본문으로 건너뛰기

jenkins with vault

약 4 분vaultjenkinsscrectkv

jenkins with vault

jenkins와 vault를 연동하여 pipe line에서 kv 사용하기
이 예제는 진짜 kv까지만 테스트함

# approle 엔진 생성
$ vault auth enable approle
# kv2 enable
$ vault secrets enable kv-v2
# kv enable
$ vault secrets enable -path=kv kv

# jenkins 정책으로 될 파일 생성 v1, v2
$ tee jenkins-policy.hcl <<EOF
path "kv/secret/data/jenkins/*" {
  capabilities = [ "read" ]
}
path "kv-v2/data/jenkins/*" {
  capabilities = [ "read" ]
}
EOF

#jenkins 정책 생성
vault policy write jenkins jenkins-policy.hcl

#approle 생성 및 정책 jenkins에 연결
vault write auth/approle/role/jenkins token_policies="jenkins" \
token_ttl=1h token_max_ttl=4h
 
#Role id, secret id 가져오기

vault read auth/approle/role/jenkins/role-id
vault write -f auth/approle/role/jenkins/secret-id


vault secrets enable -path=kv kv
$ tee gitlab.json <<EOF
{
  "gitlabIP": "172.21.2.52",
  "api-key": "RjLAbbWsSAzXoyBvo2qL"
}
EOF

tee gitlab-v2.json <<EOF
{
  "gitlabIP": "172.21.2.52",
  "api-key": "RjLAbbWsSAzXoyBvo2qL",
  "version": "v2"
}
EOF

vault kv put kv/secret/data/jenkins/gitlab @gitlab.json
vault kv put kv-v2/jenkins/gitlab @gitlab-v2.json

v1 pipe line

# jenkins pipe line v1
def secrets = [
  [path: 'kv%2Fsecret/data/jenkins/gitlab', engineVersion:1, secretValues: [
    [envVar: 'gitlabIP', vaultKey: 'gitlabIP'],
    [envVar: 'API_KEY', vaultKey: 'api-key']]],
]
def configuration = [vaultUrl: 'http://172.21.2.50:8200',  vaultCredentialId: 'vault-approle', engineVersion: 1]

pipeline {
    agent any
    options {
        buildDiscarder(logRotator(numToKeepStr: '20'))
        disableConcurrentBuilds()
    }
    stages{   
      stage('Vault') {
        steps {
          withVault([configuration: configuration, vaultSecrets: secrets]) {
            sh "echo $gitlabIP"
            sh "echo ${env.API_KEY}"
            sh "curl -v $gitlabIP"
          }
        }  
      }
    }
}

v2 pipe line

# jenkins pipe line v2
def secrets = [
  [path: 'kv-v2/jenkins/gitlab', engineVersion:2, secretValues: [
    [envVar: 'gitlabIP', vaultKey: 'gitlabIP'],
    [envVar: 'API_KEY', vaultKey: 'api-key'],
    [envVar: 'version2', vaultKey: 'version']]]
]

def configuration = [vaultUrl: 'http://172.21.2.50:8200',  vaultCredentialId: 'vault-approle', engineVersion: 2]
                      
pipeline {
    agent any
    options {
        buildDiscarder(logRotator(numToKeepStr: '20'))
        disableConcurrentBuilds()
    }
    stages{   
      stage('Vault') {
        steps {
          withVault([configuration: configuration, vaultSecrets: secrets]) {
            sh "echo ${env.API_KEY}"
            sh "echo ${env.version2}"
            sh "curl -v ${env.gitlabIP}"
          }
        }  
      }
    }
}
CC BY-NC-ND 4.0 Licensed | ⓒ 2021-present docmoa™ contributers all rights reserved.