From f377953b9fe487bcbdd7490cb2e47be211553c82 Mon Sep 17 00:00:00 2001 From: Pierre Smeyers <pierre.smeyers@gmail.com> Date: Sat, 8 Jan 2022 15:38:42 +0000 Subject: [PATCH] Add Vault secrets provider support --- README.md | 56 ++++++++++++++++++++++++++++ kicker.json | 27 ++++++++++++++ templates/gitlab-ci-docker-vault.yml | 14 +++++++ 3 files changed, 97 insertions(+) create mode 100644 templates/gitlab-ci-docker-vault.yml diff --git a/README.md b/README.md index fd93081..3418586 100644 --- a/README.md +++ b/README.md @@ -365,6 +365,62 @@ variables: DOCKER_RELEASE_IMAGE: "$CI_REGISTRY/$CI_PROJECT_PATH/back:$CI_COMMIT_REF_NAME" ``` +## Variants + +The Docker template can be used in conjunction with template variants to cover specific cases. + +### Vault variant + +This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server. + +#### Configuration + +In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters: + +| Name | description | default value | +| ----------------- | -------------------------------------- | ----------------- | +| `VAULT_BASE_URL` | The Vault server base API url | _none_ | +| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** | +| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** | + +#### Usage + +Then you may retrieve any of your secret(s) from Vault using the following syntax: + +```text +@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field} +``` + +With: + +| Name | description | +| -------------------------------- | -------------------------------------- | +| `secret_path` (_path parameter_) | this is your secret location in the Vault server | +| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload | + +#### Example + +```yaml +include: + # main template + - project: 'to-be-continuous/docker' + ref: '2.2.0' + file: '/templates/gitlab-ci-docker.yml' + # Vault variant + - project: 'to-be-continuous/docker' + ref: '2.2.0' + file: '/templates/gitlab-ci-docker-vault.yml' + +variables: + # Secrets managed by Vault + DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=user" + DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=token" + DOCKER_REGISTRY_RELEASE_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=user" + DOCKER_REGISTRY_RELEASE_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=token" + VAULT_BASE_URL: "https://vault.acme.host/v1" + # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable +``` + ## Gitlab compatibility :information_source: This template is actually tested and validated on GitLab Community Edition instance version 13.12.11 diff --git a/kicker.json b/kicker.json index df1803c..5c16d5a 100644 --- a/kicker.json +++ b/kicker.json @@ -170,5 +170,32 @@ } ] } + ], + "variants": [ + { + "id": "vault", + "name": "Vault", + "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server", + "template_path": "templates/gitlab-ci-docker-vault.yml", + "variables": [ + { + "name": "VAULT_BASE_URL", + "description": "The Vault server base API url", + "mandatory": true + }, + { + "name": "VAULT_ROLE_ID", + "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID", + "mandatory": true, + "secret": true + }, + { + "name": "VAULT_SECRET_ID", + "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID", + "mandatory": true, + "secret": true + } + ] + } ] } diff --git a/templates/gitlab-ci-docker-vault.yml b/templates/gitlab-ci-docker-vault.yml new file mode 100644 index 0000000..f7e9b90 --- /dev/null +++ b/templates/gitlab-ci-docker-vault.yml @@ -0,0 +1,14 @@ +# ===================================================================================================================== +# === Vault template variant +# ===================================================================================================================== +variables: + # variables have to be explicitly declared in the YAML to be exported to the service + VAULT_ROLE_ID: "$VAULT_ROLE_ID" + VAULT_SECRET_ID: "$VAULT_SECRET_ID" + +.docker-base: + services: + - name: "$CI_REGISTRY/to-be-continuous/tools/tracking:master" + command: ["--service", "docker", "2.2.0"] + - name: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master" + alias: "vault-secrets-provider" -- GitLab