mirror of
https://github.com/SAP/jenkins-library.git
synced 2025-01-18 05:18:24 +02:00
3eae0c5f68
* cloud-foundry & sonar from vault
* add vault development hint
* don't abort on vault errors
* cloudfoundry make credentialsId only mandatory when vault is not configured
* add vault ref to step ymls
* rename vaultAddress to vaultServerUrl
* rename PIPER_vaultRole* to PIPER_vaultAppRole*
* add resourceRef for detect step
* fix error when no namespace is set
* added debug logs
* added debug logs
* fix vault resolving
* add vaultCustomBasePath
* rename vault_test.go to client_test.go
* refactored vault logging
* refactored config param lookup for vault
* added tüddelchen
* rename vaultCustomBasePath to vaultPath
* fix tests
* change lookup path for group secrets
* fix interpolation tests
* added vault resource ref to versioning
* execute go generate
* rename Approle to AppRole
* change verbose back to false

Co-authored-by: Leander Schulz <leander.schulz01@sap.com>
Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com>
1.5 KiB
The Vault ResourceRef
Preconditions
Parameters that have a ResourceReference of type vaultSecret will be looked up from Vault when all of the following things are true:
- The environment variables PIPER_vaultAppRoleID and PIPER_vaultAppRoleSecretID must both be set to the Vault AppRole role ID and to the Vault AppRole secret ID. See Vault AppRole docs.
- vaultServerUrl is set in the general section of the configuration file.
- The parameter must not be set by the configuration file, as a CLI parameter or an environment variable. Any parameter that has already been set won't be resolved via Vault.
Lookup
- name: token
  type: string
  description: "Token used to authenticate with the Sonar Server."
  scope:
    - PARAMETERS
  secret: true
  resourceRef:
    - type: vaultSecret
      paths:
        - $(vaultBasePath)/$(vaultPipelineName)/sonar
        - $(vaultBasePath)/__group/sonar
With the example above, piper will check whether the token parameter has already been set when the config was resolved. If token hasn't been resolved yet, piper goes through every item of the paths array, interpolates every string using the already resolved config, and then checks whether there is a secret stored at the given path.
If a secret is found, piper checks whether it has a field (secrets in Vault are flat JSON documents) that matches the parameter's name (or one of the alias names); in the example above this would be token.
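The lookup order described above, sketched as an added example (this is not piper's own code). The `secretStore` map is a hypothetical stand-in for the Vault client, all sample values are constructed, and two behaviours are assumptions: a path with an unresolved placeholder is skipped, and a secret without a matching field falls through to the next path.

```go
package main

import (
	"fmt"
	"regexp"
)

// secretStore is a hypothetical stand-in for Vault: path -> flat secret document.
type secretStore map[string]map[string]string

var placeholder = regexp.MustCompile(`\$\([A-Za-z0-9_]+\)`)

// interpolate fills $(key) from the resolved config; ok is false if a key is missing or empty.
func interpolate(path string, cfg map[string]string) (string, bool) {
	ok := true
	out := placeholder.ReplaceAllStringFunc(path, func(m string) string {
		v := cfg[m[2:len(m)-1]] // strip "$(" and ")"
		ok = ok && v != ""
		return v
	})
	return out, ok
}

// resolveFromVault returns the parameter value and whether it was read from the store.
func resolveFromVault(name string, aliases, paths []string, cfg map[string]string, store secretStore) (string, bool) {
	if v := cfg[name]; v != "" {
		return v, false // already set by config file, CLI or environment: no lookup
	}
	for _, p := range paths {
		resolved, ok := interpolate(p, cfg)
		if !ok {
			continue // assumption: skip paths with unresolved placeholders
		}
		secret := store[resolved] // nil map when nothing is stored at this path
		for _, field := range append([]string{name}, aliases...) {
			if v, has := secret[field]; has {
				return v, true
			}
		}
	}
	return "", false
}

func main() {
	cfg := map[string]string{"vaultBasePath": "team-a", "vaultPipelineName": "my-pipeline"} // constructed
	store := secretStore{"team-a/__group/sonar": {"token": "constructed-group-token"}}      // constructed
	paths := []string{"$(vaultBasePath)/$(vaultPipelineName)/sonar", "$(vaultBasePath)/__group/sonar"}
	fmt.Println(resolveFromVault("token", nil, paths, cfg, store))
}
```

Because the pipeline-specific path is listed first, a secret stored there takes precedence over the `__group` secret, which makes the ordering of `paths` the place to review when auditing which credential a step will actually use.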