).

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/3e423f19-b3d1-4827-9881-b89d3b73b051%40www.fastmail.com.

Reply via email to