How to get secrets from Vault into my Jenkins Configuration as Code installation using Helm?
I am trying to deploy a Jenkins using helm with JCasC to get vault secrets. I am using a local minikube to create my k8s cluster and a local vault instance on my machine (not in the k8s cluster).
Even though I am trying to use `initContainerEnv` and `ContainerEnv`, I am not able to reach the vault values. For the `CASC_VAULT_TOKEN` value I am using the vault root token.
This is the helm command I run locally:

```
helm upgrade --install -f values.yml mijenkins jenkins/jenkins
```

And here is my `values.yml` file code:

```yaml
controller:
  installPlugins:
    # need to add this configuration-as-code due to a known jenkins issue: https://github.com/jenkinsci/helm-charts/issues/595
    - "configuration-as-code:1414.v878271fc496f"
    - "hashicorp-vault-plugin:latest"
  # passing initial environments values to docker basic container
  initContainerEnv:
    - name: CASC_VAULT_TOKEN
      value: "my-vault-root-token"
    - name: CASC_VAULT_URL
      value: "http://localhost:8200"
    - name: CASC_VAULT_PATHS
      value: "cubbyhole/jenkins"
    - name: CASC_VAULT_ENGINE_VERSION
      value: "2"
  ContainerEnv:
    - name: CASC_VAULT_TOKEN
      value: "my-vault-root-token"
    - name: CASC_VAULT_URL
      value: "http://localhost:8200"
    - name: CASC_VAULT_PATHS
      value: "cubbyhole/jenkins"
    - name: CASC_VAULT_ENGINE_VERSION
      value: "2"
  JCasC:
    configScripts:
      here-is-the-user-security: |
        jenkins:
          securityRealm:
            local:
              allowsSignup: false
              enableCaptcha: false
              users:
                - id: "${JENKINS_ADMIN_ID}"
                  password: "${JENKINS_ADMIN_PASSWORD}"
```

And in my local vault I can see/reach the values:

```
> vault kv get cubbyhole/jenkins
============= Data =============
Key                     Value
---                     -----
JENKINS_ADMIN_ID        alan
JENKINS_ADMIN_PASSWORD  acosta
```

Do any of you have an idea what I could be doing wrong?
Comments (2)
I haven't used Vault with Jenkins, so I'm not exactly sure about your particular situation, but I am very familiar with how finicky the Jenkins helm chart is, and I was able to configure my securityRealm (with the Google Login plugin) by creating a k8s secret with the values needed first:
then passing those values into the helm chart values.yml via:
then reading them into JCasC like so:
In order for that to work, the values.yml also needs to include the following settings:
Note that I am running jenkins as a k8s serviceAccount called `jenkins` in the namespace `jenkins`.
After debugging my jenkins installation I figured out that the main issue was neither my `values.yml` nor my JCasC integration, as I was able to see the `ContainerEnv` values if I go inside my jenkins pod with:
So I needed to expose my vault server so my jenkins is able to reach it; I used this Vault tutorial to achieve it. In brief, instead of using the normal:

```
vault server -dev
```

We need to use:
Then we need to export an environment variable for the vault CLI to address the Vault server.
After that, we need to determine the vault address to which we are going to redirect our jenkins ping; to do that we need to start a minikube ssh session:
Within this SSH session, retrieve the value of the Minikube host.
After retrieving the value, we are going to retrieve the status of the Vault server to verify network connectivity.
And now we can connect our jenkins pod with our vault; we just need to change `CASC_VAULT_URL` to use `http://192.168.65.2:8200` in our main `.yml` file like this:
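The answer above boils down to two checks a practitioner can automate before running `helm upgrade`: a loopback `CASC_VAULT_URL` is the pod's own network namespace rather than the developer machine, and the chart values carry the Vault root token as a literal string. The script below is an added example (not code from the question or either answer); the values file it inspects is constructed inline to mirror the question, and the host IP passed to `pod_reachable_url` is the one the answer found via `minikube ssh`.

```shell
# Added pre-flight check for jenkins/jenkins chart values (example code, not
# from this thread). Flags a loopback CASC_VAULT_URL, which a pod cannot reach,
# and a Vault token written literally into values.yml instead of referenced
# from a Kubernetes Secret; then rewrites the URL to a host IP the pod can use.

# Return 0 when the URL's host is a loopback address.
is_loopback_url() {
  case "$1" in
    *://localhost*|*://127.0.0.1*|*://\[::1\]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Rewrite a loopback Vault URL to an address the pod can reach (for the
# thread's setup, the minikube host IP), keeping scheme and port intact.
pod_reachable_url() {
  is_loopback_url "$1" || { printf '%s\n' "$1"; return 0; }
  printf '%s\n' "$1" | sed -e "s#://localhost#://$2#" \
    -e "s#://127\.0\.0\.1#://$2#" -e "s#://\[::1\]#://$2#"
}

# Print one "FINDING:" line per problem in a values file; the return code
# is the number of findings, so 0 means the file passed both checks.
preflight_values() {
  findings=0
  url=$(awk '/name: CASC_VAULT_URL/{getline; gsub(/"/,"",$2); print $2; exit}' "$1")
  if is_loopback_url "$url"; then
    echo "FINDING: CASC_VAULT_URL=$url is loopback and unreachable from a pod"
    findings=$((findings + 1))
  fi
  literal=$(awk '/name: CASC_VAULT_TOKEN/{getline; if ($1 == "value:") n++} END{print n+0}' "$1")
  if [ "$literal" -gt 0 ]; then
    echo "FINDING: $literal literal CASC_VAULT_TOKEN value(s); use valueFrom.secretKeyRef and a scoped token, not root"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample mirroring the question's values.yml (not a real file).
SAMPLE_VALUES=$(mktemp)
cat >"$SAMPLE_VALUES" <<'EOF'
controller:
  containerEnv:
    - name: CASC_VAULT_TOKEN
      value: "my-vault-root-token"
    - name: CASC_VAULT_URL
      value: "http://localhost:8200"
EOF
preflight_values "$SAMPLE_VALUES" || echo "$? problem(s) found"
pod_reachable_url "http://localhost:8200" "192.168.65.2"   # http://192.168.65.2:8200
```

Run it against your real `values.yml` by replacing `$SAMPLE_VALUES`; a clean file references the token via `valueFrom.secretKeyRef` and points `CASC_VAULT_URL` at the address `minikube ssh` reported.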