How to access Vault credentials in a pipeline

Time: 2018-11-29 07:35:06

Tags: jenkins-pipeline hashicorp-vault

We use the Vault plugin in our pipeline to read credentials from Vault. Now we also want to use Vault's PKI engine to generate TLS certificates. For that I need Jenkins's AppRole secret ID in the pipeline file. The secret is configured in Jenkins as a "Vault App Role Credential", and I don't know how to access it.

What I would like to do is something like this:

// Desired syntax: bind the AppRole's role_id and secret_id to environment
// variables for the duration of the block (the binding name is the one the
// question wishes for, not one known to exist in the plugin).
withCredentials([VaultAppRoleCredential(credentialsId: 'vault_credentials', roleIdVariable: 'roleId', secretIdVariable: 'secretId')]) {
    stage('generate certificate') {
        // authenticate with credentials against Vault
        // ...
    }
}

Currently my workaround is to duplicate the credential and additionally store the roleId and secretId as a username/password credential in Jenkins.

1 answer:

Answer 0 (score: 0)

Here is my working example of how to use a Vault Token Credential and use it to access Vault secrets:

// Specify how to access secrets in Vault
def configuration = [
    vaultUrl: 'https://hcvault.global.nibr.novartis.net',
    vaultCredentialId: 'poc-vault-token',   // a "Vault Token Credential" stored in Jenkins
    engineVersion: 2                        // KV secrets engine v2
]

// Each vaultKey is exposed inside withVault as an environment variable of the same name
def secrets = [
    [path: 'secret/projects/intd/common/accounts', engineVersion: 2, secretValues: [
        [vaultKey: 'TEST_SYS_USER'],
        [vaultKey: 'TEST_SYS_PWD']
    ]]
]

... [omitted pipeline]

stage ('Get Vault Secrets') {
  steps {
    script {
      // Bind the Vault token credential to VAULT_ADDR / VAULT_TOKEN (and an
      // unrelated username/password credential) for the duration of the block.
      withCredentials([[$class: 'VaultTokenCredentialBinding', credentialsId: 'poc-vault-token', vaultAddr: 'https://hcvault.global.nibr.novartis.net'],
                       usernamePassword(credentialsId: 'artifactory-jenkins-user-password', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD')]) {
        // Read the listed vaultKeys and expose them as environment variables.
        withVault([configuration: configuration, vaultSecrets: secrets]) {
          // Single-quoted Groovy string: the shell expands the variables, so the
          // secret values are never interpolated into the step's command text
          // (Jenkins warns about Groovy interpolation of sensitive variables).
          sh '''
            echo "$VAULT_ADDR" > hcvault-address.txt
            echo "$VAULT_TOKEN" > hcvault-token.txt
            echo "$TEST_SYS_USER" > sys-user-account.txt
          '''.stripIndent()
        }
      }
    }
  }
}
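The answer above gets a Vault token into the shell environment, but the question's actual goal is an AppRole login followed by a certificate from the PKI engine. The following is an added example, not code from the question, the answer or the Vault plugin: a stand-alone script that a pipeline `sh` step could call once role_id and secret_id are exposed as environment variables (which the questioner's usernamePassword workaround already does). It speaks Vault's HTTP API directly (`POST /v1/auth/approle/login`, then `POST /v1/<mount>/issue/<role>`). The AppRole mount name `approle`, the PKI mount `pki`, the PKI role `jenkins`, the variable names `VAULT_ROLE_ID` / `VAULT_SECRET_ID` / `CERT_CN` and every host name are assumptions about the reader's setup.

```python
"""AppRole login, then a PKI certificate issue, against Vault's HTTP API.

Added example (not from the question, answer or plugin). Mount names
(`approle`, `pki`), the PKI role (`jenkins`) and the VAULT_ROLE_ID /
VAULT_SECRET_ID / CERT_CN variable names are assumptions.
"""
import json
import os
import urllib.error
import urllib.request


class VaultError(RuntimeError):
    """Vault returned an `errors` array or a non-JSON HTTP error."""


def http_transport(method, url, headers, body):
    """Default transport: one HTTPS request, decoded JSON response body.

    Vault reports failures as 4xx/5xx with a JSON body {"errors": [...]},
    so hand that body back to the caller rather than raising on status.
    """
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as exc:
        raw = exc.read()
        try:
            return json.loads(raw)
        except ValueError:
            raise VaultError(f"HTTP {exc.code}: {raw[:200]!r}") from exc


class VaultClient:
    """Minimal client: AppRole login stores the token, later calls send it."""

    def __init__(self, addr, transport=http_transport):
        self.addr = addr.rstrip("/")
        self._transport = transport
        self._token = None  # only ever placed in the X-Vault-Token header

    def _call(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self._token is not None:
            headers["X-Vault-Token"] = self._token
        resp = self._transport(method, f"{self.addr}/v1/{path}", headers, body)
        if resp.get("errors"):  # Vault's error shape, e.g. a bad secret_id
            raise VaultError("; ".join(resp["errors"]))
        return resp

    def approle_login(self, role_id, secret_id, mount="approle"):
        """POST /v1/auth/<mount>/login; keeps the client token for later calls.

        AppRole secret_ids are often limited by secret_id_num_uses, so log in
        once per build and reuse the token instead of logging in per request.
        """
        resp = self._call("POST", f"auth/{mount}/login",
                          {"role_id": role_id, "secret_id": secret_id})
        auth = resp["auth"]
        self._token = auth["client_token"]
        return {"lease_duration": auth["lease_duration"],
                "policies": list(auth.get("policies", []))}

    def issue_cert(self, common_name, mount="pki", role="jenkins",
                   ttl="24h", alt_names=()):
        """POST /v1/<mount>/issue/<role>: Vault generates the key pair and signs
        the certificate. The private key is in the response, so it must go to a
        0600 file and never into the build log."""
        if self._token is None:
            raise VaultError("not authenticated: call approle_login() first")
        body = {"common_name": common_name, "ttl": ttl}
        if alt_names:
            body["alt_names"] = ",".join(alt_names)  # Vault wants a CSV string
        data = self._call("POST", f"{mount}/issue/{role}", body)["data"]
        return {k: data[k] for k in
                ("certificate", "issuing_ca", "private_key", "serial_number")}


def write_private(path, text):
    """Create `path` with mode 0600 before writing key material into it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


def main():
    # Variables supplied by the Jenkins credential binding (names assumed).
    client = VaultClient(os.environ["VAULT_ADDR"])
    client.approle_login(os.environ["VAULT_ROLE_ID"], os.environ["VAULT_SECRET_ID"])
    cert = client.issue_cert(os.environ.get("CERT_CN", "build.example.internal"))
    write_private("tls.key", cert["private_key"])
    with open("tls.crt", "w") as fh:
        fh.write(cert["certificate"] + "\n" + cert["issuing_ca"] + "\n")
    print("issued certificate with serial", cert["serial_number"])  # safe to log


if __name__ == "__main__":
    main()
```

The transport is injectable so the login and issue exchange can be exercised against constructed responses without a Vault server; in the pipeline the script would run inside the `withCredentials` block with the AppRole variables bound, and only the serial number is printed to the console log.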