How to Use Multiline File-Based Secret in Harness Shell Script
Let's say you have a file-based secret in Harness NextGen/FirstGen. How do you use it in a Harness shell script?
In NextGen (NG) you can go through config files; the service's Config Files must point at the secret file, and you then read it with these expressions:
#Get the Secret file as a String
echo "cf_secret" <+configFile.getAsString("cf_secret")>
#Get the Secret file as Base 64 encoded String
echo "cf_secret 64" <+configFile.getAsBase64("cf_secret")>
With the base64 version, you can do:
echo <+configFile.getAsBase64("cf_secret")> | base64 -d > myfile.key
FirstGen (FG) has a similar approach:
echo ${configFile.getAsBase64("fileName")} | base64 -d > myfile.key
You need to have your services configured with Config Files, and those must point to the secret files.
Alternatively, a file secret can be written out directly with a heredoc:
CG/FG:
cat <<EOF > filename.pub
${secrets.getValue("cosign-pub-file")}
EOF
NG:
cat <<EOF > filename.pub
<+secrets.getValue("cosign-pub-file")>
EOF
Sample pipeline:
pipeline:
  name: cd_shell
  identifier: cd_shell
  projectIdentifier: newTestProject
  orgIdentifier: abhishekOrg
  tags: {}
  stages:
    - stage:
        name: shell
        identifier: shell
        description: ""
        type: Deployment
        spec:
          deploymentType: Kubernetes
          environment:
            environmentRef: dev
            deployToAll: false
            infrastructureDefinitions:
              - identifier: dev
          execution:
            steps:
              - step:
                  type: ShellScript
                  name: Shell Script_1
                  identifier: ShellScript_1
                  spec:
                    shell: Bash
                    onDelegate: true
                    source:
                      type: Inline
                      spec:
                        script: |
                          echo <+secrets.getValue("account.hashicorpvault://QAVault/hashi-ref-secret#hashi-ref-secret")>
                    environmentVariables:
                      - name: artifactoryRepo
                        type: String
                        value: cicd
                      - name: imageName
                        type: String
                        value: busybox
                    outputVariables: []
                  timeout: 10m
                  failureStrategies: []
              - step:
                  type: Container
                  name: Container Step_1
                  identifier: ContainerStep_1
                  spec:
                    connectorRef: account.harnessImage
                    image: busybox
                    command: |-
                      # echo <+secrets.getValue("account.hashicorpvault://QAVault/hashi-ref-secret#hashi-ref-secret")>
                      echo "Container Step"
                    shell: Bash
                    infrastructure:
                      type: KubernetesDirect
                      spec:
                        connectorRef: account.asainik8sgke
                        namespace: harness-test
                        resources:
                          limits:
                            cpu: "0.5"
                            memory: 500Mi
                    outputVariables: []
                    envVariables: {}
                  timeout: 10m
            rollbackSteps: []
          services:
            values:
              - serviceRef: k8s_dply_svc
            metadata:
              parallel: true
        tags: {}
        failureStrategies:
          - onFailure:
              errors:
                - AllErrors
              action:
                type: StageRollback
        variables: []
    - stage:
        name: testFileSecret
        identifier: testFileSecret
        description: ""
        type: Deployment
        spec:
          deploymentType: Kubernetes
          service:
            serviceRef: k8s_dply_svc
          environment:
            environmentRef: dev
            deployToAll: false
            infrastructureDefinitions:
              - identifier: dev
          execution:
            steps:
              - step:
                  type: ShellScript
                  name: ShellScript_1
                  identifier: ShellScript_1
                  spec:
                    shell: Bash
                    onDelegate: true
                    source:
                      type: Inline
                      spec:
                        script: |-
                          cat <<EOF > slack.webhook
                          <+secrets.getValue("testMultilineFileSecret")>
                          EOF
                          cat slack.webhook
                          echo "printing key file"
                          cat <<EOF > keyfile.pub
                          <+secrets.getValue("account.keyfiletest")>
                          EOF
                          cat keyfile.pub
                    environmentVariables: []
                    outputVariables: []
                  timeout: 10m
              - step:
                  type: Container
                  name: Container_1
                  identifier: Container_1
                  spec:
                    connectorRef: account.harnessImage
                    image: busybox
                    command: |
                      echo "container"
                      cat <<EOF > slack.webhook
                      <+secrets.getValue("testMultilineFileSecret")>
                      EOF
                      cat slack.webhook
                      echo "printing key file"
                      cat <<EOF > keyfile.pub
                      <+secrets.getValue("account.keyfiletest")>
                      EOF
                      cat keyfile.pub
                    shell: Sh
                    infrastructure:
                      type: KubernetesDirect
                      spec:
                        connectorRef: account.asainik8sgke
                        namespace: harness-test
                        resources:
                          limits:
                            cpu: "0.5"
                            memory: 500Mi
                    outputVariables: []
                    envVariables: {}
                  timeout: 10m
            rollbackSteps: []
        tags: {}
        failureStrategies:
          - onFailure:
              errors:
                - AllErrors
              action:
                type: StageRollback
    - stage:
        name: fileSecret
        identifier: fileSecret
        description: ""
        type: CI
        spec:
          cloneCodebase: false
          infrastructure:
            type: KubernetesDirect
            spec:
              connectorRef: account.asainik8sgke
              namespace: harness-test
              automountServiceAccountToken: true
              nodeSelector: {}
              os: Linux
          execution:
            steps:
              - step:
                  type: Run
                  name: Run_1
                  identifier: Run_1
                  spec:
                    connectorRef: account.harnessImage
                    image: busybox
                    shell: Sh
                    command: |
                      echo "container"
                      cat <<EOF > slack.webhook
                      <+secrets.getValue("testMultilineFileSecret")>
                      EOF
                      cat slack.webhook
                      echo "printing key file"
                      cat <<EOF > keyfile.pub
                      <+secrets.getValue("account.keyfiletest")>
                      EOF
                      cat keyfile.pub
  allowStageExecutions: true
This is how you can use a multiline file-based secret in a Harness shell script in both FirstGen and NextGen.