Provide an example of how to use the HashiCorp Vault Plugin with Jenkins Declarative Pipeline.

          [JENKINS-45685] Declarative Pipeline Example

          Nikolay Tsutsarin created issue -
          Jesse Glick made changes -
          Component/s Original: pipeline [ 21692 ]
          Issue Type Original: Improvement [ 4 ] New: Task [ 3 ]
          Labels New: documentation pipeline

          Peter Tierno added a comment -

          My initial testing failed when using this in a declarative pipeline. Will see what needs done to get it working and document.
          Peter Tierno made changes -
          Priority Original: Minor [ 4 ] New: Major [ 3 ]
          Peter Tierno made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          Sean Middleton added a comment -

          Hi, was there any update on this issue in the end? Looking to use the Vault plugin with a declarative pipeline but some information I've read suggests declarative pipelines aren't currently supported with the Vault plugin?

          Arturas R added a comment -

          Hope it helps

          pipeline {
            agent none
            stages {
              stage('Vault') {
                  agent {
                    node {
                      label 'linux'
                    }
                  }
          
                  steps {
                    script {
                      node {
                        // define the secrets and the env variables
                        def secrets = [
                          [$class: 'VaultSecret', path: 'secret/testing', secretValues: [
                            [$class: 'VaultSecretValue', envVar: 'testing', vaultKey: 'value_one'],
                            [$class: 'VaultSecretValue', envVar: 'testing_again', vaultKey: 'value_two']]],
                          [$class: 'VaultSecret', path: 'secret/another_test', secretValues: [
                            [$class: 'VaultSecretValue', envVar: 'another_test', vaultKey: 'value']]]
                        ]
          
                        // optional configuration, if you do not provide this the next higher configuration
                        // (e.g. folder or global) will be used
                        def configuration = [$class: 'VaultConfiguration',
                                            vaultUrl: 'http://my-very-other-vault-url.com',
                                            vaultCredentialId: 'my-vault-cred-id']
          
                        // inside this block your credentials will be available as env variables
                        wrap([$class: 'VaultBuildWrapper', configuration: configuration, vaultSecrets: secrets]) {
                          sh 'echo $testing'
                          sh 'echo $testing_again'
                          sh 'echo $another_test'
                        }
                      }
                    }
                  }
              }
            }
          }
          


          vassil marjunits added a comment - - edited

          After version 2.3.0 and higher (3.0.0 was the latest when this comment was made):

          // define vault configuration
          def configuration = [engineVersion: 1, 
                               skipSslVerification: true, 
                               timeout: 60, 
                               vaultUrl: "http://my-vault.com:8200", 
                               vaultCredentialId: "my-vault-cred-id"]
          // define vault secret path and env var
          def secret = [
                [path: 'dev/kv1', secretValues: [
                  [envVar: 'PASSWORD', vaultKey: 'password'],
                  [envVar: 'USER', vaultKey: 'user']]]
          ]
          pipeline {
              agent any
              options {
                  buildDiscarder(logRotator(numToKeepStr: '20'))
                  disableConcurrentBuilds()
              }
              stages{   
                  stage('Vault') {
                      steps {
                          script {
                              withVault([configuration: configuration, vaultSecrets: secret]) {
                                   sh 'echo $PASSWORD'
                                   sh 'echo $USER'
                              }
                          }
                      }  
                  }
              }
              post {
                  always {
                      cleanWs()
                  }
              }
          }
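
          The same `withVault` pipeline with TLS verification left on and the secrets consumed rather than echoed, as an added example that is not part of the original comment or the plugin's own documentation. The Vault URL, credential id, secret path, the `DB_USER`/`DB_PASSWORD` variable names and the `./deploy.sh` script are placeholders assumed for illustration.

```groovy
// Added example (not from the thread). All names and URLs below are placeholders.
def configuration = [engineVersion: 1,
                     skipSslVerification: false,  // keep certificate verification on
                     timeout: 60,
                     vaultUrl: 'https://vault.example.com:8200',  // TLS, not plain http
                     vaultCredentialId: 'my-vault-cred-id']

// DB_USER is used instead of USER so the shell's own USER variable is not overwritten.
def secrets = [
    [path: 'dev/kv1', secretValues: [
        [envVar: 'DB_USER', vaultKey: 'user'],
        [envVar: 'DB_PASSWORD', vaultKey: 'password']]]
]

pipeline {
    agent any
    options {
        buildDiscarder(logRotator(numToKeepStr: '20'))
        disableConcurrentBuilds()
    }
    stages {
        stage('Vault') {
            steps {
                script {
                    withVault([configuration: configuration, vaultSecrets: secrets]) {
                        // Single-quoted Groovy string: the shell expands the variables,
                        // so the secret values never become part of the script text.
                        sh '''
                            set +x
                            # Fail early if a secret is missing, without printing it.
                            test -n "$DB_USER" && test -n "$DB_PASSWORD"
                            # Hypothetical script that reads DB_USER and DB_PASSWORD
                            # from its environment rather than from its arguments.
                            ./deploy.sh
                        '''
                    }
                }
            }
        }
    }
    post {
        always {
            cleanWs()
        }
    }
}
```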
          
          
          

           


            ptierno Peter Tierno
            tsutsarin_fuib Nikolay Tsutsarin