From a617e8e48db080d489ac4824149150827d15f03f Mon Sep 17 00:00:00 2001
From: Pierre Smeyers <pierre.smeyers@gmail.com>
Date: Tue, 1 Aug 2023 09:26:24 +0200
Subject: [PATCH] feat(oidc): OIDC authentication support now requires explicit configuration (see doc)

Due to CI_JOB_JWT-* variables discontinued, TBC now switches to ID tokens for Vault authentication support.

BREAKING CHANGE: OIDC authentication support now requires explicit configuration (see doc)
---
 README.md | 3 +++
 templates/gitlab-ci-sonar-vault.yml | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/README.md b/README.md
index 018f4f8..94b3d1d 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,7 @@ In order to be able to communicate with the Vault server, the variant requires t
 | ----------------- | -------------------------------------- | ----------------- |
 | `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` |
 | `VAULT_BASE_URL` | The Vault server base API url | _none_ |
+| `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
 | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
 | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
@@ -101,6 +102,8 @@ include:
 file: '/templates/gitlab-ci-sonar-vault.yml'
 variables:
+ # audience claim for JWT VAULT_OIDC_AUD: "https://vault.acme.host"
 # Secrets managed by Vault
 SONAR_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/sonar?field=token"
 VAULT_BASE_URL: "https://vault.acme.host/v1"
diff --git a/templates/gitlab-ci-sonar-vault.yml b/templates/gitlab-ci-sonar-vault.yml
index 9340de5..1f605cc 100644
--- a/templates/gitlab-ci-sonar-vault.yml
+++ b/templates/gitlab-ci-sonar-vault.yml
@@ -7,6 +7,7 @@ variables:
 # variables have to be explicitly declared in the YAML to be exported to the service
 VAULT_ROLE_ID: "$VAULT_ROLE_ID"
 VAULT_SECRET_ID: "$VAULT_SECRET_ID"
+ VAULT_OIDC_AUD: "$CI_SERVER_URL"
 sonar:
 services:
@@ -14,3 +15,8 @@ sonar:
 command: ["--service", "sonar", "3.3.0" ]
 - name: "$TBC_VAULT_IMAGE"
 alias: "vault-secrets-provider"
+ variables: VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN" id_tokens: VAULT_JWT_TOKEN: aud: "$VAULT_OIDC_AUD"
-- GitLab
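Review bot: The default `VAULT_OIDC_AUD: "$CI_SERVER_URL"` binds the job's ID token to the GitLab instance rather than to the Vault server that consumes it, which is a weak audience: any relying party that also accepts `aud` equal to the GitLab URL would accept the same token, and the README example in this very commit overrides it to the Vault URL anyway. An `aud` naming the intended recipient is what stops a leaked or misrouted token from being replayed elsewhere; on the Vault side the JWT role should pin the same value in `bound_audiences` and, as far as possible, restrict `bound_claims` (project path, protected ref) so a token from any project on the instance is not sufficient. I would say so at the declaration: `# aud claim of the job ID token; override with your Vault server URL and configure the same value in the Vault JWT role's bound_audiences`. The top-level `variables:` block this hunk extends starts outside the hunk.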
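Review bot: Re-exporting the ID token under `variables:` as `VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"` hands a bearer credential for Vault to every service container of the `sonar` job, not only to `vault-secrets-provider`; the other service in the same `services:` list receives it as well, and the existing comment only says variables must be declared to reach "the service". Exposure is presumably bounded by the token lifetime, which I believe is tied to the job, but the trust implication deserves a comment at the new `variables:` entry, e.g. `# ID token consumed by vault-secrets-provider; as a job variable it is visible to every service of this job, so keep the Vault role's bound_claims tight`. Separately, expanding a variable inside `aud:` is a comparatively recent GitLab capability (16.1 if I remember the release notes correctly); on an older instance the literal string `$VAULT_OIDC_AUD` would be minted as the audience and Vault would reject the token, so a minimum-version note in the README would save users a confusing failure. The `sonar` job definition begins outside the hunk.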