Jenkins Usage - hqzhang/cloudtestbed GitHub Wiki
0. brew tap hashicorp/tap
00. brew install hashicorp/tap/vault
1. brew services start vault
2. brew services list |grep vault
vault started hongqizhang ~/Library/LaunchAgents/homebrew.mxcl.vault.plist
3. cat /Users/hongqizhang/Library/LaunchAgents/homebrew.mxcl.vault.plist | grep log
<string>/usr/local/var/log/vault.log</string>
4. cat /usr/local/var/log/vault.log | grep Token
   (the Homebrew service runs Vault in dev mode, so the unseal key and root token printed at startup end up in this log)
Unseal Key: U6jL92qtXwKH9WJ2JGAGuPISnunZkZxRu/bwi6TnzPw=
Root Token: s.2VuV8B0DENmRZpb6sSqkBhaJ
export VAULT_ADDR='http://127.0.0.1:8200'
5. vault login
6. vault auth enable approle
66. vault secrets enable -path=secrets kv
7. vault write auth/approle/role/jenkins-role token_num_uses=0 \
   secret_id_num_uses=0 policies="jenkins"
8. vault read auth/approle/role/jenkins-role/role-id
role_id 6e7cdf41-7995-1549-3cbd-d04065015c35
9. vault write -f auth/approle/role/jenkins-role/secret-id
secret_id 0ca1271b-bd4e-51cb-d5dc-c38f89b66a0a
secret_id_accessor 7458f23e-9f76-59ea-db5a-0f06245fb76e
secret_id_ttl 0s
10. vault kv put secrets/creds/vagrant username=vagrant password=vagrant
11. vim jenkins-policy.hcl
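# Policy attached to the jenkins AppRole (step 12).
# The KV engine is mounted at "secrets" (step 66) and the pipeline reads
# secrets/creds/vagrant (step 10), so the path must be "secrets/creds/*".
# The earlier "secret/creds/* " (different mount name plus a trailing space
# inside the quotes) matches nothing, and every withVault read is denied.
path "secrets/creds/*" {
  capabilities = ["read"]
}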
12. vault policy write jenkins jenkins-policy.hcl
13. vault kv put secrets/creds/my-secret-text secret=abc123
curl \
--header "X-Vault-Token: s.U54C7Sveh8NOCFDTk6bKCEnG" \
--request LIST \
http://127.0.0.1:8200/v1/auth/approle/role
curl \
--header "X-Vault-Token: s.U54C7Sveh8NOCFDTk6bKCEnG" \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/approle/role/application1
curl \
--header "X-Vault-Token: s.U54C7Sveh8NOCFDTk6bKCEnG" \
http://127.0.0.1:8200/v1/auth/approle/role/application1
curl \
--header "X-Vault-Token: s.U54C7Sveh8NOCFDTk6bKCEnG" \
http://127.0.0.1:8200/v1/auth/approle/role/application1/role-id
curl \
--header "X-Vault-Token: s.U54C7Sveh8NOCFDTk6bKCEnG" \
--request LIST \
http://127.0.0.1:8200/v1/auth/approle/role
Unseal Key: oC5hC/U6UyOCJZkRtteo9VhcmHBJwCLcJbw0OaoRAyY=
Root Token: s.osMSqD0afS6JpRzxO52VaeNg
vault read auth/approle/role/application1
vault write -f auth/approle/role/application1/secret-id
Key Value
--- -----
secret_id 09b12828-b8fe-cb09-6f44-4add6e35764d. VVVVV
secret_id_accessor 3d16ec84-94ea-1516-d3aa-cc563fa018af
secret_id_ttl 0s
{"request_id":"c1f331b1-fb00-6394-ddb0-376f429a0f8b","lease_id":"","renewable":false,"lease_duration":0,"data":
{"role_id":"274fcf18-63df-9379-1189-cd0a2b0e3ce0"}, VVVVV
"wrap_info":null,"warnings":null,"auth":null}
Key Value
--- -----
role_id 9eef881c-dc9c-8fc9-6bae-11a52b6597a9
hongqizhang@hongqis-MacBook-Pro:~$ vault write -f auth/approle/role/jenkins-role/secret-id
Key Value
--- -----
secret_id 2854a852-de8e-90fe-0f76-e4e091e9e4c2
secret_id_accessor 8e40d7a3-43e2-7c34-efe8-d299972441b4
secret_id_ttl 0s
Verify the secret_id by logging in with the role_id/secret_id pair (payload.json):
{
"role_id": "9eef881c-dc9c-8fc9-6bae-11a52b6597a9",
"secret_id": "2854a852-de8e-90fe-0f76-e4e091e9e4c2"
}
curl \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/approle/login
- install vault plugin in Jenkins
HashiCorp Vault Plugin
Hashicorp Vault Pipeline Plugin
- create Jenkins credential for vault server id/pass
kind: vault app role credential
role_id:
secret_id:
path:
id: varc
description: vault app role credential
- create vault in Jenkins sysconf http://127.0.0.1:8200 with varc
- create and run pipeline
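// Secrets to fetch from Vault: KV v1 engine mounted at "secrets"
// (vault secrets enable -path=secrets kv), key creds/vagrant written in
// step 10. Each vaultKey is exposed to the steps as the named env var.
def secrets = [
  [path: 'secrets/creds/vagrant', engineVersion: 1, secretValues: [
    [envVar: 'USERNAME', vaultKey: 'username'],
    [envVar: 'PASSWORD', vaultKey: 'password']]],
]
// 'varc' is the Vault AppRole credential stored in Jenkins (role_id/secret_id).
def configuration = [vaultUrl: 'http://127.0.0.1:8200', vaultCredentialId: 'varc', engineVersion: 1]

pipeline {
  agent any
  options {
    buildDiscarder(logRotator(numToKeepStr: '20'))
    disableConcurrentBuilds()
  }
  stages {
    stage('Vault') {
      steps {
        withVault([configuration: configuration, vaultSecrets: secrets]) {
          // Single-quoted Groovy strings: the shell expands $USERNAME and
          // $PASSWORD at run time. The previous "echo ${env.USERNAME}" form
          // interpolated the secret into the script text Jenkins writes to
          // the workspace (Jenkins flags this as a secret passed via Groovy
          // String interpolation); withVault masks values in console output only.
          sh 'echo "$USERNAME"'
          sh 'echo "$PASSWORD"'
        }
      }
    }
  }
}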