BTLzdravtech/hashicorp-vault-pipeline-plugin

Hashicorp Vault Pipeline Plugin

A Jenkins plugin that enables the use of HashiCorp Vault from within a pipeline: a vault step reads a single key from a Vault KV secret so the value can be bound to an environment variable or used inline.

Development

All build and test commands run inside Docker — no local Maven/JDK required.

make build    # build the test image (Jenkins 2.555.1 + JDK 21)
make test     # run the JUnit 5 test suite inside the image
make plugin   # produce target/hashicorp-vault-pipeline.hpi
make clean    # remove target/

The image caches Maven dependencies in its layer; the test run mounts ~/.m2 so subsequent runs skip downloads. Override the image tag or Maven cache location via env:

make build IMAGE=my-vault-test:dev
make test  M2=/tmp/m2

Integration smoke test (Jenkins + real Vault)

After make plugin, bring up Jenkins + HashiCorp Vault:

docker compose up --build
  • Vault dev server: http://localhost:8200 (root token: root)
  • Jenkins: http://localhost:8080 (admin / admin)
  • Job vault-smoke-test is auto-created; it exercises vault() in environment{}, inline script{}, and withEnv macro expansion against a live Vault seeded with KV v1 and KV v2 secrets.

This stack is for local smoke testing only: a dev-mode Vault keeps all data in memory, starts unsealed, serves plaintext HTTP and uses the fixed root token above, and the Jenkins admin password is likewise static. Do not expose these ports beyond the local machine.

Dependencies

Examples

Using global vault configuration
pipeline {
    agent any
    environment {
        SECRET = vault path: 'secrets', key: 'username'
    }
    stages {
        stage("read vault key") {
            steps {
                echo "${SECRET}"
            }
        }
    }
}
Using pipeline-specific configuration (vaultUrl, credentialsId and engineVersion override the global settings; engineVersion selects KV v1 or KV v2 semantics for the path)
pipeline {
    agent any
    environment {
        SECRET = vault path: 'secrets', key: 'username', vaultUrl: 'https://my-vault.com:8200', credentialsId: 'my-creds', engineVersion: "2"
    }
    stages {
        stage("read vault key") {
            steps {
                echo "${SECRET}"
            }
        }
    }
}
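Getting engineVersion wrong is the most common reason a vault() read fails or returns nothing: KV v1 and KV v2 use different request paths and wrap the secret differently in the response. The following is an added example, not the plugin's code, that shows both differences against constructed responses in Vault's documented v1 and v2 shapes. It assumes the path is written as '<mount>/<secret path>' (for example secrets/app); how the plugin itself splits the path is not stated on this page, so the URL layout below follows Vault's HTTP API rather than the plugin's internals.

```python
import json

# Added example, not the plugin's code. It shows what engineVersion changes: the
# read URL and the shape of the response. ASSUMPTION: path is '<mount>/<secret path>'
# (for example 'secrets/app'); how the plugin itself splits the path is not stated on
# this page, so the URL layout below follows Vault's HTTP API rather than the plugin.


def kv_read_url(vault_url: str, path: str, engine_version: str) -> str:
    """Build the HTTP read URL for a KV secret.

    KV v1: GET <vaultUrl>/v1/<mount>/<secret path>
    KV v2: GET <vaultUrl>/v1/<mount>/data/<secret path>  (a 'data' segment after the mount)
    """
    mount, _, rest = path.strip("/").partition("/")
    if not mount or not rest:
        raise ValueError(f"path must look like '<mount>/<secret path>', got {path!r}")
    base = vault_url.rstrip("/")
    if engine_version == "1":
        return f"{base}/v1/{mount}/{rest}"
    if engine_version == "2":
        return f"{base}/v1/{mount}/data/{rest}"
    raise ValueError(f"unsupported engineVersion {engine_version!r}")


def kv_extract_key(response_body: str, key: str, engine_version: str) -> str:
    """Pull one key out of a KV read response body.

    KV v1:  {"data": {"<key>": "<value>", ...}}
    KV v2:  {"data": {"data": {"<key>": "<value>", ...}, "metadata": {...}}}
    Reading a v2 secret with engineVersion "1" lands on the wrapper and finds only
    'data' and 'metadata', which is the usual symptom of a wrong engineVersion.
    """
    body = json.loads(response_body)
    data = body.get("data")
    if not isinstance(data, dict):
        raise KeyError("response has no 'data' object (wrong path, or the token lacks read on it)")
    if engine_version == "2":
        data = data.get("data")
        if not isinstance(data, dict):
            # KV v2 returns "data": null for a deleted or destroyed version.
            raise KeyError("no 'data.data' object: deleted/destroyed version, or a KV v1 engine")
    if key not in data:
        raise KeyError(f"key {key!r} not in secret; present keys: {sorted(data)}")
    value = data[key]
    if not isinstance(value, str):
        raise TypeError(f"key {key!r} is not a string value")
    return value


# Constructed responses in the documented v1 and v2 shapes (not captured from a real Vault).
KV1_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000001",
    "lease_id": "",
    "renewable": False,
    "lease_duration": 2764800,
    "data": {"username": "deploy", "password1": "v1-pass-one"},
})
KV2_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000002",
    "lease_id": "",
    "renewable": False,
    "lease_duration": 0,
    "data": {
        "data": {"username": "deploy", "password1": "v2-pass-one"},
        "metadata": {"created_time": "2024-01-01T00:00:00Z", "version": 3, "destroyed": False},
    },
})

if __name__ == "__main__":
    for version, body in (("1", KV1_RESPONSE), ("2", KV2_RESPONSE)):
        print(kv_read_url("https://my-vault.com:8200", "secrets/app", version),
              "->", kv_extract_key(body, "username", version))
```

The cross-version cases are the useful ones to keep in mind when a job fails: a v2 response read with engineVersion "1" raises because the requested key is not in the wrapper, and a v1 response read with engineVersion "2" raises because there is no nested data object.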
Masking secrets in console output

By default, the plugin does not hide accidental printing of a secret to the console. This matters because the sh step runs scripts with set -x, so every command line is echoed to the build log with its variables already expanded, including any secret passed as an argument. A related pitfall: interpolating a secret in a Groovy double-quoted string (sh "curl -H 'X-Vault-Token: ${SECRET}' ...") writes the value into the generated script itself; prefer a single-quoted Groovy string and let the shell expand the variable (sh 'curl -H "X-Vault-Token: $SECRET" ...').

The Mask Passwords plugin is required; it provides the MaskPasswordsBuildWrapper used below. Masking is by value: only the exact strings given in varPasswordPairs are replaced in the log, so a value that is transformed before it is printed (for example base64-encoded) is not caught.

pipeline {
    agent any
    environment {
        // All three values come from Vault; only the two passwords are masked below.
        SECRET1    = vault path: 'secrets', key: 'password1', vaultUrl: 'https://my-vault.com:8200', credentialsId: 'my-creds', engineVersion: "2"
        SECRET2    = vault path: 'secrets', key: 'password2', vaultUrl: 'https://my-vault.com:8200', credentialsId: 'my-creds', engineVersion: "2"
        NOT_SECRET = vault path: 'secrets', key: 'username', vaultUrl: 'https://my-vault.com:8200', credentialsId: 'my-creds', engineVersion: "2"
    }
    stages {
        stage("read vault key") {
            steps {
              // Each pair names a variable and the value to mask; every occurrence of
              // the value is replaced in the console log for the body of the wrap block.
              wrap([$class: 'MaskPasswordsBuildWrapper', varPasswordPairs: [[password: env['SECRET1'], var: 'SECRET1'], [password: env['SECRET2'], var: 'SECRET2']]]) {
                echo "These secrets will be masked: ${SECRET1} and ${SECRET2}"
                echo "This secret will be printed in clear text: ${NOT_SECRET}"
              }
            }
        }
    }
}
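To make the limits of value-based masking concrete, here is an added example (not code from this plugin or from the Mask Passwords plugin) that models the same replace-by-value behaviour over constructed set -x trace lines. The token, secret values and log lines are made up; the masker itself handles the two edge cases a practitioner hits: one secret that is a prefix of another, and empty values that must never be masked.

```python
import base64
import re

# Added example, not the plugin's or the Mask Passwords plugin's code. It models
# value-based console masking over constructed 'set -x' trace lines, showing what is
# caught (the raw value, wherever it appears) and what is not (a transformed value).

MASK = "********"


def make_masker(secrets):
    """Return a function replacing every occurrence of each secret value with MASK.

    Longer values are tried first, so a secret that is a prefix of another cannot
    leave the longer one's tail in clear text. Empty and whitespace-only values
    are skipped: substituting an empty pattern would corrupt every line.
    """
    values = sorted({s for s in secrets if s and s.strip()}, key=len, reverse=True)
    if not values:
        return lambda line: line
    pattern = re.compile("|".join(re.escape(v) for v in values))
    return lambda line: pattern.sub(MASK, line)


def mask_console(lines, secrets):
    """Mask a list of console lines; returns a new list, input is left untouched."""
    masker = make_masker(secrets)
    return [masker(line) for line in lines]


# Constructed values and log lines (not from a real build). The trace lines are what
# a 'set -x' shell prints before running each command, with variables already expanded.
SECRETS = ["hvs.CAESIexampletoken", "s3cr3t-one", "s3cr3t-two"]
ENCODED_LEAK = base64.b64encode(SECRETS[1].encode()).decode()  # echo -n "$SECRET1" | base64
CONSOLE = [
    "+ curl -sS -H 'X-Vault-Token: hvs.CAESIexampletoken' https://my-vault.com:8200/v1/secrets/data/app",
    "+ echo These secrets will be masked: s3cr3t-one and s3cr3t-two",
    "+ echo This secret will be printed in clear text: deploy",
    "+ echo " + ENCODED_LEAK,
]

if __name__ == "__main__":
    for line in mask_console(CONSOLE, SECRETS):
        print(line)
```

The last line survives masking unchanged: the base64 form of the secret is not among the registered values, so anything that encodes, hashes or otherwise transforms a secret before printing it leaks regardless of the wrapper. Either mask the transformed form as well or, better, never let the transformed value reach the log.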
