diff --git a/README.md b/README.md
index 018f4f8888e6e394aa4c859a9275446659c152fe..94b3d1de5331895a1b470e567bf3789ed3478846 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,7 @@ In order to be able to communicate with the Vault server, the variant requires t
 | ----------------- | -------------------------------------- | ----------------- |
 | `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` |
 | `VAULT_BASE_URL` | The Vault server base API url | _none_ |
+| `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
 | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
 | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
@@ -101,6 +102,8 @@ include:
 file: '/templates/gitlab-ci-sonar-vault.yml'
 variables:
+ # audience claim for JWT
+ VAULT_OIDC_AUD: "https://vault.acme.host"
 # Secrets managed by Vault
 SONAR_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/sonar?field=token"
 VAULT_BASE_URL: "https://vault.acme.host/v1"
diff --git a/templates/gitlab-ci-sonar-vault.yml b/templates/gitlab-ci-sonar-vault.yml
index 9340de55e186933e3f7b2d0bcf4d6c8dd87d43e4..1f605cc22bec0bd8d51116c8ff212789b4989173 100644
--- a/templates/gitlab-ci-sonar-vault.yml
+++ b/templates/gitlab-ci-sonar-vault.yml
@@ -7,6 +7,7 @@ variables:
 # variables have to be explicitly declared in the YAML to be exported to the service
 VAULT_ROLE_ID: "$VAULT_ROLE_ID"
 VAULT_SECRET_ID: "$VAULT_SECRET_ID"
+ VAULT_OIDC_AUD: "$CI_SERVER_URL"
 sonar:
 services:
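Review bot: The default `VAULT_OIDC_AUD: "$CI_SERVER_URL"` makes the GitLab instance URL the audience of the token this variant presents to Vault, whereas the README example in the same commit sets it to the Vault URL; an `aud` should name the intended relying party, and a token minted for a generic audience like the GitLab URL could be accepted by any other consumer configured to trust that same value, which is exactly what the Vault role's `bound_audiences` is meant to rule out. Since `VAULT_BASE_URL` has no default to derive from, keep the variable but document the contract next to it: `# audience (aud) of the ID token presented to Vault; must equal bound_audiences of the Vault JWT role — prefer the Vault URL over the GitLab URL`. The enclosing top-level `variables:` mapping starts before the hunk.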
@@ -14,3 +15,8 @@ sonar:
 command: ["--service", "sonar", "3.3.0" ]
 - name: "$TBC_VAULT_IMAGE"
 alias: "vault-secrets-provider"
+ variables:
+ VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
+ id_tokens:
+ VAULT_JWT_TOKEN:
+ aud: "$VAULT_OIDC_AUD"
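Review bot: `aud: "$VAULT_OIDC_AUD"` depends on GitLab expanding a CI variable inside `id_tokens`, which as far as I know only recent GitLab releases do; on an older instance the literal string `$VAULT_OIDC_AUD` becomes the audience and Vault's `bound_audiences` check rejects the token, so the template should state the minimum GitLab version it assumes. The re-declaration `VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"` under `variables:` serves the same purpose as the `VAULT_ROLE_ID`/`VAULT_SECRET_ID` lines earlier in the file but carries no explanation; I would add `# re-declared so the ID token is exported to the vault-secrets-provider service`. Whether this `variables:` key belongs to the job or to the service entry is not recoverable from the collapsed hunk — if it is the service-level one, `id_tokens:` still has to sit at job level for GitLab to mint the token.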