From 56be54c504960185e3157488af3262ee7cc6e347 Mon Sep 17 00:00:00 2001 
From: Eugene Kortelyov Date: Tue, 21 Sep 2021 14:06:32 +0300 Subject: [PATCH] Feature/vault refactoring (#3113) * refactor vault code * adjust generator * wip: fix tests * regenerate influxdb * fix test * add another test * fix test & docs * fix formatting * Minorupdate and fixes Co-authored-by: Kevin Stiehl Co-authored-by: Oliver Nocon <33484802+OliverNocon@users.noreply.github.com> --- cmd/abapEnvironmentCreateSystem_generated.go | 12 +-- cmd/artifactPrepareVersion_generated.go | 12 +-- cmd/checkmarxExecuteScan_generated.go | 12 +-- cmd/cloudFoundryCreateServiceKey_generated.go | 12 +-- cmd/cloudFoundryCreateService_generated.go | 12 +-- cmd/cloudFoundryDeleteService_generated.go | 12 +-- cmd/cloudFoundryDeploy_generated.go | 12 +-- cmd/cnbBuild_generated.go | 5 +- cmd/detectExecuteScan_generated.go | 6 +- cmd/fortifyExecuteScan_generated.go | 12 +-- cmd/githubCheckBranchProtection_generated.go | 6 +- cmd/githubCommentIssue_generated.go | 6 +- cmd/githubCreateIssue_generated.go | 6 +- cmd/githubCreatePullRequest_generated.go | 6 +- cmd/githubPublishRelease_generated.go | 6 +- cmd/githubSetCommitStatus_generated.go | 6 +- cmd/influxWriteData_generated.go | 6 +- cmd/kanikoExecute_generated.go | 6 +- cmd/kubernetesDeploy_generated.go | 11 +- cmd/mavenBuild_generated.go | 6 +- cmd/protecodeExecuteScan_generated.go | 18 ++-- cmd/sonarExecuteScan_generated.go | 12 +-- cmd/terraformExecute_generated.go | 6 +- cmd/vaultRotateSecretId_generated.go | 23 ++-- cmd/whitesourceExecuteScan_generated.go | 6 +- pkg/config/config.go | 4 +- pkg/config/stepmeta.go | 27 ++++- pkg/config/vault.go | 80 +++++++++++--- pkg/config/vault_test.go | 100 +++++++++--------- pkg/documentation/generator/parameters.go | 5 +- pkg/generator/helper/helper.go | 6 +- .../metadata/abapEnvironmentCreateSystem.yaml | 12 +-- resources/metadata/checkmarx.yaml | 12 +-- .../metadata/cloudFoundryCreateService.yaml | 12 +-- .../cloudFoundryCreateServiceKey.yaml | 12 +-- 
.../metadata/cloudFoundryDeleteService.yaml | 12 +-- resources/metadata/cloudFoundryDeploy.yaml | 12 +-- resources/metadata/detect.yaml | 6 +- resources/metadata/fortify.yaml | 12 +-- .../metadata/githubbranchprotection.yaml | 6 +- resources/metadata/githubcommentissue.yaml | 6 +- resources/metadata/githubcreateissue.yaml | 6 +- resources/metadata/githubcreatepr.yaml | 6 +- resources/metadata/githubrelease.yaml | 6 +- resources/metadata/githubstatus.yaml | 6 +- resources/metadata/influx.yaml | 6 +- resources/metadata/kaniko.yaml | 6 +- resources/metadata/kubernetesdeploy.yaml | 11 +- resources/metadata/mavenBuild.yaml | 6 +- resources/metadata/protecode.yaml | 18 ++-- resources/metadata/sonar.yaml | 12 +-- resources/metadata/terraformExecute.yaml | 6 +- resources/metadata/vaultRotateSecretId.yaml | 18 ++-- resources/metadata/versioning.yaml | 12 +-- resources/metadata/whitesource.yaml | 6 +- 55 files changed, 338 insertions(+), 348 deletions(-) diff --git a/cmd/abapEnvironmentCreateSystem_generated.go b/cmd/abapEnvironmentCreateSystem_generated.go index 06b67d1f4..067334afc 100644 --- a/cmd/abapEnvironmentCreateSystem_generated.go +++ b/cmd/abapEnvironmentCreateSystem_generated.go @@ -169,9 +169,9 @@ func abapEnvironmentCreateSystemMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"}, - Type: "vaultSecret", + Name: "cloudfoundryVaultSecretName", + Type: "vaultSecret", + Default: "cloudfoundry-$(org)-$(space)", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 
@@ -190,9 +190,9 @@ func abapEnvironmentCreateSystemMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"}, - Type: "vaultSecret", + Name: "cloudfoundryVaultSecretName", + Type: "vaultSecret", + Default: "cloudfoundry-$(org)-$(space)", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/artifactPrepareVersion_generated.go b/cmd/artifactPrepareVersion_generated.go index 097056db5..42086d6db 100644 --- a/cmd/artifactPrepareVersion_generated.go +++ b/cmd/artifactPrepareVersion_generated.go @@ -368,9 +368,9 @@ func artifactPrepareVersionMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/gitHttpsCredential", "$(vaultBasePath)/$(vaultPipelineName)/gitHttpsCredential", "$(vaultBasePath)/GROUP-SECRETS/gitHttpsCredential"}, - Type: "vaultSecret", + Name: "gitHttpsCredentialVaultSecretName", + Type: "vaultSecret", + Default: "gitHttpsCredential", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, @@ -425,9 +425,9 @@ func artifactPrepareVersionMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/gitHttpsCredential", "$(vaultBasePath)/$(vaultPipelineName)/gitHttpsCredential", "$(vaultBasePath)/GROUP-SECRETS/gitHttpsCredential"}, - Type: "vaultSecret", + Name: "gitHttpsCredentialVaultSecretName", + Type: "vaultSecret", + Default: "gitHttpsCredential", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/checkmarxExecuteScan_generated.go b/cmd/checkmarxExecuteScan_generated.go index 95b225a04..7dc7568ef 100644 --- a/cmd/checkmarxExecuteScan_generated.go +++ b/cmd/checkmarxExecuteScan_generated.go 
@@ -380,9 +380,9 @@ func checkmarxExecuteScanMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/checkmarx", "$(vaultBasePath)/$(vaultPipelineName)/checkmarx", "$(vaultBasePath)/GROUP-SECRETS/checkmarx"}, - Type: "vaultSecret", + Name: "checkmarxVaultSecretName", + Type: "vaultSecret", + Default: "checkmarx", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, @@ -464,9 +464,9 @@ func checkmarxExecuteScanMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/checkmarx", "$(vaultBasePath)/$(vaultPipelineName)/checkmarx", "$(vaultBasePath)/GROUP-SECRETS/checkmarx"}, - Type: "vaultSecret", + Name: "checkmarxVaultSecretName", + Type: "vaultSecret", + Default: "checkmarx", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/cloudFoundryCreateServiceKey_generated.go b/cmd/cloudFoundryCreateServiceKey_generated.go index e4d118254..0867a8156 100644 --- a/cmd/cloudFoundryCreateServiceKey_generated.go +++ b/cmd/cloudFoundryCreateServiceKey_generated.go @@ -153,9 +153,9 @@ func cloudFoundryCreateServiceKeyMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"}, - Type: "vaultSecret", + Name: "cloudfoundryVaultSecretName", + Type: "vaultSecret", + Default: "cloudfoundry-$(org)-$(space)", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, @@ -174,9 +174,9 @@ func cloudFoundryCreateServiceKeyMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"}, - Type: "vaultSecret", + Name: "cloudfoundryVaultSecretName", + Type: "vaultSecret", + Default: "cloudfoundry-$(org)-$(space)", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 
diff --git a/cmd/cloudFoundryCreateService_generated.go b/cmd/cloudFoundryCreateService_generated.go index 61b39f10e..07c00c84f 100644 --- a/cmd/cloudFoundryCreateService_generated.go +++ b/cmd/cloudFoundryCreateService_generated.go @@ -172,9 +172,9 @@ func cloudFoundryCreateServiceMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"}, - Type: "vaultSecret", + Name: "cloudfoundryVaultSecretName", + Type: "vaultSecret", + Default: "cloudfoundry-$(org)-$(space)", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, @@ -193,9 +193,9 @@ func cloudFoundryCreateServiceMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"}, - Type: "vaultSecret", + Name: "cloudfoundryVaultSecretName", + Type: "vaultSecret", + Default: "cloudfoundry-$(org)-$(space)", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/cloudFoundryDeleteService_generated.go b/cmd/cloudFoundryDeleteService_generated.go index 7d6564e73..8014e20d7 100644 --- a/cmd/cloudFoundryDeleteService_generated.go +++ b/cmd/cloudFoundryDeleteService_generated.go @@ -150,9 +150,9 @@ func cloudFoundryDeleteServiceMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"}, - Type: "vaultSecret", + Name: "cloudfoundryVaultSecretName", + Type: "vaultSecret", + Default: "cloudfoundry-$(org)-$(space)", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 
@@ -171,9 +171,9 @@ func cloudFoundryDeleteServiceMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"}, - Type: "vaultSecret", + Name: "cloudfoundryVaultSecretName", + Type: "vaultSecret", + Default: "cloudfoundry-$(org)-$(space)", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/cloudFoundryDeploy_generated.go b/cmd/cloudFoundryDeploy_generated.go index 0dcad30d6..e67389f00 100644 --- a/cmd/cloudFoundryDeploy_generated.go +++ b/cmd/cloudFoundryDeploy_generated.go @@ -478,9 +478,9 @@ func cloudFoundryDeployMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"}, - Type: "vaultSecret", + Name: "cloudfoundryVaultSecretName", + Type: "vaultSecret", + Default: "cloudfoundry-$(org)-$(space)", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, @@ -526,9 +526,9 @@ func cloudFoundryDeployMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space)", "$(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space)"}, - Type: "vaultSecret", + Name: "cloudfoundryVaultSecretName", + Type: "vaultSecret", + Default: "cloudfoundry-$(org)-$(space)", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/cnbBuild_generated.go b/cmd/cnbBuild_generated.go index 714cb5514..7e520d426 100644 --- a/cmd/cnbBuild_generated.go +++ b/cmd/cnbBuild_generated.go 
@@ -229,9 +229,8 @@ func cnbBuildMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/docker-config", "$(vaultBasePath)/$(vaultPipelineName)/docker-config", "$(vaultBasePath)/GROUP-SECRETS/docker-config"}, - Type: "vaultSecretFile", + Name: "", + Type: "vaultSecretFile", }, }, Scope: []string{"PARAMETERS"}, diff --git a/cmd/detectExecuteScan_generated.go b/cmd/detectExecuteScan_generated.go index e81979700..9ad1048cb 100644 --- a/cmd/detectExecuteScan_generated.go +++ b/cmd/detectExecuteScan_generated.go @@ -229,9 +229,9 @@ func detectExecuteScanMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/detect", "$(vaultBasePath)/$(vaultPipelineName)/detect", "$(vaultBasePath)/GROUP-SECRETS/detect"}, - Type: "vaultSecret", + Name: "detectVaultSecretName", + Type: "vaultSecret", + Default: "detect", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/fortifyExecuteScan_generated.go b/cmd/fortifyExecuteScan_generated.go index 518d3678f..b9d18402e 100644 --- a/cmd/fortifyExecuteScan_generated.go +++ b/cmd/fortifyExecuteScan_generated.go @@ -329,9 +329,9 @@ func fortifyExecuteScanMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/fortify", "$(vaultBasePath)/$(vaultPipelineName)/fortify", "$(vaultBasePath)/GROUP-SECRETS/fortify"}, - Type: "vaultSecret", + Name: "fortifyVaultSecretName", + Type: "vaultSecret", + Default: "fortify", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, @@ -367,9 +367,9 @@ func fortifyExecuteScanMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"}, - Type: "vaultSecret", + Name: "githubVaultSecretName", + Type: "vaultSecret", + Default: "github", }, }, Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, 
diff --git a/cmd/githubCheckBranchProtection_generated.go b/cmd/githubCheckBranchProtection_generated.go index 743b97c60..f5d00ee5b 100644 --- a/cmd/githubCheckBranchProtection_generated.go +++ b/cmd/githubCheckBranchProtection_generated.go @@ -215,9 +215,9 @@ func githubCheckBranchProtectionMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"}, - Type: "vaultSecret", + Name: "githubVaultSecretName", + Type: "vaultSecret", + Default: "github", }, }, Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/githubCommentIssue_generated.go b/cmd/githubCommentIssue_generated.go index 6facd1931..60fdd52bc 100644 --- a/cmd/githubCommentIssue_generated.go +++ b/cmd/githubCommentIssue_generated.go @@ -195,9 +195,9 @@ func githubCommentIssueMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"}, - Type: "vaultSecret", + Name: "githubVaultSecretName", + Type: "vaultSecret", + Default: "github", }, }, Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/githubCreateIssue_generated.go b/cmd/githubCreateIssue_generated.go index e130e707a..e85e548ea 100644 --- a/cmd/githubCreateIssue_generated.go +++ b/cmd/githubCreateIssue_generated.go @@ -204,9 +204,9 @@ func githubCreateIssueMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"}, - Type: "vaultSecret", + Name: "githubVaultSecretName", + Type: "vaultSecret", + Default: "github", }, }, Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/githubCreatePullRequest_generated.go b/cmd/githubCreatePullRequest_generated.go index 6e5ec3a5e..fa302a7a0 100644 --- a/cmd/githubCreatePullRequest_generated.go 
+++ b/cmd/githubCreatePullRequest_generated.go @@ -243,9 +243,9 @@ func githubCreatePullRequestMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"}, - Type: "vaultSecret", + Name: "githubVaultSecretName", + Type: "vaultSecret", + Default: "github", }, }, Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/githubPublishRelease_generated.go b/cmd/githubPublishRelease_generated.go index e6e5beecf..ea7869093 100644 --- a/cmd/githubPublishRelease_generated.go +++ b/cmd/githubPublishRelease_generated.go @@ -283,9 +283,9 @@ func githubPublishReleaseMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"}, - Type: "vaultSecret", + Name: "githubVaultSecretName", + Type: "vaultSecret", + Default: "github", }, }, Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/githubSetCommitStatus_generated.go b/cmd/githubSetCommitStatus_generated.go index c775600ea..4e82ef0c4 100644 --- a/cmd/githubSetCommitStatus_generated.go +++ b/cmd/githubSetCommitStatus_generated.go @@ -240,9 +240,9 @@ func githubSetCommitStatusMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"}, - Type: "vaultSecret", + Name: "githubVaultSecretName", + Type: "vaultSecret", + Default: "github", }, }, Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/influxWriteData_generated.go b/cmd/influxWriteData_generated.go index fdcc18c3c..356a88499 100644 --- a/cmd/influxWriteData_generated.go +++ b/cmd/influxWriteData_generated.go 
@@ -143,9 +143,9 @@ func influxWriteDataMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/influxdb", "$(vaultBasePath)/$(vaultPipelineName)/influxdb", "$(vaultBasePath)/GROUP-SECRETS/influxdb"}, - Type: "vaultSecret", + Name: "influxVaultSecretName", + Type: "vaultSecret", + Default: "influxdb", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/kanikoExecute_generated.go b/cmd/kanikoExecute_generated.go index 506a7f25c..921c2860a 100644 --- a/cmd/kanikoExecute_generated.go +++ b/cmd/kanikoExecute_generated.go @@ -260,9 +260,9 @@ func kanikoExecuteMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/docker-config", "$(vaultBasePath)/$(vaultPipelineName)/docker-config", "$(vaultBasePath)/GROUP-SECRETS/docker-config"}, - Type: "vaultSecretFile", + Name: "dockerConfigFileVaultSecretName", + Type: "vaultSecretFile", + Default: "docker-config", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/kubernetesDeploy_generated.go b/cmd/kubernetesDeploy_generated.go index f6579a6ed..96e5d3560 100644 --- a/cmd/kubernetesDeploy_generated.go +++ b/cmd/kubernetesDeploy_generated.go @@ -370,9 +370,9 @@ func kubernetesDeployMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/kube-config", "$(vaultBasePath)/$(vaultPipelineName)/kube-config", "$(vaultBasePath)/GROUP-SECRETS/kube-config"}, - Type: "vaultSecretFile", + Name: "kubeConfigFileSecretName", + Type: "vaultSecretFile", + Default: "kube-config", }, }, Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, @@ -436,9 +436,8 @@ func kubernetesDeployMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/docker-config", "$(vaultBasePath)/$(vaultPipelineName)/docker-config", "$(vaultBasePath)/GROUP-SECRETS/docker-config"}, - Type: "vaultSecretFile", + Name: "dockerConfigFileVaultSecretName", + Type: "vaultSecretFile", }, }, Scope: []string{"PARAMETERS"}, 
diff --git a/cmd/mavenBuild_generated.go b/cmd/mavenBuild_generated.go index e6bbbc93a..89bd9f70f 100644 --- a/cmd/mavenBuild_generated.go +++ b/cmd/mavenBuild_generated.go @@ -244,9 +244,9 @@ func mavenBuildMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/alt-deployment-repository-passowrd", "$(vaultBasePath)/$(vaultPipelineName)/alt-deployment-repository-passowrd", "$(vaultBasePath)/GROUP-SECRETS/alt-deployment-repository-passowrd"}, - Type: "vaultSecretFile", + Name: "altDeploymentRepositoryPasswordFileVaultSecretName", + Type: "vaultSecretFile", + Default: "alt-deployment-repository-passowrd", }, }, Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/protecodeExecuteScan_generated.go b/cmd/protecodeExecuteScan_generated.go index dbc8582df..119011ec0 100644 --- a/cmd/protecodeExecuteScan_generated.go +++ b/cmd/protecodeExecuteScan_generated.go @@ -268,9 +268,9 @@ func protecodeExecuteScanMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/docker-config", "$(vaultBasePath)/$(vaultPipelineName)/docker-config", "$(vaultBasePath)/GROUP-SECRETS/docker-config"}, - Type: "vaultSecretFile", + Name: "dockerConfigFileVaultSecretName", + Type: "vaultSecretFile", + Default: "docker-config", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, @@ -379,9 +379,9 @@ func protecodeExecuteScanMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/protecode", "$(vaultBasePath)/$(vaultPipelineName)/protecode", "$(vaultBasePath)/GROUP-SECRETS/protecode"}, - Type: "vaultSecret", + Name: "protecodeVaultSecretName", + Type: "vaultSecret", + Default: "protecode", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 
@@ -400,9 +400,9 @@ func protecodeExecuteScanMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/protecode", "$(vaultBasePath)/$(vaultPipelineName)/protecode", "$(vaultBasePath)/GROUP-SECRETS/protecode"}, - Type: "vaultSecret", + Name: "protecodeVaultSecretName", + Type: "vaultSecret", + Default: "protecode", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/sonarExecuteScan_generated.go b/cmd/sonarExecuteScan_generated.go index 45bc46253..530a3adb4 100644 --- a/cmd/sonarExecuteScan_generated.go +++ b/cmd/sonarExecuteScan_generated.go @@ -241,9 +241,9 @@ func sonarExecuteScanMetadata() config.StepData { Name: "token", ResourceRef: []config.ResourceReference{ { - Name: "", - Paths: []string{"$(vaultPath)/sonar", "$(vaultBasePath)/$(vaultPipelineName)/sonar", "$(vaultBasePath)/GROUP-SECRETS/sonar"}, - Type: "vaultSecret", + Name: "sonarSecretName", + Type: "vaultSecret", + Default: "sonar", }, { @@ -452,9 +452,9 @@ func sonarExecuteScanMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/github", "$(vaultBasePath)/$(vaultPipelineName)/github", "$(vaultBasePath)/GROUP-SECRETS/github"}, - Type: "vaultSecret", + Name: "githubVaultSecretName", + Type: "vaultSecret", + Default: "github", }, }, Scope: []string{"PARAMETERS"}, diff --git a/cmd/terraformExecute_generated.go b/cmd/terraformExecute_generated.go index 5ceec29cb..40746ef7c 100644 --- a/cmd/terraformExecute_generated.go +++ b/cmd/terraformExecute_generated.go 
@@ -125,9 +125,9 @@ func terraformExecuteMetadata() config.StepData { Name: "terraformSecrets", ResourceRef: []config.ResourceReference{ { - Name: "", - Paths: []string{"$(vaultPath)/terraformExecute", "$(vaultBasePath)/$(vaultPipelineName)/terraformExecute", "$(vaultBasePath)/GROUP-SECRETS/terraformExecute"}, - Type: "vaultSecretFile", + Name: "terraformExecuteFileVaultSecret", + Type: "vaultSecretFile", + Default: "terraformExecute", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/vaultRotateSecretId_generated.go b/cmd/vaultRotateSecretId_generated.go index 743d0d9be..89ad8ecdc 100644 --- a/cmd/vaultRotateSecretId_generated.go +++ b/cmd/vaultRotateSecretId_generated.go @@ -151,9 +151,9 @@ func vaultRotateSecretIdMetadata() config.StepData { Name: "jenkinsUrl", ResourceRef: []config.ResourceReference{ { - Name: "", - Paths: []string{"$(vaultPath)/jenkins", "$(vaultBasePath)/$(vaultPipelineName)/jenkins", "$(vaultBasePath)/GROUP-SECRETS/jenkins"}, - Type: "vaultSecret", + Name: "jenkinsVaultSecret", + Type: "vaultSecret", + Default: "jenkins", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, @@ -175,9 +175,9 @@ func vaultRotateSecretIdMetadata() config.StepData { Name: "jenkinsUsername", ResourceRef: []config.ResourceReference{ { - Name: "", - Paths: []string{"$(vaultPath)/jenkins", "$(vaultBasePath)/$(vaultPipelineName)/jenkins", "$(vaultBasePath)/GROUP-SECRETS/jenkins"}, - Type: "vaultSecret", + Name: "jenkinsVaultSecret", + Type: "vaultSecret", + Default: "jenkins", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, 
@@ -190,9 +190,9 @@ func vaultRotateSecretIdMetadata() config.StepData { Name: "jenkinsToken", ResourceRef: []config.ResourceReference{ { - Name: "", - Paths: []string{"$(vaultPath)/jenkins", "$(vaultBasePath)/$(vaultPipelineName)/jenkins", "$(vaultBasePath)/GROUP-SECRETS/jenkins"}, - Type: "vaultSecret", + Name: "jenkinsVaultSecret", + Type: "vaultSecret", + Default: "jenkins", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, @@ -250,9 +250,8 @@ func vaultRotateSecretIdMetadata() config.StepData { Name: "adoPersonalAccessToken", ResourceRef: []config.ResourceReference{ { - Name: "", - Paths: []string{"$(vaultPath)/jenkins", "$(vaultBasePath)/$(vaultPipelineName)/jenkins", "$(vaultBasePath)/GROUP-SECRETS/jenkins"}, - Type: "vaultSecret", + Name: "", + Type: "vaultSecret", }, }, Scope: []string{"PARAMETERS", "STAGES", "STEPS"}, diff --git a/cmd/whitesourceExecuteScan_generated.go b/cmd/whitesourceExecuteScan_generated.go index 430bb99ea..0ff80205d 100644 --- a/cmd/whitesourceExecuteScan_generated.go +++ b/cmd/whitesourceExecuteScan_generated.go @@ -614,9 +614,9 @@ func whitesourceExecuteScanMetadata() config.StepData { }, { - Name: "", - Paths: []string{"$(vaultPath)/whitesource", "$(vaultBasePath)/$(vaultPipelineName)/whitesource", "$(vaultBasePath)/GROUP-SECRETS/whitesource"}, - Type: "vaultSecret", + Name: "whitesourceVaultSecret", + Type: "vaultSecret", + Default: "whitesource", }, }, Scope: []string{"GENERAL", "PARAMETERS", "STAGES", "STEPS"}, diff --git a/pkg/config/config.go b/pkg/config/config.go index 67ae1f87d..f8b8602b8 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go 
@@ -191,7 +191,7 @@ func (c *Config) GetStepConfig(flagValues map[string]interface{}, paramJSON stri stepConfig.mixIn(def.General, filters.General) stepConfig.mixIn(def.Steps[stepName], filters.Steps) stepConfig.mixIn(def.Stages[stageName], filters.Steps) - stepConfig.mixinVaultConfig(def.General, def.Steps[stepName], def.Stages[stageName]) + stepConfig.mixinVaultConfig(parameters, def.General, def.Steps[stepName], def.Stages[stageName]) stepConfig.mixInHookConfig(def.Hooks) } @@ -233,7 +233,7 @@ func (c *Config) GetStepConfig(flagValues map[string]interface{}, paramJSON stri log.Entry().Warnf("invalid value for parameter verbose: '%v'", stepConfig.Config["verbose"]) } - stepConfig.mixinVaultConfig(c.General, c.Steps[stepName], c.Stages[stageName]) + stepConfig.mixinVaultConfig(parameters, c.General, c.Steps[stepName], c.Stages[stageName]) // check whether vault should be skipped if skip, ok := stepConfig.Config["skipVault"].(bool); !ok || !skip { // fetch secrets from vault diff --git a/pkg/config/stepmeta.go b/pkg/config/stepmeta.go index ea75fa353..fc30e6426 100644 --- a/pkg/config/stepmeta.go +++ b/pkg/config/stepmeta.go @@ -61,11 +61,11 @@ type StepParameters struct { // ResourceReference defines the parameters of a resource reference type ResourceReference struct { - Name string `json:"name"` - Type string `json:"type,omitempty"` - Param string `json:"param,omitempty"` - Paths []string `json:"paths,omitempty"` - Aliases []Alias `json:"aliases,omitempty"` + Name string `json:"name"` + Type string `json:"type,omitempty"` + Param string `json:"param,omitempty"` + Default string `json:"default,omitempty"` + Aliases []Alias `json:"aliases,omitempty"` } // Alias defines a step input parameter alias 
@@ -411,6 +411,23 @@ func (m *StepParameters) GetReference(refType string) *ResourceReference { return nil } +func getFilterForResourceReferences(params []StepParameters) []string { + var filter []string + for _, param := range params { + reference := param.GetReference("vaultSecret") + if reference == nil { + reference = param.GetReference("vaultSecretFile") + } + if reference == nil { + return filter + } + if reference.Name != "" { + filter = append(filter, reference.Name) + } + } + return filter +} + // HasReference checks whether StepData contains a parameter that has Reference with the given type func (m *StepData) HasReference(refType string) bool { for _, param := range m.Spec.Inputs.Parameters { diff --git a/pkg/config/vault.go b/pkg/config/vault.go index 55722bfc7..037362720 100644 --- a/pkg/config/vault.go +++ b/pkg/config/vault.go @@ -3,6 +3,7 @@ package config import ( "io/ioutil" "os" + "path" "regexp" "strings" 
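Review bot: In getFilterForResourceReferences the `if reference == nil { return filter }` branch stops scanning at the first parameter that has no vault reference, so secret-name keys declared on any later parameter never enter the filter and mixinVaultConfig (hunk @@ -51 in pkg/config/vault.go) skips them, leaving the user's `...VaultSecretName` override unread; it should be `if reference == nil { continue }`. If a parameter without a vault reference precedes the ones with references, which seems likely for most step metadata, the filter will usually be empty, and a test with a single parameter cannot catch that. A doc comment would help as well: `// getFilterForResourceReferences returns the config keys (the Name of each vaultSecret/vaultSecretFile reference) that may override a secret name; an empty filter means no override keys are known.`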
@@ -13,27 +14,45 @@ import ( ) const ( - vaultTestCredentialPath = "vaultTestCredentialPath" - vaultTestCredentialKeys = "vaultTestCredentialKeys" - vaultTestCredentialEnvPrefix_Default = "PIPER_TESTCREDENTIAL_" + vaultRootPaths = "vaultRootPaths" + vaultTestCredentialPath = "vaultTestCredentialPath" + vaultTestCredentialKeys = "vaultTestCredentialKeys" + vaultAppRoleID = "vaultAppRoleID" + vaultAppRoleSecretID = "vaultAppRoleSecreId" + vaultServerUrl = "vaultServerUrl" + vaultNamespace = "vaultNamespace" + vaultBasePath = "vaultBasePath" + vaultPipelineName = "vaultPipelineName" + vaultPath = "vaultPath" + skipVault = "skipVault" + vaultDisableOverwrite = "vaultDisableOverwrite" + vaultTestCredentialEnvPrefixDefault = "PIPER_TESTCREDENTIAL_" ) var ( vaultFilter = []string{ - "vaultAppRoleID", - "vaultAppRoleSecreId", - "vaultServerUrl", - "vaultNamespace", - "vaultBasePath", - "vaultPipelineName", - "vaultPath", - "vaultTestCredentialEnvPrefix", - "skipVault", - "vaultDisableOverwrite", + vaultRootPaths, + vaultAppRoleID, + vaultAppRoleSecretID, + vaultServerUrl, + vaultNamespace, + vaultBasePath, + vaultPipelineName, + vaultPath, + skipVault, + vaultDisableOverwrite, vaultTestCredentialPath, vaultTestCredentialKeys, } + // VaultRootPaths are the lookup paths piper tries to use during the vault lookup. + // A path is only used if it's variables can be interpolated from the config + VaultRootPaths = []string{ + "$(vaultPath)", + "$(vaultBasePath)/$(vaultPipelineName)", + "$(vaultBasePath)/GROUP-SECRETS", + } + // VaultSecretFileDirectory holds the directory for the current step run to temporarily store secret files fetched from vault VaultSecretFileDirectory = "" ) 
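Review bot: `vaultTestCredentialEnvPrefix` is missing from the rewritten vaultFilter although the removed list contained it and populateTestCredentialsAsEnvs (hunk @@ -179 below) still reads `config.Config["vaultTestCredentialEnvPrefix"]`; unless that key reaches the step config by another route, a configured prefix is now filtered out and the `PIPER_TESTCREDENTIAL_` default is used silently. Add `vaultTestCredentialEnvPrefix = "vaultTestCredentialEnvPrefix"` to the const block and list it in vaultFilter. The value of `vaultAppRoleSecretID` keeps the misspelled key `"vaultAppRoleSecreId"` from the old list, presumably because existing configurations use it; a comment such as `// key spelling kept for compatibility with existing config` would stop the next refactoring from "fixing" it. The new comment on VaultRootPaths should read `its variables` rather than `it's variables`, and since the slice is exported and mutable it is worth stating whether callers may modify it.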
@@ -51,9 +70,13 @@ type vaultClient interface { MustRevokeToken() } -func (s *StepConfig) mixinVaultConfig(configs ...map[string]interface{}) { +func (s *StepConfig) mixinVaultConfig(parameters []StepParameters, configs ...map[string]interface{}) { for _, config := range configs { s.mixIn(config, vaultFilter) + // when an empty filter is returned we skip the mixin call since an empty filter will allow everything + if referencesFilter := getFilterForResourceReferences(parameters); len(referencesFilter) > 0 { + s.mixIn(config, referencesFilter) + } } } @@ -109,7 +132,7 @@ func resolveVaultReference(ref *ResourceReference, config *StepConfig, client va } var secretValue *string - for _, vaultPath := range ref.Paths { + for _, vaultPath := range getSecretReferencePaths(ref, config.Config) { // it should be possible to configure the root path were the secret is stored vaultPath, ok := interpolation.ResolveString(vaultPath, config.Config) if !ok { @@ -179,7 +202,7 @@ func populateTestCredentialsAsEnvs(config *StepConfig, secret map[string]string, vaultTestCredentialEnvPrefix, ok := config.Config["vaultTestCredentialEnvPrefix"].(string) if !ok || len(vaultTestCredentialEnvPrefix) == 0 { - vaultTestCredentialEnvPrefix = vaultTestCredentialEnvPrefix_Default + vaultTestCredentialEnvPrefix = vaultTestCredentialEnvPrefixDefault } for secretKey, secretValue := range secret { for _, key := range keys { 
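Review bot: In mixinVaultConfig the call `getFilterForResourceReferences(parameters)` sits inside the `for _, config := range configs` loop although its result depends only on parameters, so the metadata is rescanned once per config map; compute it once before the loop, `referencesFilter := getFilterForResourceReferences(parameters)`, and keep the `len(referencesFilter) > 0` guard around the second `s.mixIn(config, referencesFilter)`. The existing comment explains the guard well; a short doc comment stating that the second mixIn only admits keys named by the step's own metadata, so a config file cannot widen the set of accepted keys, would make the intent explicit.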
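Review bot: The loop variable in `for _, vaultPath := range getSecretReferencePaths(ref, config.Config)` now shadows the package-level const `vaultPath` (= "vaultPath") added in hunk @@ -13 of this file, and the shadowed name is immediately reassigned by `vaultPath, ok := interpolation.ResolveString(vaultPath, config.Config)`; renaming the local to something like `candidatePath` keeps the config key and the lookup path apart. The body of resolveVaultReference continues outside the hunk, so the remaining uses of the local would need the same rename.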
@@ -284,3 +307,28 @@ func lookupPath(client vaultClient, path string, param *StepParameters) *string
 }
 return nil
 }
+
+func getSecretReferencePaths(reference *ResourceReference, config map[string]interface{}) []string {
+ retPaths := make([]string, 0, len(VaultRootPaths))
+ secretName := reference.Default
+ if providedName, ok := config[reference.Name].(string); ok && providedName != "" {
+ secretName = providedName
+ }
+ for _, rootPath := range VaultRootPaths {
+ fullPath := path.Join(rootPath, secretName)
+ retPaths = append(retPaths, fullPath)
+ }
+ return retPaths
+}
+
+func toStringSlice(interfaceSlice []interface{}) []string {
+ retSlice := make([]string, 0, len(interfaceSlice))
+ for _, vRaw := range interfaceSlice {
+ if v, ok := vRaw.(string); ok {
+ retSlice = append(retSlice, v)
+ continue
+ }
+ log.Entry().Warnf("'%s' needs to be of type string or an array of strings but got %T (%[2]v)", vaultPath, vRaw)
+ }
+ return retSlice
+}
diff --git a/pkg/config/vault_test.go b/pkg/config/vault_test.go
index 90b578dbd..4f00ca2dc 100644
--- a/pkg/config/vault_test.go
+++ b/pkg/config/vault_test.go
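Review bot: getSecretReferencePaths turns an empty secret name into the bare root path: with `reference.Default == ""` and nothing configured under `reference.Name` (several generated references in this patch now carry no Default, e.g. cnbBuild's docker-config reference and vaultRotateSecretId's adoPersonalAccessToken), `path.Join(rootPath, "")` returns `$(vaultPath)` itself, so the lookup is attempted at the root instead of being skipped, whereas the removed metadata still pointed at `.../docker-config`. Since `path.Join` also cleans the result, a configured name containing `/` or `..` resolves outside the root paths; the AppRole policy stays the real boundary, but rejecting such names with a warning makes the misconfiguration visible instead of producing an unexpected lookup. Separately, toStringSlice's Warnf passes the const `vaultPath` as the offending key, which prints `'vaultPath'` although the value being converted is presumably `vaultRootPaths`, and the function has no caller in this patch. A doc comment for getSecretReferencePaths should state that the configured name under `reference.Name` wins over `reference.Default` and that one path per entry of VaultRootPaths is returned.
```go
func getSecretReferencePaths(reference *ResourceReference, config map[string]interface{}) []string {
	secretName := reference.Default
	if providedName, ok := config[reference.Name].(string); ok && providedName != "" {
		secretName = providedName
	}
	// an empty name would make the root path itself the lookup target; a separator or ".." would leave the root path
	if secretName == "" || strings.Contains(secretName, "/") || strings.Contains(secretName, "..") {
		log.Entry().Warnf("vault secret name %q for reference '%s' is empty or not a plain name, skipping", secretName, reference.Name)
		return nil
	}
	// … unchanged: join secretName onto each entry of VaultRootPaths …
```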
@@ -2,28 +2,44 @@ package config
 import (
 	"fmt"
+	"github.com/stretchr/testify/mock"
 	"io/ioutil"
 	"os"
+	"path"
 	"strings"
 	"testing"
 	"github.com/SAP/jenkins-library/pkg/config/mocks"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
 )
 func TestVaultConfigLoad(t *testing.T) {
 	const secretName = "testSecret"
+	const secretNameOverrideKey = "mySecretVaultSecretName"
 	t.Parallel()
 	t.Run("Load secret from vault", func(t *testing.T) {
 		vaultMock := &mocks.VaultMock{}
 		stepConfig := StepConfig{Config: map[string]interface{}{
-			"vaultBasePath": "team1",
+			"vaultPath": "team1",
 		}}
-		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")}
+		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)}
 		vaultData := map[string]string{secretName: "value1"}
-		vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil)
+		vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(vaultData, nil)
+		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
+		assert.Equal(t, "value1", stepConfig.Config[secretName])
+	})
+
+	t.Run("Load secret from vault with path override", func(t *testing.T) {
+		vaultMock := &mocks.VaultMock{}
+		stepConfig := StepConfig{Config: map[string]interface{}{
+			"vaultPath": "team1",
+			secretNameOverrideKey: "overrideSecretName",
+		}}
+		stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)}
+		vaultData := map[string]string{secretName: "value1"}
+
+		vaultMock.On("GetKvSecret", path.Join("team1", "overrideSecretName")).Return(vaultData, nil)
 		resolveAllVaultReferences(&stepConfig, vaultMock, stepParams)
 		assert.Equal(t, "value1", stepConfig.Config[secretName])
 	})
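Review bot: The import block now places `"github.com/stretchr/testify/mock"` between `"fmt"` and `"io/ioutil"`, inside the standard-library group, while the same line is removed from the third-party group below; goimports would move it back next to `"github.com/stretchr/testify/assert"`, so the removal should simply be dropped and the `+` line omitted. The new "Load secret from vault with path override" subtest only asserts the resolved value, so a lookup that ignored the override and fell back to the default name would pass as long as the mock returned the same data; add `vaultMock.AssertNotCalled(t, "GetKvSecret", path.Join("team1", secretName))` after the Equal to pin that the override replaces the default rather than being tried alongside it.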
@@ -31,13 +47,13 @@ func TestVaultConfigLoad(t *testing.T) { t.Run("Secrets are not overwritten", func(t *testing.T) { vaultMock := &mocks.VaultMock{} stepConfig := StepConfig{Config: map[string]interface{}{ - "vaultBasePath": "team1", + "vaultPath": "team1", secretName: "preset value", "vaultDisableOverwrite": true, }} - stepParams := []StepParameters{stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")} + stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)} vaultData := map[string]string{secretName: "value1"} - vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil) + vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(vaultData, nil) resolveAllVaultReferences(&stepConfig, vaultMock, stepParams) assert.Equal(t, "preset value", stepConfig.Config[secretName]) @@ -46,12 +62,12 @@ func TestVaultConfigLoad(t *testing.T) { t.Run("Secrets can be overwritten", func(t *testing.T) { vaultMock := &mocks.VaultMock{} stepConfig := StepConfig{Config: map[string]interface{}{ - "vaultBasePath": "team1", - secretName: "preset value", + "vaultPath": "team1", + secretName: "preset value", }} - stepParams := []StepParameters{stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")} + stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)} vaultData := map[string]string{secretName: "value1"} - vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil) + vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(vaultData, nil) resolveAllVaultReferences(&stepConfig, vaultMock, stepParams) assert.Equal(t, "value1", stepConfig.Config[secretName]) 
@@ -60,10 +76,10 @@ func TestVaultConfigLoad(t *testing.T) { t.Run("Error is passed through", func(t *testing.T) { vaultMock := &mocks.VaultMock{} stepConfig := StepConfig{Config: map[string]interface{}{ - "vaultBasePath": "team1", + "vaultPath": "team1", }} - stepParams := []StepParameters{stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")} - vaultMock.On("GetKvSecret", "team1/pipelineA").Return(nil, fmt.Errorf("test")) + stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)} + vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(nil, fmt.Errorf("test")) resolveAllVaultReferences(&stepConfig, vaultMock, stepParams) assert.Len(t, stepConfig.Config, 1) }) @@ -71,10 +87,10 @@ func TestVaultConfigLoad(t *testing.T) { t.Run("Secret doesn't exist", func(t *testing.T) { vaultMock := &mocks.VaultMock{} stepConfig := StepConfig{Config: map[string]interface{}{ - "vaultBasePath": "team1", + "vaultPath": "team1", }} - stepParams := []StepParameters{stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")} - vaultMock.On("GetKvSecret", "team1/pipelineA").Return(nil, nil) + stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName)} + vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(nil, nil) resolveAllVaultReferences(&stepConfig, vaultMock, stepParams) assert.Len(t, stepConfig.Config, 1) }) 
@@ -83,13 +99,13 @@ func TestVaultConfigLoad(t *testing.T) { aliasName := "alias" vaultMock := &mocks.VaultMock{} stepConfig := StepConfig{Config: map[string]interface{}{ - "vaultBasePath": "team1", + "vaultPath": "team1", }} - param := stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA") + param := stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName) addAlias(¶m, aliasName) stepParams := []StepParameters{param} vaultData := map[string]string{aliasName: "value1"} - vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil) + vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(vaultData, nil) resolveAllVaultReferences(&stepConfig, vaultMock, stepParams) assert.Equal(t, "value1", stepConfig.Config[secretName]) }) 
@@ -97,37 +113,23 @@ func TestVaultConfigLoad(t *testing.T) { t.Run("Search over multiple paths", func(t *testing.T) { vaultMock := &mocks.VaultMock{} stepConfig := StepConfig{Config: map[string]interface{}{ - "vaultBasePath": "team1", + "vaultBasePath": "team2", + "vaultPath": "team1", }} stepParams := []StepParameters{ - stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA", "$(vaultBasePath)/pipelineB"), + stepParam(secretName, "vaultSecret", secretNameOverrideKey, secretName), } vaultData := map[string]string{secretName: "value1"} - vaultMock.On("GetKvSecret", "team1/pipelineA").Return(nil, nil) - vaultMock.On("GetKvSecret", "team1/pipelineB").Return(vaultData, nil) + vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(nil, nil) + vaultMock.On("GetKvSecret", path.Join("team2/GROUP-SECRETS", secretName)).Return(vaultData, nil) resolveAllVaultReferences(&stepConfig, vaultMock, stepParams) assert.Equal(t, "value1", stepConfig.Config[secretName]) }) - t.Run("Stop lookup when secret was found", func(t *testing.T) { - vaultMock := &mocks.VaultMock{} - stepConfig := StepConfig{Config: map[string]interface{}{ - "vaultBasePath": "team1", - }} - stepParams := []StepParameters{ - stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA", "$(vaultBasePath)/pipelineB"), - } - vaultData := map[string]string{secretName: "value1"} - vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil) - resolveAllVaultReferences(&stepConfig, vaultMock, stepParams) - assert.Equal(t, "value1", stepConfig.Config[secretName]) - vaultMock.AssertNotCalled(t, "GetKvSecret", "team1/pipelineB") - }) - t.Run("No BasePath is stepConfig.Configured", func(t *testing.T) { vaultMock := &mocks.VaultMock{} stepConfig := StepConfig{Config: map[string]interface{}{}} - stepParams := []StepParameters{stepParam(secretName, "vaultSecret", "$(vaultBasePath)/pipelineA")} + stepParams := []StepParameters{stepParam(secretName, "vaultSecret", secretNameOverrideKey, 
secretName)} resolveAllVaultReferences(&stepConfig, vaultMock, stepParams) assert.Equal(t, nil, stepConfig.Config[secretName]) vaultMock.AssertNotCalled(t, "GetKvSecret", mock.AnythingOfType("string")) @@ -136,14 +138,15 @@ func TestVaultConfigLoad(t *testing.T) { func TestVaultSecretFiles(t *testing.T) { const secretName = "testSecret" + const secretNameOverrideKey = "mySecretVaultSecretName" t.Run("Test Vault Secret File Reference", func(t *testing.T) { vaultMock := &mocks.VaultMock{} stepConfig := StepConfig{Config: map[string]interface{}{ "vaultPath": "team1", }} - stepParams := []StepParameters{stepParam(secretName, "vaultSecretFile", "$(vaultPath)/pipelineA")} + stepParams := []StepParameters{stepParam(secretName, "vaultSecretFile", secretNameOverrideKey, secretName)} vaultData := map[string]string{secretName: "value1"} - vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil) + vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(vaultData, nil) resolveAllVaultReferences(&stepConfig, vaultMock, stepParams) assert.NotNil(t, stepConfig.Config[secretName]) path := stepConfig.Config[secretName].(string) @@ -161,10 +164,10 @@ func TestVaultSecretFiles(t *testing.T) { stepConfig := StepConfig{Config: map[string]interface{}{ "vaultPath": "team1", }} - stepParams := []StepParameters{stepParam(secretName, "vaultSecretFile", "$(vaultPath)/pipelineA")} + stepParams := []StepParameters{stepParam(secretName, "vaultSecretFile", secretNameOverrideKey, secretName)} vaultData := map[string]string{secretName: "value1"} assert.NoDirExists(t, VaultSecretFileDirectory) - vaultMock.On("GetKvSecret", "team1/pipelineA").Return(vaultData, nil) + vaultMock.On("GetKvSecret", path.Join("team1", secretName)).Return(vaultData, nil) resolveAllVaultReferences(&stepConfig, vaultMock, stepParams) assert.NotNil(t, stepConfig.Config[secretName]) path := stepConfig.Config[secretName].(string) 
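Review bot: The "Stop lookup when secret was found" subtest is deleted in the hunk starting at `@@ -97,37 +113,23 @@`, but resolution still walks several candidate paths (the remaining "Search over multiple paths" case expects the second root to be consulted), so the property that the walk stops at the first hit is now untested. That case can be re-added on the new API: configure `"vaultBasePath": "team2"` and `"vaultPath": "team1"` as in the multiple-paths test, return vaultData for `path.Join("team1", secretName)`, and close with `vaultMock.AssertNotCalled(t, "GetKvSecret", path.Join("team2/GROUP-SECRETS", secretName))`. Without it a regression that keeps querying further roots after a hit — extra secret reads against Vault — would go unnoticed.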
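Review bot: In both TestVaultSecretFiles hunks the local `path := stepConfig.Config[secretName].(string)` now shadows the `path` package that the preceding line uses via `path.Join("team1", secretName)`; it compiles only because the package is not referenced again later in that closure, and the next person to add a `path.Join` below it gets a confusing compile error. Rename the local, e.g. `secretFile := stepConfig.Config[secretName].(string)`, and adjust the uses that follow (they continue outside the hunk).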
@@ -191,7 +194,7 @@ func TestMixinVault(t *testing.T) { "unknownConfig": "test", } - config.mixinVaultConfig(general, steps) + config.mixinVaultConfig(nil, general, steps) assert.Contains(t, config.Config, "vaultServerUrl") assert.Equal(t, vaultServerUrl, config.Config["vaultServerUrl"]) @@ -201,14 +204,15 @@ func TestMixinVault(t *testing.T) { } -func stepParam(name string, refType string, refPaths ...string) StepParameters { +func stepParam(name, refType, vaultSecretNameProperty, defaultSecretNameName string) StepParameters { return StepParameters{ Name: name, Aliases: []Alias{}, ResourceRef: []ResourceReference{ { - Type: refType, - Paths: refPaths, + Type: refType, + Name: vaultSecretNameProperty, + Default: defaultSecretNameName, }, }, } diff --git a/pkg/documentation/generator/parameters.go b/pkg/documentation/generator/parameters.go index af739d413..aa28497c2 100644 --- a/pkg/documentation/generator/parameters.go +++ b/pkg/documentation/generator/parameters.go @@ -2,6 +2,7 @@ package generator import ( "fmt" + "path" "sort" "strings" @@ -271,8 +272,8 @@ func addVaultResourceDetails(resource config.ResourceReference, resourceDetails if resource.Type == "vaultSecret" { resourceDetails += "
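Review bot: TestMixinVault is updated to pass `nil` for the new parameters argument, so the branch added to mixinVaultConfig in this change — mixing in the keys named by the resource references when the filter is non-empty — is never executed by this test. Add a case that passes a `[]StepParameters` whose ResourceRef carries a `Name` (the test file's `stepParam(name, refType, vaultSecretNameProperty, defaultSecretNameName)` helper from the hunk below builds one), puts that key into `general`, and asserts with `assert.Contains(t, config.Config, "<override key>")` that it was mixed in, plus a negative assertion for an unrelated key like the existing `"unknownConfig"`.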
Vault paths:
" resourceDetails += "" } diff --git a/pkg/generator/helper/helper.go b/pkg/generator/helper/helper.go index fc2db58ab..771e1637d 100644 --- a/pkg/generator/helper/helper.go +++ b/pkg/generator/helper/helper.go @@ -172,11 +172,11 @@ func {{.FlagsFunc}}(cmd *cobra.Command, stepConfig *{{.StepName}}Options) { {{- if .Param }} Param: "{{ .Param }}", {{- end }} - {{- if gt (len .Paths) 0 }} - Paths: []string{{ "{" }}{{ range $_, $path := .Paths }}"{{$path}}",{{ end }}{{"}"}}, - {{- end }} {{- if .Type }} Type: "{{ .Type }}", + {{- if .Default }} + Default: "{{ .Default }}", + {{- end}} {{- end }} {{ "}" }}, {{- nindent 24 ""}} diff --git a/resources/metadata/abapEnvironmentCreateSystem.yaml b/resources/metadata/abapEnvironmentCreateSystem.yaml index af6f00d3d..ba7c39539 100644 --- a/resources/metadata/abapEnvironmentCreateSystem.yaml +++ b/resources/metadata/abapEnvironmentCreateSystem.yaml @@ -39,10 +39,8 @@ spec: type: secret param: username - type: vaultSecret - paths: - - $(vaultPath)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space) + name: cloudfoundryVaultSecretName + default: cloudfoundry-$(org)-$(space) - name: password type: string description: Password for Cloud Foundry User @@ -57,10 +55,8 @@ spec: type: secret param: password - type: vaultSecret - paths: - - $(vaultPath)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space) + name: cloudfoundryVaultSecretName + default: cloudfoundry-$(org)-$(space) - name: cfOrg type: string description: Cloud Foundry org diff --git a/resources/metadata/checkmarx.yaml b/resources/metadata/checkmarx.yaml index 0f86dd8a9..6fda24c4e 100644 --- a/resources/metadata/checkmarx.yaml +++ b/resources/metadata/checkmarx.yaml 
@@ -95,10 +95,8 @@ spec: type: secret param: password - type: vaultSecret - paths: - - $(vaultPath)/checkmarx - - $(vaultBasePath)/$(vaultPipelineName)/checkmarx - - $(vaultBasePath)/GROUP-SECRETS/checkmarx + name: checkmarxVaultSecretName + default: checkmarx - name: preset type: string description: The preset to use for scanning, if not set explicitly the step will attempt to look up the project's setting based on the availability of `checkmarxCredentialsId` @@ -177,10 +175,8 @@ spec: type: secret param: username - type: vaultSecret - paths: - - $(vaultPath)/checkmarx - - $(vaultBasePath)/$(vaultPipelineName)/checkmarx - - $(vaultBasePath)/GROUP-SECRETS/checkmarx + name: checkmarxVaultSecretName + default: checkmarx - name: verifyOnly type: bool description: Whether the step shall only apply verification checks or whether it does a full scan and check cycle diff --git a/resources/metadata/cloudFoundryCreateService.yaml b/resources/metadata/cloudFoundryCreateService.yaml index 17b2cbc2b..901247086 100644 --- a/resources/metadata/cloudFoundryCreateService.yaml +++ b/resources/metadata/cloudFoundryCreateService.yaml @@ -47,10 +47,8 @@ spec: type: secret param: username - type: vaultSecret - paths: - - $(vaultPath)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space) + name: cloudfoundryVaultSecretName + default: cloudfoundry-$(org)-$(space) - name: password type: string description: Password for Cloud Foundry User @@ -65,10 +63,8 @@ spec: type: secret param: password - type: vaultSecret - paths: - - $(vaultPath)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space) + default: cloudfoundry-$(org)-$(space) + name: cloudfoundryVaultSecretName - name: cfOrg type: string description: Cloud Foundry org 
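Review bot: The key order of the replacement resourceRef entries is inconsistent within the same change: the checkmarx hunks and the cloudFoundryCreateService username hunk write `name:` before `default:`, while the cloudFoundryCreateService password hunk (and, later in this diff, cloudFoundryCreateServiceKey, cloudFoundryDeleteService, cloudFoundryDeploy, the fortify github entry and the github* files) write `default:` first. Both are valid YAML, but these blocks are copied between step metadata files and the generator reads them, so picking one order — `name:` then `default:`, matching the majority — keeps future diffs reviewable.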
diff --git a/resources/metadata/cloudFoundryCreateServiceKey.yaml b/resources/metadata/cloudFoundryCreateServiceKey.yaml index 3982768a6..47ee692a4 100644 --- a/resources/metadata/cloudFoundryCreateServiceKey.yaml +++ b/resources/metadata/cloudFoundryCreateServiceKey.yaml @@ -35,10 +35,8 @@ spec: type: secret param: username - type: vaultSecret - paths: - - $(vaultPath)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space) + default: cloudfoundry-$(org)-$(space) + name: cloudfoundryVaultSecretName - name: password type: string description: User Password for CF User @@ -53,10 +51,8 @@ spec: type: secret param: password - type: vaultSecret - paths: - - $(vaultPath)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space) + default: cloudfoundry-$(org)-$(space) + name: cloudfoundryVaultSecretName - name: cfOrg type: string description: CF org diff --git a/resources/metadata/cloudFoundryDeleteService.yaml b/resources/metadata/cloudFoundryDeleteService.yaml index dc70bdc4f..d4efee509 100644 --- a/resources/metadata/cloudFoundryDeleteService.yaml +++ b/resources/metadata/cloudFoundryDeleteService.yaml @@ -35,10 +35,8 @@ spec: type: secret param: username - type: vaultSecret - paths: - - $(vaultPath)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space) + default: cloudfoundry-$(org)-$(space) + name: cloudfoundryVaultSecretName - name: password type: string description: User Password for CF User 
@@ -53,10 +51,8 @@ spec: type: secret param: password - type: vaultSecret - paths: - - $(vaultPath)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space) + default: cloudfoundry-$(org)-$(space) + name: cloudfoundryVaultSecretName - name: cfOrg type: string description: CF org diff --git a/resources/metadata/cloudFoundryDeploy.yaml b/resources/metadata/cloudFoundryDeploy.yaml index 162cb8159..c6dfa65c6 100644 --- a/resources/metadata/cloudFoundryDeploy.yaml +++ b/resources/metadata/cloudFoundryDeploy.yaml @@ -321,10 +321,8 @@ spec: type: secret param: password - type: vaultSecret - paths: - - $(vaultPath)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space) + default: cloudfoundry-$(org)-$(space) + name: cloudfoundryVaultSecretName - name: smokeTestScript type: string description: @@ -376,10 +374,8 @@ spec: type: secret param: username - type: vaultSecret - paths: - - $(vaultPath)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/$(vaultPipelineName)/cloudfoundry-$(org)-$(space) - - $(vaultBasePath)/GROUP-SECRETS/cloudfoundry-$(org)-$(space) + default: cloudfoundry-$(org)-$(space) + name: cloudfoundryVaultSecretName containers: - name: cfDeploy image: ppiper/cf-cli:6 diff --git a/resources/metadata/detect.yaml b/resources/metadata/detect.yaml index dfae8db4f..a869137f0 100644 --- a/resources/metadata/detect.yaml +++ b/resources/metadata/detect.yaml @@ -35,10 +35,8 @@ spec: - name: detectTokenCredentialsId type: secret - type: vaultSecret - paths: - - $(vaultPath)/detect - - $(vaultBasePath)/$(vaultPipelineName)/detect - - $(vaultBasePath)/GROUP-SECRETS/detect + name: detectVaultSecretName + default: detect scope: - PARAMETERS - STAGES diff --git a/resources/metadata/fortify.yaml b/resources/metadata/fortify.yaml index c818423b7..e4a4fd416 100644 
--- a/resources/metadata/fortify.yaml +++ b/resources/metadata/fortify.yaml @@ -57,10 +57,8 @@ spec: - name: fortifyCredentialsId type: secret - type: vaultSecret - paths: - - $(vaultPath)/fortify - - $(vaultBasePath)/$(vaultPipelineName)/fortify - - $(vaultBasePath)/GROUP-SECRETS/fortify + name: fortifyVaultSecretName + default: fortify - name: buildDescriptorExcludeList type: "[]string" description: "List of build descriptors and therefore modules to exclude from the scan and assessment activities." @@ -97,10 +95,8 @@ spec: - name: githubTokenCredentialsId type: secret - type: vaultSecret - paths: - - $(vaultPath)/github - - $(vaultBasePath)/$(vaultPipelineName)/github - - $(vaultBasePath)/GROUP-SECRETS/github + default: github + name: githubVaultSecretName - name: autoCreate type: bool description: diff --git a/resources/metadata/githubbranchprotection.yaml b/resources/metadata/githubbranchprotection.yaml index 2d6a485b8..7e22313e5 100644 --- a/resources/metadata/githubbranchprotection.yaml +++ b/resources/metadata/githubbranchprotection.yaml @@ -97,7 +97,5 @@ spec: - name: githubTokenCredentialsId type: secret - type: vaultSecret - paths: - - $(vaultPath)/github - - $(vaultBasePath)/$(vaultPipelineName)/github - - $(vaultBasePath)/GROUP-SECRETS/github + default: github + name: githubVaultSecretName diff --git a/resources/metadata/githubcommentissue.yaml b/resources/metadata/githubcommentissue.yaml index ea9b7993f..945542d2a 100644 --- a/resources/metadata/githubcommentissue.yaml +++ b/resources/metadata/githubcommentissue.yaml @@ -84,7 +84,5 @@ spec: - name: githubTokenCredentialsId type: secret - type: vaultSecret - paths: - - $(vaultPath)/github - - $(vaultBasePath)/$(vaultPipelineName)/github - - $(vaultBasePath)/GROUP-SECRETS/github + default: github + name: githubVaultSecretName diff --git a/resources/metadata/githubcreateissue.yaml b/resources/metadata/githubcreateissue.yaml index 635ff28ed..3a436ef67 100644 --- a/resources/metadata/githubcreateissue.yaml 
+++ b/resources/metadata/githubcreateissue.yaml @@ -89,7 +89,5 @@ spec: - name: githubTokenCredentialsId type: secret - type: vaultSecret - paths: - - $(vaultPath)/github - - $(vaultBasePath)/$(vaultPipelineName)/github - - $(vaultBasePath)/GROUP-SECRETS/github + default: github + name: githubVaultSecretName diff --git a/resources/metadata/githubcreatepr.yaml b/resources/metadata/githubcreatepr.yaml index e9b52c35f..5705bbcc6 100644 --- a/resources/metadata/githubcreatepr.yaml +++ b/resources/metadata/githubcreatepr.yaml @@ -118,10 +118,8 @@ spec: - name: githubTokenCredentialsId type: secret - type: vaultSecret - paths: - - $(vaultPath)/github - - $(vaultBasePath)/$(vaultPipelineName)/github - - $(vaultBasePath)/GROUP-SECRETS/github + default: github + name: githubVaultSecretName - name: labels description: Labels to be added to the pull request. scope: diff --git a/resources/metadata/githubrelease.yaml b/resources/metadata/githubrelease.yaml index fd04ac8b9..9deac20e5 100644 --- a/resources/metadata/githubrelease.yaml +++ b/resources/metadata/githubrelease.yaml @@ -146,10 +146,8 @@ spec: - name: githubTokenCredentialsId type: secret - type: vaultSecret - paths: - - $(vaultPath)/github - - $(vaultBasePath)/$(vaultPipelineName)/github - - $(vaultBasePath)/GROUP-SECRETS/github + default: github + name: githubVaultSecretName - name: uploadUrl aliases: - name: githubUploadUrl diff --git a/resources/metadata/githubstatus.yaml b/resources/metadata/githubstatus.yaml index c946b0699..f48f10212 100644 --- a/resources/metadata/githubstatus.yaml +++ b/resources/metadata/githubstatus.yaml @@ -119,7 +119,5 @@ spec: - name: githubTokenCredentialsId type: secret - type: vaultSecret - paths: - - $(vaultPath)/github - - $(vaultBasePath)/$(vaultPipelineName)/github - - $(vaultBasePath)/GROUP-SECRETS/github + default: github + name: githubVaultSecretName diff --git a/resources/metadata/influx.yaml b/resources/metadata/influx.yaml index 20fb04955..5e799f0ab 100644 
--- a/resources/metadata/influx.yaml +++ b/resources/metadata/influx.yaml @@ -32,10 +32,8 @@ spec: - name: influxAuthTokenId type: secret - type: vaultSecret - paths: - - $(vaultPath)/influxdb - - $(vaultBasePath)/$(vaultPipelineName)/influxdb - - $(vaultBasePath)/GROUP-SECRETS/influxdb + name: influxVaultSecretName + default: influxdb - name: bucket type: string description: Name of database (1.8) or bucket (2.0) diff --git a/resources/metadata/kaniko.yaml b/resources/metadata/kaniko.yaml index 691ccc960..6d0e8b8e5 100644 --- a/resources/metadata/kaniko.yaml +++ b/resources/metadata/kaniko.yaml @@ -100,10 +100,8 @@ spec: - name: dockerConfigJsonCredentialsId type: secret - type: vaultSecretFile - paths: - - $(vaultPath)/docker-config - - $(vaultBasePath)/$(vaultPipelineName)/docker-config - - $(vaultBasePath)/GROUP-SECRETS/docker-config + name: dockerConfigFileVaultSecretName + default: docker-config - name: dockerfilePath aliases: - name: dockerfile diff --git a/resources/metadata/kubernetesdeploy.yaml b/resources/metadata/kubernetesdeploy.yaml index 48fc61789..b16d51f4c 100644 --- a/resources/metadata/kubernetesdeploy.yaml +++ b/resources/metadata/kubernetesdeploy.yaml @@ -245,10 +245,8 @@ spec: - name: kubeConfigFileCredentialsId type: secret - type: vaultSecretFile - paths: - - $(vaultPath)/kube-config - - $(vaultBasePath)/$(vaultPipelineName)/kube-config - - $(vaultBasePath)/GROUP-SECRETS/kube-config + name: kubeConfigFileSecretName + default: kube-config - name: kubeContext type: string description: Defines the context to use from the \"kubeconfig\" file. @@ -300,10 +298,7 @@ spec: - name: dockerConfigJsonCredentialsId type: secret - type: vaultSecretFile - paths: - - $(vaultPath)/docker-config - - $(vaultBasePath)/$(vaultPipelineName)/docker-config - - $(vaultBasePath)/GROUP-SECRETS/docker-config + name: dockerConfigFileVaultSecretName containers: - image: dtzar/helm-kubectl:3.4.1 workingDir: /config 
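Review bot: The second kubernetesdeploy.yaml hunk (`@@ -300,10 +298,7 @@`, dockerConfigJsonCredentialsId) replaces the three paths with only `name: dockerConfigFileVaultSecretName` and no `default:`, whereas the kaniko.yaml and protecode.yaml entries for the same credential in this diff carry `default: docker-config`; with an empty default and no user override the new lookup joins an empty name onto each root path, so the step would query the bare root paths instead of the docker-config secret. Add `default: docker-config` to that entry. The override key names introduced here also diverge from the `<secret>VaultSecretName` pattern used by most files: `kubeConfigFileSecretName` in this hunk, and further down `sonarSecretName` (sonar.yaml), `terraformExecuteFileVaultSecret`, `jenkinsVaultSecret` and `whitesourceVaultSecret`; these become user-facing configuration keys that are costly to rename later, so aligning them now is worth it.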
diff --git a/resources/metadata/mavenBuild.yaml b/resources/metadata/mavenBuild.yaml index 20e133b0c..02cba2e77 100644 --- a/resources/metadata/mavenBuild.yaml +++ b/resources/metadata/mavenBuild.yaml @@ -115,10 +115,8 @@ spec: - name: altDeploymentRepositoryPasswordId type: secret - type: vaultSecretFile - paths: - - $(vaultPath)/alt-deployment-repository-passowrd - - $(vaultBasePath)/$(vaultPipelineName)/alt-deployment-repository-passowrd - - $(vaultBasePath)/GROUP-SECRETS/alt-deployment-repository-passowrd + name: altDeploymentRepositoryPasswordFileVaultSecretName + default: alt-deployment-repository-passowrd - name: altDeploymentRepositoryUser type: string description: User for the alternative deployment repository to which the project artifacts should be deployed ( other than those specified in ). This user will be updated in settings.xml . When no settings.xml is provided a new one is created corresponding with tag diff --git a/resources/metadata/protecode.yaml b/resources/metadata/protecode.yaml index 5d8de6058..a244981ee 100644 --- a/resources/metadata/protecode.yaml +++ b/resources/metadata/protecode.yaml @@ -75,10 +75,8 @@ spec: - name: dockerConfigJsonCredentialsId type: secret - type: vaultSecretFile - paths: - - $(vaultPath)/docker-config - - $(vaultBasePath)/$(vaultPipelineName)/docker-config - - $(vaultBasePath)/GROUP-SECRETS/docker-config + name: dockerConfigFileVaultSecretName + default: docker-config - name: cleanupMode type: string description: Decides which parts are removed from the Protecode backend after the scan @@ -187,10 +185,8 @@ spec: type: secret param: username - type: vaultSecret - paths: - - $(vaultPath)/protecode - - $(vaultBasePath)/$(vaultPipelineName)/protecode - - $(vaultBasePath)/GROUP-SECRETS/protecode + name: protecodeVaultSecretName + default: protecode - name: password type: string description: Password which is used for the user 
@@ -205,10 +201,8 @@ spec: type: secret param: password - type: vaultSecret - paths: - - $(vaultPath)/protecode - - $(vaultBasePath)/$(vaultPipelineName)/protecode - - $(vaultBasePath)/GROUP-SECRETS/protecode + name: protecodeVaultSecretName + default: protecode - name: version aliases: - name: artifactVersion diff --git a/resources/metadata/sonar.yaml b/resources/metadata/sonar.yaml index 3b64834b4..280f4f30b 100644 --- a/resources/metadata/sonar.yaml +++ b/resources/metadata/sonar.yaml @@ -42,10 +42,8 @@ spec: secret: true resourceRef: - type: vaultSecret - paths: - - $(vaultPath)/sonar - - $(vaultBasePath)/$(vaultPipelineName)/sonar - - $(vaultBasePath)/GROUP-SECRETS/sonar + name: sonarSecretName + default: sonar - name: sonarTokenCredentialsId type: secret aliases: @@ -226,10 +224,8 @@ spec: - name: githubTokenCredentialsId type: secret - type: vaultSecret - paths: - - $(vaultPath)/github - - $(vaultBasePath)/$(vaultPipelineName)/github - - $(vaultBasePath)/GROUP-SECRETS/github + name: githubVaultSecretName + default: github - name: disableInlineComments type: bool description: "Pull-Request only: Disables the pull-request decoration with inline comments. diff --git a/resources/metadata/terraformExecute.yaml b/resources/metadata/terraformExecute.yaml index 17d280d8e..07a0a1a8a 100644 --- a/resources/metadata/terraformExecute.yaml +++ b/resources/metadata/terraformExecute.yaml @@ -21,10 +21,8 @@ spec: type: string resourceRef: - type: vaultSecretFile - paths: - - $(vaultPath)/terraformExecute - - $(vaultBasePath)/$(vaultPipelineName)/terraformExecute - - $(vaultBasePath)/GROUP-SECRETS/terraformExecute + name: terraformExecuteFileVaultSecret + default: terraformExecute - name: additionalArgs type: "[]string" scope: diff --git a/resources/metadata/vaultRotateSecretId.yaml b/resources/metadata/vaultRotateSecretId.yaml index b15345c5c..f0ee77eda 100644 --- a/resources/metadata/vaultRotateSecretId.yaml +++ b/resources/metadata/vaultRotateSecretId.yaml 
@@ -26,10 +26,8 @@ spec: secret: true resourceRef: - type: vaultSecret - paths: - - $(vaultPath)/jenkins - - $(vaultBasePath)/$(vaultPipelineName)/jenkins - - $(vaultBasePath)/GROUP-SECRETS/jenkins + name: jenkinsVaultSecret + default: jenkins aliases: - name: url - name: jenkinsCredentialDomain @@ -52,10 +50,8 @@ spec: - name: userId resourceRef: - type: vaultSecret - paths: - - $(vaultPath)/jenkins - - $(vaultBasePath)/$(vaultPipelineName)/jenkins - - $(vaultBasePath)/GROUP-SECRETS/jenkins + name: jenkinsVaultSecret + default: jenkins - name: jenkinsToken type: string description: "The jenkins token" @@ -68,10 +64,8 @@ spec: - name: token resourceRef: - type: vaultSecret - paths: - - $(vaultPath)/jenkins - - $(vaultBasePath)/$(vaultPipelineName)/jenkins - - $(vaultBasePath)/GROUP-SECRETS/jenkins + name: jenkinsVaultSecret + default: jenkins - name: vaultAppRoleSecretTokenCredentialsId type: string description: The Jenkins credential ID or Azure DevOps variable name for the Vault AppRole Secret ID credential diff --git a/resources/metadata/versioning.yaml b/resources/metadata/versioning.yaml index ba95a87b2..e8019f40c 100644 --- a/resources/metadata/versioning.yaml +++ b/resources/metadata/versioning.yaml @@ -198,10 +198,8 @@ spec: type: secret param: password - type: vaultSecret - paths: - - $(vaultPath)/gitHttpsCredential - - $(vaultBasePath)/$(vaultPipelineName)/gitHttpsCredential - - $(vaultBasePath)/GROUP-SECRETS/gitHttpsCredential + name: gitHttpsCredentialVaultSecretName + default: gitHttpsCredential - name: projectSettingsFile aliases: - name: maven/projectSettingsFile 
@@ -247,10 +245,8 @@ spec: type: secret param: username - type: vaultSecret - paths: - - $(vaultPath)/gitHttpsCredential - - $(vaultBasePath)/$(vaultPipelineName)/gitHttpsCredential - - $(vaultBasePath)/GROUP-SECRETS/gitHttpsCredential + name: gitHttpsCredentialVaultSecretName + default: gitHttpsCredential - name: versioningTemplate type: string description: "DEPRECATED: Defines the template for the automatic version which will be created" diff --git a/resources/metadata/whitesource.yaml b/resources/metadata/whitesource.yaml index eaef3bda9..aaad91f4f 100644 --- a/resources/metadata/whitesource.yaml +++ b/resources/metadata/whitesource.yaml @@ -360,10 +360,8 @@ spec: - name: userTokenCredentialsId type: secret - type: vaultSecret - paths: - - $(vaultPath)/whitesource - - $(vaultBasePath)/$(vaultPipelineName)/whitesource - - $(vaultBasePath)/GROUP-SECRETS/whitesource + name: whitesourceVaultSecret + default: whitesource - name: versioningModel type: string description: "The default project versioning model used in case `projectVersion` parameter is