I would like to avoid storing any credentials in Jenkins and rely solely on Hashicorp Vault for storing and managing credentials.
It is pretty trivial to get it working once the pipeline is running, but I can't find any examples or guidance on how I can do the initial git clone from a private repo in the Jenkinsfile without storing a PAT token in Jenkins secrets.
I would like to call Vault first, get the PAT token from there, and then clone the repo with the Jenkinsfile.
Could anyone give me a hint please?
You will need to store at least the approle/secret to access Vault within the Jenkins credentials store. However, once you have done that, you should be able to use the Vault plugin to access any information you need, and have it saved to an environment variable. From there, you can use that environment variable as needed.
See here for an example of how to use the Vault plugin inside your Jenkinsfile.
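As an added illustration of the approach described in this answer (this is example code, not the answer's own or the plugin's documentation), the Jenkinsfile below uses the HashiCorp Vault plugin's withVault step to pull a PAT out of Vault into an environment variable and then clones with it. The Vault URL, the Jenkins credential id 'vault-approle' (the single AppRole credential that stays in Jenkins), the secret path secret/jenkins/github, the key 'token' and the repository URL are all placeholders.

```groovy
// Added example (not from the original answer): fetch a PAT from Vault with the
// HashiCorp Vault plugin and use it for a git clone inside the pipeline.
// Assumptions (placeholders, not from the page): Vault at https://vault.example.com,
// Jenkins credential 'vault-approle' holding the AppRole role_id/secret_id,
// KV v2 secret at secret/jenkins/github with key 'token', repo URL as shown.
pipeline {
    agent any
    stages {
        stage('Clone private repo with token from Vault') {
            steps {
                withVault(
                    configuration: [
                        vaultUrl: 'https://vault.example.com',  // assumption
                        vaultCredentialId: 'vault-approle',     // the one credential kept in Jenkins
                        engineVersion: 2                        // KV v2 secrets engine
                    ],
                    vaultSecrets: [[
                        path: 'secret/jenkins/github',          // assumption
                        secretValues: [[envVar: 'GIT_TOKEN', vaultKey: 'token']]
                    ]]
                ) {
                    // Inside this block GIT_TOKEN is set and the plugin masks its value in
                    // the console log. The token is handed to git through a one-off
                    // credential helper instead of being embedded in the clone URL, so it
                    // is never written to .git/config or echoed in the build output.
                    // Triple single quotes: Groovy does not interpolate $GIT_TOKEN here;
                    // the shell expands it when git invokes the helper.
                    sh '''
                        git -c credential.helper='!f() { echo "username=x-access-token"; echo "password=$GIT_TOKEN"; }; f' \
                            clone https://github.com/example-org/private-repo.git app
                    '''
                }
            }
        }
    }
}
```

This covers clones performed by steps in the pipeline; the Jenkinsfile itself still has to be reachable by Jenkins before withVault can run, which is the bootstrap problem the question raises and the reason the answer says at least the Vault access credential must live in Jenkins.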
You could add your SSH key to the Jenkins built-in node (formerly master) user's home directory, as well as the home directories of users for any build nodes you use. You would also need to add the correct configuration options to your SSH config file (.ssh/config) so SSH uses that key to access your SCM server.
    # ~/.ssh/config on the built-in node and on every build node
    Host myscm.mycompany.com
        User scmuser
        IdentityFile ~/.ssh/scm_id_rsa        # key authorised on the SCM server
        PreferredAuthentications publickey    # never fall back to password prompts
        RequestTTY no                         # non-interactive: no terminal allocation
Once you have the above set, you can just specify your SCM URL within Jenkins, and it will use the defaults from your SSH folder.
If you are not using SSH, please post back with your SCM as well as access method (http? rsync?).
You have two other options: (1) store your Jenkinsfile in a public repository that is different from your project repository or make your project repository public, or (2) define your pipeline directly in the job, so that you don't need a Jenkinsfile.