feat: add Vault variant (7e328c1a) · Commits · to be continuous... / GitOps

README.md

+57 −0

Original line number	Diff line number	Diff line
		@@ -145,3 +145,60 @@ The triggers definition is formatted as follows:
		> - manage them as [project or group CI/CD variables](https://docs.gitlab.com/ci/variables/#for-a-project):
		> * [masked](https://docs.gitlab.com/ci/variables/#mask-a-cicd-variable) to prevent them from being inadvertently displayed in your job logs,
		> * [protected](https://docs.gitlab.com/ci/variables/#protected-cicd-variables) if you want to secure some secrets you don't want everyone in the project to have access to (for instance production secrets).

		## Variants

		### Vault variant

		This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server.

		#### Configuration

		In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:

		\| INPUT / Variable \| Description \| Default value \|
		\| ----------------------------------- \| ------------------------------------------------------------------------------------------------------------------------------- \| -------------------------------------------------------------------------- \|
		\| `TBC_VAULT_IMAGE` \| The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) \| `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` \|
		\| `vault-base-url` / `VAULT_BASE_URL` \| The Vault server base API url \| must be defined \|
		\| `vault-oidc-aud` / `VAULT_OIDC_AUD` \| The `aud` claim for the JWT \| `$CI_SERVER_URL` \|
		\| :lock: `VAULT_ROLE_ID` \| The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID \| _none_ \|
		\| :lock: `VAULT_SECRET_ID` \| The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID \| _none_ \|

		By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ci/secrets/id_token_authentication/). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.

		#### Usage

		Then you may retrieve any of your secret(s) from Vault using the following syntax:

		```
		@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field}
		```

		With:

		\| Name \| Description \|
		\| -------------------------------- \| --------------------------------------------------------------------- \|
		\| `secret_path` (_path parameter_) \| this is your secret location in the Vault server \|
		\| `field` (_query parameter_) \| parameter to access a single basic field from the secret JSON payload \|

		#### Example

		```yaml
		include:
		# main template
		- project: "to-be-continuous/gitops"
		ref: "1.0.0"
		file: "/templates/gitlab-ci-gitops.yml"
		# Vault variant
		- project: "to-be-continuous/gitops"
		ref: "1.0.0"
		file: "/templates/gitlab-ci-gitops-vault.yml"

		variables:
		# audience claim for JWT
		VAULT_OIDC_AUD: "https://vault.acme.host"
		# Vault server Url
		VAULT_BASE_URL: "https://vault.acme.host/v1"
		# Secrets managed by Vault
		GITOPS_TRIGGER_ONPROD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-srv/gitops/prod?field=trigger"
		```

kicker.json

+37 −0

Original line number	Diff line number	Diff line
		@@ -32,5 +32,42 @@
		"description": "The GitOps changes to trigger on release tags (JSON) - see doc",
		"secret": true
		}
		],
		"variants": [
		{
		"id": "vault",
		"name": "Vault",
		"description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",
		"template_path": "templates/gitlab-ci-gitops-vault.yml",
		"variables": [
		{
		"name": "TBC_VAULT_IMAGE",
		"description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",
		"default": "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master",
		"advanced": true
		},
		{
		"name": "VAULT_BASE_URL",
		"description": "The Vault server base API url"
		},
		{
		"name": "VAULT_OIDC_AUD",
		"description": "The `aud` claim for the JWT",
		"default": "$CI_SERVER_URL"
		},
		{
		"name": "VAULT_ROLE_ID",
		"description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID",
		"mandatory": true,
		"secret": true
		},
		{
		"name": "VAULT_SECRET_ID",
		"description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID",
		"mandatory": true,
		"secret": true
		}
		]
		}
		]
		}

templates/gitlab-ci-gitops-vault.yml

0 → 100644

+32 −0

Original line number	Diff line number	Diff line
		# =====================================================================================================================
		# === Vault template variant
		# =====================================================================================================================
		spec:
		inputs:
		vault-oidc-aud:
		description: The `aud` claim for the JWT
		default: $CI_SERVER_URL
		vault-base-url:
		description: The Vault server base API url
		default: ''
		---
		variables:
		# variabilized vault-secrets-provider image
		TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master
		# variables have to be explicitly declared in the YAML to be exported to the service
		VAULT_ROLE_ID: $VAULT_ROLE_ID
		VAULT_SECRET_ID: $VAULT_SECRET_ID
		VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]]
		VAULT_BASE_URL: $[[ inputs.vault-base-url ]]

		gitops-trigger:
		services:
		- name: "$TBC_TRACKING_IMAGE"
		command: ["--service", "gitops", "1.0.0"]
		- name: "$TBC_VAULT_IMAGE"
		alias: "vault-secrets-provider"
		variables:
		VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
		id_tokens:
		VAULT_JWT_TOKEN:
		aud: "$VAULT_OIDC_AUD"