square / keywhiz

A system for distributing and managing secrets
https://square.github.io/keywhiz/
Apache License 2.0

Create Jenkins plugin for keywhiz - feedback #300

Open 452 opened 7 years ago

452 commented 7 years ago

I am now at a crossroads between choosing Keywhiz and vaultproject.

vaultproject has a Jenkins plugin: https://wiki.jenkins-ci.org/display/JENKINS/HashiCorp+Vault+Plugin

But I love Java =), and am thinking about choosing Keywhiz, but hesitate over which to choose.

Please provide a Jenkins plugin for Jenkins Pipeline (https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Plugin) and the Jenkins UI.

We have the following infrastructure: AWS EC2, ECR, ECS, RDS, (Docker) (JBoss Fuse, Tomcat) (dev, qa, staging, prod).

It would be better to see some examples of how to integrate Jenkins, AWS and Docker with Keywhiz. Docker can read credentials at the container run step: https://github.com/452/docker/blob/master/java-swing/run.sh#L2

```bash
#!/bin/bash
# Each setting is taken from the container environment, with a default when unset.
APPLICATION=${APPLICATION:-ZONE51}
TIMEOUT=${TIMEOUT:-25000}
BACKEND_AUTH_ENDPOINT=${BACKEND_AUTH_ENDPOINT:-https://my.com/am-auth}
BACKEND_ENDPOINT=${BACKEND_ENDPOINT:-https://my.com/hello}
JMS_BROKER_URL=${JMS_BROKER_URL:-tcp://my.com:61616}
JMS_BROKER_USER=${JMS_BROKER_USER:-myprod}
JMS_BROKER_PASSWORD=${JMS_BROKER_PASSWORD:-999}
GOOGLE_ANALYTICS_ACCOUNT=${GOOGLE_ANALYTICS_ACCOUNT:-UA-999}

# Render the application's properties file into the Tomcat config directory
# (the path is quoted so a CATALINA_BASE containing spaces does not break the redirect).
cat << EOF > "$CATALINA_BASE/conf/zone51.properties"
rest.client.application = $APPLICATION
rest.client.timeout = $TIMEOUT
backend.auth.endpoint = $BACKEND_AUTH_ENDPOINT
backend.endpoint = $BACKEND_ENDPOINT
jms.broker.url = $JMS_BROKER_URL
jms.broker.user = $JMS_BROKER_USER
jms.broker.password = $JMS_BROKER_PASSWORD
google.analytics.account = $GOOGLE_ANALYTICS_ACCOUNT
EOF

# Hand off to the image's real entrypoint.
exec /usr/local/bin/run
```

And also, if you can, please provide in the documentation some info about how to integrate or use it with centralized configuration management / Consul / etcd / https://github.com/cfg4j/cfg4j http://cloud.spring.io/spring-cloud-config/spring-cloud-config.html

Also need support for infrastructure as code (IaC): https://github.com/jhaals/ansible-vault https://www.terraform.io/docs/providers/index.html

This message is just feedback, to improve Keywhiz for production readiness.
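As an added example (not from this issue, the linked run.sh, or the Keywhiz project), here is a variant of the run script above that prefers a secret delivered as a file by a secret-distribution agent (Keywhiz's keysync client writes secrets to a directory; the `/secrets` path and the per-secret file names are assumptions) and falls back to the environment variable only when no file exists, while writing the rendered properties file owner-only so the JMS password is not world-readable inside the container:

```bash
#!/bin/sh
# Added example: render zone51.properties from file-mounted secrets with env fallback.
set -eu

# Assumed mount point of the secret-distribution agent (e.g. keysync); override via env.
SECRETS_DIR="${SECRETS_DIR:-/secrets}"

# secret_value NAME DEFAULT
# Resolution order: $SECRETS_DIR/NAME file -> $NAME environment variable -> DEFAULT.
secret_value() {
  name="$1"
  default="$2"
  file="$SECRETS_DIR/$name"
  if [ -r "$file" ]; then
    # Agents usually write a trailing newline; strip it so the value is exact.
    tr -d '\n' < "$file"
  else
    # Indirect lookup of the env var named by $name (POSIX-portable, no ${!name}).
    eval "envval=\${$name:-}"
    if [ -n "$envval" ]; then
      printf '%s' "$envval"
    else
      printf '%s' "$default"
    fi
  fi
}

# render_properties OUTFILE
# Writes the same keys as the original script, but with mode 0600 so only the
# process owner can read the password that ends up on the filesystem.
render_properties() {
  out="$1"
  umask 077
  cat > "$out" <<EOF
rest.client.application = $(secret_value APPLICATION ZONE51)
rest.client.timeout = $(secret_value TIMEOUT 25000)
backend.auth.endpoint = $(secret_value BACKEND_AUTH_ENDPOINT https://my.com/am-auth)
backend.endpoint = $(secret_value BACKEND_ENDPOINT https://my.com/hello)
jms.broker.url = $(secret_value JMS_BROKER_URL tcp://my.com:61616)
jms.broker.user = $(secret_value JMS_BROKER_USER myprod)
jms.broker.password = $(secret_value JMS_BROKER_PASSWORD "")
google.analytics.account = $(secret_value GOOGLE_ANALYTICS_ACCOUNT UA-999)
EOF
  chmod 0600 "$out"
}
```

In the container entrypoint this would be followed by `render_properties "$CATALINA_BASE/conf/zone51.properties"` and the `exec` of the real startup command, as in the original script.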

mcpherrinm commented 7 years ago

While that seems useful, it's unlikely that I or anyone on my team is going to have the time or expertise to write a Jenkins plugin, as we don't use Jenkins much.

I'll keep this issue open for now, and look into what this entails at some point.