Skip to main content
Version: 0.25

Vault

Description​

This plugin enables the ability pull secrets from Vault into the secret mount within a Vela pipeline.

Source Code: https://github.com/go-vela/secret-vault

Registry: https://hub.docker.com/r/target/secret-vault

Usage​

Sample of retrieving a secret using token authentication:

secrets:
- origin:
name: vault
image: target/vela/secret-vault:latest
parameters:
addr: vault.company.com
token: superSecretVaultToken
auth_method: token
items:
# Written to path: "/vela/secrets/docker/<key>"
- source: secret/vela/username
path: docker

Sample of retrieving a secret using ldap authentication:

secrets:
- origin:
name: vault
image: target/vela/secret-vault:latest
parameters:
addr: vault.company.com
+ username: octocat
+ password: superSecretPassword
- token: superSecretVaultToken
+ auth_method: ldap
items:
# Written to path: "/vela/secrets/docker/<key>"
- source: secret/vela/username
path: docker

Sample of reading a secret using ldap authentication with verbose logging:

secrets:
- origin:
name: vault
image: target/vela/secret-vault:latest
parameters:
addr: vault.company.com
username: octocat
password: superSecretPassword
token: superSecretVaultToken
auth_method: ldap
+ log_level: trace
items:
# Written to path: "/vela/secrets/docker/<key>"
- source: secret/vela/username
path: docker

Sample of retrieving a secret and writing it to multiple paths with a new key:

secrets:
- origin:
name: vault
image: target/vela/secret-vault:latest
secrets:
- source: superSecretToken
target: vault_token
parameters:
addr: vault.company.com
auth_method: token
items:
# assume user_A has two keys: `id` and `token`, but we want it to be `username` and `password`
#
# this will write to `/vela/secrets/kaniko/username` and `/vela/secrets/kaniko/password`
# and also `/vela/secrets/artifactory/username` and `/vela/secrets/artifactory/password`
- source: secret/vela/user_A
path: [ kaniko, artifactory ]
keys:
id: username
token: password

Secrets​

NOTE: Users should refrain from configuring sensitive information in your pipeline in plain text.

NOTE: Secrets used within the secret plugin must exist as Vela secrets.

You can use Vela secrets to substitute sensitive values at runtime:

secrets:
# Repo secret created within Vela
- name: vault_token

# Example using token authentication method
- origin:
name: vault
image: target/vela/secret-vault:latest
secret: [ vault_token ]
parameters:
addr: vault.company.com
- token: superSecretVaultToken
auth_method: token
items:
# Written to path: "/vela/secrets/docker/<key>"
- source: secret/vela/username
path: docker

Parameters​

The following parameters are used to configure the image:

NameDescriptionRequiredDefault
addraddress to the instancetrueN/A
auth_methodauthentication method for interfacing (i.e. token, ldap)trueN/A
log_levelset the log level for the plugintrueinfo
passwordpassword for server authentication with ldapfalseN/A
tokentoken for server authenticationfalseN/A
usernameset the log level for the pluginfalseN/A
itemsset of secrets to retrieve and write to workspacetrueN/A

Items​

NameDescriptionRequiredDefault
sourcepath to secrettrueN/A
pathdesired file path under vela/secrets/ directorytrueN/A
keysoverride Vault keys (map type)falsevault key