Commit ee3a95a5 authored by Clement Bois's avatar Clement Bois
Browse files

Merge branch '1-add-variant-template-with-vault' into 'master' 

Resolve "Add variant template with Vault"

Closes #1

See merge request to-be-continuous/bruno!32
parents 72ac706d c703b169

README.md

+58 −2
Original line number Diff line number Diff line
@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`: 
```yaml

include:

  # 1: include the component

  - component: $CI_SERVER_FQDN/to-be-continuous/bruno/gitlab-ci-bruno@1.0.0

  - component: $CI_SERVER_FQDN/to-be-continuous/bruno/gitlab-ci-bruno@1.10.0

    # 2: set/override component inputs

    inputs:

      review-enabled: true # ⚠ this is only an example
@@ -28,7 +28,7 @@ Add the following to your `.gitlab-ci.yml`: 
include:

  # 1: include the template

  - project: 'to-be-continuous/bruno'

    ref: '1.0.0'

    ref: '1.10.0'

    file: '/templates/gitlab-ci-bruno.yml'



variables:
@@ -76,3 +76,59 @@ The Bruno template supports _optional_ **hook scripts** from your project, locat 


* `pre-bruno.sh` is executed **before** running Bruno,

* `post-bruno.sh` is executed **after** running Bruno (whichever the tests status).



## Variants



The Bruno template can be used in conjunction with template variants to cover specific cases.



### Vault variant



This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server.



#### Configuration



In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:



| Input / Variable                    | Description                                                                                                                     | Default value                                                              |

| ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- |

| `TBC_VAULT_IMAGE`                   | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` |

| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url                                                                                                   | **must be defined**                                                        |

| `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT                                                                                                     | `$CI_SERVER_URL`                                                           |

| :lock: `VAULT_ROLE_ID`              | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID                                                             | _none_                                                                     |

| :lock: `VAULT_SECRET_ID`            | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID                                                           | _none_                                                                     |



By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ci/secrets/id_token_authentication/). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.



#### Usage



Then you may retrieve any of your secret(s) from Vault using the following syntax:



```text

@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field}

```



With:



| Parameter                        | Description                                                           |

| -------------------------------- | --------------------------------------------------------------------- |

| `secret_path` (_path parameter_) | this is your secret location in the Vault server                      |

| `field` (_query parameter_)      | parameter to access a single basic field from the secret JSON payload |



#### Example



```yaml

include:

  # main template

  - component: $CI_SERVER_FQDN/to-be-continuous/bruno/gitlab-ci-bruno@1.10.0

  # Vault variant

  - component: $CI_SERVER_FQDN/to-be-continuous/bruno/gitlab-ci-bruno-vault@1.10.0

    inputs:

      # audience claim for JWT

      vault-oidc-aud: "https://vault.acme.host"

      vault-base-url: "https://vault.acme.host/v1"



variables:

  # Secrets managed by Vault

  MY_APP_TESTING_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/testing/snapshot/credentials?field=user"

  MY_APP_TESTING_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/testing/snapshot/credentials?field=password"

```

kicker.json

+38 −0
Original line number Diff line number Diff line
@@ -40,5 +40,43 @@ 
      "description": "Set to enable Bruno tests on review environments (dynamic environments instantiated on development branches)",

      "type": "boolean"

    }

  ],

  "variants": [

    {

      "id": "vault",

      "name": "Vault",

      "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",

      "template_path": "templates/gitlab-ci-bruno-vault.yml",

      "variables": [

        {

          "name": "TBC_VAULT_IMAGE",

          "description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",

          "default": "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest",

          "advanced": true

        },

        {

          "name": "VAULT_BASE_URL",

          "description": "The Vault server base API url",

          "mandatory": true

        },

        {

          "name": "VAULT_OIDC_AUD",

          "description": "The `aud` claim for the JWT",

          "default": "$CI_SERVER_URL"

        },

        {

          "name": "VAULT_ROLE_ID",

          "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID",

          "mandatory": true,

          "secret": true

        },

        {

          "name": "VAULT_SECRET_ID",

          "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID",

          "mandatory": true,

          "secret": true

        }

      ]

    }

  ]

}

templates/gitlab-ci-bruno-vault.yml

0 → 100644
+38 −0
Original line number Diff line number Diff line 
# =====================================================================================================================

# === Vault template variant

# =====================================================================================================================

spec:

  inputs:

    vault-base-url:

      description: The Vault server base API url

      default: ''

    vault-oidc-aud:

      description: The `aud` claim for the JWT

      default: $CI_SERVER_URL

---

variables:

  # variabilized vault-secrets-provider image

  TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest

  VAULT_BASE_URL: $[[ inputs.vault-base-url ]]

  # variables have to be explicitly declared in the YAML to be exported to the service

  VAULT_ROLE_ID: "$VAULT_ROLE_ID"

  VAULT_SECRET_ID: "$VAULT_SECRET_ID"

  VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]]



bruno:

  services:

    - name: "$TBC_TRACKING_IMAGE"

      command: ["--service", "bruno", "1.10.0"]

    - name: "$TBC_VAULT_IMAGE"

      alias: "vault-secrets-provider"

      variables:

        SKIP_SSL: "false"

  variables:

    VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"

    VAULT_CA_CERTS: |

      $DEFAULT_CA_CERTS

      $CUSTOM_CA_CERTS

  id_tokens:

    VAULT_JWT_TOKEN:

      aud: "$VAULT_OIDC_AUD"