Adds wrapper for vault plugin

Change-Id: I85ab23670a1d89b04eba01ddd4cc024da1d879a9
Signed-off-by: Roman Iuvshyn <riuvshyn@redhat.com>

jenkins_jobs/modules/wrappers.py

@@ -1022,6 +1022,78 @@ def inject_passwords(registry, xml_parent, data):
                 mapping, fail_required=True)
 
 
+def vault_secrets(registry, xml_parent, data):
+    """yaml: vault-secrets
+    Inject environment variables from a HashiCorp Vault secret.
+
+    Secrets are generally masked in the build log.
+
+    Requires the Jenkins
+        :jenkins-wiki:`HashiCorp Vault Plugin <HashiCorp+Vault+Plugin>`.
+
+    :arg str vault-url: Vault URL
+    :arg str credentials-id: Vault Credential
+    :arg list secrets: List of secrets
+
+      :secrets:
+        * **secret-path** (`str`) --
+          The path of the secret in the vault server
+
+        :secret-values:
+          * **secret-values** (`list`) -- List of key / value pairs
+
+            * **env-var** (`str`) --
+              The environment variable to set with the value of the
+              vault key
+            * **vault-key** (`str`) -- The vault key whose value with
+              populate the environment variable
+
+    Minimal Example:
+
+    .. literalinclude:: /../../tests/wrappers/fixtures/vault-minimal.yaml
+       :language: yaml
+
+    Full Example:
+
+    .. literalinclude:: /../../tests/wrappers/fixtures/vault-full.yaml
+       :language: yaml
+
+    """
+    vault = XML.SubElement(xml_parent,
+                           'com.datapipe.jenkins.vault.VaultBuildWrapper')
+    vault.set('plugin', 'hashicorp-vault-plugin')
+    configuration = XML.SubElement(vault, 'configuration')
+    conf_mapping = [
+        ('vault-url', 'vaultUrl', ''),
+        ('credentials-id', 'vaultCredentialId', ''),
+    ]
+    convert_mapping_to_xml(
+        configuration, data, conf_mapping, fail_required=True)
+
+    secretsobj = XML.SubElement(vault, 'vaultSecrets')
+    secrets = data.get('secrets', [])
+    for secret in secrets:
+        secretobj = XML.SubElement(
+            secretsobj, 'com.datapipe.jenkins.vault.model.VaultSecret')
+        XML.SubElement(
+            secretobj, 'path').text = secret.get('secret-path', '')
+        secretvaluesobj = XML.SubElement(secretobj, 'secretValues')
+        for secretvalue in secret['secret-values']:
+            secretvalueobj = XML.SubElement(
+                secretvaluesobj,
+                'com.datapipe.jenkins.vault.model.VaultSecretValue')
+            XML.SubElement(
+                secretvalueobj,
+                'envVar').text = \
+                secretvalue.get('env-var', '')
+            XML.SubElement(
+                secretvalueobj,
+                'vaultKey').text = \
+                secretvalue.get('vault-key', '')
+    XML.SubElement(vault, 'valuesToMask')
+    XML.SubElement(vault, 'vaultAccessor')
+
+
 def env_file(registry, xml_parent, data):
     """yaml: env-file
     Add or override environment variables to the whole build process

tests/wrappers/fixtures/vault-full.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project>
+  <buildWrappers>
+    <com.datapipe.jenkins.vault.VaultBuildWrapper plugin="hashicorp-vault-plugin">
+      <configuration>
+        <vaultUrl>http://127.0.0.1:8200</vaultUrl>
+        <vaultCredentialId>myCredentials</vaultCredentialId>
+      </configuration>
+      <vaultSecrets>
+        <com.datapipe.jenkins.vault.model.VaultSecret>
+          <path>secret/my-secret</path>
+          <secretValues>
+            <com.datapipe.jenkins.vault.model.VaultSecretValue>
+              <envVar>USERNAME</envVar>
+              <vaultKey>username</vaultKey>
+            </com.datapipe.jenkins.vault.model.VaultSecretValue>
+            <com.datapipe.jenkins.vault.model.VaultSecretValue>
+              <envVar>PASSWORD</envVar>
+              <vaultKey>password</vaultKey>
+            </com.datapipe.jenkins.vault.model.VaultSecretValue>
+          </secretValues>
+        </com.datapipe.jenkins.vault.model.VaultSecret>
+        <com.datapipe.jenkins.vault.model.VaultSecret>
+          <path>secret/my-secret2</path>
+          <secretValues>
+            <com.datapipe.jenkins.vault.model.VaultSecretValue>
+              <envVar>USERNAME2</envVar>
+              <vaultKey>username2</vaultKey>
+            </com.datapipe.jenkins.vault.model.VaultSecretValue>
+            <com.datapipe.jenkins.vault.model.VaultSecretValue>
+              <envVar>PASSWORD2</envVar>
+              <vaultKey>password2</vaultKey>
+            </com.datapipe.jenkins.vault.model.VaultSecretValue>
+          </secretValues>
+        </com.datapipe.jenkins.vault.model.VaultSecret>
+      </vaultSecrets>
+      <valuesToMask/>
+      <vaultAccessor/>
+    </com.datapipe.jenkins.vault.VaultBuildWrapper>
+  </buildWrappers>
+</project>

tests/wrappers/fixtures/vault-full.yaml

@@ -0,0 +1,17 @@
+wrappers:
+  - vault-secrets:
+      vault-url: 'http://127.0.0.1:8200'
+      credentials-id: 'myCredentials'
+      secrets:
+        - secret-path: 'secret/my-secret'
+          secret-values:
+            - env-var: 'USERNAME'
+              vault-key: 'username'
+            - env-var: 'PASSWORD'
+              vault-key: 'password'
+        - secret-path: 'secret/my-secret2'
+          secret-values:
+            - env-var: 'USERNAME2'
+              vault-key: 'username2'
+            - env-var: 'PASSWORD2'
+              vault-key: 'password2'

tests/wrappers/fixtures/vault-minimal.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project>
+  <buildWrappers>
+    <com.datapipe.jenkins.vault.VaultBuildWrapper plugin="hashicorp-vault-plugin">
+      <configuration>
+        <vaultUrl>http://127.0.0.1:8200</vaultUrl>
+        <vaultCredentialId>myCredentials</vaultCredentialId>
+      </configuration>
+      <vaultSecrets>
+        <com.datapipe.jenkins.vault.model.VaultSecret>
+          <path>secret/my-token</path>
+          <secretValues>
+            <com.datapipe.jenkins.vault.model.VaultSecretValue>
+              <envVar>TOKEN</envVar>
+              <vaultKey>token</vaultKey>
+            </com.datapipe.jenkins.vault.model.VaultSecretValue>
+          </secretValues>
+        </com.datapipe.jenkins.vault.model.VaultSecret>
+      </vaultSecrets>
+      <valuesToMask/>
+      <vaultAccessor/>
+    </com.datapipe.jenkins.vault.VaultBuildWrapper>
+  </buildWrappers>
+</project>

tests/wrappers/fixtures/vault-minimal.yaml

@@ -0,0 +1,9 @@
+wrappers:
+  - vault-secrets:
+      vault-url: 'http://127.0.0.1:8200'
+      credentials-id: 'myCredentials'
+      secrets:
+        - secret-path: 'secret/my-token'
+          secret-values:
+            - env-var: 'TOKEN'
+              vault-key: 'token'