Commit 3bb0167e authored by Cédric OLIVIER's avatar Cédric OLIVIER
Browse files

feat: add vault variant

parent a36f0255

README.md

+57 −0
Original line number Diff line number Diff line
@@ -160,3 +160,60 @@ The data stored in the database is not encrypted at rest. Intra-platform network 
## Version history



See [Tags page](https://gitlab.com/to-be-continuous/defectdojo/-/tags)



## Variants



The DefectDojo template can be used in conjunction with template variants to cover specific cases.



### Vault variant



This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server.



#### Configuration



In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:



| Name              | Description                            | Default value     |

| ----------------- | -------------------------------------- | ----------------- |

| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` |

| `VAULT_BASE_URL`  | The Vault server base API url          | _none_ |

| `VAULT_OIDC_AUD`  | The `aud` claim for the JWT | `$CI_SERVER_URL` |

| :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |

| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |



#### Usage



Then you may retrieve any of your secret(s) from Vault using the following syntax:



```text

@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field}

```



With:



| Name                             | Description                            |

| -------------------------------- | -------------------------------------- |

| `secret_path` (_path parameter_) | this is your secret location in the Vault server |

| `field` (_query parameter_)      | parameter to access a single basic field from the secret JSON payload |



#### Example



```yaml

include:

  # main template

  - project: 'to-be-continuous/defectdojo'

    ref: '2.1.1'

    file: '/templates/gitlab-ci-defectdojo.yml'

  # Vault variant

  - project: 'to-be-continuous/defectdojo'

    ref: '2.1.1'

    file: '/templates/gitlab-ci-defectdojo-vault.yml'



variables:

    # audience claim for JWT

    VAULT_OIDC_AUD: "https://vault.acme.host"

    # Secrets managed by Vault

    DEFECTDOJO_API_KEY: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/defectdojo/credentials?field=token"

    VAULT_BASE_URL: "https://vault.acme.host/v1"

    # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable

```

kicker.json

+34 −0
Original line number Diff line number Diff line
@@ -115,5 +115,39 @@ 
      "type": "boolean",

      "advanced": true

    }

  ],

  "variants": [

    {

      "id": "vault",

      "name": "Vault",

      "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",

      "template_path": "templates/gitlab-ci-defectdojo-vault.yml",

      "variables": [

        {

          "name": "TBC_VAULT_IMAGE",

          "description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",

          "default": "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master",

          "advanced": true

        },

        {

          "name": "VAULT_BASE_URL",

          "description": "The Vault server base API url",

          "mandatory": true

        },

        {

          "name": "VAULT_ROLE_ID",

          "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID",

          "mandatory": true,

          "secret": true

        },

        {

          "name": "VAULT_SECRET_ID",

          "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID",

          "mandatory": true,

          "secret": true

        }

      ]

    }

  ]



}

templates/gitlab-ci-defectdojo-vault.yml

0 → 100644
+23 −0
Original line number Diff line number Diff line 
# =====================================================================================================================

# === Vault template variant

# =====================================================================================================================

variables:

  # variabilized vault-secrets-provider image

  TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"

  # variables have to be explicitly declared in the YAML to be exported to the service

  VAULT_ROLE_ID: "$VAULT_ROLE_ID"

  VAULT_SECRET_ID: "$VAULT_SECRET_ID"

  VAULT_OIDC_AUD: "$CI_SERVER_URL"



defectdojo:

  services:

    - name: "$TBC_TRACKING_IMAGE"

      command: ["--service", "defectdojo", "2.1.1" ]

    - name: "$TBC_VAULT_IMAGE"

      alias: "vault-secrets-provider"

  variables:

    VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"

  id_tokens:

    VAULT_JWT_TOKEN:

      aud: "$VAULT_OIDC_AUD"