Commit 3eaecb42 authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'gcp-oidc' into 'master'

Use OIDC authentication for GCP Artifact registry when publishing charts.

Closes #58

See merge request to-be-continuous/helm!88
parents 68ef1a45 9a384b66
+39 −0
@@ -548,3 +548,42 @@ variables:
  HELM_DEFAULT_KUBE_CONFIG: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/helm/noprod?field=kube_config"
  HELM_PROD_KUBE_CONFIG: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/helm/prod?field=kube_config"
```

### Google Cloud variant

This variant allows publishing your helm packages to Google Cloud's [Artifact Registry](https://cloud.google.com/artifact-registry).

:warning: this template doesn't support Google Cloud's [Container Registry](https://cloud.google.com/container-registry) that is [deprecated](https://cloud.google.com/container-registry/docs/deprecations/container-registry-deprecation) and whose support will be discontinued in May 2024.

List of requirements before using this variant for publishing your container images:

1. You must have a **Docker** repository in Artifact Registry (cf [Artifact Registry - Work with Helm charts](https://cloud.google.com/artifact-registry/docs/helm)),
2. You must have a Workload Identity Federation Pool,
3. You must have a Service Account with enough permissions to push to your Artifact Registry repository.

#### Configuration

| Input / Variable         | Description                            | Default value     |
| ------------------------ | -------------------------------------- | ----------------- |
| `TBC_GCP_PROVIDER_IMAGE` | The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:latest` |
| `gcp-oidc-aud` / `GCP_OIDC_AUD` | The `aud` claim for the JWT token      | `$CI_SERVER_URL` |
| `gcp-oidc-provider` / `GCP_OIDC_PROVIDER` | Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/) | _none_ |
| `gcp-oidc-account` / `GCP_OIDC_ACCOUNT` | Default Service Account to which impersonate with OpenID Connect authentication | _none_ |

#### Example

```yaml
include:
  # main template
  - component: gitlab.com/to-be-continuous/helm/gitlab-ci-helm@7.2.6
    inputs:
      # GCP Artifact Registry url
      publish-url: "oci://{GCP_REGION}-docker.pkg.dev/${GCP_PROJECT_ID}/charts"
  # GCP auth variant
  - component: gitlab.com/to-be-continuous/helm/gitlab-ci-helm-gcp@7.2.6
    inputs:
      # default WIF provider
      gcp-oidc-provider: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
      # default GCP Service Account
      gcp-oidc-account: "{YOUR_REGISTRY_SA}@{GCP_PROJECT_ID}.iam.gserviceaccount.com"
```
+29 −0
@@ -434,6 +434,35 @@
          "secret": true
        }
      ]
    },
    {
      "id": "gcp",
      "name": "Google Cloud",
      "description": "Retrieves a registry authentication for the Google Cloud's [Artifact Registry](https://cloud.google.com/artifact-registry)",
      "template_path": "templates/gitlab-ci-helm-gcp.yml",
      "variables": [
        {
          "name": "TBC_GCP_PROVIDER_IMAGE",
          "description": "The [GCP Auth Provider](https://gitlab.com/to-be-continuous/tools/gcp-auth-provider) image to use",
          "default": "registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:latest",
          "advanced": true
        },
        {
          "name": "GCP_OIDC_AUD",
          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
          "default": "$CI_SERVER_URL",
          "advanced": true
        },
        {
          "name": "GCP_OIDC_ACCOUNT",
          "description": "Default Service Account to which impersonate with OpenID Connect authentication"
        },
        {
          "name": "GCP_OIDC_PROVIDER",
          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
        }
      ]
    }

  ]
}
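Review bot: The `GCP_OIDC_AUD` description in this section links to the AWS OIDC documentation (`cloud_services/aws/`) while the `GCP_OIDC_PROVIDER` entry two objects below links to the Google Cloud page, which reads like a leftover from the AWS variant; change the link to `https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/`. The same AWS link is repeated in the `gcp-oidc-aud` input description of the new template file. Wording: `"Default Service Account to which impersonate with OpenID Connect authentication"` reads better as `"Default Service Account to impersonate with OpenID Connect authentication"`. Neither `GCP_OIDC_ACCOUNT` nor `GCP_OIDC_PROVIDER` carries a default, and the template side defaults both to the empty string, so if the kicker schema has a way to mark a variable as required it would help users catch a missing provider/account before the job fails at runtime.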
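--- /dev/null
+++ b/templates/gitlab-ci-helm-gcp.yml
@@ -0,0 +1,38 @@
+# =====================================================================================================================
+# === GCP Auth template variant
+# =====================================================================================================================
+spec:
+  inputs:
+    gcp-oidc-aud:
+      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      default: $CI_SERVER_URL
+    gcp-oidc-account:
+      description: Default Service Account to which impersonate with OpenID Connect
+        authentication
+      default: ''
+    gcp-oidc-provider:
+      description: Default Workload Identity Provider associated with GitLab to [authenticate
+        with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
+      default: ''
+---
+variables:
+  TBC_GCP_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:latest
+  GCP_OIDC_AUD: $[[ inputs.gcp-oidc-aud ]]
+  GCP_OIDC_ACCOUNT: $[[ inputs.gcp-oidc-account ]]
+  GCP_OIDC_PROVIDER: $[[ inputs.gcp-oidc-provider ]]
+  
+.helm-publish:
+  extends: .helm-base
+  services:
+    - name: "$TBC_TRACKING_IMAGE"
+      command: ["--service", "docker", "7.2.6"]
+    - name: "$TBC_GCP_PROVIDER_IMAGE"
+      alias: "gcp-auth-provider"
+  variables:
+    #  have to be explicitly declared in the YAML to be exported to the service
+    GCP_JWT: $GCP_JWT
+    HELM_PUBLISH_USER: oauth2accesstoken
+    HELM_PUBLISH_PASSWORD: '@url@http://gcp-auth-provider/token'
+  id_tokens:
+    GCP_JWT:
+      aud: "$GCP_OIDC_AUD"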
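Review bot: `TBC_GCP_PROVIDER_IMAGE` defaults to the mutable `:latest` tag, and that service is the component that receives the job's OIDC ID token (`GCP_JWT`) and returns the credential consumed as `HELM_PUBLISH_PASSWORD`, so whatever `:latest` resolves to at run time ends up trusted with the publish identity. Consider a pinned release tag or digest as the default, or at least document the expectation, e.g. `TBC_GCP_PROVIDER_IMAGE: registry.gitlab.com/to-be-continuous/tools/gcp-auth-provider:latest  # override with a pinned tag or @sha256 digest in production`. The `services` list repeats the tracking service entry presumably because `extends` replaces list values rather than merging them; a one-line comment above `services:` stating that would stop a future cleanup from dropping it. Minor: the `gcp-oidc-aud` description links to the AWS OIDC docs page instead of the Google Cloud one used two inputs below, the `#  have to be explicitly declared` comment has a double space, and the line after `GCP_OIDC_PROVIDER:` is whitespace-only.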
+9 −2
@@ -1116,11 +1116,18 @@ helm-lint:
        # workaround https://gitlab.com/gitlab-org/gitlab/-/issues/451764
        - "Chart.yaml"


# ==================================================
# Stage: For helm-package and helm-publish, we need a hidden job that could be override by authentication variant.
# ==================================================
.helm-publish:
  extends: .helm-base

# ==================================================
# Stage: package-build
# ==================================================
helm-package:
  extends: .helm-base
  extends: .helm-publish
  stage: package-build
  before_script:
    - !reference [.helm-scripts]
@@ -1145,7 +1152,7 @@ helm-package:
# Stage: publish
# ==================================================
helm-publish:
  extends: .helm-base
  extends: .helm-publish
  stage: publish
  script:
    # skip if semantic-release integration enabled and no release is required
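Review bot: Pointing `helm-package` at `.helm-publish` means that with the GCP variant the package-build job also gets the `gcp-auth-provider` service and the `GCP_JWT` id token, although only `helm-publish` pushes to the registry; if that is intended (for example so `helm dependency` can pull from an authenticated OCI registry during packaging) the comment on the hidden job should say so, otherwise leaving `helm-package` on `.helm-base` keeps the GCP credential confined to the one job that needs it. The hidden-job comment also has a grammar slip; suggest `# Stage: hidden job shared by helm-package and helm-publish, overridden by authentication variants.`. The `helm-package` and `helm-publish` job bodies continue outside these hunks.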