HPE's Jenkins uses HashiCorp Vault as a secrets store, where team members can store secrets and have a Jenkins pipeline retrieving and using them.
- Install HashiCorp Vault in your system. This will add the Vault CLI that we will use to access the secrets store.
- Create a GitHub token using your HPE GitHub user. Save it in a safe place.
- Set your
VAULT_ADDRpointing to HPE's Vault server:
export VAULT_ADDR=https://vault.docker.hpecorp.net:443Please note that from now on, you must be connected to the HPE VPN to have access to the Vault server.
- Login to the Vault server using your newly created GitHub token:
vault login -method=github token=<YOUR GITHUB TOKEN HERE>- Check that you have access to your organization's secrets path:
vault read secret/hpe4it-jenkins-ci/repo/sec-eng/istio-spireThat should output a list of the secrets stored in the Jenkins path (if any), or a permission denied error if you don't have access to it.
If you don't have permissions, make sure to add yourself or have someone else add you to the sec-eng org team. Read step #2 here for more information.
-
Now you can store as many secrets as you want in the Jenkins' path, but be aware that writing to a specific path will overwrite all the existing secrets in the same path. If you don't want to lose the existing secrets, you can create your custom sub-path (something like
secret/hpe4it-jenkins-ci/repo/sec-eng/istio-spire/mysubpath) or make sure you re-write the existing secrets along with the new ones you need. -
Set up the secret(s) you need (run this only if you want to reset all the secrets in the root path):
vault write secret/hpe4it-jenkins-ci/repo/sec-eng/istio-spire \
mySuperSecret=myt0k3n \
mySecondSecret=2ndt0k3nHPE's Jenkins has a convenience helper function for reading Vault secrets.
pipeline {
# ...
script {
def secrets = vaultGetSecrets()
print secrets.mySuperSecret
print secrets.mySecondSecret
}
}Please refer to the HPE Vault wiki for more information.