Jenkins hashicorp-vault-plugin empty result

Time: 2019-04-17 08:58:27

Tags: jenkins hashicorp-vault

I tried the Jenkins pipeline example mentioned here: https://plugins.jenkins.io/hashicorp-vault-plugin

node {
    // define the secrets and the env variables
    def secrets = [
        [$class: 'VaultSecret', path: 'secret/testing', secretValues: [
            [$class: 'VaultSecretValue', envVar: 'testing', vaultKey: 'value_one'],
            [$class: 'VaultSecretValue', envVar: 'testing_again', vaultKey: 'value_two']]],
        [$class: 'VaultSecret', path: 'secret/another_test', secretValues: [
            [$class: 'VaultSecretValue', envVar: 'another_test', vaultKey: 'value']]]
    ]

    // optional configuration, if you do not provide this the next higher configuration
    // (e.g. folder or global) will be used
    def configuration = [$class: 'VaultConfiguration',
                         vaultUrl: 'http://my-very-other-vault-url.com',
                         vaultCredentialId: 'my-vault-cred-id']
    // inside this block your credentials will be available as env variables
    wrap([$class: 'VaultBuildWrapper', configuration: configuration, vaultSecrets: secrets]) {
        sh 'echo $testing'
        sh 'echo $testing_again'
        sh 'echo $another_test'
    }
}

So I installed hashicorp-vault-plugin 2.2.0 in Jenkins 2.173 and started a Vault (v1.1.1) Docker container using

docker run -d --name vaulttest -p 80:8200 --cap-add=IPC_LOCK -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' vault

Next, I configured a token credential in Jenkins with the token "myroot".

I created the secrets in Vault using the web UI:

testing
   value_one
   value_two
another_test
   value

First, there was an error in the example: with the paths "secret/testing" and "secret/another_test", the plugin failed with error 404:

Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv get' for this operation.

This can be fixed by using the paths "secret/data/testing" and "secret/data/another_test" (see https://issues.jenkins-ci.org/browse/JENKINS-44900).

But then, when the job is invoked, the variables appear to be empty:

[Pipeline] sh
+ echo

[Pipeline] sh
+ echo

[Pipeline] sh
+ echo

The connection definitely works, because I get an error message when I supply invalid credentials or an invalid path.

Also, retrieving the secret directly returns a valid response:

/ # vault kv get secret/testing
====== Metadata ======
Key              Value
---              -----
created_time     2019-04-17T05:31:23.581020191Z
deletion_time    n/a
destroyed        false
version          3

====== Data ======
Key          Value
---          -----
value_one    HUGO
value_two    BETTY

What am I missing here?

1 answer:

Answer 0: (score: 0)

As shown here https://issues.jenkins-ci.org/browse/JENKINS-52646, Vault KV v2 returns a different JSON response.

So you have to use

def secrets = [
    [$class: 'VaultSecret', path: 'secret/data/testing', secretValues: [
        [$class: 'VaultSecretValue', envVar: 'testing', vaultKey: 'data']]]
]

to retrieve the correct JSON response.

The resulting JSON response can then be passed to "readJSON":

def result = readJSON text: testing
echo result.value_one
echo result.value_two
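As an added illustration (not from the question, the answer or the plugin itself), here are the two response shapes behind the empty variables, with constructed sample payloads: a lookup of `value_one` directly under `data` finds nothing in a KV v2 response, while the `data` key yields the nested object that readJSON then parses. `plugin_lookup` is a simplified model of the behaviour the answer describes, not the plugin's source; `resolve_secret` shows a shape-aware read that works for both engines.

```python
import json

# Constructed sample responses (not captured from a real Vault), shaped the way
# KV v1 (GET /v1/secret/testing) and KV v2 (GET /v1/secret/data/testing) answer.
KV_V1_RESPONSE = json.dumps({
    "data": {"value_one": "HUGO", "value_two": "BETTY"},
})
KV_V2_RESPONSE = json.dumps({
    "data": {
        "data": {"value_one": "HUGO", "value_two": "BETTY"},
        "metadata": {"version": 3, "destroyed": False},
    },
})


def plugin_lookup(response_text, vault_key):
    """Model of the lookup the answer describes: take response['data'][vaultKey].
    Returns None (an empty env var) when the key is absent, and JSON text when the
    value is a nested object, which is why the answer feeds it to readJSON."""
    body = json.loads(response_text)
    value = body.get("data", {}).get(vault_key)
    if isinstance(value, dict):
        return json.dumps(value)
    return value


def resolve_secret(response_text, key):
    """Read `key` from either engine: detect the KV v2 envelope by the nested
    'data' object next to 'metadata' and descend one level before the lookup."""
    data = json.loads(response_text).get("data", {})
    if isinstance(data.get("data"), dict) and "metadata" in data:
        data = data["data"]  # KV v2: the secret sits one level deeper
    return data.get(key)
```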