Skip to content
Snippets Groups Projects
Commit dd6fac6c authored by Xavier FRANCOIS's avatar Xavier FRANCOIS Committed by Pierre Smeyers
Browse files

feat: add vault variant

parent b5cb127b
Branches
No related tags found
No related merge requests found
...@@ -174,3 +174,62 @@ Here are some advices about your **secrets** (variables marked with a :lock:): ...@@ -174,3 +174,62 @@ Here are some advices about your **secrets** (variables marked with a :lock:):
simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`: simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`:
it will then be possible to mask it and the template will automatically decode it prior to using it. it will then be possible to mask it and the template will automatically decode it prior to using it.
3. Don't forget to escape special characters (ex: `$` -> `$$`). 3. Don't forget to escape special characters (ex: `$` -> `$$`).
4. You can also manage secrets using Vault variant
## Variants
The Docker template can be used in conjunction with template variants to cover specific cases.
### Vault variant
This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server.
#### Configuration
In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
| Name | Description | Default value |
| ----------------- | -------------------------------------- | ----------------- |
| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` |
| `VAULT_BASE_URL` | The Vault server base API url | _none_ |
| `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
#### Usage
Then you may retrieve any of your secret(s) from Vault using the following syntax:
```text
@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field}
```
With:
| Name | Description |
| -------------------------------- | -------------------------------------- |
| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload |
#### Example
```yaml
include:
# main template
- project: 'to-be-continuous/semantic-release'
ref: '3.5.2'
file: '/templates/gitlab-ci-semrel.yml'
# Vault variant
- project: 'to-be-continuous/semantic-release'
ref: '3.5.2'
file: '/templates/gitlab-ci-semrel-vault.yml'
variables:
# audience claim for JWT
VAULT_OIDC_AUD: "https://vault.acme.host"
# Secrets managed by Vault
GITLAB_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/semantic-release/token?field=group-access-token"
VAULT_BASE_URL: "https://vault.acme.host/v1"
# $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
```
...@@ -118,5 +118,38 @@ ...@@ -118,5 +118,38 @@
} }
] ]
} }
],
"variants": [
{
"id": "vault",
"name": "Vault",
"description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",
"template_path": "templates/gitlab-ci-semrel-vault.yml",
"variables": [
{
"name": "TBC_VAULT_IMAGE",
"description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",
"default": "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master",
"advanced": true
},
{
"name": "VAULT_BASE_URL",
"description": "The Vault server base API url",
"mandatory": true
},
{
"name": "VAULT_ROLE_ID",
"description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID",
"mandatory": true,
"secret": true
},
{
"name": "VAULT_SECRET_ID",
"description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID",
"mandatory": true,
"secret": true
}
]
}
] ]
} }
# =====================================================================================================================
# === Vault template variant
# =====================================================================================================================
variables:
# variabilized vault-secrets-provider image
TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
# variables have to be explicitly declared in the YAML to be exported to the service
VAULT_ROLE_ID: "$VAULT_ROLE_ID"
VAULT_SECRET_ID: "$VAULT_SECRET_ID"
VAULT_OIDC_AUD: "$CI_SERVER_URL"
.semrel-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "semrel", "3.5.2" ]
- name: "$TBC_VAULT_IMAGE"
alias: "vault-secrets-provider"
variables:
VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
id_tokens:
VAULT_JWT_TOKEN:
aud: "$VAULT_OIDC_AUD"
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment