diff --git a/README.md b/README.md index 3316b3ddd4a49d0ca42bc4183a82b6359ccce70e..8dc14620356bd3625d14f40e145b028759196955 100644 --- a/README.md +++ b/README.md @@ -174,3 +174,62 @@ Here are some advices about your **secrets** (variables marked with a :lock:): simply define its value as the [Base64](https://en.wikipedia.org/wiki/Base64) encoded value prefixed with `@b64@`: it will then be possible to mask it and the template will automatically decode it prior to using it. 3. Don't forget to escape special characters (ex: `$` -> `$$`). +4. You can also manage secrets using Vault variant + + +## Variants + +The Docker template can be used in conjunction with template variants to cover specific cases. + +### Vault variant + +This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server. + +#### Configuration + +In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters: + +| Name | Description | Default value | +| ----------------- | -------------------------------------- | ----------------- | +| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` | +| `VAULT_BASE_URL` | The Vault server base API url | _none_ | +| `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` | +| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** | +| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** | + +#### Usage + +Then you may retrieve any of your secret(s) from Vault using the following syntax: + +```text +@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field} +``` + +With: + +| Name | Description | +| -------------------------------- | -------------------------------------- | +| `secret_path` (_path parameter_) | this is your secret location in the Vault server | +| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload | + +#### Example + +```yaml +include: + # main template + - project: 'to-be-continuous/semantic-release' + ref: '3.5.2' + file: '/templates/gitlab-ci-semrel.yml' + # Vault variant + - project: 'to-be-continuous/semantic-release' + ref: '3.5.2' + file: '/templates/gitlab-ci-semrel-vault.yml' + +variables: + # audience claim for JWT + VAULT_OIDC_AUD: "https://vault.acme.host" + # Secrets managed by Vault + GITLAB_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/semantic-release/token?field=group-access-token" + VAULT_BASE_URL: "https://vault.acme.host/v1" + # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable +``` diff --git a/kicker.json b/kicker.json index 8a5af296a28aeac790ebde10f78e3e02eecd5924..2090095e72dd80bdeb2ebea7abce53eda63dbd9b 100644 --- a/kicker.json +++ b/kicker.json @@ -118,5 +118,38 @@ } ] } + ], + "variants": [ + { + "id": "vault", + "name": "Vault", + "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server", + "template_path": "templates/gitlab-ci-semrel-vault.yml", + "variables": [ + { + "name": "TBC_VAULT_IMAGE", + "description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use", + "default": "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master", + "advanced": true + }, + { + "name": "VAULT_BASE_URL", + "description": "The Vault server base API url", + "mandatory": true + }, + { + "name": "VAULT_ROLE_ID", + "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID", + "mandatory": true, + "secret": true + }, + { + "name": "VAULT_SECRET_ID", + "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID", + "mandatory": true, + "secret": true + } + ] + } ] } diff --git a/templates/gitlab-ci-semrel-vault.yml b/templates/gitlab-ci-semrel-vault.yml new file mode 100644 index 0000000000000000000000000000000000000000..758349cb7dfe849f9772f69117adcc050f84aa76 --- /dev/null +++ b/templates/gitlab-ci-semrel-vault.yml @@ -0,0 +1,22 @@ +# ===================================================================================================================== +# === Vault template variant +# ===================================================================================================================== +variables: + # variabilized vault-secrets-provider image + TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master" + # variables have to be explicitly declared in the YAML to be exported to the service + VAULT_ROLE_ID: "$VAULT_ROLE_ID" + VAULT_SECRET_ID: "$VAULT_SECRET_ID" + VAULT_OIDC_AUD: "$CI_SERVER_URL" + +.semrel-base: + services: + - name: "$TBC_TRACKING_IMAGE" + command: ["--service", "semrel", "3.5.2" ] + - name: "$TBC_VAULT_IMAGE" + alias: "vault-secrets-provider" + variables: + VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN" + id_tokens: + VAULT_JWT_TOKEN: + aud: "$VAULT_OIDC_AUD"