At work you sometimes have to write a Jenkins pipeline, and that pipeline usually has to talk to other platforms: pulling images from Harbor, checking out code from GitHub, and so on. That raises a security question: how do you keep the credentials for those connections out of the hands of end users (they must not appear in the Jenkinsfile, in build logs, or in a credential the job's users can read)? Vault is a good answer here. In Vault we can authenticate with an AppRole, which gives Jenkins a short-lived token scoped to one policy instead of a long-lived copy of every secret. The concrete steps are as follows:
1. In your shell, create the AppRole and generate its credentials
export VAULT_ADDR=<your Vault address>
export VAULT_NAMESPACE=<the namespace your secrets are stored in>
# Log in to Vault via OIDC (any other auth method works just as well); the namespace comes from VAULT_NAMESPACE
vault login -ns=$VAULT_NAMESPACE -no-print -method=oidc
# Enable the AppRole auth method (needed once per namespace)
vault auth enable approle
# Create the role. The token Jenkins obtains lives 20m (renewable up to 30m) and may be used 10 times;
# the secret-id itself stays valid for a year, so plan to rotate it before then.
# <policy_name> must grant read on the KV path the pipeline will use; on a KV v2 mount that is <mount>/data/<path>.
vault write auth/approle/role/<role_name> secret_id_ttl=365d token_num_uses=10 token_ttl=20m token_max_ttl=30m policies=<policy_name>
# Get the role-id (the role is named dataapp here)
vault read auth/approle/role/dataapp/role-id
# Generate a secret-id
vault write -f auth/approle/role/dataapp/secret-id
Keep the role_id and secret-id these two commands print; they are needed in the next step. Treat the secret-id like a password: it is the half that actually authenticates, so it should only ever be pasted into the Jenkins credential, never into a Jenkinsfile or a shell history.
2. Jenkins configuration
From the Jenkins dashboard, click Manage Jenkins,
then choose Credentials.
Pick a credential store and domain (the global domain is fine), then click Add Credentials.
Choose the "Vault App Role Credential" kind (provided by the HashiCorp Vault plugin) and enter the role_id
and secret-id from step 1. The ID you give this credential is what the pipeline later references as vaultCredentialId; end users of the job only ever see that ID, never the secret-id behind it.
3. Integrating Vault into the pipeline
The HashiCorp Vault plugin's withVault step logs in with the AppRole credential, reads the listed secrets and exposes them to the enclosed steps as environment variables, masked in the console log. The secret values never appear in the Jenkinsfile.
stage('Run script') {
    steps {
        script {
            // Define 'secrets' here: one entry per KV path. Each secretValues item maps a key in the
            // secret (vaultKey) to the environment variable the script will see (envVar).
            // engineVersion: 2 tells the plugin this is a KV v2 mount, so it reads slo_reporting/data/dev.
            def secrets = [
                [path: 'slo_reporting/dev', engineVersion: 2, secretValues: [
                    [envVar: 'CXDEVOPS_PG_DB', vaultKey: 'CXDEVOPS_PG_DB'],
                    [envVar: 'CXDEVOPS_PG_PASS', vaultKey: 'CXDEVOPS_PG_PASS'],
                    [envVar: 'CXDEVOPS_PG_HOST', vaultKey: 'CXDEVOPS_PG_HOST'],
                    [envVar: 'CXDEVOPS_PG_USER', vaultKey: 'CXDEVOPS_PG_USER'],
                    [envVar: 'SRE_KPI_DB_CONNSTR', vaultKey: 'SRE_KPI_DB_CONNSTR'],
                    [envVar: 'DYNATRACE_CLUSTERS', vaultKey: 'DYNATRACE_CLUSTERS']
                ]]
            ]
            // Use 'secrets' here. VAULT_ADDR, VAULT_CREDENTIAL_ID (the ID of the credential created
            // in step 2) and VAULT_NAMESPACE must already be set, e.g. in the pipeline's environment
            // block or in the global Jenkins configuration; none of them is a secret.
            withVault([configuration: [vaultUrl: env.VAULT_ADDR, vaultCredentialId: env.VAULT_CREDENTIAL_ID, vaultNamespace: env.VAULT_NAMESPACE, engineVersion: 2], vaultSecrets: secrets]) {
                // main.py reads the variables from its environment; they are only set inside this block
                sh 'python3 main.py'
            }
        }
    }
}
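Before wiring the role into Jenkins it is worth checking from a shell that the role_id/secret-id pair logs in, that the token carries the constraints from step 1, and that the policy actually allows the KV v2 path the pipeline reads. The script below is an added example, not code from the original post or from the Vault plugin: it reproduces what withVault does (AppRole login, KV v2 read, the secretValues mapping) against Vault's documented HTTP API using only the standard library. The environment variable names ROLE_ID and SECRET_ID are this example's own choice, and the host, token and secret values in the built-in fake are constructed so the script also runs offline.

```python
"""Added example, not from the original post: does by hand what the HashiCorp Vault
plugin's withVault step does with a Vault App Role credential, so role, secret-id,
policy and KV path can be checked from a shell before Jenkins is involved. With
VAULT_ADDR set it talks to real Vault and expects ROLE_ID/SECRET_ID in the
environment (names chosen here); otherwise a constructed in-process fake answers."""
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "")           # same variables step 1 exports
VAULT_NAMESPACE = os.environ.get("VAULT_NAMESPACE", "")


def _request(addr, namespace, method, path, body=None, token=None,
             opener=urllib.request.urlopen):
    """One Vault HTTP API call; opener is injectable so the flow can run offline."""
    url = f"{addr.rstrip('/')}/v1/{path.lstrip('/')}"
    headers = {"Content-Type": "application/json"}
    if namespace:                      # what VAULT_NAMESPACE / vaultNamespace set
        headers["X-Vault-Namespace"] = namespace
    if token:
        headers["X-Vault-Token"] = token
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with opener(req) as resp:
        return json.load(resp)


def approle_login(addr, namespace, role_id, secret_id, opener=urllib.request.urlopen):
    """POST auth/approle/login. The returned auth block shows the constraints the role
    put on the token: lease_duration from token_ttl, num_uses from token_num_uses."""
    resp = _request(addr, namespace, "POST", "auth/approle/login",
                    {"role_id": role_id, "secret_id": secret_id}, opener=opener)
    return resp["auth"]


def read_kv2(addr, namespace, token, mount, path, opener=urllib.request.urlopen):
    """Read a KV v2 secret. With engineVersion 2 the plugin turns 'slo_reporting/dev'
    into GET slo_reporting/data/dev and unwraps data.data; reading a v2 mount the v1
    way (GET slo_reporting/dev) is the usual 'secret is empty' mistake, and the
    policy must allow the /data/ form of the path."""
    resp = _request(addr, namespace, "GET", f"{mount}/data/{path}", token=token, opener=opener)
    return resp["data"]["data"]


def missing_keys(kv, secret_values):
    """vaultKeys named in a withVault secretValues list that the secret does not have."""
    return [s["vaultKey"] for s in secret_values if s["vaultKey"] not in kv]


def map_secret_values(kv, secret_values):
    """Apply a secretValues list ([{envVar, vaultKey}]) to a secret. A missing vaultKey
    raises instead of yielding '', so a typo in the Jenkinsfile fails the build rather
    than running main.py with a blank password."""
    missing = missing_keys(kv, secret_values)
    if missing:
        raise KeyError(f"vaultKeys not present in secret: {missing}")
    return {s["envVar"]: kv[s["vaultKey"]] for s in secret_values}


# --- constructed offline stand-in for Vault: made-up host, token and secret values ---
class _FakeResponse:
    def __init__(self, payload): self._body = json.dumps(payload).encode()
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def read(self): return self._body


def fake_vault(req):
    """Answers the two calls above as Vault would, rejecting what a real server rejects."""
    hdrs = {k.lower(): v for k, v in req.header_items()}
    if "x-vault-namespace" not in hdrs:
        raise AssertionError("namespace header missing")
    if req.get_method() == "POST" and req.full_url.endswith("/v1/auth/approle/login"):
        body = json.loads(req.data)
        if not (body.get("role_id") and body.get("secret_id")):
            raise AssertionError("role_id and secret_id are both required")
        return _FakeResponse({"auth": {"client_token": "hvs.fake-token", "lease_duration": 1200,
                                       "num_uses": 10, "policies": ["default", "slo-reporting"]}})
    if req.get_method() == "GET" and req.full_url.endswith("/v1/slo_reporting/data/dev"):
        if hdrs.get("x-vault-token") != "hvs.fake-token":
            raise AssertionError("permission denied: log in first")
        return _FakeResponse({"data": {"data": {"CXDEVOPS_PG_USER": "slo_svc",
                                                "CXDEVOPS_PG_PASS": "fake-password"},
                                       "metadata": {"version": 3}}})
    raise AssertionError(f"unexpected request {req.get_method()} {req.full_url}")


def main():
    if VAULT_ADDR:
        opener, addr, ns = urllib.request.urlopen, VAULT_ADDR, VAULT_NAMESPACE
        role_id, secret_id = os.environ["ROLE_ID"], os.environ["SECRET_ID"]
    else:
        opener, addr, ns = fake_vault, "https://vault.example.invalid", "fake-ns"
        role_id, secret_id = "fake-role-id", "fake-secret-id"
    auth = approle_login(addr, ns, role_id, secret_id, opener=opener)
    kv = read_kv2(addr, ns, auth["client_token"], "slo_reporting", "dev", opener=opener)
    env = map_secret_values(kv, [{"envVar": "CXDEVOPS_PG_USER", "vaultKey": "CXDEVOPS_PG_USER"},
                                 {"envVar": "CXDEVOPS_PG_PASS", "vaultKey": "CXDEVOPS_PG_PASS"}])
    # Print names and constraints only, never values, as withVault masks them in the log.
    print(f"token ttl={auth['lease_duration']}s num_uses={auth.get('num_uses')} policies={auth['policies']}")
    print("would export:", ", ".join(sorted(env)))


if __name__ == "__main__":
    main()
```

Run it with VAULT_ADDR, VAULT_NAMESPACE, ROLE_ID and SECRET_ID exported to hit your real Vault; a "permission denied" on the read step means the policy does not cover slo_reporting/data/dev, and a 403 on login usually means the secret-id has expired or been used up. Remember that every successful run consumes one of the secret-id's uses if you set secret_id_num_uses, and that the token it obtains counts against token_num_uses exactly as it would inside Jenkins.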