...

  • The Secret Manager encrypts a secret using the target Agent's Certificate and stores the encrypted result in a Job Resource variable. Encrypting with the certificate's public key means the value can be decrypted only with the private key that belongs to that certificate, which the Agent holds.
  • The Job Resource variable is assigned an environment variable that is made available to jobs using the Job Resource.
  • Examples:

    • For details see JS7 - How to update a Job Resource using Unix Shell.

      Example for Encryption using Unix Shell:
      ./js7_set_job_resource.sh \
          --url=http://joc-2-0-primary:7446 \
          --controller-id=controller \
          --user=root \
          --password=root \
          --job-resource=/ProductDemo/Variables/pdDatabaseSecret \
          --key=databasePassword \
          --value='12345678' \
          --env-var='DATABASE_PASSWORD' \
          --encrypt-cert=foobar.crt
    • For details see JS7 - How to update a Job Resource using PowerShell.

      Example for Encryption using PowerShell:
      Set-JS7JobResource `
          -Path /ProductDemo/Variables/pdDatabaseSecret `
          -Key 'databasePassword' `
          -Value '12345678' `
          -EnvVar 'DATABASE_PASSWORD' `
          -EncryptCertificatePath foobar.crt `
          -JavaLib /js7/js7.encryption/lib
    • Example of how to use the Bitwarden® CLI to retrieve a password and to store it encrypted in a Job Resource:

      Example for Encryption using Bitwarden CLI and Unix Shell:
      Get_Secret()
      {
          item="$1"

          # Log in with an API key (bw reads BW_CLIENTID and BW_CLIENTSECRET from the environment)
          # unless a login was recorded before; the lock file only records that a login took place.
          if [ ! -f "$HOME/.bw.session.lock" ]
          then
              bw login --apikey >/dev/null && touch "$HOME/.bw.session.lock"
          fi

          # --passwordenv expects the NAME of the variable holding the master password, not its value;
          # --raw makes bw print the session key only. bw reads the session from BW_SESSION, so export it.
          BW_SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw)"
          export BW_SESSION

          response_json=$(bw list items --search "${item}")
          item_count=$(printf "%s" "${response_json}" | jq ". | length")

          if [ "${item_count}" -eq 1 ]
          then
              printf "%s" "${response_json}" | jq -r ".[].login.password // empty"
          else
              if [ "${item_count}" -eq 0 ]
              then
                  >&2 echo "no matching item found in vault for: ${item}"
              else
                  >&2 echo "more than one matching item found in vault for: ${item}"
              fi
              return 1
          fi
      }

      # Abort before contacting JOC Cockpit if no single secret was found; otherwise an empty value
      # would be encrypted and stored as the database password.
      DATABASE_SECRET="$(Get_Secret "database-login")" || exit 1
      [ -n "${DATABASE_SECRET}" ] || { >&2 echo "empty secret for: database-login"; exit 1; }

      ./js7_set_job_resource.sh \
          --url=https://joc-2-0-primary:7443 \
          --controller-id=controller \
          --user=root \
          --password=root \
          --job-resource=/ProductDemo/Variables/pdDatabaseSecret \
          --key=databasePassword \
          --value="${DATABASE_SECRET}" \
          --env-var='DATABASE_PASSWORD' \
          --encrypt-cert=foobar.crt


      Explanation:

      • The script requires the jq utility to be available from the operating system.
        jq ships with the MIT license, see https://opensource.org/licenses/MIT.
      • Login to JOC Cockpit can be performed using username/password or using a Client Authentication Certificate, see JS7 - Certificate Identity Service. A password given with --password on the command line is visible to other users of the host in the process list; the certificate-based login avoids this.
      • The section that logs in to and unlocks the vault (bw login, bw unlock): there are a number of ways to log in and to unlock the vault using the Bitwarden CLI, e.g. with an API key, with an e-mail address and master password, or with a session key stored by a previous unlock. Users should adjust this section.
      • The jq filter that selects .login.password: the JSON returned by the Bitwarden CLI depends on the type of item (1 = login, 2 = secure note etc.) and will require adjustments to select the desired property.
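      The following is an added example, not JS7's own code and not its storage format, that shows what "encrypt a secret using the Agent's Certificate" amounts to: the secret is encrypted under a one-time symmetric key, and that key is wrapped with the RSA public key taken from the certificate, so that only the holder of the matching private key can recover the value. It assumes openssl is installed; a throw-away key pair and self-signed certificate are generated in place of the Agent's certificate, and the enc:<wrapped key>:<ciphertext> layout is an assumption made for the demonstration only.

```bash
#!/bin/sh
# Added illustration of certificate-based (envelope) encryption; not JS7's code or on-disk format.
# Assumes openssl is available. A self-signed certificate stands in for the Agent's certificate.
set -eu

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT

# Constructed test material: key pair and self-signed certificate replacing the Agent's certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/agent.key" -out "$work/agent.crt" \
    -subj "/CN=agent-test" -days 1 >/dev/null 2>&1

# encrypt_with_cert CERT SECRET: prints "enc:<base64 wrapped DEK>:<base64 ciphertext>" (assumed layout).
encrypt_with_cert() {
    cert="$1"; secret="$2"
    # One-time data-encryption key (DEK): RSA cannot encrypt arbitrary-length secrets directly.
    dek="$(openssl rand -hex 32)"
    # Wrap the DEK with the RSA public key read from the certificate (-certin), OAEP padding.
    wrapped="$(printf '%s' "$dek" | openssl pkeyutl -encrypt -certin -inkey "$cert" \
        -pkeyopt rsa_padding_mode:oaep | openssl base64 -A)"
    # Encrypt the secret itself under the DEK with AES-256-CBC (key derived from the DEK via PBKDF2).
    ciphertext="$(printf '%s' "$secret" | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "pass:$dek" \
        | openssl base64 -A)"
    printf 'enc:%s:%s\n' "$wrapped" "$ciphertext"
}

# decrypt_with_key KEY ENCVALUE: unwraps the DEK with the private key, then decrypts the secret.
# Fails (non-zero) when the key does not match the certificate used for encryption.
decrypt_with_key() {
    key="$1"; value="$2"
    wrapped="$(printf '%s' "$value" | cut -d: -f2)"
    ciphertext="$(printf '%s' "$value" | cut -d: -f3)"
    dek="$(printf '%s' "$wrapped" | openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$key" \
        -pkeyopt rsa_padding_mode:oaep)" || return 1
    printf '%s' "$ciphertext" | openssl base64 -d -A \
        | openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$dek" || return 1
}

# Stand-alone run: encrypt, show the value that would be stored, recover it with the private key.
stored="$(encrypt_with_cert "$work/agent.crt" '12345678')"
echo "stored value: $stored"
echo "recovered:    $(decrypt_with_key "$work/agent.key" "$stored")"
```

      The stored value contains no trace of the plaintext, and a Job Resource holding it is useless to anyone who obtains it without the Agent's private key; this is why the certificate handed to --encrypt-cert must be the one whose private key the target Agent actually holds.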

Decrypting Secrets from Jobs

...