jenkinsci / hashicorp-vault-plugin

Jenkins plugin to populate environment variables from secrets stored in HashiCorp's Vault.
https://plugins.jenkins.io/hashicorp-vault-plugin/
MIT License

Feature Request: Support environment+credentials syntax #71

Open marshallford opened 4 years ago

marshallford commented 4 years ago

As the community moves away from scripted pipelines to purely declarative solutions, I'm wondering if it would be possible to implement a method/step similar to credentials that could be used in an environment block. As I migrate pipelines referencing Jenkins credentials to use Vault secrets instead, I've bumped into a few script quirks (like variable scoping) that could be avoided altogether with a one-to-one replacement of the environment+credentials experience.

Thank you!

Jenkins credentials example:

environment {
    AWS_ACCESS_KEY_ID = credentials('jenkins-aws-secret-key-id')
    AWS_SECRET_ACCESS_KEY = credentials('jenkins-aws-secret-access-key')
}

Proposal (Perhaps support global and folder defaults for VaultAddr, etc):

environment {
    SOME_ENV_VAR = vaultCredentials('secret/foo/bar/secretName/key', 'vaultCredentialId', 'https://vault.com:8200')
}

jetersen commented 4 years ago

This would be possible if we re-implemented the plugin as a credential provider, which is no small feat, but I would definitely love to.

jetersen commented 4 years ago

One concern is a conflicting symbol name; I am sure it should be hashicorpVaultCredentials 😅

marshallford commented 4 years ago

Fair enough on both counts. Your comment on the symbol name got me thinking: How might you cut down the line length/number of mandatory args?

SOME_ENV_VAR = hashicorpVaultCredentials('secret/foo/bar/secretName/key', 'vaultCredentialId', 'https://vault.com:8200', 2) becomes a mouthful.

marshallford commented 4 years ago

Looks like this PR might add this functionality: https://github.com/jenkinsci/hashicorp-vault-plugin/issues/71

mew1033 commented 2 years ago

Was there a PR that added this functionality? I'd love to use vault secrets in the environment block.