square/keywhiz

Create Jenkins plugin for keywhiz - feedback

452 opened this issue · 1 comments

452 commented

I am now at a crossroads between choosing Keywhiz and vaultproject.

vaultproject has a Jenkins plugin: https://wiki.jenkins-ci.org/display/JENKINS/HashiCorp+Vault+Plugin

but I love Java =), and am thinking about choosing Keywhiz, but hesitate over which to choose.

Please provide a Jenkins plugin for Jenkins Pipeline (https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Plugin) and the Jenkins UI.

We have the following infrastructure: AWS EC2, ECR, ECS, RDS, (Docker) (JBoss Fuse, Tomcat) (dev, qa, staging, prod).

It would be better to see some examples of how to integrate Jenkins, AWS and Docker with Keywhiz.
Docker can read credentials at the run-container step: https://github.com/452/docker/blob/master/java-swing/run.sh#L2

```bash
#!/bin/bash
# Configuration comes from environment variables, each with a fallback default.
APPLICATION=${APPLICATION:-ZONE51}
TIMEOUT=${TIMEOUT:-25000}
BACKEND_AUTH_ENDPOINT=${BACKEND_AUTH_ENDPOINT:-https://my.com/am-auth}
BACKEND_ENDPOINT=${BACKEND_ENDPOINT:-https://my.com/hello}
JMS_BROKER_URL=${JMS_BROKER_URL:-tcp://my.com:61616}
JMS_BROKER_USER=${JMS_BROKER_USER:-myprod}
JMS_BROKER_PASSWORD=${JMS_BROKER_PASSWORD:-999}
GOOGLE_ANALYTICS_ACCOUNT=${GOOGLE_ANALYTICS_ACCOUNT:-UA-999}

# Render the Tomcat properties file from those variables (path quoted so a
# CATALINA_BASE containing spaces does not break the redirect).
cat << EOF > "$CATALINA_BASE/conf/zone51.properties"
rest.client.application = $APPLICATION
rest.client.timeout = $TIMEOUT
backend.auth.endpoint = $BACKEND_AUTH_ENDPOINT
backend.endpoint = $BACKEND_ENDPOINT
jms.broker.url = $JMS_BROKER_URL
jms.broker.user = $JMS_BROKER_USER
jms.broker.password = $JMS_BROKER_PASSWORD
google.analytics.account = $GOOGLE_ANALYTICS_ACCOUNT
EOF

# Hand over to the container's real entrypoint.
exec /usr/local/bin/run
```

And also, if you can, please provide some info in the documentation about how to integrate or use it with centralized configuration management / Consul / etcd:
https://github.com/cfg4j/cfg4j
http://cloud.spring.io/spring-cloud-config/spring-cloud-config.html

Also need support for infrastructure as code (IaC):
https://github.com/jhaals/ansible-vault
https://www.terraform.io/docs/providers/index.html

This message is just feedback, to improve Keywhiz towards being production ready.
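As an added example (not from this issue or the Keywhiz project) of the run-container step discussed above: the same zone51.properties is rendered, but secrets are read from one-file-per-secret in a secrets directory (the mount point `/secrets` and the per-secret file layout are assumptions, modelled on how a file-delivery agent would present them), falling back to the environment and never to a hard-coded default, and the properties file is created mode 0600.

```bash
#!/bin/bash
set -eu

SECRETS_DIR="${SECRETS_DIR:-/secrets}"   # assumed mount point of delivered secrets

# secret_value NAME: the file $SECRETS_DIR/NAME wins, then the env var NAME;
# a missing secret is an error rather than a baked-in default like "999".
secret_value() {
  name="$1"
  file="$SECRETS_DIR/$name"
  if [ -r "$file" ]; then
    # $(cat ...) drops the trailing newline so it does not land in the properties
    printf '%s' "$(cat "$file")"
    return 0
  fi
  val="$(printenv "$name" || true)"
  if [ -n "$val" ]; then
    printf '%s' "$val"
    return 0
  fi
  echo "missing required secret: $name" >&2
  return 1
}

# write_properties OUTFILE: non-secret settings keep their defaults, secrets do not.
write_properties() {
  out="$1"
  jms_user="$(secret_value JMS_BROKER_USER)" || return 1
  jms_pass="$(secret_value JMS_BROKER_PASSWORD)" || return 1
  old_umask="$(umask)"
  umask 077                                # new file is created 0600
  cat <<EOF > "$out"
rest.client.application = ${APPLICATION:-ZONE51}
rest.client.timeout = ${TIMEOUT:-25000}
backend.auth.endpoint = ${BACKEND_AUTH_ENDPOINT:-https://my.com/am-auth}
backend.endpoint = ${BACKEND_ENDPOINT:-https://my.com/hello}
jms.broker.url = ${JMS_BROKER_URL:-tcp://my.com:61616}
jms.broker.user = $jms_user
jms.broker.password = $jms_pass
EOF
  umask "$old_umask"
}
```

Call it as `write_properties "$CATALINA_BASE/conf/zone51.properties"` before the `exec` of the real entrypoint; the script aborts instead of starting the container when a secret is absent.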

While that seems useful, it's unlikely that I or anyone on my team is going to have the time or expertise to write a Jenkins plugin, as we don't use Jenkins much.

I'll keep this issue open for now, and look into what this entails at some point.