
Use Vault SSH OTP backend with Jenkins

Submitted by: @import:stackexchange-devops

Problem

I'm setting up Vault to store secrets. The SSH backend with OTP auth looks like a good way to stop managing SSH keys for access.

I have the SSH backend working, and am looking at hooking up Jenkins with SSH-OTP auth so that I can remove the deployment keys too.

I looked at Jenkins plugins for vault, but they only work for fetching secrets from Vault.

Are there plugins or any Jenkins hacks for this purpose, or if not, is it possible to write one of my own?

Note: Right now, Jenkins uses SSH keys. I want to eliminate the use of keys, and configure Jenkins to get an SSH OTP from Vault every time it needs to SSH into some host for a deploy.

Solution

I looked at Jenkins plugins for vault, but they only work for fetching secrets from Vault.

It depends on what the current configuration used to deploy apps looks like.

https://github.com/jenkinsci/hashicorp-vault-plugin

If one uses Jenkins pipelines, then one could replace the keyId with the one that is defined in Hashicorp vault.

node {
  // define the secrets and the env variables
  def secrets = [
      [$class: 'VaultSecret', path: 'secret/testing', secretValues: [
          [$class: 'VaultSecretValue', envVar: 'testing', vaultKey: 'value_one'],
          [$class: 'VaultSecretValue', envVar: 'testing_again', vaultKey: 'value_two']]],
      [$class: 'VaultSecret', path: 'secret/another_test', secretValues: [
          [$class: 'VaultSecretValue', envVar: 'another_test', vaultKey: 'value']]]
  ]

  // optional configuration, if you do not provide this the next higher configuration
  // (e.g. folder or global) will be used
  def configuration = [$class: 'VaultConfiguration',
                       vaultUrl: 'http://my-very-other-vault-url.com',
                       vaultCredentialId: 'my-vault-cred-id']

  // inside this block your credentials will be available as env variables
  wrap([$class: 'VaultBuildWrapper', configuration: configuration, vaultSecrets: secrets]) {
      sh 'echo $testing'
      sh 'echo $testing_again'
      sh 'echo $another_test'
  }
}
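The snippet above only reads static secrets into environment variables; an SSH OTP is different, because Vault's SSH secrets engine issues it on a write to ssh/creds/<role> with the target ip (and optionally username) in the request body, and the OTP is valid for a single login that vault-ssh-helper on the host verifies against Vault. The following scripted pipeline is an added example, not part of the original answer or the hashicorp-vault-plugin; it assumes a Jenkins "Secret text" credential with id vault-token holding a Vault token whose policy grants update on ssh/creds/deploy, an OTP-type role named deploy on an engine mounted at ssh/, hosts running vault-ssh-helper, and curl, jq and sshpass on the agent. The Vault address, target host and user are placeholders.

```groovy
// Added example: fetch a one-time SSH password from Vault inside a Jenkins pipeline
// and use it for a single deploy login. Not the plugin's own code; see lead-in for assumptions.
node {
  def vaultAddr  = 'https://vault.example.com:8200'  // assumed Vault address
  def targetHost = '10.0.0.12'                        // assumed deploy target (must be in the role's cidr_list)
  def sshUser    = 'deploy'                           // assumed user; must be allowed by the OTP role

  withCredentials([string(credentialsId: 'vault-token', variable: 'VAULT_TOKEN')]) {
    withEnv(["VAULT_ADDR=${vaultAddr}", "TARGET_HOST=${targetHost}", "SSH_USER=${sshUser}"]) {
      // Triple single quotes: no Groovy interpolation, so the token and OTP never
      // end up in the pipeline script itself, only in the shell environment.
      sh '''
        set -eu
        set +x   # keep the token and the OTP out of the console log

        # Request body: {"ip": "<host>", "username": "<user>"}; jq does the quoting safely
        PAYLOAD=$(jq -n --arg ip "$TARGET_HOST" --arg user "$SSH_USER" '{ip: $ip, username: $user}')

        # POST to ssh/creds/deploy; the OTP is returned in .data.key
        OTP=$(curl -sS --fail -X POST -H "X-Vault-Token: $VAULT_TOKEN" -d "$PAYLOAD" "$VAULT_ADDR/v1/ssh/creds/deploy" | jq -r '.data.key')
        [ -n "$OTP" ] && [ "$OTP" != "null" ] || { echo "no OTP returned by Vault" >&2; exit 1; }

        # sshpass feeds the OTP as the password; vault-ssh-helper on the host verifies it with Vault.
        # StrictHostKeyChecking=yes requires the host key to already be in the agent's known_hosts.
        SSHPASS="$OTP" sshpass -e ssh -o StrictHostKeyChecking=yes "$SSH_USER@$TARGET_HOST" 'sudo systemctl restart myapp'
      '''
    }
  }
}
```

Because each OTP is consumed by the login it was issued for, nothing reusable is left on the agent or in the build log; the one long-lived secret that remains is the Vault token itself, so scope its policy to the creds path of that single role and prefer the plugin's AppRole credential over a static token where you can.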


Context

StackExchange DevOps Q#1088, answer score: 1
