Commit df33dbc8 authored by Pierre Smeyers

Merge branch 'feat/support-id-tokens' into 'master'

feat: support ID tokens instead of CI_JOB_JWT

Closes #14

See merge request to-be-continuous/gcloud!46
parents 666b5459 f13362ce
+41 −0
@@ -94,6 +94,23 @@ The following commands may help you retrieve the different values:
- `gcloud iam workload-identity-pools list  --location=global --format="value(name)"` will list you POOL_IDs available on your `GCP_PROJECT`
- `gcloud iam workload-identity-pools providers list --workload-identity-pool=<my-pool>  --location=global --format="value(name)"` will return the list of available `PROVIDER_ID` for one `POOL_ID`

The template supports two ways to retrieve the JSON web token (JWT):

* using GitLab's `CI_JOB_JWT_V2` variable - _default_<br/>
  :warning: deprecated, scheduled to be removed in GitLab 16.5
* using an [ID token](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) named `GCP_JWT` - _configurable_

The ID token can be configured as follows in your `.gitlab-ci.yml` file:

```yaml
# enable GCP_JWT ID token for GCP jobs only
.gcp-base:
  id_tokens:
    GCP_JWT:
      # use your own audience url here
      aud: https://gitlab.com
```

### Deployment context variables

In order to manage the various deployment environments, this template provides a couple of **dynamic variables**
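Review bot: the `aud: https://gitlab.com` value in the `.gcp-base` snippet is a placeholder, and the comment `# use your own audience url here` does not say what it has to match: the `aud` claim of the ID token must be one of the allowed audiences configured on the Workload Identity Pool provider (`PROVIDER_ID` in the commands above), otherwise the token exchange is rejected. Suggest stating that explicitly next to the snippet, since a mismatch here surfaces only as an authentication failure inside the job.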
@@ -447,6 +464,23 @@ With:
| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
| `field` (_query parameter_)      | parameter to access a single basic field from the secret JSON payload |

The variant supports two ways to retrieve the JSON web token (JWT):

* using GitLab's `CI_JOB_JWT` variable - _default_<br/>
  :warning: deprecated, scheduled to be removed in GitLab 16.5
* using an [ID token](https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens) named `VAULT_JWT_TOKEN` - _configurable_

The ID token can be configured as follows in your `.gitlab-ci.yml` file:

```yaml
# enable VAULT_JWT_TOKEN ID token for GCP jobs only
.gcp-base:
  id_tokens:
    VAULT_JWT_TOKEN:
      # use your own audience url here
      aud: https://gitlab.com
```

#### Example

```yaml
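Review bot: switching from `CI_JOB_JWT` to an ID token changes the token's `aud` claim (an ID token carries whatever `aud` is set here, `https://gitlab.com` in the snippet), so the Vault JWT auth role used by the variant must have a matching `bound_audiences` value or the login fails after migration; the paragraph should mention this, since it currently presents the change as a drop-in replacement. Nit: the comment `# enable VAULT_JWT_TOKEN ID token for GCP jobs only` copies the GCP wording; here the token is consumed by the Vault secrets provider, which is worth saying so readers understand why it still lives under `.gcp-base`.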
@@ -465,4 +499,11 @@ variables:
    SOME_SECRET_USED_IN_MY_APP: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/prod/gcloud/secret?field=my.app.secret"
    VAULT_BASE_URL: "https://vault.acme.host/v1"
    # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable

# enable VAULT_JWT_TOKEN ID token for GCP jobs only
.gcp-base:
  id_tokens:
    VAULT_JWT_TOKEN:
      # use your own audience url here
      aud: https://gitlab.com
```
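Review bot: this example repeats the `.gcp-base` / `id_tokens` block verbatim from the section just above; consider replacing the copy with a reference, or use the example to show what that section does not: a project that needs both `GCP_JWT` and `VAULT_JWT_TOKEN` must declare them under the same `id_tokens:` mapping, because a second `.gcp-base:` key in the same `.gitlab-ci.yml` would not merge with the first.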
+1 −0
@@ -5,6 +5,7 @@ variables:
  # variabilized vault-secrets-provider image
  TBC_VAULT_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master"
  # variables have to be explicitly declared in the YAML to be exported to the service
  VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
  VAULT_ROLE_ID: "$VAULT_ROLE_ID"
  VAULT_SECRET_ID: "$VAULT_SECRET_ID"

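Review bot: `VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"` is declared unconditionally, so jobs that do not configure the `id_tokens` block export an empty `VAULT_JWT_TOKEN` to the `vault-secrets-provider` service rather than no variable at all; the fallback to `CI_JOB_JWT` described in the README only works if the service treats an empty value as unset, which should be verified against the provider (or documented as a requirement).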
+1 −1
@@ -285,7 +285,7 @@ stages:
      # see: https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/
      log_info "Authenticating with OpenID Connect..."
      assert_defined "$oidc_account" 'Missing required OpenID Connect service account'
      echo "${CI_JOB_JWT_V2}" > /tmp/.ci_job_jwt_file 
      echo "${GCP_JWT:-$CI_JOB_JWT_V2}" > /tmp/.ci_job_jwt_file 
      gcloud iam workload-identity-pools create-cred-config "$oidc_provider" \
        --service-account="$oidc_account" \
        --output-file=/tmp/.gcp_temp_cred.json \
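Review bot: `echo "${GCP_JWT:-$CI_JOB_JWT_V2}" > /tmp/.ci_job_jwt_file` silently writes an empty file when neither variable is set (for example once `CI_JOB_JWT_V2` is removed and `GCP_JWT` was not configured), and the failure then surfaces later in `gcloud` with a less helpful message; add a check in the style of the line above, e.g. `assert_defined "${GCP_JWT:-$CI_JOB_JWT_V2}" 'Missing GCP_JWT ID token (or CI_JOB_JWT_V2)'`. The file holds a bearer credential, so creating it with a restrictive mode (`umask 077` before the redirect, or `install -m 600`) would be a cheap hardening. Nit: the new line keeps the trailing whitespace of the one it replaces.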