diff --git a/README.md b/README.md index b1f2949615ff5020d9424db1beb4ff4aadee0df0..57c6990fa133ffa792192d61d8be4e8ea7376b00 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`: ```yaml include: # 1: include the component - - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.1.0 + - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0 # 2: set/override component inputs inputs: # ⚠ this is only an example @@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`: include: # 1: include the template - project: 'to-be-continuous/maven' - ref: '4.1.0' + ref: '4.3.0' file: '/templates/gitlab-ci-maven.yml' variables: @@ -543,7 +543,59 @@ All authentication methods should use masked GitLab environment variables. ```yaml include: # main template - - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.1.0 + - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0 # Jib is implemented as an extension to Maven, and uses supporting features of the TBC Maven template - - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.1.0 + - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.3.0 +``` + +## Variants + +### Vault variant + +This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server. + +#### Configuration + +In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters: + +| Name | Description | Default value | +| ----------------- | -------------------------------------- | ----------------- | +| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` | +| `VAULT_BASE_URL` | The Vault server base API url | **must be defined** | +| `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` | +| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ | +| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ | + +By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables. + +#### Usage + +Then you may retrieve any of your secret(s) from Vault using the following syntax: + +``` +@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field} +``` + +With: + +| Name | Description | +| -------------------------------- | -------------------------------------- | +| `secret_path` (_path parameter_) | this is your secret location in the Vault server | +| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload | + +#### Example + +```yaml +include: + # main template + - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0 + # Vault variant + - component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-vault@4.3.0 + +variables: + # Vault configuration + VAULT_OIDC_AUD: "https://vault.acme.host" + VAULT_BASE_URL: "https://vault.acme.host/v1" + # Secret managed by Vault + SONAR_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/sonar?field=password" ``` diff --git a/kicker.json b/kicker.json index caca0220f60d894c29bb862ec723636cb90c1469..f82cb7da42921fabe10f48e7023fe46a670406d4 100644 --- a/kicker.json +++ b/kicker.json @@ -351,6 +351,39 @@ "advanced": true } ] + }, + { + "id": "vault", + "name": "Vault", + "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server", + "template_path": "templates/gitlab-ci-maven-vault.yml", + "variables": [ + { + "name": "TBC_VAULT_IMAGE", + "description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use", + "default": "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master", + "advanced": true + }, + { + "name": "VAULT_BASE_URL", + "description": "The Vault server base API url" + }, + { + "name": "VAULT_OIDC_AUD", + "description": "The `aud` claim for the JWT", + "default": "$CI_SERVER_URL" + }, + { + "name": "VAULT_ROLE_ID", + "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID", + "secret": true + }, + { + "name": "VAULT_SECRET_ID", + "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID", + "secret": true + } + ] } ] } diff --git a/templates/gitlab-ci-maven-vault.yml b/templates/gitlab-ci-maven-vault.yml new file mode 100644 index 0000000000000000000000000000000000000000..9584991a908d6448de10f27dc15f39ad5dd288c9 --- /dev/null +++ b/templates/gitlab-ci-maven-vault.yml @@ -0,0 +1,32 @@ +# ===================================================================================================================== +# === Vault template variant +# ===================================================================================================================== +spec: + inputs: + vault-base-url: + description: The Vault server base API url + default: '' + vault-oidc-aud: + description: The `aud` claim for the JWT + default: $CI_SERVER_URL +--- +variables: + # variabilized vault-secrets-provider image + TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest + # variables have to be explicitly declared in the YAML to be exported to the service + VAULT_ROLE_ID: "$VAULT_ROLE_ID" + VAULT_SECRET_ID: "$VAULT_SECRET_ID" + VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]] + VAULT_BASE_URL: $[[ inputs.vault-base-url ]] + +.mvn-base: + services: + - name: "$TBC_TRACKING_IMAGE" + command: ["--service", "maven", "4.3.0"] + - name: "$TBC_VAULT_IMAGE" + alias: "vault-secrets-provider" + variables: + VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN" + id_tokens: + VAULT_JWT_TOKEN: + aud: "$VAULT_OIDC_AUD" diff --git a/templates/gitlab-ci-maven.yml b/templates/gitlab-ci-maven.yml index d579bf61d7fb27489d30a4f7851b6a4758bc8697..a1d11fa0b8e0abe8c26a1a38e5fb5312307dd1a4 100644 --- a/templates/gitlab-ci-maven.yml +++ b/templates/gitlab-ci-maven.yml @@ -209,9 +209,6 @@ workflow: - when: on_success variables: - # variabilized tracking image - TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master" - # Default Maven project root directory MAVEN_PROJECT_DIR: $[[ inputs.project-dir ]] # Maven image (can be overridden) @@ -638,7 +635,7 @@ stages: image: $MAVEN_IMAGE services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "maven", "4.1.0"] + command: ["--service", "maven", "4.3.0"] before_script: - !reference [.mvn-scripts] - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"