#23 Add support for Azure Key Vault

Signed-off-by: Matthew DeVenny <matt@boxboat.com>

Author: matthewdevenny

resources/com/boxboat/jenkins/config.example.yaml

@@ -3,6 +3,12 @@ awsProfileMap:
     region: us-east-1
     accessKeyIdCredential: aws-access-key-id
     secretAccessKeyCredential: aws-secret-access-key
+azureProfileMap:
+  default:
+    keyVaultName: your-keyvault-name
+    tenantIdCredential: azure-tenant-id
+    clientIdCredential: azure-client-id
+    clientSecretKeyCredential: azure-client-secret-key
 deployTargetMap:
   dev01: !!com.boxboat.jenkins.library.deployTarget.KubernetesDeployTarget
     contextName: boxboat
@@ -61,6 +67,7 @@ vaultMap:
     secretIdCredential: vault-secret-id
     tokenCredential: vault-token
     url: http://localhost:8200
+
 repo:
   common:
     defaultBranch: master

src/com/boxboat/jenkins/library/azure/AzureProfile.groovy

@@ -0,0 +1,31 @@
+package com.boxboat.jenkins.library.azure
+
+import com.boxboat.jenkins.library.config.BaseConfig
+import com.boxboat.jenkins.library.config.Config
+
+class AzureProfile  extends BaseConfig<AzureProfile> implements Serializable{
+
+    String keyVaultName
+
+    String tenantIdCredential
+
+    String clientIdCredential
+
+    String clientSecretKeyCredential
+
+    def withCredentials(Closure closure) {
+        List<Object> credentials = []
+        if (tenantIdCredential) {
+            credentials.add(Config.pipeline.string(credentialsId: tenantIdCredential, variable: 'AZURE_TENANT_ID',))
+        }
+        if (clientIdCredential) {
+            credentials.add(Config.pipeline.string(credentialsId: clientIdCredential, variable: 'AZURE_CLIENT_ID',))
+        }
+        if (clientSecretKeyCredential) {
+            credentials.add(Config.pipeline.string(credentialsId: clientSecretKeyCredential, variable: 'AZURE_CLIENT_SECRET',))
+        }
+        Config.pipeline.withCredentials(credentials) {
+            closure()
+        }
+    }
+}

src/com/boxboat/jenkins/library/config/GlobalConfig.groovy

@@ -1,6 +1,7 @@
 package com.boxboat.jenkins.library.config
 
 import com.boxboat.jenkins.library.aws.AwsProfile
+import com.boxboat.jenkins.library.azure.AzureProfile
 import com.boxboat.jenkins.library.deployTarget.IDeployTarget
 import com.boxboat.jenkins.library.docker.Registry
 import com.boxboat.jenkins.library.environment.Environment
@@ -37,6 +38,17 @@ class GlobalConfig extends BaseConfig<GlobalConfig> implements Serializable {
         return awsProfile
     }
 
+    AzureProfile getAzureProfile(String key) {
+        def azureProfile = azureProfileMap.get(key)
+        if (!azureProfile) {
+            throw new Exception("azureProfile entry '${key}' does not exist in config file")
+        }
+        return azureProfile
+
+    }
+
+    Map<String, AzureProfile> azureProfileMap
+
     IDeployTarget getDeployTarget(String key) {
         def deployTarget = deployTargetMap.get(key)
         if (!deployTarget) {
@@ -75,6 +87,4 @@ class GlobalConfig extends BaseConfig<GlobalConfig> implements Serializable {
             throw new Exception("vaultKey entry '${key}' does not exist in config file")
         }
         return vault
-    }
-
-}
+    }

src/com/boxboat/jenkins/pipeline/common/dockcmd/DockcmdGetSecrets.groovy

@@ -1,5 +1,6 @@
 package com.boxboat.jenkins.pipeline.common.dockcmd
 
+import com.boxboat.jenkins.library.azure.AzureProfile
 import com.boxboat.jenkins.library.config.Config
 import com.boxboat.jenkins.library.aws.AwsProfile
 import com.boxboat.jenkins.library.vault.Vault
@@ -10,6 +11,8 @@ class DockcmdGetSecrets implements Serializable {
 
     public String vaultKey
 
+    public String azureProfileKey
+
     public String directory = "."
 
     public String[] files = []
@@ -37,6 +40,27 @@ class DockcmdGetSecrets implements Serializable {
 
     }
 
+    public parseAzureSecrets(Map<String, Object> additionalOptions = [:]) {
+        if (!azureProfileKey) {
+            Config.pipeline.error "'azureProfileKey' is required"
+        }
+        AzureProfile azure = Config.global.getAzureProfile(azureProfileKey)
+        azure.withCredentials {
+            Config.pipeline.sh parseAzureSecretsScript(azure.keyVaultName, additionalOptions)
+        }
+    }
+
+    public parseAzureSecretsScript(String keyVaultName, Map<String, Object> additionalOptions = [:]) {
+        def combinedOptions = combineOptions(options, additionalOptions)
+        return """
+            dockcmd_current_dir=\$(pwd)
+            cd "${directory}"
+            dockcmd azure get-secrets --key-vault "${keyVaultName}" ${optionsString(combinedOptions)} ${files.join('" "')}
+            cd "\$dockcmd_current_dir"
+        """
+
+    }
+
     public parseVaultSecrets(Map<String, Object> additionalOptions = [:]) {
         if (!vaultKey) {
             Config.pipeline.error "'vaultKey' is required"

test-resources/com/boxboat/jenkins/test/library/config/globalConfig/test.yaml

@@ -3,6 +3,12 @@ awsProfileMap:
     region: us-east-1
     accessKeyIdCredential: aws-access-key-id
     secretAccessKeyCredential: aws-secret-access-key
+azureProfileMap:
+  default:
+    keyVaultName: vault-name
+    tenantIdCredential: azure-tenant-id
+    clientIdCredential: azure-client-id
+    clientSecretKeyCredential: azure-client-secret-key
 deployTargetMap:
   dev01: !!com.boxboat.jenkins.library.deployTarget.KubernetesDeployTarget
     contextName: boxboat

test-resources/com/boxboat/jenkins/test/pipeline/deployment.jenkins

@@ -61,6 +61,23 @@ def execute() {
 
                 dockcmdAws.parseAwsSecrets()
 
+                def dockcmdAzure = new DockcmdGetSecrets(
+                    azureProfileKey: "default",
+                    files: [
+                        "secret-values-*.yaml",
+                    ],
+                    options: [
+                        "edit-in-place": true,
+                        "set": [
+                            "Deployment=dev",
+                            "Foo=bar",
+                        ]
+                    ],
+                )
+
+                dockcmdAzure.parseAzureSecrets()
+
+
                 deploy.withCredentials() {
                     sh "helm upgrade --install test ."
                 }

test/com/boxboat/jenkins/test/library/config/GlobalConfigTest.groovy

@@ -1,6 +1,12 @@
 package com.boxboat.jenkins.test.library.config
 
 import com.boxboat.jenkins.library.aws.AwsProfile
+<<<<<<< HEAD
+=======
+import com.boxboat.jenkins.library.azure.AzureProfile
+import com.boxboat.jenkins.library.notify.SlackJenkinsAppNotifyTarget
+import com.boxboat.jenkins.library.vault.Vault
+>>>>>>> #23 Add support for Azure Key Vault
 import com.boxboat.jenkins.library.config.CommonConfig
 import com.boxboat.jenkins.library.config.DeployConfig
 import com.boxboat.jenkins.library.config.GlobalConfig
@@ -68,6 +74,14 @@ class GlobalConfigTest {
                                                 secretAccessKeyCredential: "aws-secret-access-key",
                                         ),
                                 ],
+                                azureProfileMap: [
+                                        "default": new AzureProfile(
+                                                keyVaultName: "vault-name",
+                                                tenantIdCredential: "tenant-id",
+                                                clientIdCredential: "azure-client-id",
+                                                clientSecretKeyCredential: "azure-client-secret-key",
+                                        ),
+                                ],
                                 deployTargetMap: [
                                         "dev01" : new KubernetesDeployTarget(
                                                 contextName: "boxboat",