|
| 1 | +--- |
| 2 | +title:"Vault Secrets in the Pipeline" |
| 3 | +description:"Accessing and Referring to Vault Secrets in the Pipeline" |
| 4 | +group:yaml-examples |
| 5 | +sub_group:examples |
| 6 | +redirect_from: |
| 7 | + -/docs/vault-secrets-in-the-pipeline/ |
| 8 | +toc:true |
| 9 | +--- |
| 10 | + |
| 11 | +Codefresh offers a Vault plugin you may use from the[Step Marketplace](https://codefresh.io/steps/step/vault). The plugin imports key-value pairs from the Vault server, and exports them into the pipeline. |
| 12 | +##Prerequisites |
| 13 | + |
| 14 | +- A[free Codefresh account](https://codefresh.io/docs/docs/getting-started/create-a-codefresh-account/) |
| 15 | +- An existing Vault server[already setup](https://learn.hashicorp.com/vault/getting-started/install) |
| 16 | +- A secret stored in said Vault server with a key of "password" |
| 17 | +- A Vault[authorization token](https://learn.hashicorp.com/vault/getting-started/authentication#tokens) |
| 18 | + |
| 19 | +##The Example Java Application |
| 20 | + |
| 21 | +You can find the example project on[Github](https://github.com/codefresh-contrib/vault-sample-app). |
| 22 | + |
| 23 | +The example application retrieves the system variable "password," from the pipeline and uses it to authenticate to a Redis database, but you are free to use any type of database of your choosing. |
| 24 | + |
| 25 | +```java |
| 26 | +String password=System.getenv("password"); |
| 27 | +String host=System.getProperty("server.host"); |
| 28 | + |
| 29 | +RedisClient redisClient=newRedisClient( |
| 30 | +RedisURI.create("redis://"+ password+"@"+ host+":6379")); |
| 31 | +RedisConnection<String,String> connection= redisClient.connect(); |
| 32 | +``` |
| 33 | + |
| 34 | +Also in the example application is a simple unit test that ensures we are able to read and write data to the database. |
| 35 | + |
| 36 | +You cannot run the application locally, as it needs to run in the pipeline in order to use our environment variables to connect. |
| 37 | + |
| 38 | +##Create the Pipeline |
| 39 | + |
| 40 | +We will be running the following pipeline that contains three step types: a vault step, a[git-clone]({{site.baseurl}}/docs/codefresh-yaml/steps/git-clone/) step, and a[freestyle step]({{site.baseurl}}/docs/codefresh-yaml/steps/freestyle/). |
| 41 | + |
| 42 | +{% include image.html |
| 43 | +lightbox="true" |
| 44 | +file="/images/examples/secrets/vault-pipeline.png" |
| 45 | +url="/images/examples/secrets/vault-pipeline.png" |
| 46 | +alt="Vault pipeline" |
| 47 | +caption="Vault Pipeline" |
| 48 | +max-width="100%" |
| 49 | +%} |
| 50 | + |
| 51 | +You should be able to copy and paste this YAML in the in-line editor of the Codefresh UI. It will automatically clone the project for you. |
| 52 | + |
| 53 | +Note that you need to change the`VAULT_ADDR`,`VAULT_AUTH`, and`VAULT_AUTH_TOKEN` arguments under the first step to your respective values. |
| 54 | + |
| 55 | +`codefresh.yml` |
| 56 | +```yaml |
| 57 | +version:"1.0" |
| 58 | +stages: |
| 59 | + -"vault" |
| 60 | + -"clone" |
| 61 | + -"package" |
| 62 | +steps: |
| 63 | +vault: |
| 64 | +title:Importing vault values... |
| 65 | +stage:"vault" |
| 66 | +type:vault |
| 67 | +arguments: |
| 68 | +VAULT_ADDR:'http://<YOUR_VAULT_SERVER_IP>:<PORT>' |
| 69 | +VAULT_PATH:'path/to/secret' |
| 70 | +VAULT_AUTH_TOKEN:'<YOUR_VAULT_AUTH_TOKEN>' |
| 71 | +main_clone: |
| 72 | +title:Cloning main repository... |
| 73 | +type:git-clone |
| 74 | +repo:'codefresh-contrib/vault-sample-app' |
| 75 | +git:github |
| 76 | +stage:clone |
| 77 | +package_jar: |
| 78 | +title:Packaging jar and running unit tests... |
| 79 | +stage:package |
| 80 | +image:maven:3.5.2-jdk-8-alpine |
| 81 | +working_directory:./ |
| 82 | +commands: |
| 83 | + -mvn -Dmaven.repo.local=/codefresh/volume/m2_repository -Dserver.host=my-redis-db-host clean package |
| 84 | +services: |
| 85 | +composition: |
| 86 | +my-redis-db-host: |
| 87 | +image:'redis:4-alpine' |
| 88 | +command:'redis-server --requirepass $password' |
| 89 | +ports: |
| 90 | + -6379 |
| 91 | +``` |
| 92 | +
|
| 93 | +The above pipeline does the following: |
| 94 | +
|
| 95 | +1. Imports the key-value pairs from the Vault server and exports them into the pipeline under`/meta/env_vars_to_export`. |
| 96 | +2. Clones the main repository (note the special use of naming the step `main_clone`). This ensures that all subsequent commands are run [inside the project that was checked out]({{site.baseurl}}/docs/codefresh-yaml/steps/git-clone/#basic-clone-step-project-based-pipeline). |
| 97 | +3. The last step, `package_jar`, does a few special things to take note of: |
| 98 | + -Spins up a [Service Container]({{site.baseurl}}/docs/codefresh-yaml/service-containers/) running Redis on port 6379 , and sets the password to the database using our exported environment variable |
| 99 | + -Sets `maven.repo.local` to cache Maven dependencies into the local codefresh volume to [speed up builds]({{site.baseurl}}/docs/learn-by-example/java/spring-boot-2/#caching-the-maven-dependencies) |
| 100 | + -Runs unit tests and packages the jar. Note how you can directly refer to the service container's name (`my-redis-db-host`) when we set `server.host` |
| 101 | + |
| 102 | +You will see that the variable was correctly exported to the pipeline by running a simple `echo` command: |
| 103 | +{% include image.html |
| 104 | +lightbox="true" |
| 105 | +file="/images/examples/secrets/vault-pipeline2.png" |
| 106 | +url="/images/examples/secrets/vault-pipeline2.png" |
| 107 | +alt="Vault pipeline Variable" |
| 108 | +caption="Vault Pipeline Variable" |
| 109 | +max-width="100%" |
| 110 | +%} |
| 111 | + |
| 112 | +## What to Read Next |
| 113 | + |
| 114 | +-[Git-clone Step]({{site.baseurl}}/docs/codefresh-yaml/steps/git-clone/) |
| 115 | +-[Freestyle Step]({{site.baseurl}}/docs/codefresh-yaml/steps/freestyle/) |
| 116 | +-[Service Containers]({{site.baseurl}}//docs/codefresh-yaml/service-containers/) |
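
Review bot: The `vault` step in `codefresh.yml` (file lines 68-70) takes the token as a literal in `VAULT_AUTH_TOKEN` and uses a plain `http://` address in `VAULT_ADDR`, so anyone copying the example stores a Vault token in clear text in the pipeline definition and sends it, along with the returned secrets, over an unencrypted connection. Suggest referencing an encrypted pipeline variable instead, for example `VAULT_AUTH_TOKEN: '${{VAULT_TOKEN}}'` (variable name illustrative), and using `https://` in the address placeholder. The note on line 53 tells readers to change `VAULT_AUTH`, which is not among the step's arguments, while `VAULT_PATH` is set in the YAML but not mentioned; one of the two needs correcting. Line 102 says the export is confirmed with an `echo` command, but no such step appears in the YAML, and echoing `password` would print the secret into the build log; consider checking only that the variable is non-empty, or dropping the paragraph. The last link on line 116 has a doubled slash after `{{site.baseurl}}`.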