add gitlab

2022-08-24 12:36:38 +07:00
parent 9c63fb579b
commit eb2c93c28c
2 changed files with 58 additions and 0 deletions
--- a/docs/vault-gitlab-ci.md
+++ b/docs/vault-gitlab-ci.md
@@ -0,0 +1,48 @@
+# Подключаем внешний вольт к Gitlab-CI
+
+1. настраиваем метод jwt
+
+```bash
+vault auth enable jwt
+vault write auth/jwt/config \
+  jwks_url="https://git.realmanual.ru/-/jwks" \
+  bound_issuer="git.realmanual.ru"
+```
+
+2. создаем тестовый секрет
+
+```bash
+vault kv put secret/gitlab/db1 password='pa$$w0rd'
+```
+
+3. настраиваем политику доступа к конкретному секрету
+
+```bash
+vault policy write gitlabci-policy - <<EOF
+path "secret/data/gitlab/db1" {
+  capabilities = [ "read" ]
+}
+EOF
+```
+
+4. создаем роль
+
+```bash
+vault write auth/jwt/role/gitlabci-role - <<EOF
+{
+  "role_type": "jwt",
+  "policies": ["gitlabci-policy"],
+  "token_explicit_max_ttl": 60,
+  "user_claim": "user_email",
+  "bound_claims_type": "glob",
+  "bound_claims": {
+    "project_id": "42",
+    "ref_protected": "true",
+    "ref_type": "tag",
+    "ref": "auto-deploy-*"
+  }
+}
+EOF
+```
+
+5. смотрим пример [.gitlab-ci.yml](../.gitlab-ci.yml)