Skip to content
Snippets Groups Projects
Commit 1e4b3ad5 authored by Benguria Elguezabal, Gorka's avatar Benguria Elguezabal, Gorka
Browse files

Merge remote-tracking branch 'upstream/master'

# Conflicts:
#	CHANGELOG.md
parents 58020177 a72671ff
No related branches found
No related tags found
No related merge requests found
Pipeline #170012 passed
......@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
```yaml
include:
# 1: include the component
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.1.0
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0
# 2: set/override component inputs
inputs:
# ⚠ this is only an example
......@@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`:
include:
# 1: include the template
- project: 'to-be-continuous/maven'
ref: '4.1.0'
ref: '4.3.0'
file: '/templates/gitlab-ci-maven.yml'
variables:
......@@ -543,7 +543,59 @@ All authentication methods should use masked GitLab environment variables.
```yaml
include:
# main template
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.1.0
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0
# Jib is implemented as an extension to Maven, and uses supporting features of the TBC Maven template
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.1.0
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.3.0
```
## Variants
### Vault variant
This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server.
#### Configuration
In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
| Name | Description | Default value |
| ----------------- | -------------------------------------- | ----------------- |
| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` |
| `VAULT_BASE_URL` | The Vault server base API url | **must be defined** |
| `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |
By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
#### Usage
Then you may retrieve any of your secret(s) from Vault using the following syntax:
```
@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field}
```
With:
| Name | Description |
| -------------------------------- | -------------------------------------- |
| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload |
#### Example
```yaml
include:
# main template
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0
# Vault variant
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-vault@4.3.0
variables:
# Vault configuration
VAULT_OIDC_AUD: "https://vault.acme.host"
VAULT_BASE_URL: "https://vault.acme.host/v1"
# Secret managed by Vault
SONAR_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/sonar?field=password"
```
......@@ -351,6 +351,39 @@
"advanced": true
}
]
},
{
"id": "vault",
"name": "Vault",
"description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",
"template_path": "templates/gitlab-ci-maven-vault.yml",
"variables": [
{
"name": "TBC_VAULT_IMAGE",
"description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",
"default": "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master",
"advanced": true
},
{
"name": "VAULT_BASE_URL",
"description": "The Vault server base API url"
},
{
"name": "VAULT_OIDC_AUD",
"description": "The `aud` claim for the JWT",
"default": "$CI_SERVER_URL"
},
{
"name": "VAULT_ROLE_ID",
"description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID",
"secret": true
},
{
"name": "VAULT_SECRET_ID",
"description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID",
"secret": true
}
]
}
]
}
# =====================================================================================================================
# === Vault template variant
# =====================================================================================================================
spec:
inputs:
vault-base-url:
description: The Vault server base API url
default: ''
vault-oidc-aud:
description: The `aud` claim for the JWT
default: $CI_SERVER_URL
---
variables:
# variabilized vault-secrets-provider image
TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest
# variables have to be explicitly declared in the YAML to be exported to the service
VAULT_ROLE_ID: "$VAULT_ROLE_ID"
VAULT_SECRET_ID: "$VAULT_SECRET_ID"
VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]]
VAULT_BASE_URL: $[[ inputs.vault-base-url ]]
.mvn-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "maven", "4.3.0"]
- name: "$TBC_VAULT_IMAGE"
alias: "vault-secrets-provider"
variables:
VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
id_tokens:
VAULT_JWT_TOKEN:
aud: "$VAULT_OIDC_AUD"
......@@ -209,9 +209,6 @@ workflow:
- when: on_success
variables:
# variabilized tracking image
TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master"
# Default Maven project root directory
MAVEN_PROJECT_DIR: $[[ inputs.project-dir ]]
# Maven image (can be overridden)
......@@ -638,7 +635,7 @@ stages:
image: $MAVEN_IMAGE
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "maven", "4.1.0"]
command: ["--service", "maven", "4.3.0"]
before_script:
- !reference [.mvn-scripts]
- install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment