Commit 34a26aab authored by Pierre Smeyers's avatar Pierre Smeyers
Browse files

Merge branch 'feat/deprecated-jwt-variables' into 'master' 

feat(oidc): OIDC authentication support now requires explicit configuration(see doc)

Closes #56

See merge request to-be-continuous/docker!82
parents 94a549b6 521f918b

README.md

+3 −0
Original line number Diff line number Diff line
@@ -524,6 +524,7 @@ In order to be able to communicate with the Vault server, the variant requires t 
| ----------------- | -------------------------------------- | ----------------- |

| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` |

| `VAULT_BASE_URL`  | The Vault server base API url          | _none_ |

| `VAULT_OIDC_AUD`  | The `aud` claim for the JWT | `$CI_SERVER_URL` |

| :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |

| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
@@ -556,6 +557,8 @@ include: 
    file: '/templates/gitlab-ci-docker-vault.yml'



variables:

    # audience claim for JWT

    VAULT_OIDC_AUD: "https://vault.acme.host"

    # Secrets managed by Vault

    DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=user"

    DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=token"

templates/gitlab-ci-docker-gcp.yml

+13 −6
Original line number Diff line number Diff line
@@ -3,14 +3,21 @@ 
# =====================================================================================================================

variables:

  TBC_GCP_AUTH_PROVIDER: "$CI_REGISTRY/to-be-continuous/tools/gcp-auth-provider:main"

    CI_JOB_JWT_V2: $CI_JOB_JWT_V2 # For the gitlab runner authentication in TBC_GCP_AUTH_PROVIDER

    DOCKER_REGISTRY_SNAPSHOT_USER: oauth2accesstoken

    DOCKER_REGISTRY_RELEASE_USER: oauth2accesstoken

    DOCKER_REGISTRY_SNAPSHOT_PASSWORD: '@url@http://gcp-auth-provider/token?envType=snapshot'

    DOCKER_REGISTRY_RELEASE_PASSWORD: '@url@http://gcp-auth-provider/token?envType=release'

  GCP_OIDC_AUD: "$CI_SERVER_URL"



.docker-base:

  services:

    - name: "$TBC_TRACKING_IMAGE"

      command: ["--service", "docker", "5.2.2"]

    - name: "$TBC_GCP_AUTH_PROVIDER"

      alias: "gcp-auth-provider"

  variables:

    #  have to be explicitly declared in the YAML to be exported to the service

    GCP_JWT: $GCP_JWT

    DOCKER_REGISTRY_SNAPSHOT_USER: oauth2accesstoken

    DOCKER_REGISTRY_RELEASE_USER: oauth2accesstoken

    DOCKER_REGISTRY_SNAPSHOT_PASSWORD: '@url@http://gcp-auth-provider/token?envType=snapshot'

    DOCKER_REGISTRY_RELEASE_PASSWORD: '@url@http://gcp-auth-provider/token?envType=release'

  id_tokens:

    GCP_JWT:

      aud: "$GCP_OIDC_AUD"

templates/gitlab-ci-docker-vault.yml

+6 −0
Original line number Diff line number Diff line
@@ -7,6 +7,7 @@ variables: 
  # variables have to be explicitly declared in the YAML to be exported to the service

  VAULT_ROLE_ID: "$VAULT_ROLE_ID"

  VAULT_SECRET_ID: "$VAULT_SECRET_ID"

  VAULT_OIDC_AUD: "$CI_SERVER_URL"



.docker-base:

  services:
@@ -14,3 +15,8 @@ variables: 
      command: ["--service", "docker", "5.2.2"]

    - name: "$TBC_VAULT_IMAGE"

      alias: "vault-secrets-provider"

  variables:

    VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"

  id_tokens:

    VAULT_JWT_TOKEN:

      aud: "$VAULT_OIDC_AUD"