Adds wrapper for vault plugin
Change-Id: I85ab23670a1d89b04eba01ddd4cc024da1d879a9 Signed-off-by: Roman Iuvshyn <riuvshyn@redhat.com>
This commit is contained in:
parent
0deb58146a
commit
465e860684
@ -1022,6 +1022,78 @@ def inject_passwords(registry, xml_parent, data):
|
||||
mapping, fail_required=True)
|
||||
|
||||
|
||||
def vault_secrets(registry, xml_parent, data):
|
||||
"""yaml: vault-secrets
|
||||
Inject environment variables from a HashiCorp Vault secret.
|
||||
|
||||
Secrets are generally masked in the build log.
|
||||
|
||||
Requires the Jenkins
|
||||
:jenkins-wiki:`HashiCorp Vault Plugin <HashiCorp+Vault+Plugin>`.
|
||||
|
||||
:arg str vault-url: Vault URL
|
||||
:arg str credentials-id: Vault Credential
|
||||
:arg list secrets: List of secrets
|
||||
|
||||
:secrets:
|
||||
* **secret-path** (`str`) --
|
||||
The path of the secret in the vault server
|
||||
|
||||
:secret-values:
|
||||
* **secret-values** (`list`) -- List of key / value pairs
|
||||
|
||||
* **env-var** (`str`) --
|
||||
The environment variable to set with the value of the
|
||||
vault key
|
||||
* **vault-key** (`str`) -- The vault key whose value with
|
||||
populate the environment variable
|
||||
|
||||
Minimal Example:
|
||||
|
||||
.. literalinclude:: /../../tests/wrappers/fixtures/vault-minimal.yaml
|
||||
:language: yaml
|
||||
|
||||
Full Example:
|
||||
|
||||
.. literalinclude:: /../../tests/wrappers/fixtures/vault-full.yaml
|
||||
:language: yaml
|
||||
|
||||
"""
|
||||
vault = XML.SubElement(xml_parent,
|
||||
'com.datapipe.jenkins.vault.VaultBuildWrapper')
|
||||
vault.set('plugin', 'hashicorp-vault-plugin')
|
||||
configuration = XML.SubElement(vault, 'configuration')
|
||||
conf_mapping = [
|
||||
('vault-url', 'vaultUrl', ''),
|
||||
('credentials-id', 'vaultCredentialId', ''),
|
||||
]
|
||||
convert_mapping_to_xml(
|
||||
configuration, data, conf_mapping, fail_required=True)
|
||||
|
||||
secretsobj = XML.SubElement(vault, 'vaultSecrets')
|
||||
secrets = data.get('secrets', [])
|
||||
for secret in secrets:
|
||||
secretobj = XML.SubElement(
|
||||
secretsobj, 'com.datapipe.jenkins.vault.model.VaultSecret')
|
||||
XML.SubElement(
|
||||
secretobj, 'path').text = secret.get('secret-path', '')
|
||||
secretvaluesobj = XML.SubElement(secretobj, 'secretValues')
|
||||
for secretvalue in secret['secret-values']:
|
||||
secretvalueobj = XML.SubElement(
|
||||
secretvaluesobj,
|
||||
'com.datapipe.jenkins.vault.model.VaultSecretValue')
|
||||
XML.SubElement(
|
||||
secretvalueobj,
|
||||
'envVar').text = \
|
||||
secretvalue.get('env-var', '')
|
||||
XML.SubElement(
|
||||
secretvalueobj,
|
||||
'vaultKey').text = \
|
||||
secretvalue.get('vault-key', '')
|
||||
XML.SubElement(vault, 'valuesToMask')
|
||||
XML.SubElement(vault, 'vaultAccessor')
|
||||
|
||||
|
||||
def env_file(registry, xml_parent, data):
|
||||
"""yaml: env-file
|
||||
Add or override environment variables to the whole build process
|
||||
|
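Review bot: Missing required keys are handled inconsistently in the new `vault_secrets`: `conf_mapping` gives `vault-url` and `credentials-id` a default of `''`, and `secret.get('secret-path', '')`, `secretvalue.get('env-var', '')` and `secretvalue.get('vault-key', '')` also fall back to empty strings, so a mistyped key in the job YAML emits `<vaultUrl></vaultUrl>` or `<path></path>` and the problem only shows up at build time (or as an env var silently set to an empty value), while `secret['secret-values']` fails up front with a raw KeyError. Assuming `convert_mapping_to_xml` with `fail_required=True` raises only when the resolved value is `None` (which is what the `''` defaults imply), switching the configuration defaults to `None` and routing the per-secret and per-value fields through the same helper makes every required key fail at generation time with the module's usual error instead of producing an empty credential reference; the `secret['secret-values']` access is left as is below. The docstring should then mark these arguments as required, e.g. `:arg str vault-url: Vault URL (required)` and the same suffix on `credentials-id`, `secret-path`, `env-var` and `vault-key`.
```python
    conf_mapping = [
        ('vault-url', 'vaultUrl', None),
        ('credentials-id', 'vaultCredentialId', None),
    ]
    convert_mapping_to_xml(
        configuration, data, conf_mapping, fail_required=True)

    # … unchanged: vaultSecrets element …
    for secret in data.get('secrets', []):
        secretobj = XML.SubElement(
            secretsobj, 'com.datapipe.jenkins.vault.model.VaultSecret')
        # None default: a missing secret-path raises instead of serializing ''
        secret_mapping = [('secret-path', 'path', None)]
        convert_mapping_to_xml(
            secretobj, secret, secret_mapping, fail_required=True)
        secretvaluesobj = XML.SubElement(secretobj, 'secretValues')
        for secretvalue in secret['secret-values']:
            secretvalueobj = XML.SubElement(
                secretvaluesobj,
                'com.datapipe.jenkins.vault.model.VaultSecretValue')
            value_mapping = [
                ('env-var', 'envVar', None),
                ('vault-key', 'vaultKey', None),
            ]
            convert_mapping_to_xml(
                secretvalueobj, secretvalue, value_mapping,
                fail_required=True)
    # … unchanged: valuesToMask / vaultAccessor …
```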
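--- /dev/null
+++ b/tests/wrappers/fixtures/vault-full.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project>
+<buildWrappers>
+<com.datapipe.jenkins.vault.VaultBuildWrapper plugin="hashicorp-vault-plugin">
+<configuration>
+<vaultUrl>http://127.0.0.1:8200</vaultUrl>
+<vaultCredentialId>myCredentials</vaultCredentialId>
+</configuration>
+<vaultSecrets>
+<com.datapipe.jenkins.vault.model.VaultSecret>
+<path>secret/my-secret</path>
+<secretValues>
+<com.datapipe.jenkins.vault.model.VaultSecretValue>
+<envVar>USERNAME</envVar>
+<vaultKey>username</vaultKey>
+</com.datapipe.jenkins.vault.model.VaultSecretValue>
+<com.datapipe.jenkins.vault.model.VaultSecretValue>
+<envVar>PASSWORD</envVar>
+<vaultKey>password</vaultKey>
+</com.datapipe.jenkins.vault.model.VaultSecretValue>
+</secretValues>
+</com.datapipe.jenkins.vault.model.VaultSecret>
+<com.datapipe.jenkins.vault.model.VaultSecret>
+<path>secret/my-secret2</path>
+<secretValues>
+<com.datapipe.jenkins.vault.model.VaultSecretValue>
+<envVar>USERNAME2</envVar>
+<vaultKey>username2</vaultKey>
+</com.datapipe.jenkins.vault.model.VaultSecretValue>
+<com.datapipe.jenkins.vault.model.VaultSecretValue>
+<envVar>PASSWORD2</envVar>
+<vaultKey>password2</vaultKey>
+</com.datapipe.jenkins.vault.model.VaultSecretValue>
+</secretValues>
+</com.datapipe.jenkins.vault.model.VaultSecret>
+</vaultSecrets>
+<valuesToMask/>
+<vaultAccessor/>
+</com.datapipe.jenkins.vault.VaultBuildWrapper>
+</buildWrappers>
+</project>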
17
tests/wrappers/fixtures/vault-full.yaml
Normal file
17
tests/wrappers/fixtures/vault-full.yaml
Normal file
@ -0,0 +1,17 @@
|
||||
wrappers:
|
||||
- vault-secrets:
|
||||
vault-url: 'http://127.0.0.1:8200'
|
||||
credentials-id: 'myCredentials'
|
||||
secrets:
|
||||
- secret-path: 'secret/my-secret'
|
||||
secret-values:
|
||||
- env-var: 'USERNAME'
|
||||
vault-key: 'username'
|
||||
- env-var: 'PASSWORD'
|
||||
vault-key: 'password'
|
||||
- secret-path: 'secret/my-secret2'
|
||||
secret-values:
|
||||
- env-var: 'USERNAME2'
|
||||
vault-key: 'username2'
|
||||
- env-var: 'PASSWORD2'
|
||||
vault-key: 'password2'
|
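--- /dev/null
+++ b/tests/wrappers/fixtures/vault-minimal.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<project>
+<buildWrappers>
+<com.datapipe.jenkins.vault.VaultBuildWrapper plugin="hashicorp-vault-plugin">
+<configuration>
+<vaultUrl>http://127.0.0.1:8200</vaultUrl>
+<vaultCredentialId>myCredentials</vaultCredentialId>
+</configuration>
+<vaultSecrets>
+<com.datapipe.jenkins.vault.model.VaultSecret>
+<path>secret/my-token</path>
+<secretValues>
+<com.datapipe.jenkins.vault.model.VaultSecretValue>
+<envVar>TOKEN</envVar>
+<vaultKey>token</vaultKey>
+</com.datapipe.jenkins.vault.model.VaultSecretValue>
+</secretValues>
+</com.datapipe.jenkins.vault.model.VaultSecret>
+</vaultSecrets>
+<valuesToMask/>
+<vaultAccessor/>
+</com.datapipe.jenkins.vault.VaultBuildWrapper>
+</buildWrappers>
+</project>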
9
tests/wrappers/fixtures/vault-minimal.yaml
Normal file
9
tests/wrappers/fixtures/vault-minimal.yaml
Normal file
@ -0,0 +1,9 @@
|
||||
wrappers:
|
||||
- vault-secrets:
|
||||
vault-url: 'http://127.0.0.1:8200'
|
||||
credentials-id: 'myCredentials'
|
||||
secrets:
|
||||
- secret-path: 'secret/my-token'
|
||||
secret-values:
|
||||
- env-var: 'TOKEN'
|
||||
vault-key: 'token'
|