2017-08-10 01:51:39 +00:00

= Inline Pipeline Secrets

This is a link:https://jenkins.io/doc/book/pipeline/shared-libraries[Pipeline Shared Library]
that supports the use of user-defined inline secrets from
within a `Jenkinsfile`.

[WARNING]
====
This repository hasn't had a rigorous security evaluation; use at your own risk.
====

== Prerequisites

This Shared Library requires that the
link:https://plugins.jenkins.io/workflow-aggregator[Pipeline plugin] and
link:https://plugins.jenkins.io/mask-passwords[Mask Passwords plugin]
be installed.

== Using

=== Decrypting Secrets

A Pipeline can use secrets similarly to environment variables:

.Jenkinsfile
[source,groovy]
----
node {
    stage('Deploy') {
        // Each key becomes an environment variable inside the block;
        // each value is an encrypted secret wrapped in {...}.
        withSecrets(
            AWS_SECRET_ID: '{AQAAABAAAAAQWsBycxCz0x8ouOKJLU9OTvHdsN7kt7+6RAcV2zZJTm4=}'
        ) {
            echo "I should be deploying something with: ${env.AWS_SECRET_ID}"
        }
    }
}
----
image::https://raw.githubusercontent.com/CodeValet/inline-pipeline-secrets/master/assets/with-screenshot.png[Usage in Blue Ocean]
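
As an added example (not part of this library): a check, suitable for a pre-commit hook or code review job, that every value passed to `withSecrets` in a `Jenkinsfile` is ciphertext rather than plaintext. It assumes the `{...}` value uses the version-1 `hudson.util.Secret` payload layout, which the sample value above matches; `check_ciphertext` and `lint_jenkinsfile` are hypothetical names, and the plaintext entry in the sample is constructed.

```python
import base64
import re
import struct

# Constructed input: ciphertext from this page plus a made-up plaintext value.
SAMPLE = '''
withSecrets(
    AWS_SECRET_ID: '{AQAAABAAAAAQWsBycxCz0x8ouOKJLU9OTvHdsN7kt7+6RAcV2zZJTm4=}',
    AWS_SECRET_KEY: 'not-a-real-key-0000'
) {
    echo "deploying"
}
'''

WITH_SECRETS = re.compile(r"withSecrets\s*\((.*?)\)\s*\{", re.S)
ENTRY = re.compile(r"(\w+)\s*:\s*(['\"])(.*?)\2")


# Assumed layout (hudson.util.Secret v1): 0x01, IV length and data length as
# 4-byte big-endian ints, then IV, then data. Shape check only, no decryption.
def check_ciphertext(value):
    """Return None if value is shaped like ciphertext, else the reason it is not."""
    if not (value.startswith("{") and value.endswith("}")):
        return "not wrapped in {...}: looks like plaintext"
    try:
        raw = base64.b64decode(value[1:-1], validate=True)
    except ValueError:
        return "payload is not valid base64"
    if len(raw) < 9 or raw[0] != 1:
        return "unknown payload version"
    iv_len, data_len = struct.unpack(">II", raw[1:9])
    if data_len == 0 or len(raw) != 9 + iv_len + data_len:
        return "length fields do not match payload size"
    return None


def lint_jenkinsfile(text):
    """Return [(name, reason)] for each withSecrets entry that is not ciphertext."""
    findings = []
    for block in WITH_SECRETS.finditer(text):
        for name, _quote, value in ENTRY.findall(block.group(1)):
            reason = check_ciphertext(value)
            if reason:
                findings.append((name, reason))
    return findings

if __name__ == "__main__":
    for name, reason in lint_jenkinsfile(SAMPLE):
        print(f"{name}: {reason}")
```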

=== Encrypting Secrets

A Pipeline can be used to offer a user interface for encrypting secrets.

.Jenkinsfile
[source,groovy]
----
promptUserForEncryption()
----
== API

[NOTE]
====
This approach relies on a Jenkins instance-specific private key, which
means the encrypted ciphertexts are not portable across Jenkins instances.
====

`promptUserForEncryption()`

`createSecretText()`

`unsafeSecretAccess()`

`withSecrets()`