Loading README.md +56 −0 Original line number Diff line number Diff line Loading 
@@ -365,6 +365,62 @@ variables: DOCKER_RELEASE_IMAGE: "$CI_REGISTRY/$CI_PROJECT_PATH/back:$CI_COMMIT_REF_NAME" ``` ## Variants The Docker template can be used in conjunction with template variants to cover specific cases. ### Vault variant This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server. #### Configuration In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters: | Name | description | default value | | ----------------- | -------------------------------------- | ----------------- | | `VAULT_BASE_URL` | The Vault server base API url | _none_ | | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** | | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** | #### Usage Then you may retrieve any of your secret(s) from Vault using the following syntax: ```text @url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field} ``` With: | Name | description | | -------------------------------- | -------------------------------------- | | `secret_path` (_path parameter_) | this is your secret location in the Vault server | | `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload | #### Example ```yaml include: # main template - project: 'to-be-continuous/docker' ref: '2.2.0' file: '/templates/gitlab-ci-docker.yml' # Vault variant - project: 'to-be-continuous/docker' ref: '2.2.0' file: '/templates/gitlab-ci-docker-vault.yml' variables: # Secrets managed by Vault DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=user" DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=token" DOCKER_REGISTRY_RELEASE_USER: 
"@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=user" DOCKER_REGISTRY_RELEASE_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=token" VAULT_BASE_URL: "https://vault.acme.host/v1" # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable ``` ## Gitlab compatibility :information_source: This template is actually tested and validated on GitLab Community Edition instance version 13.12.11 kicker.json +27 −0 Original line number Diff line number Diff line Loading 
@@ -170,5 +170,32 @@ } ] } ], "variants": [ { "id": "vault", "name": "Vault", "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server", "template_path": "templates/gitlab-ci-docker-vault.yml", "variables": [ { "name": "VAULT_BASE_URL", "description": "The Vault server base API url", "mandatory": true }, { "name": "VAULT_ROLE_ID", "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID", "mandatory": true, "secret": true }, { "name": "VAULT_SECRET_ID", "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID", "mandatory": true, "secret": true } ] } ] } templates/gitlab-ci-docker-vault.yml 0 → 100644 +14 −0 Original line number Diff line number Diff line # ===================================================================================================================== # === Vault template variant # ===================================================================================================================== variables: # variables have to be explicitly declared in the YAML to be exported to the service VAULT_ROLE_ID: "$VAULT_ROLE_ID" VAULT_SECRET_ID: "$VAULT_SECRET_ID" .docker-base: services: - name: "$CI_REGISTRY/to-be-continuous/tools/tracking:master" command: ["--service", "docker", "2.2.0"] - name: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master" alias: "vault-secrets-provider" Loading
README.md +56 −0 Original line number Diff line number Diff line Loading 
@@ -365,6 +365,62 @@ variables: DOCKER_RELEASE_IMAGE: "$CI_REGISTRY/$CI_PROJECT_PATH/back:$CI_COMMIT_REF_NAME" ``` ## Variants The Docker template can be used in conjunction with template variants to cover specific cases. ### Vault variant This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server. #### Configuration In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters: | Name | description | default value | | ----------------- | -------------------------------------- | ----------------- | | `VAULT_BASE_URL` | The Vault server base API url | _none_ | | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** | | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** | #### Usage Then you may retrieve any of your secret(s) from Vault using the following syntax: ```text @url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field} ``` With: | Name | description | | -------------------------------- | -------------------------------------- | | `secret_path` (_path parameter_) | this is your secret location in the Vault server | | `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload | #### Example ```yaml include: # main template - project: 'to-be-continuous/docker' ref: '2.2.0' file: '/templates/gitlab-ci-docker.yml' # Vault variant - project: 'to-be-continuous/docker' ref: '2.2.0' file: '/templates/gitlab-ci-docker-vault.yml' variables: # Secrets managed by Vault DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=user" DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=token" DOCKER_REGISTRY_RELEASE_USER: 
"@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=user" DOCKER_REGISTRY_RELEASE_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/release/credentials?field=token" VAULT_BASE_URL: "https://vault.acme.host/v1" # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable ``` ## Gitlab compatibility :information_source: This template is actually tested and validated on GitLab Community Edition instance version 13.12.11
kicker.json +27 −0 Original line number Diff line number Diff line Loading @@ -170,5 +170,32 @@ } ] } ], "variants": [ { "id": "vault", "name": "Vault", "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server", "template_path": "templates/gitlab-ci-docker-vault.yml", "variables": [ { "name": "VAULT_BASE_URL", "description": "The Vault server base API url", "mandatory": true }, { "name": "VAULT_ROLE_ID", "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID", "mandatory": true, "secret": true }, { "name": "VAULT_SECRET_ID", "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID", "mandatory": true, "secret": true } ] } ] }
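--- /dev/null
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -0,0 +1,14 @@
+# =====================================================================================================================
+# === Vault template variant
+# =====================================================================================================================
+variables:
+  # variables have to be explicitly declared in the YAML to be exported to the service
+  VAULT_ROLE_ID: "$VAULT_ROLE_ID"
+  VAULT_SECRET_ID: "$VAULT_SECRET_ID"
+
+.docker-base:
+  services:
+    - name: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
+      command: ["--service", "docker", "2.2.0"]
+    - name: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
+      alias: "vault-secrets-provider"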
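Review bot: Both service images under `.docker-base.services` are pulled from the mutable `:master` tag, and the second one, `vault-secrets-provider`, is the container that is handed `VAULT_ROLE_ID`/`VAULT_SECRET_ID` (per the comment on `variables:`) and answers every `@url@http://vault-secrets-provider/...` lookup, so whatever is published to that tag at job time gets the AppRole credentials and the resolved secrets. Pinning it to a release tag or an image digest, e.g. `name: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:<PINNED_TAG_OR_DIGEST>"`, would make that dependency reviewable and reproducible; if the floating tag is intentional, a one-line comment saying why would help. Redefining `services` here presumably replaces, rather than appends to, the list inherited from `.docker-base` in the main template, which looks like the reason the tracking service is redeclared with `"2.2.0"`; a comment such as `# replaces the services of .docker-base from gitlab-ci-docker.yml; keep the tracking version in sync with the template release` would make that coupling explicit for the next bump. `.docker-base` itself is defined outside this file.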