|
| 1 | +--- |
| 2 | +title:"Vault Secrets in the Pipeline" |
| 3 | +description:"Accessing and Referring to Vault Secrets in the Pipeline" |
| 4 | +group:yaml-examples |
| 5 | +sub_group:examples |
| 6 | +redirect_from: |
| 7 | + -/docs/vault-secrets-in-the-pipeline/ |
| 8 | +toc:true |
| 9 | +--- |
| 10 | + |
| 11 | +Codefresh offers a Vault plugin you may use from the[Step Marketplace](https://codefresh.io/steps/step/vault). The plugin imports key-value pairs from the Vault server, and exports them into the pipeline. Since this is a custom typed-step, variables are written to`/meta/env_vars_to_export`, as opposed to`/codefresh/volume/env_vars_to_export`. |
| 12 | + |
| 13 | +##Prerequisites |
| 14 | + |
| 15 | +- A[free Codefresh account](https://codefresh.io/docs/docs/getting-started/create-a-codefresh-account/) |
| 16 | +- An existing Vault server[already setup](https://learn.hashicorp.com/vault/getting-started/install) |
| 17 | +- A secret stored in said Vault server with a key of "password" |
| 18 | +- A Vault[authorization token](https://learn.hashicorp.com/vault/getting-started/authentication#tokens) |
| 19 | + |
| 20 | +##The Example Java Application |
| 21 | + |
| 22 | +You can find the example project on[Github](https://github.com/codefresh-contrib/vault-sample-app). |
| 23 | + |
| 24 | +The example application retrieves the system variable "password," from the pipeline and uses it to authenticate to a Redis database, but you are free to use any type of database of your choosing. |
| 25 | + |
| 26 | +```java |
| 27 | +String password=System.getenv("password"); |
| 28 | +String host=System.getProperty("server.host"); |
| 29 | + |
| 30 | +RedisClient redisClient=newRedisClient( |
| 31 | +RedisURI.create("redis://"+ password+"@"+ host+":6379")); |
| 32 | +RedisConnection<String,String> connection= redisClient.connect(); |
| 33 | +``` |
| 34 | + |
| 35 | +Also in the example application is a simple unit test that ensures we are able to read and write data to the database. |
| 36 | + |
| 37 | +You cannot run the application locally, as it needs to run in the pipeline in order for the tests to pass. |
| 38 | + |
| 39 | +##Create the Pipeline |
| 40 | + |
| 41 | +You should be able to copy and paste this YAML in the in-line editor of the Codefresh UI. It will automatically clone the project for you. |
| 42 | + |
| 43 | +Note that you need to change the`VAULT_ADDR`,`VAULT_AUTH`, and`VAULT_AUTH_TOKEN` arguments under the first step to your respective values. |
| 44 | + |
| 45 | +`codefresh.yml` |
| 46 | +```yaml |
| 47 | +version:"1.0" |
| 48 | +stages: |
| 49 | + -"vault" |
| 50 | + -"clone" |
| 51 | + -"package" |
| 52 | +steps: |
| 53 | +vault: |
| 54 | +title:Importing vault values... |
| 55 | +stage:"vault" |
| 56 | +type:vault |
| 57 | +arguments: |
| 58 | +VAULT_ADDR:'http://<YOUR_VAULT_SERVER_IP>:<PORT>' |
| 59 | +VAULT_PATH:'path/to/secret' |
| 60 | +VAULT_AUTH_TOKEN:'<YOUR_VAULT_AUTH_TOKEN>' |
| 61 | +main_clone: |
| 62 | +title:Cloning main repository... |
| 63 | +type:git-clone |
| 64 | +repo:'codefresh-contrib/vault-sample-app' |
| 65 | +git:github |
| 66 | +stage:clone |
| 67 | +package_jar: |
| 68 | +title:Packaging jar and running unit tests... |
| 69 | +stage:package |
| 70 | +image:maven:3.5.2-jdk-8-alpine |
| 71 | +working_directory:./ |
| 72 | +commands: |
| 73 | + -mvn -Dmaven.repo.local=/codefresh/volume/m2_repository -Dserver.host=my-redis-db-host clean package |
| 74 | +services: |
| 75 | +composition: |
| 76 | +my-redis-db-host: |
| 77 | +image:'redis:4-alpine' |
| 78 | +command:'redis-server --requirepass $password' |
| 79 | +ports: |
| 80 | + -6379 |
| 81 | +``` |
| 82 | +
|
| 83 | +The above pipeline does the following: |
| 84 | +
|
| 85 | +1. Imports the key-value pairs from the Vault server and exports them into the pipeline under`/meta/env_vars_to_export`. |
| 86 | +2. Clones the main repository (note the special use of naming the step `main_clone`). This ensures that all subsequent commands are run [inside the project that was checked out]({{site.baseurl}}/docs/codefresh-yaml/steps/git-clone/#basic-clone-step-project-based-pipeline). |
| 87 | +3. The last step, `package_jar`, does a few special things to take note of: |
| 88 | + -Spins up a [Service Container]({{site.baseurl}}/docs/codefresh-yaml/service-containers/) running Redis on port 6379 , and sets the password to the database using our exported environment variable |
| 89 | + -Sets `maven.repo.local` to cache Maven dependencies into the local codefresh volume to [speed up builds]({{site.baseurl}}/docs/learn-by-example/java/spring-boot-2/#caching-the-maven-dependencies) |
| 90 | + -Runs unit tests and packages the jar. Note how you can directly refer to the service container's name (`my-redis-db-host`) when we set `server.host` |
| 91 | + |
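Review bot: the prose in line 43 of the new file tells the reader to change `VAULT_ADDR`, `VAULT_AUTH`, and `VAULT_AUTH_TOKEN` "under the first step", but the `vault` step in the YAML defines `VAULT_ADDR`, `VAULT_PATH` and `VAULT_AUTH_TOKEN`; there is no `VAULT_AUTH` argument, so either the sentence should name `VAULT_PATH` or the step is missing an argument. Two further points on the same step: `VAULT_AUTH_TOKEN: '<YOUR_VAULT_AUTH_TOKEN>'` invites readers to paste a live Vault token into a YAML file that lives in the repository, so the example should reference a pipeline variable (Codefresh `${{...}}` syntax) backed by an encrypted variable in the UI and say so in the surrounding text, and the `VAULT_ADDR` placeholder uses `http://`, which sends that token in clear text; an `https://` placeholder would be the safer default to show. Finally, `redis-server --requirepass $password` in the service container and `"redis://" + password + "@" + host` in the Java snippet both put the secret on a command line / in a connection URL, which is fine for a demo but worth a one-line note that it will show up in process listings and any logged URI.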