Skip to content
Snippets Groups Projects
Normal view Permalink
gitlab-ci-docker-gcp.yml 2.64 KiB
Newer Older
Marco GILLES's avatar
feat(gcp): add OIDC authentication support for GCP Artifact Registry
Marco GILLES committed
1 2 3 
# =====================================================================================================================
# === GCP Auth template variant
# =====================================================================================================================
Pierre Smeyers's avatar
feat: migrate to GitLab CI/CD component  
Pierre Smeyers committed
4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 
spec:
  inputs:
    gcp-oidc-aud:
      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
      default: $CI_SERVER_URL
    gcp-oidc-account:
      description: Default Service Account to which impersonate with OpenID Connect
        authentication
      default: ''
    gcp-oidc-provider:
      description: Default Workload Identity Provider associated with GitLab to [authenticate
        with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
      default: ''
    gcp-snapshot-oidc-account:
      description: Service Account to use to push the snapshot image _(only define if
        different from default)_
      default: ''
    gcp-snapshot-oidc-provider:
      description: Workload Identity Provider to push the snapshot image _(only define
        if different from default)_
      default: ''
    gcp-release-oidc-account:
      description: Service Account to use to push the release image _(only define if
        different from default)_
      default: ''
    gcp-release-oidc-provider:
      description: Workload Identity Provider to push the release image _(only define
        if different from default)_
      default: ''
---
Marco GILLES's avatar
feat(gcp): add OIDC authentication support for GCP Artifact Registry
Marco GILLES committed
34 
variables:
Pierre Smeyers's avatar
feat: migrate to GitLab CI/CD component  
Pierre Smeyers committed
35 36 37 38 39 40 41 42 43 
  TBC_GCP_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:main
  GCP_OIDC_AUD: $[[ inputs.gcp-oidc-aud ]]
  GCP_OIDC_ACCOUNT: $[[ inputs.gcp-oidc-account ]]
  GCP_OIDC_PROVIDER: $[[ inputs.gcp-oidc-provider ]]
  GCP_SNAPSHOT_OIDC_ACCOUNT: $[[ inputs.gcp-snapshot-oidc-account ]]
  GCP_SNAPSHOT_OIDC_PROVIDER: $[[ inputs.gcp-snapshot-oidc-provider ]]
  GCP_RELEASE_OIDC_ACCOUNT: $[[ inputs.gcp-release-oidc-account ]]
  GCP_RELEASE_OIDC_PROVIDER: $[[ inputs.gcp-release-oidc-provider ]]
Marco GILLES's avatar
feat(gcp): add OIDC authentication support for GCP Artifact Registry
Marco GILLES committed
44 45 46 
.docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
semantic-release-bot's avatar
chore(release): 5.8.0 [skip ci]  
semantic-release-bot committed
47 
      command: ["--service", "docker", "5.8.0"]
Pierre Smeyers's avatar
fix: ECR and GCP provider image variables  
Pierre Smeyers committed
48 
    - name: "$TBC_GCP_PROVIDER_IMAGE"
Marco GILLES's avatar
feat(gcp): add OIDC authentication support for GCP Artifact Registry
Marco GILLES committed
49 
      alias: "gcp-auth-provider"
Pierre Smeyers's avatar
feat(oidc): OIDC authentication support now requires explicit configuration(see doc)  
Pierre Smeyers committed
50 51 52 53 54 55 56 57 58 59 
  variables:
    #  have to be explicitly declared in the YAML to be exported to the service
    GCP_JWT: $GCP_JWT
    DOCKER_REGISTRY_SNAPSHOT_USER: oauth2accesstoken
    DOCKER_REGISTRY_RELEASE_USER: oauth2accesstoken
    DOCKER_REGISTRY_SNAPSHOT_PASSWORD: '@url@http://gcp-auth-provider/token?envType=snapshot'
    DOCKER_REGISTRY_RELEASE_PASSWORD: '@url@http://gcp-auth-provider/token?envType=release'
  id_tokens:
    GCP_JWT:
      aud: "$GCP_OIDC_AUD"