Skip to content

Instantly share code, notes, and snippets.

@lightcode

lightcode/.gitlab-ci.yml

Last active Jan 2, 2021
Embed
What would you like to do?
Utiliser Vault depuis vos pipelines Gitlab CI | https://lightcode.fr/article/vault-gitlab/
demo:
image: vault:1.6.0
script:
- export VAULT_ADDR=https://vault.example.com
- export VAULT_TOKEN="$(vault write -field=token auth/gitlab-jwt/login role=read-secret-demo jwt=$CI_JOB_JWT)"
- USERNAME="$(vault kv get -field=username kv/demo/hello)"
- PASSWORD="$(vault kv get -field=password kv/demo/hello)"
- echo "The secret is ${USERNAME}:${PASSWORD}"
only:
refs: ["master"]
# Input variables
variable vault_url {
type = string
description = "URL to Vault (example: https://vault.example.com)"
}
variable gitlab_url {
type = string
description = "URL to Gitlab (example: https://gitlab.example.com)"
}
variable gitlab_host {
type = string
description = "Host of Gitlab (example: gitlab.example.com)"
}
variable gitlab_project_id {
type = string
description = "ID of the Gitlab project"
}
# Enable JWT backend
resource "vault_auth_backend" "jwt" {
type = "jwt"
}
# Configure JWT backend with the Gitlab URL
resource "vault_jwt_auth_backend" "gitlab" {
path = "gitlab-jwt"
jwks_url = "${var.gitlab_url}/-/jwks"
bound_issuer = var.gitlab_host
}
# Role for our demo pipeline
resource "vault_jwt_auth_backend_role" "read_secret_demo" {
backend = vault_jwt_auth_backend.gitlab.path
role_name = "read-secret-demo"
role_type = "jwt"
token_policies = [vault_policy.read_secret_demo.name]
user_claim = "user_email"
bound_claims = {
project_id = var.gitlab_project_id
ref = "master"
ref_type = "branch"
}
}
# Policy to allow our role to read secrets in kv/demo/*
resource "vault_policy" "read_secret_demo" {
name = "read-secret-demo"
policy = <<EOT
path "kv/demo/*" {
capabilities = ["read"]
}
EOT
}
# Demo secret in the KV store
resource "vault_generic_secret" "demo_secret" {
path = "kv/demo/hello"
data_json = <<EOT
{
"username": "foo",
"password": "bar"
}
EOT
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment