From f377953b9fe487bcbdd7490cb2e47be211553c82 Mon Sep 17 00:00:00 2001
From: Pierre Smeyers <pierre.smeyers@gmail.com>
Date: Sat, 8 Jan 2022 15:38:42 +0000
Subject: [PATCH] Add Vault secrets provider support

---
 README.md                            | 56 ++++++++++++++++++++++++++++
 kicker.json                          | 27 ++++++++++++++
 templates/gitlab-ci-docker-vault.yml | 14 +++++++
 3 files changed, 97 insertions(+)
 create mode 100644 templates/gitlab-ci-docker-vault.yml

diff --git a/README.md b/README.md
index fd93081..3418586 100644
--- a/README.md
+++ b/README.md
@@ -365,6 +365,62 @@ variables:
       DOCKER_RELEASE_IMAGE: "$CI_REGISTRY/$CI_PROJECT_PATH/back:$CI_COMMIT_REF_NAME"
 ```
 
+## Variants
+
+The Docker template can be used in conjunction with template variants to cover specific cases.
+
+### Vault variant
+
+This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server.
+
+#### Configuration
+
+In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
+
+| Name              | description                            | default value     |
+| ----------------- | -------------------------------------- | ----------------- |
+| `VAULT_BASE_URL`  | The Vault server base API url          | _none_ |
+| :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
+| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
+
+#### Usage
+
+Then you may retrieve any of your secret(s) from Vault using the following syntax:
+
+```text
+@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field}
+```
+
+With:
+
+| Name                             | description                            |
+| -------------------------------- | -------------------------------------- |
+| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
+| `field` (_query parameter_)      | parameter to access a single basic field from the secret JSON payload |
+
+#### Example
+
+```yaml
+include:
+  # main template
+  - project: 'to-be-continuous/docker'
+    ref: '2.2.0'
+    file: '/templates/gitlab-ci-docker.yml'
+  # Vault variant
+  - project: 'to-be-continuous/docker'
+    ref: '2.2.0'
+    file: '/templates/gitlab-ci-docker-vault.yml'
+
+variables:
+    # Secrets managed by Vault
+    DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=user"
+    DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=token"
+    DOCKER_REGISTRY_RELEASE_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=user"
+    DOCKER_REGISTRY_RELEASE_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=token"
+    VAULT_BASE_URL: "https://vault.acme.host/v1"
+    # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
+```
+
 ## Gitlab compatibility
 
 :information_source: This template is actually tested and validated on GitLab Community Edition instance version 13.12.11
diff --git a/kicker.json b/kicker.json
index df1803c..5c16d5a 100644
--- a/kicker.json
+++ b/kicker.json
@@ -170,5 +170,32 @@
         }
       ]
     }
+  ],
+  "variants": [
+    {
+      "id": "vault",
+      "name": "Vault",
+      "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",
+      "template_path": "templates/gitlab-ci-docker-vault.yml",
+      "variables": [
+        {
+          "name": "VAULT_BASE_URL",
+          "description": "The Vault server base API url",
+          "mandatory": true
+        },
+        {
+          "name": "VAULT_ROLE_ID",
+          "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID",
+          "mandatory": true,
+          "secret": true
+        },
+        {
+          "name": "VAULT_SECRET_ID",
+          "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID",
+          "mandatory": true,
+          "secret": true
+        }
+      ]
+    }
   ]
 }
diff --git a/templates/gitlab-ci-docker-vault.yml b/templates/gitlab-ci-docker-vault.yml
new file mode 100644
index 0000000..f7e9b90
--- /dev/null
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -0,0 +1,14 @@
+# =====================================================================================================================
+# === Vault template variant
+# =====================================================================================================================
+variables:
+  # variables have to be explicitly declared in the YAML to be exported to the service
+  VAULT_ROLE_ID: "$VAULT_ROLE_ID"
+  VAULT_SECRET_ID: "$VAULT_SECRET_ID"
+
+.docker-base:
+  services:
+    - name: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
+      command: ["--service", "docker", "2.2.0"]
+    - name: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
+      alias: "vault-secrets-provider"
-- 
GitLab