@annepavan

Add multi-credential and multi-namespace support per-secret

Previously, the plugin supported a single Vault credential and a single namespace per job, applied to all secret retrievals. This update introduces per-secret overrides, enabling jobs to authenticate to Vault using different AppRole credentials and namespaces for each secret.

  • Per-secret credential override: Add vaultCredentialId to VaultSecret to select a credential per secret.
  • Per-secret namespace override: Add vaultNamespace to VaultSecret to select a namespace per secret.
  • Retrieval logic: For each secret, the plugin selects the appropriate credential and namespace, falling back to job-level settings when no override is provided.
  • Verbose logging: Optional job-level flag to enable detailed diagnostic logs for troubleshooting.

Backward compatible: existing jobs continue to use the job-level credential and namespace unless per-secret overrides are configured.

Summary of Changes

  • Per-secret AppRole override

    • Added vaultCredentialId to VaultSecret to select a credential per secret.
      • Code: src/main/java/com/datapipe/jenkins/vault/model/VaultSecret.java
      • UI: src/main/resources/com/datapipe/jenkins/vault/model/VaultSecret/config.jelly (Advanced → “Credential (override job-level)”)
      • Dropdown filler: VaultSecret.DescriptorImpl#doFillVaultCredentialIdItems(...)
  • Per-secret Namespace override

    • Added vaultNamespace to VaultSecret to override namespace per secret.
      • Code: src/main/java/com/datapipe/jenkins/vault/model/VaultSecret.java
      • UI: src/main/resources/com/datapipe/jenkins/vault/model/VaultSecret/config.jelly (Advanced → “Namespace (override job-level)”)
  • Core logic updates

    • Enhanced VaultAccessor.retrieveVaultSecrets(...) to apply per-secret overrides:
      • Resolve per-secret credential via retrieveVaultCredentialById(...) when vaultCredentialId is set.
      • Build per-secret VaultConfig when vaultNamespace is provided (copy address, engine version, skip-SSL, prefix).
      • Initialize a per-secret VaultAccessor for secrets with overrides; otherwise use job-level settings.
      • Fallback order for credentials per secret:
        • VaultSecret.vaultCredentialId → VaultConfiguration.getVaultCredential() → VaultConfiguration.getVaultCredentialId() → else error.
      • Files:
        • src/main/java/com/datapipe/jenkins/vault/VaultAccessor.java
  • Verbose logging toggle

    • Added verboseLogging on VaultConfiguration with UI checkbox.
      • Code: src/main/java/com/datapipe/jenkins/vault/configuration/VaultConfiguration.java
      • UI: src/main/resources/com/datapipe/jenkins/vault/configuration/VaultConfiguration/config.jelly
    • Guarded diagnostic logs in VaultAccessor.retrieveVaultSecrets(...) (e.g., base config line at VaultAccessor.java:L189-L191) so they print only when verboseLogging is true.
  • Improved error handling

    • New explicit message when no credential is applicable for a secret:
      • “No credential configured for secret '…'. Set a job-level credential or a per-secret credential override.”
    • Context-rich message when per-secret login fails:
      • “Failed to connect/login to Vault for secret (credentialId=…, namespace=…)”
  • Tests

    • Added VaultAccessorOverridesTest:
      • verboseLogging_off_doesNotPrintBaseConfig()
      • verboseLogging_on_printsBaseConfig()
      • noCredentialConfiguredForSecret_throwsHelpfulError()
    • Fixed Mockito generics mismatch by using raw Run/Job in test helper.
    • File: src/test/java/com/datapipe/jenkins/vault/VaultAccessorOverridesTest.java
  • Build notes

    • Ensure resources are copied before HPI packaging:
      • mvn clean resources:resources hpi:hpi
      • or mvn -q -DskipTests clean package
    • src/main/resources/index.jelly exists to satisfy HPI packaging.

Testing done

  • Added unit tests to test the newly added override code

  • Tested that existing jobs continue to use the job-level credential and namespace unless per-secret overrides are configured.

  • Ran parallel jobs with overrides enabled to make sure there are no issues.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or the issue is fixed

```java
}

@SuppressWarnings("unused") // used by stapler
public ListBoxModel doFillVaultCredentialIdItems(@AncestorInPath Item item,
```

Code scanning / Jenkins Security Scan: Stapler: Missing permission check (Warning)

Potential missing permission check in DescriptorImpl#doFillVaultCredentialIdItems
```java
}

@SuppressWarnings("unused") // used by stapler
public ListBoxModel doFillVaultCredentialIdItems(@AncestorInPath Item item,
```

Code scanning / Jenkins Security Scan: Jenkins: Missing permission check on a form fill web method with credentials lookup (Warning)

doFillVaultCredentialIdItems should perform a permission check before calling #includeAs
doFillVaultCredentialIdItems should perform a permission check before calling #includeEmptyValue
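Both findings point at the same gap: a `doFill…Items` method is a Stapler web endpoint, so anyone who can reach the form URL can call it and, without a permission check, enumerate the IDs and descriptions of Vault credentials visible in that scope (including folder-scoped ones the caller could not otherwise see). The block below is an added example of the standard permission-checked form-fill pattern from the credentials plugin's consumer guide, written for this page; it is not the plugin's own code or the PR's implementation. It assumes a credential type named `VaultCredential` (the page does not name the plugin's type; substitute the real one) and that the field binds to the query parameter `vaultCredentialId`.

```java
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

// Hypothetical stand-in for the plugin's Vault credential type (not named on the page).
interface VaultCredential extends StandardCredentials {}

public class VaultSecretDescriptorExample {

    @SuppressWarnings("unused") // used by stapler
    public ListBoxModel doFillVaultCredentialIdItems(@AncestorInPath Item item,
                                                     @QueryParameter String vaultCredentialId) {
        StandardListBoxModel result = new StandardListBoxModel();

        // Authorization first, before any credentials lookup or includeEmptyValue().
        // An unauthorized caller only gets the value they already submitted back,
        // so an existing selection is preserved but nothing new is disclosed.
        if (item == null) {
            // Global configuration context (no enclosing job): require ADMINISTER.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(vaultCredentialId);
            }
        } else {
            // Job or folder context: the caller must be able to read this item's
            // configuration or be allowed to use credentials within it.
            if (!item.hasPermission(Item.EXTENDED_READ)
                    && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                return result.includeCurrentValue(vaultCredentialId);
            }
        }

        // Only now enumerate. Listing as SYSTEM (ACL.SYSTEM on older cores) makes
        // folder- and global-scoped credentials the job may legitimately use appear,
        // which is why the check above must gate this call.
        return result
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM2, item, VaultCredential.class)
                .includeCurrentValue(vaultCredentialId);
    }
}
```

The order is what the scanner is checking for: the `hasPermission` branches run before both `includeEmptyValue()` and `includeAs(...)`. Returning `includeCurrentValue(...)` on the failure path, rather than an empty model, keeps a previously saved credential ID in the dropdown so that a user who can edit the job but cannot enumerate credentials does not silently blank the setting when re-saving. The same check belongs on any companion `doCheckVaultCredentialId` method, since a validation endpoint that looks up credentials by ID leaks existence just as a dropdown does.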