mirror of https://github.com/SAP/jenkins-library.git synced 2025-01-18 05:18:24 +02:00
Kevin Stiehl 3eae0c5f68
feat(vault): fetch secrets from vault (#2032)
* cloud-foundry & sonar from vault

* add vault development hint

* don't abort on vault errors

* cloudfoundry make credentialsId only mandatory when vault is not configured

* add vault ref to step ymls

* rename vaultAddress to vaultServerUrl

* rename PIPER_vaultRole* to PIPER_vaultAppRole*

* add resourceRef for detect step

* fix error when no namespace is set

* added debug logs

* added debug logs

* fix vault resolving

* add vaultCustomBasePath

* rename vault_test.go to client_test.go

* refactored vault logging

* refactored config param lookup for vault

* added quotation marks

* rename vaultCustomBasePath to vaultPath

* fix tests

* change lookup path for group secrets

* fix interpolation tests

* added vault resource ref to versioning

* execute go generate

* rename Approle to AppRole

* change verbose back to false

Co-authored-by: Leander Schulz <leander.schulz01@sap.com>
Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com>
2020-10-13 14:14:47 +02:00


The Vault ResourceRef

Preconditions

Parameters that have a ResourceReference of type vaultSecret are looked up from Vault when all of the following conditions are true:

  • The environment variables PIPER_vaultAppRoleID and PIPER_vaultAppRoleSecretID are both set, to the Vault AppRole role ID and the Vault AppRole secret ID respectively. See the Vault AppRole docs.
  • vaultServerUrl is set in the general section of the configuration file.
  • The parameter has not been set by the configuration file, as a CLI parameter or as an environment variable. Any parameter that has already been set will not be resolved via Vault.

Lookup

- name: token
  type: string
  description: "Token used to authenticate with the Sonar Server."
  scope:
    - PARAMETERS
  secret: true
  resourceRef:
    - type: vaultSecret
      paths:
        - $(vaultBasePath)/$(vaultPipelineName)/sonar
        - $(vaultBasePath)/__group/sonar

With the example above, piper checks whether the token parameter was already set when the config was resolved. If token has not been resolved yet, piper goes through every item of the paths array, interpolates each string using the already resolved config, and then checks whether a secret is stored at the resulting path.

If a secret is found, piper checks whether it has a field (secrets in Vault are flat JSON documents) that matches the parameter's name or one of its alias names; in the example above this would be token.
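The lookup described above as an added, self-contained Go example (not code from jenkins-library itself): it interpolates the $(vaultBasePath)/$(vaultPipelineName) placeholders from the resolved config, walks the paths in order, matches a field by parameter name or alias, and skips both already-set parameters and paths whose placeholders cannot be resolved. The in-memory vault map and the sample values are constructed stand-ins for the real Vault client, and the function names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
)

// Secret is a flat key/value document, the shape of a secret stored at one Vault path.
type Secret map[string]string

// refPattern matches the $(key) placeholders used in resourceRef paths.
var refPattern = regexp.MustCompile(`\$\(([^)]+)\)`)

// interpolate expands each $(key) from the resolved config; reports false if any key is unresolved.
func interpolate(tmpl string, config map[string]string) (string, bool) {
	complete := true
	out := refPattern.ReplaceAllStringFunc(tmpl, func(m string) string {
		v, found := config[m[2:len(m)-1]] // strip "$(" and ")"
		if !found {
			complete = false
		}
		return v
	})
	return out, complete
}

// resolveVaultSecret walks the paths in order and returns the first field matching the
// parameter name or one of its aliases; a parameter already set in config is never overridden.
func resolveVaultSecret(vault map[string]Secret, config map[string]string, param string, aliases, paths []string) (string, bool) {
	if _, set := config[param]; set {
		return config[param], false
	}
	for _, tmpl := range paths {
		path, ok := interpolate(tmpl, config)
		secret, found := vault[path]
		if !ok || !found {
			continue // unresolved placeholder or nothing stored at this path
		}
		for _, field := range append([]string{param}, aliases...) {
			if val, has := secret[field]; has {
				return val, true
			}
		}
	}
	return "", false
}

func main() {
	vault := map[string]Secret{"piper/__group/sonar": {"sonarToken": "s3cr3t"}} // constructed stand-in for the Vault client
	config := map[string]string{"vaultBasePath": "piper"}                         // vaultPipelineName deliberately unresolved
	paths := []string{"$(vaultBasePath)/$(vaultPipelineName)/sonar", "$(vaultBasePath)/__group/sonar"}
	fmt.Println(resolveVaultSecret(vault, config, "token", []string{"sonarToken"}, paths)) // s3cr3t true
}
```

The first path is skipped because vaultPipelineName is not resolved, and the group path matches through the alias sonarToken.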