Utiliser Vault depuis vos pipelines Gitlab CI | https://lightcode.fr/article/vault-gitlab/
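demo:
  # Vault CLI image: the job only needs the `vault` binary to talk to an
  # external server; no Vault service is started here.
  image: vault:1.6.0
  script:
    - export VAULT_ADDR=https://vault.example.com
    # Trade the job's identity token for a Vault token via the gitlab-jwt auth
    # mount. The role only accepts jobs from the bound project/branch, so this
    # step (and the job) fails on any other ref.
    # NOTE(review): CI_JOB_JWT is the legacy job token; newer Gitlab releases
    # issue per-job ID tokens (`id_tokens:`) instead — check what your Gitlab
    # version provides and whether the token's "iss" claim changes with it.
    - export VAULT_TOKEN="$(vault write -field=token auth/gitlab-jwt/login role=read-secret-demo jwt="$CI_JOB_JWT")"
    - USERNAME="$(vault kv get -field=username kv/demo/hello)"
    - PASSWORD="$(vault kv get -field=password kv/demo/hello)"
    # Never echo the fetched secret: values read at runtime are not covered by
    # Gitlab's variable masking and would land in the job log, which anyone who
    # can view the pipeline can read. Only prove that the lookup worked.
    - test -n "$PASSWORD"
    - echo "Fetched credentials for ${USERNAME} from Vault"
    # Drop the token as soon as it is no longer needed (best effort: skipped if
    # an earlier step fails, so the Vault role should also set a short token_ttl).
    - vault token revoke -self
  only:
    refs: ["master"]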
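# Input variables
#
# All values are operator-supplied. vault_url is not referenced in this
# listing (presumably the provider "vault" block elsewhere consumes it —
# confirm); the Gitlab values feed the JWT auth backend and role below.
# The validation blocks require Terraform >= 0.13.
variable "vault_url" {
  type        = string
  description = "URL to Vault (example: https://vault.example.com)"

  # Tokens and secrets transit this endpoint: refuse plaintext HTTP.
  validation {
    condition     = can(regex("^https://", var.vault_url))
    error_message = "The vault_url value must start with https://."
  }
}

variable "gitlab_url" {
  type        = string
  description = "URL to Gitlab (example: https://gitlab.example.com)"

  # Vault fetches the JWT signing keys from "${gitlab_url}/-/jwks"; over plain
  # HTTP an on-path attacker could substitute keys and forge logins.
  validation {
    condition     = can(regex("^https://", var.gitlab_url))
    error_message = "The gitlab_url value must start with https://."
  }
}

variable "gitlab_host" {
  type        = string
  description = "Host of Gitlab (example: gitlab.example.com)"

  # Compared verbatim against the token's "iss" claim, so it must be a bare
  # host name: no scheme, port, path or trailing slash. (It is not derived from
  # gitlab_url because a validation block may only reference its own variable.)
  validation {
    condition     = !can(regex("[/:]", var.gitlab_host))
    error_message = "The gitlab_host value must be a bare host name without scheme, port or path."
  }
}

variable "gitlab_project_id" {
  type        = string
  description = "ID of the Gitlab project"

  # Kept as a string because the role's bound_claims is matched as string
  # values; the check catches passing the project path instead of its numeric ID.
  validation {
    condition     = can(regex("^[0-9]+$", var.gitlab_project_id))
    error_message = "The gitlab_project_id value must be the numeric project ID."
  }
}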
# Enable JWT backend
#
# NOTE(review): this enables a second, unconfigured "jwt" auth mount at the
# default path "jwt". The vault_jwt_auth_backend resource below mounts and
# configures its own backend at "gitlab-jwt", which is the one the role and
# the pipeline (auth/gitlab-jwt/login) use, so this resource looks redundant:
# it only leaves an extra, unused login endpoint enabled. Verify nothing else
# depends on it and consider removing it.
resource "vault_auth_backend" "jwt" {
  type = "jwt"
}
# Configure JWT backend with the Gitlab URL
#
# Vault fetches Gitlab's signing keys from "${gitlab_url}/-/jwks" and only
# accepts tokens whose "iss" claim equals gitlab_host. gitlab_url must
# therefore be HTTPS (a plaintext JWKS fetch would let an on-path attacker
# substitute keys), and gitlab_host must be exactly the issuer value Gitlab
# puts in the job token.
# NOTE(review): if Gitlab serves TLS from a private CA, Vault also needs that
# CA bundle (jwks_ca_pem) to fetch the JWKS — confirm for your deployment.
resource "vault_jwt_auth_backend" "gitlab" {
  path         = "gitlab-jwt"
  jwks_url     = "${var.gitlab_url}/-/jwks"
  bound_issuer = var.gitlab_host
}
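# Role for our demo pipeline
#
# Only a job whose token carries exactly these claims can log in:
#   project_id == var.gitlab_project_id, ref == "master", ref_type == "branch"
# (bound_claims are exact string matches). The resulting Vault token carries
# only the read-secret-demo policy.
resource "vault_jwt_auth_backend_role" "read_secret_demo" {
  backend        = vault_jwt_auth_backend.gitlab.path
  role_name      = "read-secret-demo"
  role_type      = "jwt"
  token_policies = [vault_policy.read_secret_demo.name]

  # Entity alias name in Vault: one alias per Gitlab user who triggers a job.
  user_claim = "user_email"

  bound_claims = {
    project_id = var.gitlab_project_id
    ref        = "master"
    ref_type   = "branch"
  }
  # NOTE(review): nothing above requires "master" to be a protected branch on
  # the Gitlab side. Gitlab job tokens also carry a ref_protected claim that
  # could be bound here — confirm the claim is present in your Gitlab version
  # before adding it.

  # Without these the minted token inherits the Vault server default TTL,
  # which is far longer than a CI job. The job needs the token for seconds,
  # so cap it: a token that leaks through a job log or artifact expires
  # within minutes.
  token_ttl     = 600
  token_max_ttl = 600
}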
# Policy to allow our role to read secrets in kv/demo/*
#
# Read-only and scoped to the demo prefix: no "list", no write capability,
# nothing outside kv/demo/.
# NOTE(review): this path shape only matches a KV *version 1* mount at "kv/".
# On a KV v2 mount the data lives under "kv/data/demo/*" and this policy would
# grant nothing usable — confirm the engine version of the "kv" mount.
resource "vault_policy" "read_secret_demo" {
  name   = "read-secret-demo"
  policy = <<EOT
path "kv/demo/*" {
capabilities = ["read"]
}
EOT
}
# Demo secret in the KV store
#
# Placeholder credentials so the pipeline has something to read.
# NOTE(review): data_json ends up in the Terraform state, so this pattern is
# for throwaway demo values only — real credentials should be written to Vault
# out of band, never as literals in a .tf file.
# Like the policy above, the path assumes a KV v1 mount; a KV v2 mount would
# need "kv/data/demo/hello" here together with the matching policy path.
resource "vault_generic_secret" "demo_secret" {
  path      = "kv/demo/hello"
  data_json = <<EOT
{
"username": "foo",
"password": "bar"
}
EOT
}