save vault secret to file

[danielraq]

Hello,

configuration-as-code:1.44
hashicorp-vault:3.6.1

I've a 'special' case. Gerrit plugins looks for a ssh key in a file system. Is there a way to extract it from the vault and save to file when jenkins starts in jcasc mode?

[jetersen]

Can you link to gerrit plugin cause there many.

Gerrit plugins should be using credentials plugin? Than yes JCasC can create a credential ssh key.

[danielraq]

https://plugins.jenkins.io/gerrit-trigger/

at the moment i don't see an option to use credentials plugin with gerrit trigger :(

[jetersen]

Sounds like a lack on their part not JCasC or this plugin.

[danielraq]

Agree in 100%. I'm looking for a work around for this problem.

[jetersen]

This is the file your talking about: https://github.com/jenkinsci/gerrit-trigger-plugin/blob/fc6dd658d3affe9aa8ebfeb224116adf24804523/src/main/java/com/sonyericsson/hudson/plugins/gerrit/trigger/config/Config.java#L558-L561

You could use JCasC, Vault and https://github.com/jenkinsci/configuration-as-code-groovy-plugin to write the file to file systems.

[jetersen]

Ah your missing: jenkinsci/configuration-as-code-groovy-plugin#3 😓

[danielraq]

i know about that plugin ;) just wanted to know if there is something more sophisticated. unfortunately i've ended with groovy initial script:

import jenkins.*
import jenkins.model.* 
import hudson.*
import hudson.model.*
import  java.lang.System;

key_path=System.getenv("JENKINS_HOME" + "./ssh")
new File(key_path).mkdir() 
File file = new File(key_path+ '/id_rsa')


def jenkinsCredentials = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
        com.cloudbees.plugins.credentials.Credentials.class,
        Jenkins.instance,
        null,
        null
);


for (creds in jenkinsCredentials) {
  if(creds.id == System.getenv('GERRIT_USER')+"-ssh_key"){
    key = creds.privateKey
    }
}

file.write(key)

[jetersen]

Ah yes, you can just use groovy to extract the credential, good point 👍