feat(vault): add Vault support (variant)

1be92594 · Pierre Smeyers · ef9e15e0 · 1be92594 · 1be92594 · 1be92594
Commit 1be92594 authored 1 year ago by Pierre Smeyers
--- a/README.md
+++ b/README.md
@@ -54,3 +54,55 @@ The `sonar-project.properties` file is also the recommended way to configure oth
 as well as [language specific parameters](https://docs.sonarqube.org/latest/analyzing-source-code/test-coverage/overview/).
 Each _to-be-continuous_ build template shall briefly document the supported language-specific SonarQube parameters.
+## Variants
+### Vault variant
+This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server.
+#### Configuration
+In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
+| Name              | description                            | default value     |
+| ----------------- | -------------------------------------- | ----------------- |
+| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` |
+| `VAULT_BASE_URL`  | The Vault server base API url          | _none_ |
+| :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
+| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
+#### Usage
+Then you may retrieve any of your secret(s) from Vault using the following syntax:
+```text
+@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field}
+```
+With:
+| Name                             | description                            |
+| -------------------------------- | -------------------------------------- |
+| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
+| `field` (_query parameter_)      | parameter to access a single basic field from the secret JSON payload |
+#### Example
+```yaml
+include:
+  # main template
+  - project: 'to-be-continuous/sonar'
+    ref: '3.2.0'
+    file: '/templates/gitlab-ci-sonar.yml'
+  # Vault variant
+  - project: 'to-be-continuous/sonar'
+    ref: '3.2.0'
+    file: '/templates/gitlab-ci-sonar-vault.yml'
+variables:
+    # Secrets managed by Vault
+    SONAR_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/sonar?field=token"
+    VAULT_BASE_URL: "https://vault.acme.host/v1"
+    # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
+```
--- a/kicker.json
+++ b/kicker.json
@@ -51,5 +51,37 @@
      "description": "Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.\n\n_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._",
      "type": "boolean"
    }
+  ],
+  "variants": [
+    {
+      "id": "vault",
+      "name": "Vault",
+      "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",
+      "template_path": "templates/gitlab-ci-openshift-vault.yml",
+      "variables": [
+        {
+          "name": "TBC_VAULT_IMAGE",
+          "description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",
+          "default": "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master",
+          "advanced": true
+        },
+        {
+          "name": "VAULT_BASE_URL",
+          "description": "The Vault server base API url"
+        },
+        {
+          "name": "VAULT_ROLE_ID",
+          "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID",
+          "mandatory": true,
+          "secret": true
+        },
+        {
+          "name": "VAULT_SECRET_ID",
+          "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID",
+          "mandatory": true,
+          "secret": true
+        }
+      ]
+    }
  ]
 }
--- a/templates/gitlab-ci-sonar-vault.yml
+++ b/templates/gitlab-ci-sonar-vault.yml
+# =====================================================================================================================
+# === Vault template variant
+# =====================================================================================================================
+variables:
+  # variabilized vault-secrets-provider image
+  TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
+  # variables have to be explicitly declared in the YAML to be exported to the service
+  VAULT_ROLE_ID: "$VAULT_ROLE_ID"
+  VAULT_SECRET_ID: "$VAULT_SECRET_ID"
+sonar:
+  services:
+    - name: "$TBC_TRACKING_IMAGE"
+      command: ["--service", "sonar", "3.2.0" ]
+    - name: "$TBC_VAULT_IMAGE"
+      alias: "vault-secrets-provider"