mirror of
https://github.com/SAP/jenkins-library.git
synced 2024-12-12 10:55:20 +02:00
e3935ca088
* rotate Vault secret on GH Actions * test alternative sodium package * try doing it without libsodium * disable validity check for testing purposes * basic unit test * re-enable secret validity check * tidy * tidy parameters * forgot to update param names in code * apply review feedback * improve error logging * update step metadata * apply metadata suggestion from review Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> * align githubToken param * Fix secretStore * Add alias for githubToken * Move logic to separate file --------- Co-authored-by: I557621 <jordi.van.liempt@sap.com> Co-authored-by: Christopher Fenner <26137398+CCFenner@users.noreply.github.com> Co-authored-by: Vyacheslav Starostin <vyacheslav.starostin@sap.com>
195 lines
5.3 KiB
YAML
195 lines
5.3 KiB
YAML
metadata:
|
|
name: vaultRotateSecretId
|
|
description: Rotate Vault AppRole Secret ID
|
|
longDescription: This step takes the given Vault secret ID and checks whether it needs to be renewed and if so it will update the secret ID in the configured secret store.
|
|
spec:
|
|
inputs:
|
|
params:
|
|
- name: secretStore
|
|
type: string
|
|
description: "The store to which the secret should be written back to"
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: "jenkins"
|
|
possibleValues:
|
|
- jenkins
|
|
- ado
|
|
- github
|
|
- name: jenkinsUrl
|
|
type: string
|
|
description: "The jenkins url"
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
secret: true
|
|
resourceRef:
|
|
- type: vaultSecret
|
|
name: jenkinsVaultSecretName
|
|
default: jenkins
|
|
aliases:
|
|
- name: url
|
|
- name: jenkinsCredentialDomain
|
|
type: string
|
|
description: The jenkins credential domain which should be used
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: "_"
|
|
- name: jenkinsUsername
|
|
type: string
|
|
description: "The jenkins username"
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
secret: true
|
|
aliases:
|
|
- name: userId
|
|
resourceRef:
|
|
- type: vaultSecret
|
|
name: jenkinsVaultSecretName
|
|
default: jenkins
|
|
- name: jenkinsToken
|
|
type: string
|
|
description: "The jenkins token"
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
secret: true
|
|
aliases:
|
|
- name: token
|
|
resourceRef:
|
|
- type: vaultSecret
|
|
name: jenkinsVaultSecretName
|
|
default: jenkins
|
|
- name: vaultAppRoleSecretTokenCredentialsId
|
|
type: string
|
|
description: The Jenkins credential ID, Azure DevOps variable name, or GitHub Actions secret name for the Vault AppRole Secret ID credential
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
mandatory: true
|
|
- name: vaultServerUrl
|
|
type: string
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
description: The URL for the Vault server to use
|
|
mandatory: true
|
|
- name: vaultNamespace
|
|
type: string
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
description: The Vault namespace that should be used (optional)
|
|
- name: daysBeforeExpiry
|
|
type: int
|
|
description: The amount of days before expiry until the secret ID gets rotated
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
default: 15
|
|
- name: adoOrganization
|
|
type: string
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
description: The Azure DevOps organization name
|
|
- name: adoPersonalAccessToken
|
|
aliases:
|
|
- name: token
|
|
type: string
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
description: The Azure DevOps personal access token
|
|
secret: true
|
|
mandatoryIf:
|
|
- name: secretStore
|
|
value: ado
|
|
resourceRef:
|
|
- type: vaultSecret
|
|
name: azureDevOpsVaultSecretName
|
|
default: azure-dev-ops
|
|
- name: adoProject
|
|
type: string
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
description: The Azure DevOps project ID. Project name also can be used
|
|
- name: adoPipelineId
|
|
type: int
|
|
scope:
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
description: The Azure DevOps pipeline ID. Also called as definition ID
|
|
- name: githubToken
|
|
aliases:
|
|
- name: access_token
|
|
- name: token
|
|
type: string
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
description: "GitHub personal access token as per
|
|
https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
|
|
with the scope 'repo'"
|
|
secret: true
|
|
mandatoryIf:
|
|
- name: secretStore
|
|
value: github
|
|
resourceRef:
|
|
- type: vaultSecret
|
|
default: github
|
|
name: githubVaultSecretName
|
|
- name: githubApiUrl
|
|
description: Set the GitHub API URL that corresponds to the pipeline repository
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: string
|
|
default: "https://api.github.com"
|
|
- name: owner
|
|
description: Owner of the pipeline GitHub repository
|
|
resourceRef:
|
|
- name: commonPipelineEnvironment
|
|
param: github/owner
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: string
|
|
- name: repository
|
|
description: Name of the pipeline GitHub repository
|
|
resourceRef:
|
|
- name: commonPipelineEnvironment
|
|
param: github/repository
|
|
scope:
|
|
- GENERAL
|
|
- PARAMETERS
|
|
- STAGES
|
|
- STEPS
|
|
type: string
|