Merge remote-tracking branch 'upstream/master'

# Conflicts: # CHANGELOG.md

Merge remote-tracking branch 'upstream/master'
1e4b3ad5 · Benguria Elguezabal, Gorka · 58020177 · a72671ff · 1e4b3ad5 · 1e4b3ad5
Commit 1e4b3ad5 authored 4 months ago by Benguria Elguezabal, Gorka
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
  # 1: include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0
    # 2: set/override component inputs
    inputs:
      # ⚠ this is only an example
@@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
  # 1: include the template
  - project: 'to-be-continuous/maven'
-    ref: '4.1.0'
+    ref: '4.3.0'
    file: '/templates/gitlab-ci-maven.yml'

 variables:
@@ -543,7 +543,59 @@ All authentication methods should use masked GitLab environment variables.
 ```yaml
 include:
  # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0
  # Jib is implemented as an extension to Maven, and uses supporting features of the TBC Maven template
-  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.1.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.3.0
+```
+
+## Variants
+
+### Vault variant
+
+This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server.
+
+#### Configuration
+
+In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
+
+| Name              | Description                            | Default value     |
+| ----------------- | -------------------------------------- | ----------------- |
+| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` |
+| `VAULT_BASE_URL`  | The Vault server base API url          | **must be defined** |
+| `VAULT_OIDC_AUD`  | The `aud` claim for the JWT | `$CI_SERVER_URL` |
+| :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
+| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |
+
+By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
+
+#### Usage
+
+Then you may retrieve any of your secret(s) from Vault using the following syntax:
+
+```
+@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field}
+```
+
+With:
+
+| Name                             | Description                            |
+| -------------------------------- | -------------------------------------- |
+| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
+| `field` (_query parameter_)      | parameter to access a single basic field from the secret JSON payload |
+
+#### Example
+
+```yaml
+include:
+  # main template
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0
+  # Vault variant
+  - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-vault@4.3.0
+
+variables:
+    # Vault configuration
+    VAULT_OIDC_AUD: "https://vault.acme.host"
+    VAULT_BASE_URL: "https://vault.acme.host/v1"
+    # Secret managed by Vault
+    SONAR_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/sonar?field=password"
 ```
--- a/kicker.json
+++ b/kicker.json
@@ -351,6 +351,39 @@
          "advanced": true
        }
      ]
+    },
+    {
+      "id": "vault",
+      "name": "Vault",
+      "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",
+      "template_path": "templates/gitlab-ci-maven-vault.yml",
+      "variables": [
+        {
+          "name": "TBC_VAULT_IMAGE",
+          "description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",
+          "default": "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master",
+          "advanced": true
+        },
+        {
+          "name": "VAULT_BASE_URL",
+          "description": "The Vault server base API url"
+        },
+        {
+          "name": "VAULT_OIDC_AUD",
+          "description": "The `aud` claim for the JWT",
+          "default": "$CI_SERVER_URL"
+        },
+        {
+          "name": "VAULT_ROLE_ID",
+          "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID",
+          "secret": true
+        },
+        {
+          "name": "VAULT_SECRET_ID",
+          "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID",
+          "secret": true
+        }
+      ]
    }
  ]
 }
--- a/templates/gitlab-ci-maven-vault.yml
+++ b/templates/gitlab-ci-maven-vault.yml
+# =====================================================================================================================
+# === Vault template variant
+# =====================================================================================================================
+spec:
+  inputs:
+    vault-base-url:
+      description: The Vault server base API url
+      default: ''
+    vault-oidc-aud:
+      description: The `aud` claim for the JWT
+      default: $CI_SERVER_URL
+---
+variables:
+  # variabilized vault-secrets-provider image
+  TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest
+  # variables have to be explicitly declared in the YAML to be exported to the service
+  VAULT_ROLE_ID: "$VAULT_ROLE_ID"
+  VAULT_SECRET_ID: "$VAULT_SECRET_ID"
+  VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]]
+  VAULT_BASE_URL: $[[ inputs.vault-base-url ]]
+
+.mvn-base:
+  services:
+    - name: "$TBC_TRACKING_IMAGE"
+      command: ["--service", "maven", "4.3.0"]
+    - name: "$TBC_VAULT_IMAGE"
+      alias: "vault-secrets-provider"
+  variables:
+    VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
+  id_tokens:
+    VAULT_JWT_TOKEN:
+      aud: "$VAULT_OIDC_AUD"
--- a/templates/gitlab-ci-maven.yml
+++ b/templates/gitlab-ci-maven.yml
@@ -209,9 +209,6 @@ workflow:
    - when: on_success

 variables:
-  # variabilized tracking image
-  TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master"
-
  # Default Maven project root directory
  MAVEN_PROJECT_DIR: $[[ inputs.project-dir ]]
  # Maven image (can be overridden)
@@ -638,7 +635,7 @@ stages:
  image: $MAVEN_IMAGE
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "maven", "4.1.0"]
+      command: ["--service", "maven", "4.3.0"]
  before_script:
    - !reference [.mvn-scripts]
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"