Sinankoylu

Reputation: 11

Vault integration with gitlab and define in gitlab-ci.yaml

I am trying to integrate Vault and GitLab.

The Vault side is OK, and I am trying to locate Vault in our gitlab-ci.yaml, but I am confused about something.

Where is the location of Vault in the YAML?

We use GitLab EE (community).

Our YAML:

.kaniko-build:
  stage: build
  before_script:
    - mkdir -p /kaniko/.docker
    # Write the registry credentials file that kaniko reads; the values come from CI/CD variables.
    - |
      cat <<EOF > /kaniko/.docker/config.json
        {
          "auths":{
            "${CI_REGISTRY}":{
              "auth":"$(printf "%s:%s" "${CI_REGISTRY_USER}" "${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')"
            },
            "https://index.docker.io/v1/":{
              "auth":"$(printf "%s:%s" "${DOCKERHUB_USERNAME}" "${DOCKERHUB_PASSWORD}" | base64 | tr -d '\n')"
            }
          }
        }
      EOF
    # Do not print the file: it contains base64-encoded registry credentials and would end up in the job log.
    # - cat /kaniko/.docker/config.json
  script:
    - >-
      /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${DOCKERFILE_PATH}"
      --destination "${CI_REGISTRY_IMAGE}:${CI_PIPELINE_IID}"
      --destination "${CI_REGISTRY_IMAGE}:latest"
      --cache
    - echo $(date) $(date)
  image:
    name: gcr.io/kaniko-project/executor:v1.8.0-debug
    entrypoint: [""]

test-build:
  extends: .kaniko-build
  when: manual
  variables:
    DOCKERFILE_PATH: "devops/test/Dockerfile"
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - devops/test/Dockerfile
  interruptible: true

Upvotes: 1

Views: 1055

Answers (1)

LiveByTheCode

Reputation: 41

If you've not already done so, you first need to configure Vault for JWT authentication.

vault auth enable -path=jwt/gitlab jwt

Then configure the new JWT auth with a token validation endpoint that references your GitLab instance.

# The auth method was mounted at jwt/gitlab above, so its config lives under that mount path.
vault write auth/jwt/gitlab/config \
  jwks_url="https://gitlab.example.com/-/jwks" \
  bound_issuer="gitlab.example.com"

Now, in your gitlab-ci.yml, log in to Vault.

- export VAULT_ADDR="https://vault.example.com"   # the address of the Vault server, not the GitLab host
- export VAULT_TOKEN="$(vault write -field=token auth/jwt/gitlab/login role=SOME_ROLE_NAME jwt="$CI_JOB_JWT")"

Next, in your gitlab-ci.yml, retrieve the secret.

- export EXAMPLE_SECRET="$(vault kv get -field=EXAMPLE_SECRET_KEY kv-v2/example/secret/path)"

This is all covered in more detail in the official GitLab docs here.

Upvotes: 2
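The answer's steps wired into the asker's kaniko pipeline, as an added example (it is not the asker's or the answerer's code). It assumes a Vault server at https://vault.example.com (placeholder), the JWT auth method mounted at auth/jwt/gitlab as the answer enables it, a kv-v2 engine mounted at kv-v2 holding a dockerhub secret with a password field, and a hypothetical role dockerhub-ci and policy ci-dockerhub-read whose one-time creation is shown in the header comments; the project id 1234 is a placeholder. It goes beyond the answer in one respect: the role is restricted with bound_claims, so a JWT from a different project or from an unprotected branch is rejected at login rather than being able to read the secret.

```yaml
# Added example, not code from the question or the answer.
#
# One-time Vault setup, run by an operator (not from CI). Assumes the JWT auth
# method is already enabled at auth/jwt/gitlab and configured with GitLab's JWKS.
#
#   vault policy write ci-dockerhub-read - <<'EOF'
#   path "kv-v2/data/dockerhub" { capabilities = ["read"] }
#   EOF
#
#   vault write auth/jwt/gitlab/role/dockerhub-ci - <<'EOF'
#   {
#     "role_type": "jwt",
#     "user_claim": "project_path",
#     "token_policies": ["ci-dockerhub-read"],
#     "token_explicit_max_ttl": 600,
#     "bound_claims": {
#       "project_id": "1234",
#       "ref_protected": "true"
#     }
#   }
#   EOF
#
# bound_claims pins the role to one project (placeholder id 1234) and to jobs
# running on protected refs; CI_JOB_JWT carries both claims, so a job from
# another project or an unprotected branch cannot log in with this role.

stages:
  - secrets
  - build

# The kaniko debug image has no vault CLI, so the login runs in a separate job
# that uses the official Vault image and hands the value on via a dotenv report.
fetch-dockerhub-secret:
  stage: secrets
  image:
    name: hashicorp/vault:1.15   # tag is an assumption; pin one you have verified
    entrypoint: [""]
  variables:
    VAULT_ADDR: "https://vault.example.com"   # Vault server, not the GitLab host
  script:
    # Exchange the job's JWT for a short-lived Vault token. Vault verifies the
    # signature against GitLab's JWKS, the issuer, and the role's bound_claims.
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/gitlab/login role=dockerhub-ci jwt="$CI_JOB_JWT")"
    # Read one field of the kv-v2 secret into a dotenv file; never echo it.
    - echo "DOCKERHUB_PASSWORD=$(vault kv get -field=password kv-v2/dockerhub)" > vault.env
    # Revoke the token as soon as it is no longer needed.
    - vault token revoke -self
  artifacts:
    reports:
      dotenv: vault.env
    expire_in: 1 hour
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"

# The asker's build job, now depending on the secret-fetching job. Variables
# from the dotenv report are injected into this job's environment, so the
# existing before_script in .kaniko-build sees DOCKERHUB_PASSWORD unchanged.
test-build:
  extends: .kaniko-build
  needs:
    - job: fetch-dockerhub-secret
      artifacts: true
  variables:
    DOCKERFILE_PATH: "devops/test/Dockerfile"
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"
      exists:
        - devops/test/Dockerfile
```

Two things to weigh before copying this. A dotenv report is stored by GitLab as a job artifact until it expires, so anyone who can download the job's artifacts can read the password; if that is unacceptable, build a kaniko image that includes the vault CLI and move the two vault commands into the before_script of .kaniko-build, or use GitLab's built-in secrets: keyword where your tier supports it. The second point is the rule on CI_COMMIT_REF_PROTECTED: it mirrors the ref_protected bound claim, so the pipeline does not create jobs that Vault would refuse anyway.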
