vaultRotateSecretId
Rotate Vault AppRole Secret ID
Description
This step takes the given Vault AppRole secret ID and checks whether it needs to be renewed. If so, it rotates the secret ID and updates it in the configured secret store (Jenkins, Azure DevOps or GitHub).
Usage
We recommend defining the values of step parameters in the .pipeline/config.yml file. In that case, calling the step is essentially reduced to naming the step.
The step can be called either in an orchestrator-specific way (e.g. via a Jenkins library step) or on the command line.

Jenkins pipeline:

```groovy
library('piper-lib-os')
vaultRotateSecretId script: this
```

Command line:

```sh
piper vaultRotateSecretId
```
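As an added example (not taken from the Piper project's own documentation), the following .pipeline/config.yml configures this step to write the rotated secret ID back to a GitHub Actions secret. The `general` and `steps` sections follow the usual Piper configuration layout; the Vault URL, namespace, owner, repository and credential ID values are constructed placeholders. Parameters marked Secret in the tables below (githubToken, jenkinsToken, adoPersonalAccessToken, ...) are resolved from the listed Vault resources or from orchestrator credentials at runtime and are deliberately not written into this file.

```yaml
# .pipeline/config.yml (added example; all values are constructed placeholders)
general:
  # Mandatory: the Vault server the step talks to
  vaultServerUrl: https://vault.example.com
  # Optional: only needed when the AppRole lives in a Vault namespace
  vaultNamespace: my-namespace
  # Pipeline repository; used by the step when secretStore=github
  githubApiUrl: https://api.github.com
  owner: my-org
  repository: my-pipeline-repo

steps:
  vaultRotateSecretId:
    # Jenkins credential ID / Azure DevOps variable name / GitHub Actions
    # secret name that holds the current AppRole secret ID
    vaultAppRoleSecretTokenCredentialsId: vault-approle-secret-id
    # Rotate once fewer than 30 days remain before expiry (step default: 15)
    daysBeforeExpiry: 30
    # Target store for the new secret ID: jenkins (default), ado or github
    secretStore: github
    # githubToken is a secret and is intentionally absent here: the step reads
    # it from the Vault resource named by githubVaultSecretName (default: github)
```

Switching `secretStore` to `jenkins` or `ado` instead requires the corresponding `jenkinsUrl`/`jenkinsUsername`/`jenkinsToken` or `adoOrganization`/`adoProject`/`adoPipelineId`/`adoPersonalAccessToken` parameters, with the token values again supplied through their Vault resources rather than this file.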
Prerequisites
Parameters
Overview - Step
| Name | Mandatory | Additional information |
|---|---|---|
| githubToken | (yes) | mandatory in case of: secretStore=github |
| script | (yes) | |
| vaultAppRoleSecretTokenCredentialsId | yes | |
| vaultServerUrl | yes | |
| adoOrganization | no | |
| adoPersonalAccessToken | no | |
| adoPipelineId | no | |
| adoProject | no | |
| daysBeforeExpiry | no | |
| githubApiUrl | no | |
| jenkinsCredentialDomain | no | |
| jenkinsToken | no | |
| jenkinsUrl | no | |
| jenkinsUsername | no | |
| owner | no | |
| repository | no | |
| secretStore | no | |
| vaultNamespace | no | |
| verbose | no | activates debug output |
Overview - Execution Environment
Orchestrator-specific only
These parameters are relevant for orchestrator usage and are not considered when using the command line option.
| Name | Mandatory | Additional information |
|---|---|---|
Details
adoOrganization
The Azure DevOps organization name
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_adoOrganization (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |
adoPersonalAccessToken
The Azure DevOps personal access token
| Scope | Details |
|---|---|
| Aliases | token |
| Type | string |
| Mandatory | no |
| Default | $PIPER_adoPersonalAccessToken (if set) |
| Secret | yes |
| Configuration scope | |
| Resource references | Vault resource: name: azureDevOpsVaultSecretName, default value: azure-dev-ops, Vault paths: |
adoPipelineId
The Azure DevOps pipeline ID, also called the definition ID
| Scope | Details |
|---|---|
| Aliases | - |
| Type | int |
| Mandatory | no |
| Default | 0 |
| Secret | no |
| Configuration scope | |
| Resource references | none |
adoProject
The Azure DevOps project ID; the project name can also be used
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_adoProject (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |
daysBeforeExpiry
The number of days before expiry at which the secret ID gets rotated
| Scope | Details |
|---|---|
| Aliases | - |
| Type | int |
| Mandatory | no |
| Default | 15 |
| Secret | no |
| Configuration scope | |
| Resource references | none |
githubApiUrl
Set the GitHub API URL that corresponds to the pipeline repository
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | https://api.github.com |
| Secret | no |
| Configuration scope | |
| Resource references | none |
githubToken
GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line with the scope 'repo'
| Scope | Details |
|---|---|
| Aliases | access_token, token |
| Type | string |
| Mandatory | mandatory in case of: secretStore=github |
| Default | $PIPER_githubToken (if set) |
| Secret | yes |
| Configuration scope | |
| Resource references | Vault resource: name: githubVaultSecretName, default value: github, Vault paths: |
jenkinsCredentialDomain
The Jenkins credential domain that should be used
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | _ |
| Secret | no |
| Configuration scope | |
| Resource references | none |
jenkinsToken
The Jenkins token
| Scope | Details |
|---|---|
| Aliases | token |
| Type | string |
| Mandatory | no |
| Default | $PIPER_jenkinsToken (if set) |
| Secret | yes |
| Configuration scope | |
| Resource references | Vault resource: name: jenkinsVaultSecretName, default value: jenkins, Vault paths: |
jenkinsUrl
The Jenkins URL
| Scope | Details |
|---|---|
| Aliases | url |
| Type | string |
| Mandatory | no |
| Default | $PIPER_jenkinsUrl (if set) |
| Secret | yes |
| Configuration scope | |
| Resource references | Vault resource: name: jenkinsVaultSecretName, default value: jenkins, Vault paths: |
jenkinsUsername
The Jenkins username
| Scope | Details |
|---|---|
| Aliases | userId |
| Type | string |
| Mandatory | no |
| Default | $PIPER_jenkinsUsername (if set) |
| Secret | yes |
| Configuration scope | |
| Resource references | Vault resource: name: jenkinsVaultSecretName, default value: jenkins, Vault paths: |
owner
Owner of the pipeline GitHub repository
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_owner (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | commonPipelineEnvironment: reference to: github/owner |
repository
Name of the pipeline GitHub repository
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_repository (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | commonPipelineEnvironment: reference to: github/repository |
script
The common script environment of the running Jenkinsfile. Typically the reference to the script calling the pipeline step is provided with the `this` parameter, as in `script: this`. This allows the function to access the commonPipelineEnvironment for retrieving, e.g., configuration parameters.
| Scope | Details |
|---|---|
| Aliases | - |
| Type | Jenkins Script |
| Mandatory | yes |
| Default | |
| Secret | no |
| Configuration scope | |
| Resource references | none |
secretStore
The store to which the rotated secret ID should be written back
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | jenkins |
| Possible values | jenkins, ado, github |
| Secret | no |
| Configuration scope | |
| Resource references | none |
vaultAppRoleSecretTokenCredentialsId
The Jenkins credential ID, Azure DevOps variable name, or GitHub Actions secret name for the Vault AppRole Secret ID credential
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | yes |
| Default | $PIPER_vaultAppRoleSecretTokenCredentialsId (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |
vaultNamespace
The Vault namespace that should be used (optional)
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | no |
| Default | $PIPER_vaultNamespace (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |
vaultServerUrl
The URL of the Vault server to use
| Scope | Details |
|---|---|
| Aliases | - |
| Type | string |
| Mandatory | yes |
| Default | $PIPER_vaultServerUrl (if set) |
| Secret | no |
| Configuration scope | |
| Resource references | none |
verbose
Verbose output
| Scope | Details |
|---|---|
| Aliases | - |
| Type | bool |
| Mandatory | no |
| Default | false |
| Possible values | true, false |
| Secret | no |
| Configuration scope | |
| Resource references | none |
Exceptions
none