David LE PENVEN dlepenven

View GitHub Profile
@dlepenven
dlepenven / vault-ssh-ca-ansible
Created January 28, 2022 07:50 — forked from kawsark/vault-ssh-ca-ansible
Steps to set up the Vault SSH CA secrets engine for use with Ansible
# 1. (Optional) Disable SSH and Key/Value secrets engine if they existed.
# NOTE: THIS WILL ERASE PREVIOUSLY CONFIGURED ENGINES AT THIS PATH
export VAULT_TOKEN=<Admin-or-Root-key>
vault secrets disable ssh
vault secrets disable kv
# 2. Enable SSH secrets engine (Client signer role) and generate a CA
vault secrets enable -path=ssh ssh
vault write -format=json ssh/config/ca generate_signing_key=true | jq -r '.data.public_key' > ./trusted-user-ca-keys.pem
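The last command above writes whatever Vault returns in `.data.public_key` straight into the file that sshd will trust as a user CA. Before a configuration-management run drops that file onto every host, it is worth checking that the value really is a well-formed OpenSSH public key and whether it differs from the CA already deployed (a regenerated CA with the same comment is easy to miss). The following is an added example, not part of the gist; the JSON response and the 32-byte key inside it are constructed, and the functions `parse_ca_public_key`, `fingerprint` and `trusted_ca_file_changed` are this example's own names. The fingerprint is computed the way `ssh-keygen -lf` prints it (SHA256 of the key blob, base64 without padding), so it can be compared against real hosts.

```python
import base64
import hashlib
import json
import struct

# Key types sshd accepts in TrustedUserCAKeys; anything else means the response
# is not the CA key we asked Vault for.
ALLOWED_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _fake_openssh_pubkey(key_type: str, raw: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line from a (constructed) raw key blob."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode("ascii")
            + struct.pack(">I", len(raw)) + raw)
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed stand-in for the JSON that
#   vault write -format=json ssh/config/ca generate_signing_key=true
# prints. The key bytes are a made-up 32-byte string, not a real CA key.
SAMPLE_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {"public_key": _fake_openssh_pubkey("ssh-ed25519", bytes(range(32)), "vault-ssh-ca")},
})


def parse_ca_public_key(vault_json: str) -> str:
    """Return data.public_key after checking it is a well-formed OpenSSH public key."""
    doc = json.loads(vault_json)
    line = doc["data"]["public_key"].strip()
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unexpected key type {key_type!r}")
    blob = base64.b64decode(b64, validate=True)
    # The wire format starts with a length-prefixed type string; it must agree
    # with the textual type, otherwise the line is corrupt or has been tampered with.
    if len(blob) < 4:
        raise ValueError("public key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match the text prefix")
    return line


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64, no padding)."""
    blob = base64.b64decode(pubkey_line.split()[1], validate=True)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return "SHA256:" + digest.rstrip("=")


def trusted_ca_file_changed(deployed_file: str, vault_json: str) -> bool:
    """True when the CA Vault publishes is not already in the trusted-keys file.

    Compares fingerprints rather than raw text, so a changed comment does not
    trigger a redeploy but a regenerated CA (new key, same comment) does.
    """
    current = fingerprint(parse_ca_public_key(vault_json))
    deployed = {fingerprint(l) for l in deployed_file.splitlines()
                if l.strip() and not l.startswith("#")}
    return current not in deployed
```

In a playbook this check belongs between fetching the key from Vault and templating `TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem` into `sshd_config`: a malformed line makes sshd silently ignore the CA, and an unnoticed CA rotation means every previously signed certificate stops working.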
@dlepenven
dlepenven / vault-jenkins-approle.md
Created January 27, 2022 11:04 — forked from kawsark/vault-jenkins-approle.md
Example Jenkins integration for Vault using AppRole and curl

Example Jenkins integration for Vault

This snippet provides an example Jenkinsfile that performs an AppRole authentication using the curl utility. The objective is to let Jenkins authenticate to Vault, then use the resulting short-lived token to retrieve a secret. It does not rely on a plugin and therefore offers more flexibility.

AppRole authentication relies on a ROLE_ID and SECRET_ID to login and retrieve a Vault token. There are two ways to provide the SECRET_ID to Jenkins. Both of these are expanded upon below.

  1. Pre-created SECRET_ID as a Jenkins secret. An out-of-band workflow will need to refresh the SECRET_ID periodically so Jenkins continues to perform AppRole logins successfully.
  2. Alternative AppRole design: Give Jenkins the ability to refresh the SECRET_ID by itself.
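The exchange the Jenkinsfile drives with curl is three HTTP calls: `POST /v1/auth/approle/login` with the ROLE_ID and SECRET_ID, a read of the secret with the returned `client_token` in the `X-Vault-Token` header, and `POST /v1/auth/token/revoke-self` so the temporary token does not outlive the build. The following is an added example, not the gist's Jenkinsfile: a small mock of those three Vault endpoints runs in a thread so the client side can be exercised offline. The ROLE_ID, SECRET_ID, secret path and secret value are constructed, and `MockVault`, `vault_call`, `approle_login`, `read_secret`, `jenkins_stage` and `demo` are this example's own names.

```python
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request
from urllib.error import HTTPError

# Constructed values. A real pipeline reads ROLE_ID from the job configuration and
# SECRET_ID from a Jenkins credential (option 1 above); the secret is made up.
ROLE_ID = "0e3f8b1e-jenkins-role-id"
SECRET_ID = "c9a4d2f7-jenkins-secret-id"
SECRET_PATH = "secret/data/jenkins/db"            # KV v2 read path
SECRET_VALUE = {"username": "app", "password": "constructed-example"}


class MockVault(BaseHTTPRequestHandler):
    """Stands in for Vault's AppRole login, KV v2 read and token self-revocation."""
    tokens: set = set()            # tokens that are currently valid

    def log_message(self, *args):  # keep the example quiet
        pass

    def _send(self, code, body=None):
        data = json.dumps(body).encode() if body is not None else b""
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        n = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(n) or b"{}")
        if self.path == "/v1/auth/approle/login":
            if body.get("role_id") == ROLE_ID and body.get("secret_id") == SECRET_ID:
                token = "hvs." + secrets.token_hex(16)
                MockVault.tokens.add(token)
                return self._send(200, {"auth": {"client_token": token, "lease_duration": 300}})
            return self._send(400, {"errors": ["invalid role or secret ID"]})
        if self.path == "/v1/auth/token/revoke-self":
            MockVault.tokens.discard(self.headers.get("X-Vault-Token"))
            return self._send(204)   # Vault answers 204 No Content here
        self._send(404, {"errors": []})

    def do_GET(self):
        if self.headers.get("X-Vault-Token") not in MockVault.tokens:
            return self._send(403, {"errors": ["permission denied"]})
        if self.path == "/v1/" + SECRET_PATH:
            return self._send(200, {"data": {"data": SECRET_VALUE, "metadata": {"version": 1}}})
        self._send(404, {"errors": []})


def vault_call(addr, method, path, body=None, token=None):
    """One Vault API call; the Jenkinsfile does the same thing with curl."""
    headers = {"X-Vault-Token": token} if token else {}
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(f"http://{addr}/v1/{path}", data=data, method=method, headers=headers)
    try:
        with request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


def approle_login(addr, role_id, secret_id):
    status, doc = vault_call(addr, "POST", "auth/approle/login",
                             {"role_id": role_id, "secret_id": secret_id})
    if status != 200:
        raise PermissionError(f"AppRole login failed ({status}): {doc.get('errors')}")
    return doc["auth"]["client_token"]


def read_secret(addr, token, path):
    status, doc = vault_call(addr, "GET", path, token=token)
    if status != 200:
        raise PermissionError(f"read of {path} failed ({status}): {doc.get('errors')}")
    return doc["data"]["data"]


def start_mock_vault():
    server = HTTPServer(("127.0.0.1", 0), MockVault)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"127.0.0.1:{server.server_port}"


def jenkins_stage(addr, role_id=ROLE_ID, secret_id=SECRET_ID):
    """The whole pipeline step: login, read, and revoke the temporary token when done."""
    token = approle_login(addr, role_id, secret_id)
    try:
        return read_secret(addr, token, SECRET_PATH)
    finally:
        vault_call(addr, "POST", "auth/token/revoke-self", token=token)


def demo():
    server, addr = start_mock_vault()
    try:
        return jenkins_stage(addr)
    finally:
        server.shutdown()
```

The `finally` around the read is the part a curl-based Jenkinsfile most often omits: if the build fails after login, the token should still be revoked rather than left to expire. Option 2 adds one more call before the login, `POST /v1/auth/approle/role/<name>/secret-id`, made with a token whose policy grants only that path.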

1. Pre-created Secret ID

@dlepenven
dlepenven / example-vault-admin-policy.hcl
Created January 26, 2022 15:10 — forked from kawsark/example-vault-admin-policy.hcl
An example Vault admin policy with the capability to manage leases
# Allow managing leases
path "sys/leases/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# Manage auth methods broadly across Vault
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
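Reading a policy like this, the questions that matter are which requests each stanza actually covers: `sys/leases/*` matches `sys/leases/lookup` and `sys/leases/revoke-prefix/...` but not the bare `sys/leases`, and `auth/*` with `sudo` reaches every auth method's configuration, including `auth/approle/role/<name>/secret-id`. The following is an added example, not part of the gist: a small checker for the `path "..." { capabilities = [...] }` subset of Vault's policy language that implements the two wildcard forms Vault uses (a trailing `*` matches any suffix, `+` matches exactly one path segment). The policy text embeds the two stanzas above plus one constructed `+` stanza, and the checker assumes stanzas do not overlap, so it simply unions matching capabilities and lets an explicit `deny` win; Vault's own precedence rules for overlapping stanzas are richer, and `vault token capabilities <path>` remains the authoritative answer. `parse_policy`, `capabilities_for` and `allowed` are this example's own names.

```python
import re

# The two stanzas from the admin policy above, plus one constructed stanza using
# Vault's single-segment wildcard `+` so both wildcard forms are exercised.
POLICY = '''
path "sys/leases/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# constructed for this example, not part of the gist
path "secret/data/jenkins/+" {
  capabilities = ["read"]
}
'''

_STANZA = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(text: str) -> list:
    """Parse the `path "..." { capabilities = [...] }` subset of Vault HCL."""
    return [(pattern, set(re.findall(r'"([^"]+)"', caps)))
            for pattern, caps in _STANZA.findall(text)]


def _compile(pattern: str):
    """Vault path matching: `+` matches one segment, a trailing `*` any suffix."""
    glob = pattern.endswith("*")
    if glob:
        pattern = pattern[:-1]
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in pattern.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def capabilities_for(policy_text: str, path: str) -> set:
    """Capabilities the policy grants on `path`.

    Assumption of this example: stanzas do not overlap, so matching capabilities
    are unioned and an explicit "deny" wins outright. Vault's precedence rules for
    overlapping stanzas are richer; ask Vault (`vault token capabilities <path>`)
    for the authoritative answer.
    """
    granted = set()
    for pattern, caps in parse_policy(policy_text):
        if _compile(pattern).match(path):
            if "deny" in caps:
                return set()
            granted |= caps
    return granted


def allowed(policy_text: str, path: str, capability: str) -> bool:
    """True when `capability` on `path` is granted by the policy."""
    return capability in capabilities_for(policy_text, path)
```

Running the checker against the paths a Jenkins AppRole would touch shows why this is an admin policy and not one to hand to the pipeline: `auth/*` with `sudo` lets the holder mint new SECRET_IDs for any role and reconfigure every auth method.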