I am deploying Helm charts through Jenkins. We store all our credentials in Vault. When we were running the helm command manually, we were first running this command to pull our values from Vault and store them in a YAML file on our local machine:

```
dockcmd vault get-secrets --vault-addr https://vault --set TargetEnv=prod --input-file secret-values.yaml
```

The command comes from: https://github.com/boxboat/dockcmd

For obvious reasons, this is not secure. When I do this in Jenkins, it stores the file in the workspace. What would be the best way to pull values from Vault and deploy them in a Helm chart? I am looking at using a different command that doesn't generate the file but injects the values into Kubernetes.

Oplop98
  • The best way to do this would be to use the Jenkins Credentials binding plugin for Vault, retrieve the values inside an environment directive in Jenkins Pipeline, and then assign the values to environment variables and pass them as Helm chart values. There would then be no secret leaks. – Matthew Schuchard Aug 16 '21 at 20:35
  • In addition to Matt's comment [see how to use Credentials Binding Plugin/`withCredentials` there](https://stackoverflow.com/a/68765193/1744774). – Gerold Broser Aug 16 '21 at 21:29
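
One way to implement what the comments above describe, as an added example that is not from the question or the commenters: it uses the HashiCorp Vault plugin's `withVault` step rather than an `environment` directive, and streams the values to Helm on stdin so no file lands in the workspace. The credential ID, KV path, key names, value names, release name, chart path and the presence of `jq` on the agent are assumptions.

```groovy
// Added example. Everything marked "hypothetical" is an assumption, not from the page.
pipeline {
    agent any
    stages {
        stage('Deploy') {
            steps {
                withVault(
                    configuration: [
                        vaultUrl: 'https://vault',            // address used in the question
                        vaultCredentialId: 'vault-approle',   // hypothetical Jenkins credential ID
                        engineVersion: 2
                    ],
                    vaultSecrets: [[
                        path: 'secret/prod/myapp',            // hypothetical KV v2 path
                        engineVersion: 2,
                        secretValues: [
                            // hypothetical Vault keys mapped to environment variables
                            [envVar: 'DB_PASSWORD', vaultKey: 'db_password'],
                            [envVar: 'API_TOKEN',   vaultKey: 'api_token']
                        ]
                    ]]
                ) {
                    // Single-quoted Groovy string: the shell expands the variables,
                    // so Groovy never interpolates the secrets into the step text.
                    sh '''
                        set -eu
                        # Fail early if Vault did not supply a value.
                        : "${DB_PASSWORD:?missing}" "${API_TOKEN:?missing}"
                        # jq reads the secrets from its environment (not from argv)
                        # and emits JSON, which Helm accepts as a values document.
                        # "-f -" makes Helm read that document from stdin.
                        jq -n '{db: {password: env.DB_PASSWORD}, api: {token: env.API_TOKEN}}' |
                          helm upgrade --install myapp ./chart --namespace prod -f -
                    '''
                }
            }
        }
    }
}
```

Values passed this way are still recorded in the Helm release data inside the cluster, so the chart should render them into Kubernetes Secret objects and access to the release namespace should be restricted accordingly.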

0 Answers