buildit / jenkins-startup-scripts


Integration with vault service providers #36

Open timwebster9 opened 6 years ago

timwebster9 commented 6 years ago

As an alternative to the native encryption mechanism (ENC(...)), it would be nice to have integration with cloud-based vaults (e.g. Azure Keyvault).

The startup scripts would pull the secrets directly from the vault. It might look something like this in the config:

username: jenkins, password: AZKEYVAULT('vaultUrl', 'secretName')

Ideally the implementation would be generic and could support other cloud vendors.

dermotmburke commented 6 years ago

We currently have the ability to pull files and secrets from Hashicorp Vault like so

credentials {
    vault=['description': 'vault credentials', 'key':'super/secret', 'usernameKey': "username", 'passwordKey': "password", 'type': 'HashicorpVault']
}
files {
    id_rsa_vault=[
            path:'${jenkinsHome}/.ssh/id_rsa_vault',
            mode:'600',
            source: 'HashicorpVault',
            key: 'secret/id_rsa',
            url:'http://localhost:51235',
            token: 'f119a093-c4b1-4422-1c8c-47688d14fe9e',
            contentKey: "contents", // defaults to 'contents'
            base64Encoded: true // defaults to false
    ]
}

One of the downsides has been the necessity to renew keys.

A more generic way of doing things sounds like a good idea.
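A worked sketch of the generic resolver this thread is asking for, covering both the proposed AZKEYVAULT('vaultUrl', 'secretName') syntax from the first comment and the key / usernameKey / contentKey / base64Encoded lookups of the existing HashicorpVault source shown above. This is an added example in Python, not the project's Groovy startup scripts and not code from either commenter; the provider names, the SecretResolver class and the in-memory vault data are all constructed for illustration, standing in for calls to a real vault API.

```python
"""Generic secret-reference resolver for startup configuration (illustrative).

A config value such as
    password: AZKEYVAULT('https://example-vault.vault.azure.net', 'jenkins-password')
is parsed into a provider name plus single-quoted arguments and dispatched to a
registered provider. Plain values pass through unchanged. Anything that looks
like PROVIDER(...) but cannot be resolved is an error: the literal reference is
never silently used as the secret.
"""
import base64
import re
from typing import Callable, Dict, List, Mapping, Optional, Tuple

REF_RE = re.compile(r"^(?P<provider>[A-Z][A-Z0-9_]*)\((?P<args>.*)\)$")
ARGS_RE = re.compile(r"^\s*'[^']*'(\s*,\s*'[^']*')*\s*$")  # only quoted strings
ARG_RE = re.compile(r"'([^']*)'")

Provider = Callable[..., Optional[str]]


class SecretResolutionError(Exception):
    """Raised instead of falling back to the unresolved reference."""


class SecretResolver:
    def __init__(self) -> None:
        self._providers: Dict[str, Provider] = {}

    def register(self, name: str, provider: Provider) -> None:
        self._providers[name.upper()] = provider

    @staticmethod
    def parse_reference(value: str) -> Optional[Tuple[str, List[str]]]:
        """Return (provider, args) for PROVIDER('a', 'b'), or None for a plain value."""
        m = REF_RE.match(value.strip())
        if not m:
            return None
        args = m.group("args")
        if not ARGS_RE.match(args):
            raise SecretResolutionError(f"malformed arguments in reference {value!r}")
        return m.group("provider"), ARG_RE.findall(args)

    def resolve(self, value: str) -> str:
        parsed = self.parse_reference(value)
        if parsed is None:
            return value
        name, args = parsed
        provider = self._providers.get(name)
        if provider is None:
            raise SecretResolutionError(f"no provider registered for {name}")
        try:
            secret = provider(*args)
        except TypeError as exc:  # wrong argument count for this provider
            raise SecretResolutionError(f"bad arguments for {name}: {exc}") from exc
        if secret is None:
            # Error text names the reference, never a secret value, so it is safe to log.
            raise SecretResolutionError(f"secret not found for reference {value!r}")
        return secret

    def resolve_config(self, config: Mapping[str, str]) -> Dict[str, str]:
        return {key: self.resolve(val) for key, val in config.items()}


# Constructed stand-in data; a real provider would call the vault's API instead.
FAKE_AZURE_VAULTS = {
    "https://example-vault.vault.azure.net": {"jenkins-password": "s3cr3t-from-azure"},
}
FAKE_HASHICORP_KV = {
    "super/secret": {"username": "jenkins", "password": "s3cr3t-from-vault"},
    "secret/id_rsa": {"contents": base64.b64encode(b"-----BEGIN KEY-----\n").decode()},
}


def azure_keyvault(vault_url: str, secret_name: str) -> Optional[str]:
    """Hypothetical Azure Key Vault provider: (vaultUrl, secretName) -> value."""
    return FAKE_AZURE_VAULTS.get(vault_url, {}).get(secret_name)


def hashicorp_vault(path: str, key: str = "contents", base64_encoded: str = "false") -> Optional[str]:
    """Hypothetical Vault KV provider mirroring key / contentKey / base64Encoded."""
    raw = FAKE_HASHICORP_KV.get(path, {}).get(key)
    if raw is None:
        return None
    if base64_encoded.lower() == "true":
        return base64.b64decode(raw).decode()
    return raw


def build_resolver() -> SecretResolver:
    resolver = SecretResolver()
    resolver.register("AZKEYVAULT", azure_keyvault)
    resolver.register("HASHICORPVAULT", hashicorp_vault)
    return resolver


if __name__ == "__main__":
    creds = build_resolver().resolve_config({
        "username": "jenkins",
        "password": "AZKEYVAULT('https://example-vault.vault.azure.net', 'jenkins-password')",
    })
    print({k: ("<resolved>" if k == "password" else v) for k, v in creds.items()})
```

Adding another backend means registering one more function; the config syntax stays the same. A misspelled provider name or a missing secret raises before Jenkins starts, which is preferable to a master coming up with the reference string as its password.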

dermotmburke commented 6 years ago

It looks like this may solve your issue though - with the added advantage of pulling secrets at pipeline runtime rather than just master startup.

https://github.com/mbearup/azure-keyvault-plugin

timwebster9 commented 6 years ago

We already use that - look who submitted the latest PR :-)

It's good for stuff that doesn't need to be in the config, but there is always something that needs to be there...