diff --git a/README.md b/README.md index 46c9aa9650e59e3693531bc5a7953a0623e4341f..96df302024634d5e17307b33a5005ca535e70fb2 100644 --- a/README.md +++ b/README.md @@ -53,4 +53,56 @@ Note that when not explictly set, the template will use `$CI_PROJECT_PATH_SLUG` The `sonar-project.properties` file is also the recommended way to configure other SonarQube [analysis parameters](https://docs.sonarqube.org/latest/analysis/analysis-parameters/) as well as [language specific parameters](https://docs.sonarqube.org/latest/analyzing-source-code/test-coverage/overview/). -Each _to-be-continuous_ build template shall briefly document the supported language-specific SonarQube parameters. \ No newline at end of file +Each _to-be-continuous_ build template shall briefly document the supported language-specific SonarQube parameters. + +## Variants + +### Vault variant + +This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server. + +#### Configuration + +In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters: + +| Name | description | default value | +| ----------------- | -------------------------------------- | ----------------- | +| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` | +| `VAULT_BASE_URL` | The Vault server base API url | _none_ | +| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** | +| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** | + +#### Usage + +Then you may retrieve any of your secret(s) from Vault using the following syntax: + +```text +@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field} +``` + +With: + +| Name | description | +| -------------------------------- | -------------------------------------- | +| `secret_path` (_path parameter_) | this is your secret location in the Vault server | +| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload | + +#### Example + +```yaml +include: + # main template + - project: 'to-be-continuous/sonar' + ref: '3.2.0' + file: '/templates/gitlab-ci-sonar.yml' + # Vault variant + - project: 'to-be-continuous/sonar' + ref: '3.2.0' + file: '/templates/gitlab-ci-sonar-vault.yml' + +variables: + # Secrets managed by Vault + SONAR_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/sonar?field=token" + VAULT_BASE_URL: "https://vault.acme.host/v1" + # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable +``` diff --git a/kicker.json b/kicker.json index 74610538a5e330698e3f548ef095424d0e92efde..1b813fbc24421e2eca4730f31ab1c024eca407a2 100644 --- a/kicker.json +++ b/kicker.json @@ -51,5 +51,37 @@ "description": "Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.\n\n_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._", "type": "boolean" } + ], + "variants": [ + { + "id": "vault", + "name": "Vault", + "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server", + "template_path": "templates/gitlab-ci-openshift-vault.yml", + "variables": [ + { + "name": "TBC_VAULT_IMAGE", + "description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use", + "default": "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master", + "advanced": true + }, + { + "name": "VAULT_BASE_URL", + "description": "The Vault server base API url" + }, + { + "name": "VAULT_ROLE_ID", + "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID", + "mandatory": true, + "secret": true + }, + { + "name": "VAULT_SECRET_ID", + "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID", + "mandatory": true, + "secret": true + } + ] + } ] } diff --git a/templates/gitlab-ci-sonar-vault.yml b/templates/gitlab-ci-sonar-vault.yml new file mode 100644 index 0000000000000000000000000000000000000000..51fdf2d0a82f733ab02509b3ef4a6d7f99072b52 --- /dev/null +++ b/templates/gitlab-ci-sonar-vault.yml @@ -0,0 +1,16 @@ +# ===================================================================================================================== +# === Vault template variant +# ===================================================================================================================== +variables: + # variabilized vault-secrets-provider image + TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master" + # variables have to be explicitly declared in the YAML to be exported to the service + VAULT_ROLE_ID: "$VAULT_ROLE_ID" + VAULT_SECRET_ID: "$VAULT_SECRET_ID" + +sonar: + services: + - name: "$TBC_TRACKING_IMAGE" + command: ["--service", "sonar", "3.2.0" ] + - name: "$TBC_VAULT_IMAGE" + alias: "vault-secrets-provider"