64 lines
2.7 KiB
Markdown
64 lines
2.7 KiB
Markdown
# Using Vault to keep tabs on environment variables
|
|
|
|
## Prerequisites
|
|
|
|
- An instance of [Hashicorps Vault](https://www.vaultproject.io/) running
|
|
- Using a docker-based approach is described [here](vault/setup-vault-using-docker.md)
|
|
- A token (or username and password) as credentials for accessing Vault
|
|
- [HashiCorp Vault plugin](https://github.com/jenkinsci/hashicorp-vault-plugin) v2.4.0+
|
|
|
|
## Put stuff into Vault
|
|
|
|
Creating content in Vault can be done either using curl (not recommended) or using Vault as a client.
|
|
A simple curl example can be found [here](vault/setup-vault-using-docker.md). Use a native vault application whenever possible. They are available for download [here](https://www.vaultproject.io/downloads.html). Using vault via docker requires you to be inside a running vault docker container. Otherwise the steps are the same.
|
|
|
|
The below example assumes that you have the following environment variables:
|
|
|
|
- `$VAULT_TOKEN` containing the token to use as access credentials
|
|
- `$VAULT_SERVER_URL` containing the URL to your vault server, i.e. `http://vault.domain.local:8200`
|
|
|
|
If needed, enter the docker container: `docker exec -it library/vault /bin/sh`
|
|
|
|
Execute the following to put data in vault.
|
|
|
|
```sh
|
|
vault write -address=$VAULT_SERVER_URL secret/jenkins/master \
|
|
AWS_ACCESS_KEY_ID="[Your AWS ACCESS KEY]" \
|
|
AWS_SECRET_ACCESS_KEY="[YOUR AWS SECRET ACCESS KEY]" \
|
|
SSH_PRIVATE_KEY=@/vault/file/secrets/jenkins_ssh_key
|
|
```
|
|
|
|
Essentially, anything can go into a vault, as long as it's KEY=VALUE formatted. If you work inside a docker container, the above example requires you to have the file `/vault/file/secrets/jenkins_ssh_key` exist inside the docker container.
|
|
|
|
## Usage
|
|
|
|
```bash
|
|
$ vault kv get kv/jenkins/master
|
|
============= Data =============
|
|
Key Value
|
|
--- -----
|
|
operator_pass doggo
|
|
operator_userid catto
|
|
```
|
|
|
|
and use them in configuration:
|
|
|
|
```yaml
|
|
# config truncated
|
|
credentials:
|
|
system:
|
|
domainCredentials:
|
|
- credentials:
|
|
- usernamePassword:
|
|
scope: "GLOBAL"
|
|
id: "${operator_userid}"
|
|
username: "${operator_userid}"
|
|
password: "${operator_pass}"
|
|
description: "i am catto with doggo pass"
|
|
```
|
|
|
|
## Current limitations
|
|
|
|
Due to the dependency on BetterCloud's [vault-java-driver](https://github.com/BetterCloud/vault-java-driver), Vault's change default KV backend from v1 to v2 and HTTP endpoints change it's currently unable to use Vault's KV v2 secret store. ([see issue on BetterCloud project](https://github.com/BetterCloud/vault-java-driver/issues/114))
|
|
Be aware which version you use as default dev Vault server, starting from 0.10, it uses KV v2. [See docs](https://www.vaultproject.io/docs/secrets/kv/kv-v2.html)
|