sap-jenkins-library/documentation/developer_hints/VaultResourceReference.md

# The Vault ResourceRef

## Preconditions

Parameters that have a ResourceReference of type `vaultSecret` will be looked up from Vault when all of the following things are true...

* The environment variables `PIPER_vaultAppRoleID` and `PIPER_vaultAppRoleSecretID` must both be set to the Vault AppRole role ID and to the Vault AppRole secret ID. See [Vault AppRole docs](https://www.vaultproject.io/docs/auth/approle)
* `vaultServerUrl` ist set in the `general` section of the configuration file.
* The parameter must not be set by the configuration file, as a CLI Parameter or an environment variable. Any parameter that has already been set won't be resolved via vault.

## Lookup

```
- name: token
        type: string
        description: "Token used to authenticate with the Sonar Server."
        scope:
          - PARAMETERS
        secret: true
        resourceRef:
          - type: vaultSecret
            paths:
            - $(vaultBasePath)/$(vaultPipelineName)/sonar
            - $(vaultBasePath)/__group/sonar
```

With the example above piper will check whether the the `token` parameter has already been set when the config was resolved. If `token` hasn't be resolved yet we will go through every item of the `paths` array, interpolate every string by using the already resolved config and then check whether there is a secret stored at the given path.

In case we find a secret we check whether it has a field (secrets in Vault are **flat** json documents) that matches the parameters name (or one of the alias names), in the example above this would be `token`.
feat(vault): fetch secrets from vault (#2032) * cloud-foundry & sonar from vault * add vault development hint * don't abort on vault errors * cloudfoundry make credentialsId only mandatory when vault is not configured * add vault ref to step ymls * rename vaultAddress to vaultServerUrl * rename PIPER_vaultRole* to PIPER_vaultAppRole* * add resourceRef for detect step * fix error when no namespace is set * added debug logs * added debug logs * fix vault resolving * add vaultCustomBasePath * rename vault_test.go to client_test.go * refactored vault logging * refactored config param lookup for vault * added tüddelchen * rename vaultCustomBasePath to vaultPath * fix tests * change lookup path for group secrets * fix interpolation tests * added vault resource ref to versioning * execute go generate * rename Approle to AppRole * change verbose back to false Co-authored-by: Leander Schulz <leander.schulz01@sap.com> Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> 2020-10-13 14:14:47 +02:00			`# The Vault ResourceRef`

			`## Preconditions`

chore: align Vault naming (#3372) * Align Vault naming * remove duplicate debug output * correct message * align vault naming * Update vault.md 2021-12-21 11:52:10 +01:00			Parameters that have a ResourceReference of type `vaultSecret` will be looked up from Vault when all of the following things are true...
feat(vault): fetch secrets from vault (#2032) * cloud-foundry & sonar from vault * add vault development hint * don't abort on vault errors * cloudfoundry make credentialsId only mandatory when vault is not configured * add vault ref to step ymls * rename vaultAddress to vaultServerUrl * rename PIPER_vaultRole* to PIPER_vaultAppRole* * add resourceRef for detect step * fix error when no namespace is set * added debug logs * added debug logs * fix vault resolving * add vaultCustomBasePath * rename vault_test.go to client_test.go * refactored vault logging * refactored config param lookup for vault * added tüddelchen * rename vaultCustomBasePath to vaultPath * fix tests * change lookup path for group secrets * fix interpolation tests * added vault resource ref to versioning * execute go generate * rename Approle to AppRole * change verbose back to false Co-authored-by: Leander Schulz <leander.schulz01@sap.com> Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> 2020-10-13 14:14:47 +02:00
			* The environment variables `PIPER_vaultAppRoleID` and `PIPER_vaultAppRoleSecretID` must both be set to the Vault AppRole role ID and to the Vault AppRole secret ID. See [Vault AppRole docs](https://www.vaultproject.io/docs/auth/approle)
			* `vaultServerUrl` ist set in the `general` section of the configuration file.
			`* The parameter must not be set by the configuration file, as a CLI Parameter or an environment variable. Any parameter that has already been set won't be resolved via vault.`

			`## Lookup`

			```
			`- name: token`
			`type: string`
			`description: "Token used to authenticate with the Sonar Server."`
			`scope:`
			`- PARAMETERS`
			`secret: true`
			`resourceRef:`
			`- type: vaultSecret`
			`paths:`
			`- $(vaultBasePath)/$(vaultPipelineName)/sonar`
			`- $(vaultBasePath)/__group/sonar`
			```

			With the example above piper will check whether the the `token` parameter has already been set when the config was resolved. If `token` hasn't be resolved yet we will go through every item of the `paths` array, interpolate every string by using the already resolved config and then check whether there is a secret stored at the given path.

chore: align Vault naming (#3372) * Align Vault naming * remove duplicate debug output * correct message * align vault naming * Update vault.md 2021-12-21 11:52:10 +01:00			In case we find a secret we check whether it has a field (secrets in Vault are flat json documents) that matches the parameters name (or one of the alias names), in the example above this would be `token`.