Tim Beyer tbeyer567

{
"keys": [
{
"kty": "RSA",
"kid": "kewiQq9jiC84CvSsJYOB-N6A8WFLSV20Mb-y7IlWDSQ",
"e": "AQAB",
"n": "5RyvCSgBoOGNE03CMcJ9Bzo1JDvsU8XgddvRuJtdJAIq5zJ8fiUEGCnMfAZI4of36YXBuBalIycqkgxrRkSOENRUCWN45bf8xsQCcQ8zZxozu0St4w5S-aC7N7UTTarPZTp4BZH8ttUm-VnK4aEdMx9L3Izo0hxaJ135undTuA6gQpK-0nVsm6tRVq4akDe3OhC-7b2h6z7GWJX1SD4sAD3iaq4LZa8y1mvBBz6AIM9co8R-vU1_CduxKQc3KxCnqKALbEKXm0mTGsXha9aNv3pLNRNs_J-cCjBpb1EXAe_7qOURTiIHdv8_sdjcFTJ0OTeLWywuSf7mD0Wpx2LKcD6ImENbyq5IBuR1e2ghnh5Y9H33cuQ0FRni8ikq5W3xP3HSMfwlayhIAJN_WnmbhENRU-m2_hDPiD9JYF2CrQneLkE3kcazSdtarPbg9ZDiydHbKWCV-X7HxxIKEr9N7P1V5HKatF4ZUrG60e3eBnRyccPwmT66i9NYyrcy1_ZNN8D1DY8xh9kflUDy4dSYu4R7AEWxNJWQQov525v0MjD5FNAS03rpk4SuW3Mt7IP73m-_BpmIhW3LZsnmfd8xHRjf0M9veyJD0--ETGmh8t3_CXh3I3R9IbcSEntUl_2lCvc_6B-m8W-t2nZr4wvOq9-iaTQXAn1Au6EaOYWvDRE",
"use": "sig",
"alg": "RS256"
},
// Vault secrets injected into the pipeline environment (Jenkins Vault plugin layout).
// One entry per KV path; each secretValues item maps a key in that path to an env var.
def githubSecretValues = [
    [envVar: 'PRIVATE_TOKEN', vaultKey: 'private-token'],
    [envVar: 'PUBLIC_TOKEN',  vaultKey: 'public-token'],
    [envVar: 'API_KEY',       vaultKey: 'api-key'],
]
def secrets = [
    [path: 'secret/jenkins/github', engineVersion: 2, secretValues: githubSecretValues],
]
// Vault connection settings. NOTE(review): vaultUrl is plain http, so the AppRole
// login and the fetched token values cross the network unencrypted; an https
// endpoint is the expected production setting — confirm what the server serves.
def configuration = [vaultUrl: 'http://my-vault.com:8200', vaultCredentialId: 'vault-approle', engineVersion: 2]
pipeline {
agent any
[ca]
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = .
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
# AppRole policy for the "agent" role: the holder can fetch the RoleID and mint
# SecretIDs for that role (the `update` capability on the secret-id endpoint is
# what generates a new SecretID). No other paths are granted here.
path "auth/approle/role/agent/role-id" {
  capabilities = ["read"]
}

path "auth/approle/role/agent/secret-id" {
  capabilities = ["read", "update"]
}
path "kv/data/application/db01" {
capabilities=["read"]
/var/log/vault/audit.json {
rotate 7
daily
compress
delaycompress
missingok
notifempty
extension json
dateext
dateformat %Y-%m-%d.
# Blanket policy: every capability, including "sudo", on every path. This is
# effectively root-level access to the whole Vault namespace and fits a
# break-glass or bootstrap token, not a day-to-day workload identity.
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
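#!/usr/bin/env bash
# Installs the Vault binary staged at /tmp/vault into /usr/bin and sets the
# node identity variables for this host; the script continues past this excerpt.
set -euxo pipefail   # abort on error / unset var / pipe failure; -x echoes each command

# Node identity for this host — presumably consumed by the configuration steps
# that follow; nothing in this excerpt reads them yet.
export VAULT_NODE_ID="GIEGTIVLP18994C"
export VAULT_NODE_IP_ADDR="10.27.84.13"

echo "Installing Vault Enterprise"   # was "Enterpise"
# NOTE(review): the binary is taken from /tmp, a world-writable directory, with no
# checksum or signature check before it lands in /usr/bin via sudo. Comparing
# /tmp/vault against the release's published SHA256SUMS (and their signature) is
# the expected guard; the expected digest is not on this page, so it is left to the caller.
sudo cp /tmp/vault /usr/bin/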
# TCP listener on the IPv6 wildcard (typically also accepts IPv4 on dual-stack
# hosts) at Vault's default API port, serving TLS from the cert/key pair under
# /etc/vault.d/tls. Client certificates are neither requested nor verified, so
# there is no transport-level client authentication on this listener.
listener "tcp" {
  address                            = "[::]:8200"
  tls_cert_file                      = "/etc/vault.d/tls/cert.pem"
  tls_key_file                       = "/etc/vault.d/tls/key.pem"
  tls_require_and_verify_client_cert = false
  tls_disable_client_certs           = true
}
storage "raft" {
[Unit]
# Vault server unit: starts only once the network is up and a non-empty
# configuration file exists at the templated path below.
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
# Jinja-style placeholder — rendered by the deployment tool before systemd reads
# the unit. With this condition the unit is skipped if the file is missing or empty.
ConditionFileNotEmpty={{ vault_config_file }}
# Rate-limit restarts: at most 3 start attempts within 60 s before systemd refuses
# further ones (presumably pairs with a Restart= setting in [Service], outside this excerpt).
StartLimitIntervalSec=60
StartLimitBurst=3
[Service]
/var/log/vault/vault-audit.log {
rotate 30
daily
# Do not execute rotate if the log file is empty.
notifempty
missingok
compress
# Defer compression to the next rotation cycle so entries written during compression are not lost.
delaycompress
postrotate