Version: Release 24.1

Hashicorp Vault Plugin

This topic covers the HashiCorp Vault Plugin for Release, which integrates Vault for secure secret management within release pipelines.

The HashiCorp Vault plugin retrieves secrets from a Vault Server for use in your tasks and automation. These secrets include static and dynamic username and password fields from the Secrets Engine of your choice.

Requirements

  • Digital.ai Release: version 9.6+

Installation

This documentation assumes Gradle version 6.0.1. See gradle/wrapper/gradle-wrapper.properties for the actual version.

Import the jar file into your %XLRELEASE_INSTALLATION%/plugins/xlr-official folder, or from the Digital.ai Release web UI as a new plugin. Adding the plugin requires a server restart.

Authentication

Vault permits several types of authentication, as outlined in the HashiCorp Vault Authentication documentation.

Note: This plugin implements a subset of the authentication options, initially only Token. Other authentication options can be added on demand. Release 23.1 introduced a new authentication type called Basic for the HashiCorp Vault plugin.

In the server configuration, define the URL and select the Authentication Method from the dropdown menu.

The HashiCorp Vault plugin now also supports the LDAP authentication method.

Alongside Token authentication, Basic authentication is now available for the HashiCorp Vault plugin.

(Screenshot: username-password)

Several types of authentication are available in the HashiCorp Vault plugin.

(Screenshot: authentication-list)

  1. If PAT is selected, the URL and Token fields are added as authentication fields in the HashiCorp Vault plugin.

(Screenshot: token)

Define the server configuration with the URL plus either a token or Basic credentials.

  1. If Basic is selected, the URL, Username and Password fields are added as authentication fields in the HashiCorp Vault plugin.

(Screenshot: username-password)

A Read Secret task for the KV Version 2 mount type is added to the HashiCorp Vault plugin.

(Screenshot: vault-kv-version2)

A Namespace field is added to the HashiCorp Vault plugin.

Note: Vault must run in Enterprise mode to use namespaces.

(Screenshot: namespace)

List of the tasks provided by the Vault plugin:

KV Version 1 Tasks

  • SecretsV1-ReadDynamicSecret
  • SecretsV1-CreateSecret
  • SecretsV1-ReadSecret
  • SecretsV1-DeleteSecret
  • SecretsV1-EnableEngine

KV Version 2 Tasks

  • SecretsV2-ReadSecret
  • SecretsV2-EnableEngine
  • SecretsV2-Configure
  • SecretsV2-ReadConfiguration
  • SecretsV2-ReadSecretVersions
  • SecretsV2-CreateSecret
  • SecretsV2-PatchExistingSecret
  • SecretsV2-DeleteVersion
  • SecretsV2-UndeleteVersion
  • SecretsV2-DestroyVersion
  • SecretsV2-ListSecrets
  • SecretsV2-ReadSecretMetadata
  • SecretsV2-UpdateMetadata

Read Secret KV Version 2

The Read Secret task for KV Version 2 requires the Mount_point, Path and Key. Based on the path and key, the task retrieves the secret data, which can be stored in an output variable.

(Screenshot: vault-kv-version2)
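The following is an added example, not code from the plugin, showing what the task's Mount_point, Path and Key fields correspond to in Vault's KV Version 2 HTTP API, with the token and the Enterprise namespace sent as request headers. The server URL, token, mount, path, key and response bodies are constructed placeholders.

```python
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

# Constructed placeholder values; not taken from the plugin or any real server.
VAULT_URL = "https://vault.example.com:8200"
MOUNT_POINT = "secret"
SECRET_PATH = "ci/jenkins"
SECRET_KEY = "jenkpassword"

def kv2_read_request(base_url, token, mount_point, path, namespace=None, version=None):
    """Build the request the task's Mount_point, Path and Key fields map to.

    KV v2 serves secret data at GET /v1/<mount>/data/<path> (optionally ?version=N);
    the token goes in X-Vault-Token and an Enterprise namespace in X-Vault-Namespace.
    """
    url = f"{base_url.rstrip('/')}/v1/{quote(mount_point.strip('/'))}/data/{quote(path.strip('/'))}"
    if version is not None:
        url += f"?version={int(version)}"
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    return Request(url, headers=headers, method="GET")


def extract_kv2_value(response_body, key):
    """Return one key from a KV v2 read response.

    KV v2 nests user data one level deeper than KV v1 (body["data"]["data"]), and a
    soft-deleted version returns that block as null. Errors name keys, never values.
    """
    data = json.loads(response_body).get("data", {}).get("data")
    if data is None:
        raise KeyError("no data.data block: KV v1 mount, or this version is deleted")
    if key not in data:
        raise KeyError(f"key {key!r} not found; available keys: {sorted(data)}")
    return data[key]


def read_secret(base_url, token, mount_point, path, key, namespace=None):
    """End-to-end read against a live server (network call, not exercised offline)."""
    with urlopen(kv2_read_request(base_url, token, mount_point, path, namespace)) as resp:
        return extract_kv2_value(resp.read().decode(), key)

# Constructed samples shaped like real KV v2 read responses: a live version and a deleted one.
SAMPLE_RESPONSE = json.dumps({"data": {"data": {"jenkpassword": "s3cr3t-from-vault", "username": "ci-bot"},
                                       "metadata": {"version": 3, "destroyed": False, "deletion_time": ""}}})
DELETED_RESPONSE = json.dumps({"data": {"data": None, "metadata": {"version": 2, "destroyed": False,
                                                                   "deletion_time": "2024-01-01T00:00:00Z"}}})
```

The same request shape applies to the plugin's other KV Version 2 read tasks; only the path segment after the mount (`data`, `metadata`, `config`) changes.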

Use the Secret as Part of Another Task

In this example, the HashiCorp Vault Get Secret V2 task is followed by a Jenkins Build task. The Jenkins task uses the release variable 'jenkpassword' (previously populated by Vault) as the Jenkins password, overriding the password configured for the Jenkins server.

(Screenshot: VaultGetSecretUseExample)