Add Support of comma separated labels into Azure KeyVault Label Selector variable (#282)

vivienfricadelamadeus · web-flow · commit 166053ddda42 · 2025-02-11T16:54:05.000Z
diff --git a/README.md b/README.md
@@ -482,6 +482,7 @@ To filter out secrets from being set, add a System Property or Environment Varia
 ```
 
 **Via Environment Variable**:
+
 ```bash
 AZURE_KEYVAULT_LABEL_SELECTOR=myCustomLabel
 ```
@@ -504,6 +505,10 @@ az keyvault secret set --vault-name my-vault \
 
 Multiple label selectors can be specified as a comma separated list:
 
+```bash
+AZURE_KEYVAULT_LABEL_SELECTOR=myCustomLabel,anotherCustomLabel
+```
+
 ```bash
 az keyvault secret set --vault-name my-vault \
   --name testUserWithLabel \
diff --git a/src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureCredentialsProvider.java b/src/main/java/org/jenkinsci/plugins/azurekeyvaultplugin/AzureCredentialsProvider.java
@@ -150,7 +150,7 @@ private static Collection<IdCredentials> fetchCredentials() {
 
             SecretClient client = SecretClientCache.get(credentialID, keyVaultURL);
 
-            String labelSelector = extractLabelSelector();
+            String configuredLabelSelector = extractLabelSelector();
             List<IdCredentials> credentials = new ArrayList<>();
             for (SecretProperties secretItem : client.listPropertiesOfSecrets()) {
                 String id = secretItem.getId();
@@ -160,11 +160,11 @@ private static Collection<IdCredentials> fetchCredentials() {
                     if (tags == null) {
                         tags = new HashMap<>();
                     }
-
-                    if (StringUtils.isNotBlank(labelSelector)) {
-                        String jenkinsLabels = tags.getOrDefault("jenkins-label", "");
-                        List<String> labelSelectors = Arrays.asList(jenkinsLabels.split(","));
-                        if (!labelSelectors.contains(labelSelector)) {
+                    if (StringUtils.isNotBlank(configuredLabelSelector)) {
+                        String secretLabelSelector = tags.getOrDefault("jenkins-label", "");
+                        List<String> secretLabels = Arrays.asList(secretLabelSelector.split(","));
+                        List<String> configuredLabels = Arrays.asList(configuredLabelSelector.split(","));
+                        if (secretLabels.stream().filter(configuredLabels::contains).findAny().isEmpty()) {
                             continue;
                         }
                     }
@@ -176,7 +176,7 @@ private static Collection<IdCredentials> fetchCredentials() {
 
                     CredentialsScope scope = CredentialsScope.GLOBAL;
 
-                    if (tags.containsKey("scope") && labelScope.equals("SYSTEM")) {
+                    if (tags.containsKey("scope") && labelScope.equalsIgnoreCase("SYSTEM")) {
                         scope = CredentialsScope.SYSTEM;
                     }
 
