Accenture / adop-docker-compose

Talk to us on Gitter: https://gitter.im/Accenture/ADOP

Home Page: https://accenture.github.io/adop-docker-compose


Sensitive passwords show up as environment variables in jobs

michael-t-dukes opened this issue

When installing ADOP on-premise we noticed that the sensitive passwords were shown in the ENVIRONMENT VARIABLES of all jobs.

This means any person with access to "View" any job in Jenkins will be able to see these sensitive passwords, the following we picked out:

  • CREDENTIALS_LDAP_SERVICE_USER_PASSWORD
  • GERRIT_JENKINS_PASSWORD
  • INITIAL_ADMIN_PASSWORD
  • LDAP_MANAGER_PASSWORD
  • SONAR_ACCOUNT_PASSWORD

I suggest that we change the way docker provisions Jenkins so they are loaded in as credentials rather than system variables.


The problem is that they are passed in as environment variables to the container, often to be injected into Jenkins as global environment variables or into the other configuration performed by init.groovy.d stuff - some of which doesn't support the notion of credentials.

I think what would need to happen inside the image is that the environment variables would have to be scrubbed somehow, if that's even possible.

It's also only going to be on jobs running on the master/slave container that has these variables passed in - if you create your own slave it won't have them.

I think the designer's intent is clear in the prefix "INITIAL_". However we can make this a lot more visible and well understood e.g. in the quickstart documentation that people should change them (and how and when).

How this is normally handled in Kubernetes or Openshift Pods (containers) is via a Secret resource.

Luckily, Docker 1.13 has implemented the same! https://docs.docker.com/engine/swarm/secrets/

@bzon yep, this is something we keep in mind for the near future. I already tested it and it requires changes in the Docker images as well (check the entrypoint scripts; official images started to add support for reading secrets from files, whereas before it was from ENV). However, before that we have to upgrade Compose to v3.1, because secrets are supported only since v3.1 of the Compose YAML.
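The "read secrets from files instead of ENV" entrypoint pattern mentioned in the last comment, as an added example (not ADOP's own entrypoint code): a Compose v3.1 `secrets:` entry mounts each secret at `/run/secrets/<name>`, and the container points `VAR_FILE` at that path so the plaintext never has to be passed as `VAR`; the secret name and the demo value below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ADOP's own entrypoint): resolve a setting from VAR or from
# VAR_FILE, the convention the official Docker images use so that a Docker secret
# mounted at /run/secrets/<name> can replace a plaintext environment variable.
# Usage: file_env VAR [default]
file_env() {
  var="$1"
  def="${2:-}"
  # Only accept a plain identifier; the name is expanded with eval below.
  case "$var" in
    ""|[0-9]*|*[!A-Za-z0-9_]*) echo "error: bad variable name '$var'" >&2; return 1 ;;
  esac
  fileVar="${var}_FILE"
  eval "val=\${$var:-}"
  eval "fval=\${$fileVar:-}"
  if [ -n "$val" ] && [ -n "$fval" ]; then
    echo "error: both $var and $fileVar are set (exactly one is allowed)" >&2
    return 1
  fi
  if [ -n "$fval" ]; then
    # Secret file: read its contents (command substitution drops a trailing newline).
    val="$(cat "$fval")"
  elif [ -z "$val" ]; then
    val="$def"
  fi
  export "$var=$val"
  # Drop the *_FILE pointer so only the resolved value reaches the process.
  unset "$fileVar"
}

# Demonstration with a constructed secret file standing in for
# /run/secrets/ldap_manager_password (hypothetical secret name).
demo_secret="$(mktemp)"
printf '%s\n' 'constructed-example-password' > "$demo_secret"
export LDAP_MANAGER_PASSWORD_FILE="$demo_secret"
file_env LDAP_MANAGER_PASSWORD
echo "LDAP_MANAGER_PASSWORD resolved from file, length ${#LDAP_MANAGER_PASSWORD}"
rm -f "$demo_secret"
unset LDAP_MANAGER_PASSWORD
```

Note that the resolved variable is still exported into the container process, so it must be consumed by the init scripts and cleared before Jenkins' global environment is populated if the goal is to keep it out of job pages.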