Use Vault SSH OTP backend with Jenkins
Problem
I'm setting up Vault to store secrets. SSH backend with OTP auth looks like a good way to stop managing SSH keys for access.
I have SSH backend working, and am looking at hooking up Jenkins with the SSH-OTP auth so that I can remove the deployment keys too.
I looked at Jenkins plugins for vault, but they only work for fetching secrets from Vault.
Are there plugins or any Jenkins hacks for this purpose, or if not, is it possible to write one of my own?
Note: Right now, Jenkins uses SSH keys. I want to eliminate the use of keys, and configure Jenkins to get an SSH OTP from Vault every time it needs to SSH into some host for a deploy.
Solution
I looked at Jenkins plugins for vault, but they only work for fetching secrets from Vault.
It depends on what the current configuration that is used to deploy apps looks like.
https://github.com/jenkinsci/hashicorp-vault-plugin
If one uses Jenkins pipelines, then one could replace the keyId with the one that is defined in Hashicorp vault.
node {
    // define the secrets and the env variables
    def secrets = [
        [$class: 'VaultSecret', path: 'secret/testing', secretValues: [
            [$class: 'VaultSecretValue', envVar: 'testing', vaultKey: 'value_one'],
            [$class: 'VaultSecretValue', envVar: 'testing_again', vaultKey: 'value_two']]],
        [$class: 'VaultSecret', path: 'secret/another_test', secretValues: [
            [$class: 'VaultSecretValue', envVar: 'another_test', vaultKey: 'value']]]
    ]

    // optional configuration, if you do not provide this the next higher configuration
    // (e.g. folder or global) will be used
    def configuration = [$class: 'VaultConfiguration',
                         vaultUrl: 'http://my-very-other-vault-url.com',
                         vaultCredentialId: 'my-vault-cred-id']

    // inside this block your credentials will be available as env variables
    wrap([$class: 'VaultBuildWrapper', configuration: configuration, vaultSecrets: secrets]) {
        // echo is only to show that the values arrived; in a real job pass them
        // to the deploy step instead of writing them to the console log
        sh 'echo $testing'
        sh 'echo $testing_again'
        sh 'echo $another_test'
    }
}
Context
StackExchange DevOps Q#1088, answer score: 1
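The answer above shows how to pull a static value out of Vault, but the question is about the SSH OTP engine, where the "secret" is minted per connection rather than stored. The script below is an added example, not code from the original post or from the hashicorp-vault-plugin: it requests an OTP from Vault's ssh/creds endpoint and uses it as the password for one ssh session. It assumes the SSH engine is mounted at `ssh`, the OTP role is named `otp_role`, and the job has `VAULT_ADDR` and `VAULT_TOKEN` in its environment (the wrapper in the answer can supply the token from a Jenkins Vault credential); the host, user and sample JSON are constructed for illustration. The target host must run `vault-ssh-helper` through PAM so that sshd verifies the OTP with Vault.

```shell
#!/usr/bin/env bash
# Added example: fetch a Vault SSH OTP and use it for a single ssh session from a
# Jenkins sh step. Assumed names: engine mount "ssh", role "otp_role",
# VAULT_ADDR / VAULT_TOKEN already exported into the job environment.
set -eu

VAULT_SSH_ROLE="${VAULT_SSH_ROLE:-otp_role}"   # assumed role name

# JSON body for POST /v1/ssh/creds/<role>. Vault issues the OTP for exactly the
# ip/username pair requested, so ask for the host you are deploying to.
otp_request_body() {
    printf '{"ip":"%s","username":"%s"}' "$1" "$2"
}

# Pull data.key out of Vault's response. Refuse anything whose key_type is not
# "otp", so a role misconfigured for dynamic-key mode is not treated as an OTP.
otp_from_response() {
    local resp="$1" key_type key
    key_type=$(printf '%s' "$resp" | sed -n 's/.*"key_type": *"\([^"]*\)".*/\1/p')
    key=$(printf '%s' "$resp" | sed -n 's/.*"key": *"\([^"]*\)".*/\1/p')
    if [ "$key_type" != "otp" ] || [ -z "$key" ]; then
        return 1
    fi
    printf '%s' "$key"
}

# Ask Vault for an OTP. The Jenkins token only needs "update" on
# ssh/creds/<role>, so the policy attached to it can be that narrow.
fetch_otp() {
    local ip="$1" user="$2" resp
    resp=$(curl -sS --fail -X POST \
        -H "X-Vault-Token: ${VAULT_TOKEN}" \
        -d "$(otp_request_body "$ip" "$user")" \
        "${VAULT_ADDR}/v1/ssh/creds/${VAULT_SSH_ROLE}")
    otp_from_response "$resp"
}

# Run one command over ssh with the OTP as the password. Public-key auth is
# disabled so the session cannot silently fall back to a leftover deploy key;
# the OTP is consumed on first use, so every connection fetches a fresh one.
ssh_with_otp() {
    local ip="$1" user="$2" cmd="$3" otp
    otp=$(fetch_otp "$ip" "$user")
    SSHPASS="$otp" sshpass -e ssh \
        -o PubkeyAuthentication=no \
        -o PreferredAuthentications=keyboard-interactive,password \
        -o StrictHostKeyChecking=yes \
        "${user}@${ip}" "$cmd"
}

# Usage from a Jenkins sh step (hypothetical host and user):
#   DEPLOY_HOST=10.0.0.5 DEPLOY_USER=deploy ./vault-otp-ssh.sh 'sudo systemctl restart app'
if [ -n "${DEPLOY_HOST:-}" ]; then
    ssh_with_otp "$DEPLOY_HOST" "${DEPLOY_USER:-deploy}" "${1:-true}"
fi
```

The Vault CLI wraps the same flow as `vault ssh -mode=otp -role=otp_role deploy@10.0.0.5`, which also shells out to sshpass; the script is spelled out here so the pipeline can work with only curl and ssh on the agent and so the response check is visible. Either way, the Jenkins-side secret is reduced to a Vault token that can only mint OTPs for the configured role and CIDR, which is what replaces the long-lived deploy key.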