add gitlab
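--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -0,0 +1,10 @@
+read_secrets:
+image: vault:latest
+script:
+- echo $CI_COMMIT_REF_NAME
+- echo $CI_COMMIT_REF_PROTECTED
+- export VAULT_ADDR=http://vault.bildme.ru
+- export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=gitlabci-role jwt=$CI_JOB_JWT)"
+- export PASSWORD="$(vault kv get -field=password secret/gitlab/db1)"
+- echo $PASSWORD
+when: manual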
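Review bot: `echo $PASSWORD` on the last script line writes the secret just fetched from Vault straight into the job log, where anyone allowed to view the pipeline can read it, and GitLab's variable masking does not cover values obtained at runtime; delete that line and hand `$PASSWORD` only to the command that actually needs it. The `export VAULT_ADDR=http://vault.bildme.ru` line uses plain HTTP, so the job JWT, the Vault token returned by the login and the password itself all cross the network unencrypted — this should be `https://`. Two smaller points: the login argument should be quoted, `jwt="$CI_JOB_JWT"`, and `image: vault:latest` is an unpinned tag that a registry change can silently swap for a different binary, so pin a specific version or digest. As far as I recall, `CI_JOB_JWT` is also a deprecated predefined variable superseded by the `id_tokens:` keyword in newer GitLab releases; worth confirming against the instance version before relying on it.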
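--- a/docs/vault-gitlab-ci.md
+++ b/docs/vault-gitlab-ci.md
@@ -0,0 +1,48 @@
+# Подключаем внешний вольт к Gitlab-CI
+
+1. настраиваем метод jwt
+
+```bash
+vault auth enable jwt
+vault write auth/jwt/config \
+jwks_url="https://git.realmanual.ru/-/jwks" \
+bound_issuer="git.realmanual.ru"
+```
+
+2. создаем тестовый секрет
+
+```bash
+vault kv put secret/gitlab/db1 password='pa$$w0rd'
+```
+
+3. настраиваем политику доступа к конкретному секрету
+
+```bash
+vault policy write gitlabci-policy - <<EOF
+path "secret/data/gitlab/db1" {
+capabilities = [ "read" ]
+}
+EOF
+```
+
+4. создаем роль
+
+```bash
+vault write auth/jwt/role/gitlabci-role - <<EOF
+{
+"role_type": "jwt",
+"policies": ["gitlabci-policy"],
+"token_explicit_max_ttl": 60,
+"user_claim": "user_email",
+"bound_claims_type": "glob",
+"bound_claims": {
+"project_id": "42",
+"ref_protected": "true",
+"ref_type": "tag",
+"ref": "auto-deploy-*"
+}
+}
+EOF
+```
+
+5. смотрим пример [.gitlab-ci.yml](../.gitlab-ci.yml)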