Commit dba29378 authored by Pierre Smeyers

docs: update GitLab links

parent 3cf7d1f3
...@@ -8,8 +8,8 @@ Closes #999 ...@@ -8,8 +8,8 @@ Closes #999
## Checklist ## Checklist
* General: * General:
* [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced) * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
* [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable) * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
* Publicly usable: * Publicly usable:
* [ ] untagged runners * [ ] untagged runners
* [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy` * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`
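Review bot: the `#onlyexcept-advanced` fragment on the first checklist line is carried over unchanged while only the `/ee/` path segment is dropped, so the new URL is only as good as the old fragment. Please confirm it still resolves on `https://docs.gitlab.com/ci/yaml/`; if the section has moved, update the fragment in this commit rather than leaving a link that silently lands at the top of the page.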
......
...@@ -61,7 +61,7 @@ To contribute: ...@@ -61,7 +61,7 @@ To contribute:
1. Create an issue describing the bug or enhancement you want to propose (select the right issue template). 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
2. Make sure the issue has been reviewed and agreed. 2. Make sure the issue has been reviewed and agreed.
3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation). 3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed. Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.
### Git Commit Conventions ### Git Commit Conventions
......
...@@ -6,8 +6,8 @@ or [Kustomize](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustom ...@@ -6,8 +6,8 @@ or [Kustomize](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustom
## Usage ## Usage
This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component)
or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax. or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax.
### Use as a CI/CD component ### Use as a CI/CD component
...@@ -71,7 +71,7 @@ _ongoing developments_ (a.k.a. _feature_ or _topic_ branches). ...@@ -71,7 +71,7 @@ _ongoing developments_ (a.k.a. _feature_ or _topic_ branches).
When enabled, it deploys the result from upstream build stages to a dedicated and temporary environment. When enabled, it deploys the result from upstream build stages to a dedicated and temporary environment.
It is only active for non-production, non-integration branches. It is only active for non-production, non-integration branches.
It is a strict equivalent of GitLab's [Review Apps](https://docs.gitlab.com/ee/ci/review_apps/) feature. It is a strict equivalent of GitLab's [Review Apps](https://docs.gitlab.com/ci/review_apps/) feature.
It also comes with a _cleanup_ job (accessible either from the _environments_ page, or from the pipeline view). It also comes with a _cleanup_ job (accessible either from the _environments_ page, or from the pipeline view).
...@@ -99,8 +99,8 @@ You're free to enable whichever or both, and you can also choose your deployment ...@@ -99,8 +99,8 @@ You're free to enable whichever or both, and you can also choose your deployment
The Kubernetes template supports 3 ways of login/accessing your Kubernetes cluster(s): The Kubernetes template supports 3 ways of login/accessing your Kubernetes cluster(s):
1. Using [GitLab agents with the CI/CD workflow](https://docs.gitlab.com/ee/user/clusters/agent/ci_cd_workflow.html): when enabled, the template automatically retrieves and uses your Kubernetes cluster configuration (`KUBECONFIG` env), 1. Using [GitLab agents with the CI/CD workflow](https://docs.gitlab.com/user/clusters/agent/ci_cd_workflow/): when enabled, the template automatically retrieves and uses your Kubernetes cluster configuration (`KUBECONFIG` env),
:warning: don't forget to set the `KUBE_CONTEXT` variable (to `path/to/agent/project:agent-name`) as [stated in the documentation](https://docs.gitlab.com/ee/user/clusters/agent/ci_cd_workflow.html#environments-that-use-auto-devops). :warning: don't forget to set the `KUBE_CONTEXT` variable (to `path/to/agent/project:agent-name`) as [stated in the documentation](https://docs.gitlab.com/user/clusters/agent/ci_cd_workflow/#environments-that-use-auto-devops).
2. By defining an explicit `kubeconfig` from env (either file or yaml content), 2. By defining an explicit `kubeconfig` from env (either file or yaml content),
3. By defining explicit `kubeconfig` **exploded parameters** from env: server url, server certificate authority and user token. 3. By defining explicit `kubeconfig` **exploded parameters** from env: server url, server certificate authority and user token.
...@@ -275,8 +275,8 @@ by using available environment variables: ...@@ -275,8 +275,8 @@ by using available environment variables:
(ex: `MYPROJECT_REVIEW_FIX_BUG_12` or `MYPROJECT_STAGING`) (ex: `MYPROJECT_REVIEW_FIX_BUG_12` or `MYPROJECT_STAGING`)
* `${k8s_namespace}`: the Kubernetes namespace currently used for deployment/cleanup * `${k8s_namespace}`: the Kubernetes namespace currently used for deployment/cleanup
* `${hostname}`: the environment hostname, extracted from the current environment url (after late variable expansion - see below) * `${hostname}`: the environment hostname, extracted from the current environment url (after late variable expansion - see below)
2. any [GitLab CI variable](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html) 2. any [GitLab CI variable](https://docs.gitlab.com/ci/variables/predefined_variables/)
3. any [custom variable](https://docs.gitlab.com/ee/ci/variables/#for-a-project) 3. any [custom variable](https://docs.gitlab.com/ci/variables/#for-a-project)
(ex: `${SECRET_TOKEN}` that you have set in your project CI/CD variables) (ex: `${SECRET_TOKEN}` that you have set in your project CI/CD variables)
#### Variables substitution mechanism #### Variables substitution mechanism
...@@ -311,7 +311,7 @@ resources can use a **variables substitution** mechanism implemented by the temp ...@@ -311,7 +311,7 @@ resources can use a **variables substitution** mechanism implemented by the temp
The K8S template supports two ways of providing your environments url: The K8S template supports two ways of providing your environments url:
* a **static way**: when the environments url can be determined in advance, probably because you're exposing your routes through a DNS you manage, * a **static way**: when the environments url can be determined in advance, probably because you're exposing your routes through a DNS you manage,
* a [**dynamic way**](https://docs.gitlab.com/ee/ci/environments/#set-a-dynamic-environment-url): when the url cannot be known before the * a [**dynamic way**](https://docs.gitlab.com/ci/environments/#set-a-dynamic-environment-url): when the url cannot be known before the
deployment job is executed. deployment job is executed.
The **static way** can be implemented simply by setting the appropriate configuration variable(s) depending on the environment (see environments configuration chapters): The **static way** can be implemented simply by setting the appropriate configuration variable(s) depending on the environment (see environments configuration chapters):
...@@ -340,7 +340,7 @@ the dynamically generated url. When detected by the template, it will use it as ...@@ -340,7 +340,7 @@ the dynamically generated url. When detected by the template, it will use it as
### Deployment output variables ### Deployment output variables
Each deployment job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsdotenv)): Each deployment job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsdotenv)):
* `$environment_type`: set to the type of environment (`review`, `integration`, `staging` or `production`), * `$environment_type`: set to the type of environment (`review`, `integration`, `staging` or `production`),
* `$environment_name`: the application name (see below), * `$environment_name`: the application name (see below),
...@@ -356,12 +356,12 @@ You may also add and propagate your own custom variables, by pushing them to the ...@@ -356,12 +356,12 @@ You may also add and propagate your own custom variables, by pushing them to the
Here are some advices about your **secrets** (variables marked with a :lock:): Here are some advices about your **secrets** (variables marked with a :lock:):
1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ee/ci/variables/#for-a-project): 1. Manage them as [project or group CI/CD variables](https://docs.gitlab.com/ci/variables/#for-a-project):
* [**masked**](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently * [**masked**](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently
displayed in your job logs, displayed in your job logs,
* [**protected**](https://docs.gitlab.com/ee/ci/variables/#protected-cicd-variables) if you want to secure some secrets * [**protected**](https://docs.gitlab.com/ci/variables/#protected-cicd-variables) if you want to secure some secrets
you don't want everyone in the project to have access to (for instance production secrets). you don't want everyone in the project to have access to (for instance production secrets).
2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variable), 2. In case a secret contains [characters that prevent it from being masked](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable),
simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`: simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`:
it will then be possible to mask it and the template will automatically decode it prior to using it. it will then be possible to mask it and the template will automatically decode it prior to using it.
3. Don't forget to escape special characters (ex: `$` -> `$$`). 3. Don't forget to escape special characters (ex: `$` -> `$$`).
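Review bot: item 2 of the secrets advice says a `@b64@`-prefixed value can be masked and is decoded by the template before use, but it does not say that masking then covers only the encoded string. The decoded secret is not a masked value, so any command that echoes it shows it in the job log. Since this item is being edited anyway, consider adding a sentence that states this limit and that Base64 is an encoding, not a protection.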
...@@ -373,9 +373,9 @@ The Kubernetes template uses some global configuration used throughout all jobs. ...@@ -373,9 +373,9 @@ The Kubernetes template uses some global configuration used throughout all jobs.
| Input / Variable | Description | Default value | | Input / Variable | Description | Default value |
| --------------------- | -------------------------------------- | ----------------- | | --------------------- | -------------------------------------- | ----------------- |
| `kubectl-image` / `K8S_KUBECTL_IMAGE` | the Docker image used to run Kubernetes `kubectl` commands <br/>:warning: **set the version required by your Kubernetes server** | `registry.hub.docker.com/bitnami/kubectl:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-K8S_KUBECTL_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-K8S_KUBECTL_IMAGE) | | `kubectl-image` / `K8S_KUBECTL_IMAGE` | the Docker image used to run Kubernetes `kubectl` commands <br/>:warning: **set the version required by your Kubernetes server** | `registry.hub.docker.com/bitnami/kubectl:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-K8S_KUBECTL_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-K8S_KUBECTL_IMAGE) |
| `base-app-name` / `K8S_BASE_APP_NAME` | Default application name | `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)) | | `base-app-name` / `K8S_BASE_APP_NAME` | Default application name | `$CI_PROJECT_NAME` ([see GitLab doc](https://docs.gitlab.com/ci/variables/predefined_variables/)) |
| `environment-url` / `K8S_ENVIRONMENT_URL` | Default environments url _(only define for static environment URLs declaration)_<br/>_supports late variable expansion (ex: `https://%{environment_name}.k8s.acme.com`)_ | _none_ | | `environment-url` / `K8S_ENVIRONMENT_URL` | Default environments url _(only define for static environment URLs declaration)_<br/>_supports late variable expansion (ex: `https://%{environment_name}.k8s.acme.com`)_ | _none_ |
| `KUBE_CONTEXT` | Defines the context to be used in `KUBECONFIG`. When using [GitLab agents with the CI/CD workflow](https://docs.gitlab.com/ee/user/clusters/agent/ci_cd_workflow.html), the value should be like `path/to/agent/project:agent-name`. To use different agents per environment, define an [environment-scoped CI/CD variable](https://docs.gitlab.com/ee/ci/environments/index.html#limit-the-environment-scope-of-a-cicd-variable) for each agent. | _none_ | | `KUBE_CONTEXT` | Defines the context to be used in `KUBECONFIG`. When using [GitLab agents with the CI/CD workflow](https://docs.gitlab.com/user/clusters/agent/ci_cd_workflow/), the value should be like `path/to/agent/project:agent-name`. To use different agents per environment, define an [environment-scoped CI/CD variable](https://docs.gitlab.com/ci/environments/#limit-the-environment-scope-of-a-cicd-variable) for each agent. | _none_ |
| :lock: `K8S_DEFAULT_KUBE_CONFIG`| The default kubeconfig to use (either content or file variable) | **required if not using exploded kubeconfig parameters** | | :lock: `K8S_DEFAULT_KUBE_CONFIG`| The default kubeconfig to use (either content or file variable) | **required if not using exploded kubeconfig parameters** |
| `url` / `K8S_URL` | the Kubernetes API url | **required if using exploded kubeconfig parameters** | | `url` / `K8S_URL` | the Kubernetes API url | **required if using exploded kubeconfig parameters** |
| :lock: `K8S_CA_CERT` | the default Kubernetes server certificate authority | **optional if using exploded kubeconfig parameters** | | :lock: `K8S_CA_CERT` | the default Kubernetes server certificate authority | **optional if using exploded kubeconfig parameters** |
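Review bot: the `kubectl-image` row keeps `registry.hub.docker.com/bitnami/kubectl:latest` as the default, right next to the warning to set the version required by the Kubernetes server. With a floating `latest` tag, the image that runs with the cluster credentials can change between pipelines without any change in the repository. Consider documenting a pinned tag or digest as the recommended value, as the AWS variant table does with `docker.io/alpine/k8s:1.32.1`.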
...@@ -501,7 +501,7 @@ In order to be able to communicate with the Vault server, the variant requires t ...@@ -501,7 +501,7 @@ In order to be able to communicate with the Vault server, the variant requires t
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ | | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ | | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |
By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables. By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ci/secrets/id_token_authentication/). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
#### Usage #### Usage
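Review bot: the rewritten sentence under the Vault table still reads "authentifacte"; correct it to "authenticate" while the line is being changed. The next sentence also needs a comma after "instead" ("To use AppRole instead, the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined ...").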
...@@ -560,7 +560,7 @@ This [blog post about OIDC impersonation through Workload Identify Federation][g ...@@ -560,7 +560,7 @@ This [blog post about OIDC impersonation through Workload Identify Federation][g
[gcp-adc]: https://cloud.google.com/docs/authentication/client-libraries [gcp-adc]: https://cloud.google.com/docs/authentication/client-libraries
[gcp-provider]: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#running-terraform-outside-of-google-cloud [gcp-provider]: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#running-terraform-outside-of-google-cloud
[gcp-iam-principals]: https://cloud.google.com/iam/docs/principal-identifiers [gcp-iam-principals]: https://cloud.google.com/iam/docs/principal-identifiers
[gcp-gitlab-wif]: https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/ [gcp-gitlab-wif]: https://docs.gitlab.com/ci/cloud_services/google_cloud/
[gcp-wif-example]: https://blog.salrashid.dev/articles/2021/understanding_workload_identity_federation/#oidc-impersonated [gcp-wif-example]: https://blog.salrashid.dev/articles/2021/understanding_workload_identity_federation/#oidc-impersonated
#### Configuration #### Configuration
...@@ -570,15 +570,15 @@ The variant requires the additional configuration parameters: ...@@ -570,15 +570,15 @@ The variant requires the additional configuration parameters:
| Input / Variable | Description | Default value | | Input / Variable | Description | Default value |
| ----------------- | -------------------------------------- | ----------------- | | ----------------- | -------------------------------------- | ----------------- |
| `gcp-oidc-aud` / `GCP_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` | | `gcp-oidc-aud` / `GCP_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` |
| `gcp-oidc-provider` / `GCP_OIDC_PROVIDER` | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ | | `gcp-oidc-provider` / `GCP_OIDC_PROVIDER` | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) | _none_ |
| `gcp-oidc-account` / `GCP_OIDC_ACCOUNT` | Default Service Account to which impersonate with OpenID Connect authentication | _none_ | | `gcp-oidc-account` / `GCP_OIDC_ACCOUNT` | Default Service Account to which impersonate with OpenID Connect authentication | _none_ |
| `gcp-review-oidc-provider` / `GCP_REVIEW_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment _(only define to override default)_ | _none_ | | `gcp-review-oidc-provider` / `GCP_REVIEW_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `review` environment _(only define to override default)_ | _none_ |
| `gcp-review-oidc-account` / `GCP_REVIEW_OIDC_ACCOUNT` | Service Account to which impersonate with OpenID Connect authentication on `review` environment _(only define to override default)_ | _none_ | | `gcp-review-oidc-account` / `GCP_REVIEW_OIDC_ACCOUNT` | Service Account to which impersonate with OpenID Connect authentication on `review` environment _(only define to override default)_ | _none_ |
| `gcp-integ-oidc-provider` / `GCP_INTEG_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment _(only define to override default)_ | _none_ | | `gcp-integ-oidc-provider` / `GCP_INTEG_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `integration` environment _(only define to override default)_ | _none_ |
| `gcp-integ-oidc-account` / `GCP_INTEG_OIDC_ACCOUNT` | Service Account to which impersonate with OpenID Connect authentication on `integration` environment _(only define to override default)_ | _none_ | | `gcp-integ-oidc-account` / `GCP_INTEG_OIDC_ACCOUNT` | Service Account to which impersonate with OpenID Connect authentication on `integration` environment _(only define to override default)_ | _none_ |
| `gcp-staging-oidc-provider` / `GCP_STAGING_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment _(only define to override default)_ | _none_ | | `gcp-staging-oidc-provider` / `GCP_STAGING_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `staging` environment _(only define to override default)_ | _none_ |
| `gcp-staging-oidc-account` / `GCP_STAGING_OIDC_ACCOUNT` | Service Account to which impersonate with OpenID Connect authentication on `staging` environment _(only define to override default)_ | _none_ | | `gcp-staging-oidc-account` / `GCP_STAGING_OIDC_ACCOUNT` | Service Account to which impersonate with OpenID Connect authentication on `staging` environment _(only define to override default)_ | _none_ |
| `gcp-prod-oidc-provider` / `GCP_PROD_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment _(only define to override default)_ | _none_ | | `gcp-prod-oidc-provider` / `GCP_PROD_OIDC_PROVIDER` | Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `production` environment _(only define to override default)_ | _none_ |
| `gcp-prod-oidc-account` / `GCP_PROD_OIDC_ACCOUNT` | Service Account to which impersonate with OpenID Connect authentication on `production` environment _(only define to override default)_ | _none_ | | `gcp-prod-oidc-account` / `GCP_PROD_OIDC_ACCOUNT` | Service Account to which impersonate with OpenID Connect authentication on `production` environment _(only define to override default)_ | _none_ |
| `kubectl-image` / `K8S_KUBECTL_IMAGE` | The Docker image used to run Kubernetes `kubectl` commands on [GKE](https://cloud.google.com/kubernetes-engine/docs) | `gcr.io/google.com/cloudsdktool/cloud-sdk:latest` | | `kubectl-image` / `K8S_KUBECTL_IMAGE` | The Docker image used to run Kubernetes `kubectl` commands on [GKE](https://cloud.google.com/kubernetes-engine/docs) | `gcr.io/google.com/cloudsdktool/cloud-sdk:latest` |
...@@ -609,7 +609,7 @@ This variant use the OIDC and [AWS STS](https://docs.aws.amazon.com/fr_fr/STS/la ...@@ -609,7 +609,7 @@ This variant use the OIDC and [AWS STS](https://docs.aws.amazon.com/fr_fr/STS/la
- [Create an OpenID Connect (OIDC) identity provider in IAM - [Create an OpenID Connect (OIDC) identity provider in IAM
](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html) ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
- [Configure a web identity role](https://docs.gitlab.com/ee/ci/cloud_services/aws/#configure-a-role-and-trust) - [Configure a web identity role](https://docs.gitlab.com/ci/cloud_services/aws/#configure-a-role-and-trust)
#### Configuration #### Configuration
...@@ -620,11 +620,11 @@ The variant requires the additional configuration parameters : ...@@ -620,11 +620,11 @@ The variant requires the additional configuration parameters :
| Input / Variable | Description | Default value | | Input / Variable | Description | Default value |
|-----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------| |-----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|
| `aws-oidc-aud` / `AWS_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` | | `aws-oidc-aud` / `AWS_OIDC_AUD` | The `aud` claim for the JWT token | `$CI_SERVER_URL` |
| `aws-oidc-role-arn` / `AWS_OIDC_ROLE_ARN` | Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) | _none_ | | `aws-oidc-role-arn` / `AWS_OIDC_ROLE_ARN` | Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) | _none_ |
| `aws-review-oidc-role-arn` / `AWS_REVIEW_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define to override default)_ | _none_ | | `aws-review-oidc-role-arn` / `AWS_REVIEW_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `review` env _(only define to override default)_ | _none_ |
| `aws-integ-oidc-role-arn` / `AWS_INTEG_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define to override default)_ | _none_ | | `aws-integ-oidc-role-arn` / `AWS_INTEG_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `integration` env _(only define to override default)_ | _none_ |
| `aws-staging-oidc-role-arn` / `AWS_STAGING_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define to override default)_ | _none_ | | `aws-staging-oidc-role-arn` / `AWS_STAGING_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `staging` env _(only define to override default)_ | _none_ |
| `aws-prod-oidc-role-arn` / `AWS_PROD_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define to override default)_ | _none_ | | `aws-prod-oidc-role-arn` / `AWS_PROD_OIDC_ROLE_ARN` | IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `production` env _(only define to override default)_ | _none_ |
| `kubectl-image` / `K8S_KUBECTL_IMAGE` | The Docker image used to run Kubernetes `kubectl` commands on [AWS] | `docker.io/alpine/k8s:1.32.1` | | `kubectl-image` / `K8S_KUBECTL_IMAGE` | The Docker image used to run Kubernetes `kubectl` commands on [AWS] | `docker.io/alpine/k8s:1.32.1` |
#### Example #### Example
......
...@@ -88,7 +88,7 @@ ...@@ -88,7 +88,7 @@
{ {
"id": "review", "id": "review",
"name": "Review", "name": "Review",
"description": "Dynamic review environments for your topic branches (see GitLab [Review Apps](https://docs.gitlab.com/ee/ci/review_apps/))", "description": "Dynamic review environments for your topic branches (see GitLab [Review Apps](https://docs.gitlab.com/ci/review_apps/))",
"variables": [ "variables": [
{ {
"name": "K8S_REVIEW_SPACE", "name": "K8S_REVIEW_SPACE",
...@@ -318,7 +318,7 @@ ...@@ -318,7 +318,7 @@
"variables": [ "variables": [
{ {
"name": "GCP_OIDC_AUD", "name": "GCP_OIDC_AUD",
"description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_", "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
"default": "$CI_SERVER_URL", "default": "$CI_SERVER_URL",
"advanced": true "advanced": true
}, },
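Review bot: the `GCP_OIDC_AUD` description links to `https://docs.gitlab.com/ci/cloud_services/aws/`, which is the AWS page, while the other `GCP_*` entries in this file point to `.../ci/cloud_services/google_cloud/`. The path rewrite preserves what looks like a copy-paste from the `AWS_OIDC_AUD` entry, so point this link at the Google Cloud page in the same change.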
...@@ -328,7 +328,7 @@ ...@@ -328,7 +328,7 @@
}, },
{ {
"name": "GCP_OIDC_PROVIDER", "name": "GCP_OIDC_PROVIDER",
"description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)" "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)"
}, },
{ {
"name": "GCP_REVIEW_OIDC_ACCOUNT", "name": "GCP_REVIEW_OIDC_ACCOUNT",
...@@ -337,7 +337,7 @@ ...@@ -337,7 +337,7 @@
}, },
{ {
"name": "GCP_REVIEW_OIDC_PROVIDER", "name": "GCP_REVIEW_OIDC_PROVIDER",
"description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment", "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `review` environment",
"advanced": true "advanced": true
}, },
{ {
...@@ -347,7 +347,7 @@ ...@@ -347,7 +347,7 @@
}, },
{ {
"name": "GCP_INTEG_OIDC_PROVIDER", "name": "GCP_INTEG_OIDC_PROVIDER",
"description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment", "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `integration` environment",
"advanced": true "advanced": true
}, },
{ {
...@@ -357,7 +357,7 @@ ...@@ -357,7 +357,7 @@
}, },
{ {
"name": "GCP_STAGING_OIDC_PROVIDER", "name": "GCP_STAGING_OIDC_PROVIDER",
"description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment", "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `staging` environment",
"advanced": true "advanced": true
}, },
{ {
...@@ -367,7 +367,7 @@ ...@@ -367,7 +367,7 @@
}, },
{ {
"name": "GCP_PROD_OIDC_PROVIDER", "name": "GCP_PROD_OIDC_PROVIDER",
"description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment", "description": "Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `production` environment",
"advanced": true "advanced": true
}, },
{ {
...@@ -385,7 +385,7 @@ ...@@ -385,7 +385,7 @@
"variables": [ "variables": [
{ {
"name": "AWS_OIDC_AUD", "name": "AWS_OIDC_AUD",
"description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_", "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
"default": "$CI_SERVER_URL", "default": "$CI_SERVER_URL",
"advanced": true "advanced": true
}, },
......
...@@ -10,19 +10,19 @@ spec: ...@@ -10,19 +10,19 @@ spec:
description: The `aud` claim for the JWT description: The `aud` claim for the JWT
default: $CI_SERVER_URL default: $CI_SERVER_URL
aws-oidc-role-arn: aws-oidc-role-arn:
description: Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) description: Default IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/)
default: '' default: ''
aws-review-oidc-role-arn: aws-review-oidc-role-arn:
description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `review` env _(only define to override default)_ description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `review` env _(only define to override default)_
default: '' default: ''
aws-integ-oidc-role-arn: aws-integ-oidc-role-arn:
description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `integration` env _(only define to override default)_ description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `integration` env _(only define to override default)_
default: '' default: ''
aws-staging-oidc-role-arn: aws-staging-oidc-role-arn:
description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `staging` env _(only define to override default)_ description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `staging` env _(only define to override default)_
default: '' default: ''
aws-prod-oidc-role-arn: aws-prod-oidc-role-arn:
description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/aws/) on `production` env _(only define to override default)_ description: IAM Role ARN associated with GitLab to [authenticate using OpenID Connect](https://docs.gitlab.com/ci/cloud_services/aws/) on `production` env _(only define to override default)_
default: '' default: ''
--- ---
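Review bot: the first context line of this hunk, "The `aud` claim for the JWT", carries neither the documentation link nor the "only required for OIDC authentication" hint that the `AWS_OIDC_AUD` entry in the JSON file has, so the two descriptions of the same setting drift apart. Consider adding the updated `https://docs.gitlab.com/ci/cloud_services/aws/` link there in this same commit, so every OIDC-related input in the spec points to the same page.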
......
...@@ -13,31 +13,31 @@ spec: ...@@ -13,31 +13,31 @@ spec:
description: Default Service Account to which impersonate with OpenID Connect authentication description: Default Service Account to which impersonate with OpenID Connect authentication
default: '' default: ''
gcp-oidc-provider: gcp-oidc-provider:
description: Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) description: Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)
default: '' default: ''
gcp-review-oidc-account: gcp-review-oidc-account:
description: Service Account to which impersonate with OpenID Connect authentication on `review` environment description: Service Account to which impersonate with OpenID Connect authentication on `review` environment
default: '' default: ''
gcp-review-oidc-provider: gcp-review-oidc-provider:
description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `review` environment description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `review` environment
default: '' default: ''
gcp-integ-oidc-account: gcp-integ-oidc-account:
description: Service Account to which impersonate with OpenID Connect authentication on `integration` environment description: Service Account to which impersonate with OpenID Connect authentication on `integration` environment
default: '' default: ''
gcp-integ-oidc-provider: gcp-integ-oidc-provider:
description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `integration` environment description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `integration` environment
default: '' default: ''
gcp-staging-oidc-account: gcp-staging-oidc-account:
description: Service Account to which impersonate with OpenID Connect authentication on `staging` environment description: Service Account to which impersonate with OpenID Connect authentication on `staging` environment
default: '' default: ''
gcp-staging-oidc-provider: gcp-staging-oidc-provider:
description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `staging` environment description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `staging` environment
default: '' default: ''
gcp-prod-oidc-account: gcp-prod-oidc-account:
description: Service Account to which impersonate with OpenID Connect authentication on `production` environment description: Service Account to which impersonate with OpenID Connect authentication on `production` environment
default: '' default: ''
gcp-prod-oidc-provider: gcp-prod-oidc-provider:
description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) on `production` environment description: Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/) on `production` environment
default: '' default: ''
--- ---
variables: variables:
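Review bot: the unchanged `*-oidc-account` descriptions in this hunk read "Service Account to which impersonate with OpenID Connect authentication", which is ungrammatical, and unlike the `*-oidc-provider` lines they carry no documentation link. As this is a docs-only commit touching every second line here, it is a good place to reword them to "Service Account to impersonate with OpenID Connect authentication" and, optionally, add the same `google_cloud` link.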
......