
Getting Jenkins git repo credentials from Vault

I would like to avoid storing any credentials in Jenkins and rely solely on HashiCorp Vault for storing and managing credentials.
It is pretty trivial to get it working once the pipeline is working, but I can't find any examples or guidance on how I can do the initial git clone from a private repo in the Jenkinsfile without storing the PAT token in Jenkins secrets.
I would like to call Vault first, get the PAT token from there, and then clone the repo with the Jenkinsfile.
Could anyone give me a hint please?

For checking out your project files from the SCM

You will need to store at least the approle/secret to access Vault within the Jenkins credentials store. However, once you have done that, you should be able to use the Vault plugin to access any information you need, and have it saved to an environment variable. From there, you can use that environment variable as needed.

See here for an example of how to use the Vault plugin inside your Jenkinsfile

For checking out your Jenkinsfile (original checkout/clone)

Note: The following depends on using SSH to access your SCM. I have confirmed this method works with Git/SSH.

You could add your SSH key to the Jenkins built-in node (formerly master) user's home directory, as well as the home directories of users for any build nodes you use. You would also need to add the correct configuration options to your SSH config file (.ssh/config) so SSH uses that key to access your SCM server.

Host myscm.mycompany.com
  User scmuser
  IdentityFile ~/.ssh/scm_id_rsa
  PreferredAuthentications publickey
  RequestTTY no

Once you have the above set, you can just specify your SCM URL within Jenkins, and it will use the defaults from your SSH folder.

If you are not using SSH, please post back with your SCM as well as access method (http? rsync?).

From comment:

You have two other options: (1) store your Jenkinsfile in a public repository that is different from your project repository or make your project repository public, or (2) define your pipeline directly in the job, so that you don't need a Jenkinsfile.
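
An added example, not part of the original answer or comment: a pipeline script defined directly in the job (option 2 above) that reads a PAT from Vault with the HashiCorp Vault plugin's `withVault` step and clones over HTTPS. The Vault URL, the credential ID `vault-approle` (the AppRole the answer says must live in the Jenkins credentials store), the secret path and key, the username `ci` and the repository path are all assumed placeholders.

```groovy
// Added example; every name and URL below is a hypothetical placeholder.
def vaultConfig = [
    vaultUrl         : 'https://vault.example.internal:8200',
    // Jenkins credential of the Vault AppRole type: the only secret kept in Jenkins.
    vaultCredentialId: 'vault-approle',
    engineVersion    : 2
]

// Map the 'pat' key of the KV v2 secret at secret/ci/scm to the env var GIT_PAT.
def vaultSecrets = [
    [path: 'secret/ci/scm', engineVersion: 2, secretValues: [
        [envVar: 'GIT_PAT', vaultKey: 'pat']
    ]]
]

node {
    stage('Checkout') {
        // GIT_PAT exists only inside this block.
        withVault([configuration: vaultConfig, vaultSecrets: vaultSecrets]) {
            // Triple single quotes: Groovy does not interpolate, so the token
            // never appears in the pipeline script text or in git's argv.
            // The first (empty) credential.helper clears any configured helpers;
            // the second is a shell function that git runs to obtain credentials,
            // and it reads the token from the environment at that moment.
            sh '''
                set -eu
                git -c credential.helper= \
                    -c credential.helper='!f() { echo "username=ci"; echo "password=${GIT_PAT}"; }; f' \
                    clone --depth 1 https://myscm.mycompany.com/team/project.git src
            '''
        }
    }
    stage('Build') {
        // Outside withVault the token is no longer in the environment.
        dir('src') {
            sh 'git log -1 --oneline'
        }
    }
}
```

Because the helper is passed with `-c` for this one command, nothing is written to `src/.git/config`, so the token does not persist in the workspace after the clone.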
