Skip to content
Snippets Groups Projects
Commit a80ac306 authored by Clement Bois's avatar Clement Bois
Browse files

feat: add vault variant

parent 73aabbe6
No related branches found
No related tags found
No related merge requests found
......@@ -537,3 +537,55 @@ include:
# Jib is implemented as an extension to Maven, and uses supporting features of the TBC Maven template
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.2.0
```
## Variants
### Vault variant
This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server.
#### Configuration
In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
| Name | Description | Default value |
| ----------------- | -------------------------------------- | ----------------- |
| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` |
| `VAULT_BASE_URL` | The Vault server base API url | **must be defined** |
| `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |
By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
#### Usage
Then you may retrieve any of your secret(s) from Vault using the following syntax:
```
@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field}
```
With:
| Name | Description |
| -------------------------------- | -------------------------------------- |
| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload |
#### Example
```yaml
include:
# main template
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.2.0
# Vault variant
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-vault@4.2.0
variables:
# Vault configuration
VAULT_OIDC_AUD: "https://vault.acme.host"
VAULT_BASE_URL: "https://vault.acme.host/v1"
# Secret managed by Vault
SONAR_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/sonar?field=password"
```
......@@ -288,6 +288,39 @@
"description": "Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)"
}
]
},
{
"id": "vault",
"name": "Vault",
"description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",
"template_path": "templates/gitlab-ci-maven-vault.yml",
"variables": [
{
"name": "TBC_VAULT_IMAGE",
"description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",
"default": "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master",
"advanced": true
},
{
"name": "VAULT_BASE_URL",
"description": "The Vault server base API url"
},
{
"name": "VAULT_OIDC_AUD",
"description": "The `aud` claim for the JWT",
"default": "$CI_SERVER_URL"
},
{
"name": "VAULT_ROLE_ID",
"description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID",
"secret": true
},
{
"name": "VAULT_SECRET_ID",
"description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID",
"secret": true
}
]
}
]
}
# =====================================================================================================================
# === Vault template variant
# =====================================================================================================================
spec:
inputs:
vault-base-url:
description: The Vault server base API url
default: ''
vault-oidc-aud:
description: The `aud` claim for the JWT
default: $CI_SERVER_URL
---
variables:
# variabilized vault-secrets-provider image
TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest
# variables have to be explicitly declared in the YAML to be exported to the service
VAULT_ROLE_ID: "$VAULT_ROLE_ID"
VAULT_SECRET_ID: "$VAULT_SECRET_ID"
VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]]
VAULT_BASE_URL: $[[ inputs.vault-base-url ]]
.mvn-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "maven", "4.2.0"]
- name: "$TBC_VAULT_IMAGE"
alias: "vault-secrets-provider"
variables:
VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
id_tokens:
VAULT_JWT_TOKEN:
aud: "$VAULT_OIDC_AUD"
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment