Getting Jenkins git repo credentials from Vault

Time:06-16

I would like to avoid storing any credentials in Jenkins and rely solely on HashiCorp Vault for storing and managing credentials.
It is pretty trivial to get it working once the pipeline is working, but I can't find any examples or guidance on how I can do the initial git clone from a private repo in a Jenkinsfile without storing a PAT token in Jenkins secrets.
I would like to call Vault first, get the PAT token from there, and then clone the repo with the Jenkinsfile.
Could anyone give me a hint please?

CodePudding user response:

For checking out your project files from the SCM

You will need to store at least the approle/secret to access Vault within the Jenkins credentials store. However, once you have done that, you should be able to use the Vault plugin to access any information you need, and have it saved to an environment variable. From there, you can use that environment variable as needed.

See here for an example of how to use the Vault plugin inside your Jenkinsfile

For checking out your Jenkinsfile (original checkout/clone)

Note: The following depends on using SSH to access your SCM. I have confirmed this method works with Git/SSH.

You could add your SSH key to the Jenkins built-in node (formerly master) user's home directory, as well as the home directories of users for any build nodes you use. You would also need to add the correct configuration options to your SSH config file (.ssh/config) so SSH uses that key to access your SCM server.

Host myscm.mycompany.com
  User scmuser
  IdentityFile ~/.ssh/scm_id_rsa
  PreferredAuthentications publickey
  RequestTTY no

Once you have the above set, you can just specify your SCM URL within Jenkins, and it will use the defaults from your SSH folder.

If you are not using SSH, please post back with your SCM as well as access method (http? rsync?).
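
The Vault-plugin approach from the answer above, written out as an added example (not code from the original post or from the plugin's documentation): a declarative Jenkinsfile that reads a PAT from Vault with the HashiCorp Vault plugin's `withVault` step and clones over HTTPS through a temporary `GIT_ASKPASS` helper, so the token never appears in the clone URL or in `.git/config`. The Vault URL, the Jenkins credential ID `vault-approle`, the secret path and key, the user name `ci-bot` and the repository URL are all assumed names.

```groovy
// Added example. Every URL, ID, path and user name below is an assumption.
pipeline {
    agent any
    options {
        // No implicit "checkout scm" that would need a Git credential stored in Jenkins.
        skipDefaultCheckout(true)
    }
    stages {
        stage('Clone with PAT from Vault') {
            steps {
                withVault(
                    configuration: [
                        vaultUrl: 'https://vault.example.com:8200',
                        // The only secret kept in Jenkins: the AppRole used to log in to Vault.
                        vaultCredentialId: 'vault-approle',
                        engineVersion: 2
                    ],
                    vaultSecrets: [[
                        path: 'secret/ci/git',          // assumed KV v2 path
                        engineVersion: 2,
                        secretValues: [[envVar: 'GIT_PAT', vaultKey: 'pat']]
                    ]]
                ) {
                    // Single-quoted Groovy string: the shell expands $GIT_PAT,
                    // Groovy never interpolates the secret into the script text.
                    sh '''
                        set -eu
                        askpass="$(mktemp)"
                        trap 'rm -f "$askpass"' EXIT
                        # git runs this helper once for the user name and once for the password.
                        cat > "$askpass" <<'EOF'
#!/bin/sh
case "$1" in
  Username*) echo "ci-bot" ;;
  *)         echo "$GIT_PAT" ;;
esac
EOF
                        chmod 700 "$askpass"
                        export GIT_ASKPASS="$askpass" GIT_TERMINAL_PROMPT=0
                        git clone https://git.example.com/org/private-repo.git src
                    '''
                }
            }
        }
    }
}
```

This covers fetching the project sources from inside a pipeline that is already running; when the Jenkinsfile itself lives in the private repository, Jenkins still has to retrieve it first, which is the case the SSH part of the answer addresses.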
