Open timwebster9 opened 6 years ago
We currently have the ability to pull files and secrets from Hashicorp Vault like so:

```groovy
credentials {
    vault=['description': 'vault credentials', 'key':'super/secret', 'usernameKey': "username", 'passwordKey': "password", 'type': 'HashicorpVault']
}
files {
    id_rsa_vault=[
        path:'${jenkinsHome}/.ssh/id_rsa_vault',
        mode:'600',
        source: 'HashicorpVault',
        key: 'secret/id_rsa',
        url:'http://localhost:51235',
        token: 'f119a093-c4b1-4422-1c8c-47688d14fe9e',
        contentKey: "contents", // defaults to 'contents'
        base64Encoded: true // defaults to false
    ]
}
```
One of the downsides has been the necessity to renew keys.
A more generic way of doing things sounds like a good idea.
It looks like this may solve your issue though - with the added advantage of pulling secrets at pipeline runtime rather than just master startup.
We already use that - look who submitted the latest PR :-)
It's good for stuff that doesn't need to be in the config, but there is always something that needs to be there...
As an alternative to the native encryption mechanism (`ENC(...)`) it would be nice to have integration with cloud-based vaults (e.g. Azure Keyvault). The startup scripts would pull the secrets directly from the vault. It might look something like this in the config:

```groovy
username: jenkins, password: AZKEYVAULT('vaultUrl', 'secretName')
```

Ideally the implementation would be generic and could support other cloud vendors.
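As an added example (not code from this issue or from the project itself), here is a Python sketch of the generic, provider-agnostic resolver proposed above: config values matching `PROVIDER('arg', ...)` are dispatched to a registered vault backend at startup, unknown providers fail closed rather than leaking the literal placeholder into a password field, and a constructed in-memory store stands in for Azure Key Vault. The placeholder grammar, the registry and the provider names are assumptions.

```python
import re
from typing import Callable, Dict

# Placeholder grammar assumed for this example: PROVIDER('arg1', 'arg2', ...)
_PLACEHOLDER = re.compile(r"^(?P<provider>[A-Z][A-Z0-9_]*)\((?P<args>.*)\)$")
_ARG = re.compile(r"'((?:[^'\\]|\\.)*)'")  # single-quoted args, backslash escapes

# Provider registry: name -> callable(*args) -> secret. A real provider would
# wrap the vendor SDK (Azure Key Vault, AWS Secrets Manager, ...).
Provider = Callable[..., str]
_PROVIDERS: Dict[str, Provider] = {}

class UnresolvedSecret(Exception):
    """Raised when a placeholder cannot be turned into a secret."""

def register_provider(name: str, fetch: Provider) -> None:
    _PROVIDERS[name] = fetch

def resolve_value(value: str) -> str:
    """Return the plain value, or the secret its placeholder refers to."""
    m = _PLACEHOLDER.match(value.strip())
    if not m:
        return value  # not a placeholder: pass through unchanged
    name = m.group("provider")
    if name not in _PROVIDERS:
        # Fail closed: never hand the literal placeholder text on as a password.
        raise UnresolvedSecret(f"unknown secret provider {name!r}")
    args = [a.replace("\\'", "'") for a in _ARG.findall(m.group("args"))]
    return _PROVIDERS[name](*args)

def resolve_config(config: Dict[str, str]) -> Dict[str, str]:
    """Resolve every placeholder in a flat key/value config."""
    return {k: resolve_value(v) for k, v in config.items()}

# Constructed stand-in for Azure Key Vault, keyed by (vault URL, secret name).
_FAKE_AZ_STORE = {("https://example.vault.azure.net", "jenkins-admin-pw"): "s3cr3t"}

def fake_azure_keyvault(vault_url: str, secret_name: str) -> str:
    try:
        return _FAKE_AZ_STORE[(vault_url, secret_name)]
    except KeyError:
        raise UnresolvedSecret(f"{secret_name!r} not found in {vault_url}") from None

register_provider("AZKEYVAULT", fake_azure_keyvault)

if __name__ == "__main__":
    cfg = {"username": "jenkins",
           "password": "AZKEYVAULT('https://example.vault.azure.net', 'jenkins-admin-pw')"}
    resolved = resolve_config(cfg)
    # Log which keys were resolved, never the resolved values themselves.
    print({k: ("<resolved>" if v != cfg[k] else v) for k, v in resolved.items()})
```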