From 465e860684b77149a7d96df16730001d9c2ba06e Mon Sep 17 00:00:00 2001
From: Roman Iuvshyn
Date: Sat, 23 Jun 2018 23:50:31 +0300
Subject: [PATCH] Adds wrapper for vault plugin

Change-Id: I85ab23670a1d89b04eba01ddd4cc024da1d879a9
Signed-off-by: Roman Iuvshyn
---
 jenkins_jobs/modules/wrappers.py | 72 ++++++++++++++++++++++
 tests/wrappers/fixtures/vault-full.xml | 41 ++++++++++++
 tests/wrappers/fixtures/vault-full.yaml | 17 +++++
 tests/wrappers/fixtures/vault-minimal.xml | 24 ++++++++
 tests/wrappers/fixtures/vault-minimal.yaml | 9 +++
 5 files changed, 163 insertions(+)
 create mode 100644 tests/wrappers/fixtures/vault-full.xml
 create mode 100644 tests/wrappers/fixtures/vault-full.yaml
 create mode 100644 tests/wrappers/fixtures/vault-minimal.xml
 create mode 100644 tests/wrappers/fixtures/vault-minimal.yaml

diff --git a/jenkins_jobs/modules/wrappers.py b/jenkins_jobs/modules/wrappers.py
index d2b261eac..f0d4df7fc 100644
--- a/jenkins_jobs/modules/wrappers.py
+++ b/jenkins_jobs/modules/wrappers.py
@@ -1022,6 +1022,78 @@ def inject_passwords(registry, xml_parent, data):
 mapping, fail_required=True)
+def vault_secrets(registry, xml_parent, data):
+ """yaml: vault-secrets
+ Inject environment variables from a HashiCorp Vault secret.
+
+ Secrets are generally masked in the build log.
+
+ Requires the Jenkins
+ :jenkins-wiki:`HashiCorp Vault Plugin `.
+
+ :arg str vault-url: Vault URL
+ :arg str credentials-id: Vault Credential
+ :arg list secrets: List of secrets
+
+ :secrets:
+ * **secret-path** (`str`) --
+ The path of the secret in the vault server
+
+ :secret-values:
+ * **secret-values** (`list`) -- List of key / value pairs
+
+ * **env-var** (`str`) --
+ The environment variable to set with the value of the
+ vault key
+ * **vault-key** (`str`) -- The vault key whose value with
+ populate the environment variable
+
+ Minimal Example:
+
+ .. literalinclude:: /../../tests/wrappers/fixtures/vault-minimal.yaml
+ :language: yaml
+
+ Full Example:
+
+ .. literalinclude:: /../../tests/wrappers/fixtures/vault-full.yaml
+ :language: yaml
+
+ """
+ vault = XML.SubElement(xml_parent,
+ 'com.datapipe.jenkins.vault.VaultBuildWrapper')
+ vault.set('plugin', 'hashicorp-vault-plugin')
+ configuration = XML.SubElement(vault, 'configuration')
+ conf_mapping = [
+ ('vault-url', 'vaultUrl', ''),
+ ('credentials-id', 'vaultCredentialId', ''),
+ ]
+ convert_mapping_to_xml(
+ configuration, data, conf_mapping, fail_required=True)
+
+ secretsobj = XML.SubElement(vault, 'vaultSecrets')
+ secrets = data.get('secrets', [])
+ for secret in secrets:
+ secretobj = XML.SubElement(
+ secretsobj, 'com.datapipe.jenkins.vault.model.VaultSecret')
+ XML.SubElement(
+ secretobj, 'path').text = secret.get('secret-path', '')
+ secretvaluesobj = XML.SubElement(secretobj, 'secretValues')
+ for secretvalue in secret['secret-values']:
+ secretvalueobj = XML.SubElement(
+ secretvaluesobj,
+ 'com.datapipe.jenkins.vault.model.VaultSecretValue')
+ XML.SubElement(
+ secretvalueobj,
+ 'envVar').text = \
+
secretvalue.get('env-var', '') + XML.SubElement( + secretvalueobj, + 'vaultKey').text = \ + secretvalue.get('vault-key', '') + XML.SubElement(vault, 'valuesToMask') + XML.SubElement(vault, 'vaultAccessor') + + def env_file(registry, xml_parent, data): """yaml: env-file Add or override environment variables to the whole build process diff --git a/tests/wrappers/fixtures/vault-full.xml b/tests/wrappers/fixtures/vault-full.xml new file mode 100644 index 000000000..cc17b80d7 --- /dev/null +++ b/tests/wrappers/fixtures/vault-full.xml @@ -0,0 +1,41 @@ + + + + + + http://127.0.0.1:8200 + myCredentials + + + + secret/my-secret + + + USERNAME + username + + + PASSWORD + password + + + + + secret/my-secret2 + + + USERNAME2 + username2 + + + PASSWORD2 + password2 + + + + + + + + + diff --git a/tests/wrappers/fixtures/vault-full.yaml b/tests/wrappers/fixtures/vault-full.yaml new file mode 100644 index 000000000..74d6960de --- /dev/null +++ b/tests/wrappers/fixtures/vault-full.yaml @@ -0,0 +1,17 @@ +wrappers: + - vault-secrets: + vault-url: 'http://127.0.0.1:8200' + credentials-id: 'myCredentials' + secrets: + - secret-path: 'secret/my-secret' + secret-values: + - env-var: 'USERNAME' + vault-key: 'username' + - env-var: 'PASSWORD' + vault-key: 'password' + - secret-path: 'secret/my-secret2' + secret-values: + - env-var: 'USERNAME2' + vault-key: 'username2' + - env-var: 'PASSWORD2' + vault-key: 'password2' diff --git a/tests/wrappers/fixtures/vault-minimal.xml b/tests/wrappers/fixtures/vault-minimal.xml new file mode 100644 index 000000000..2b69a861f --- /dev/null +++ b/tests/wrappers/fixtures/vault-minimal.xml @@ -0,0 +1,24 @@ + + + + + + http://127.0.0.1:8200 + myCredentials + + + + secret/my-token + + + TOKEN + token + + + + + + + + + diff --git a/tests/wrappers/fixtures/vault-minimal.yaml b/tests/wrappers/fixtures/vault-minimal.yaml new file mode 100644 index 000000000..a489ea009 --- /dev/null +++ b/tests/wrappers/fixtures/vault-minimal.yaml 
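Review bot: The `fail_required=True` on the conf_mapping call does not actually make `vault-url` or `credentials-id` required, because both entries carry a `''` default and, as I read convert_mapping_to_xml, only a `None` default triggers the MissingAttributeError path; a job that omits either key silently emits an empty `vaultUrl`/`vaultCredentialId` element. The per-secret loop has the same gap: `secret-path`, `env-var` and `vault-key` all fall back to `''` via `.get`, so a mistyped key produces a wrapper that asks Vault for an empty path or binds an empty environment-variable name instead of failing at generation time (only `secret['secret-values']` is enforced, and only via a bare KeyError). Routing those fields through convert_mapping_to_xml with `None` defaults makes them consistently required and keeps the element names and order unchanged; the rewritten mapping and loop are below. Separately, the docstring's `whose value with populate` should read `whose value will populate`.
```python
    conf_mapping = [
        # None default: convert_mapping_to_xml raises when the key is absent
        ('vault-url', 'vaultUrl', None),
        ('credentials-id', 'vaultCredentialId', None),
    ]
    convert_mapping_to_xml(
        configuration, data, conf_mapping, fail_required=True)

    secretsobj = XML.SubElement(vault, 'vaultSecrets')
    for secret in data.get('secrets', []):
        secretobj = XML.SubElement(
            secretsobj, 'com.datapipe.jenkins.vault.model.VaultSecret')
        # <path> must precede <secretValues>; a missing secret-path is an error
        convert_mapping_to_xml(
            secretobj, secret, [('secret-path', 'path', None)],
            fail_required=True)
        secretvaluesobj = XML.SubElement(secretobj, 'secretValues')
        for secretvalue in secret['secret-values']:
            secretvalueobj = XML.SubElement(
                secretvaluesobj,
                'com.datapipe.jenkins.vault.model.VaultSecretValue')
            value_mapping = [
                ('env-var', 'envVar', None),
                ('vault-key', 'vaultKey', None),
            ]
            convert_mapping_to_xml(
                secretvalueobj, secretvalue, value_mapping,
                fail_required=True)
    # … unchanged: valuesToMask / vaultAccessor elements …
```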
@@ -0,0 +1,9 @@
+wrappers:
+ - vault-secrets:
+ vault-url: 'http://127.0.0.1:8200'
+ credentials-id: 'myCredentials'
+ secrets:
+ - secret-path: 'secret/my-token'
+ secret-values:
+ - env-var: 'TOKEN'
+ vault-key: 'token'