This sounds like something that belongs in an identity and access management solution in general since it's a common problem to be solved for all your other applications using those auth sources.

On Fri, Feb 12, 2021 at 5:40 AM Chris Kilding <[email protected]> wrote:
>
> Hello,
>
> Interest in multi-cloud and multi-account cloud setups is increasing at my
> company, and I have had correspondence from people in other companies about
> this too. It's worth thinking about how Jenkins is going to work in this
> scenario going forward.
>
> There are quite a few Jenkins plugins that connect to cloud providers (e.g.
> EC2 plugin, S3 plugin, my own Secrets Manager plugin, plus all the Azure,
> GCP, Kubernetes equivalents). At the moment, these plugins are (at the risk
> of generalising) built with the assumption that they connect to a single
> cloud account. They work well within this assumption, but not outside it.
>
> The key issues at the moment are:
>
> 1. Name clashes (due to lack of namespacing facilities) when two resources in
> different accounts have the same name.
> 2. Slowness/unavailability from interactions with one cloud account affecting
> interactions with other accounts.
>
> To resolve the first problem, I would propose that we introduce a namespacing
> feature of some kind, to allow resources from different accounts to safely
> coexist.
>
> For the second problem, perhaps some partitioning of operations could be done
> within the namespacing feature, so that if one API call goes bad or slower
> than the others, it doesn't affect interactions with other accounts.
>
> At a minimum this would need to be done in the credentials API plugin: I'm
> thinking an optional `namespace` argument could be specified for the
> `withCredentials` or `credentials` bindings, implemented by the credential
> providers. But I'm not sure that namespaces should be limited to just the
> credentials system. Are there other parts of the Jenkins pipeline which deal
> with cloud resources, and so would need to be aware of the namespacing
> feature as well?
>
> Regards,
>
> Chris
>
> PS: In the past I have considered generalising the folders credentials
> provider for this purpose, but this does not seem like the right fit. This is
> really a namespacing problem, not an access control problem (which is what
> folders are for).
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/3e423f19-b3d1-4827-9881-b89d3b73b051%40www.fastmail.com.

--
Matt Sicker
Senior Software Engineer, CloudBees
