Commit 208aca80, authored Sep 18, 2020 by Amy Qualls (slowly returning after surgery)
Merge branch 'secrets-docsadd' into 'master'
Add hashicorp image for JWT flow See merge request gitlab-org/gitlab!42404
parents: 0378c9fd, 85d55682
Showing 2 changed files with 19 additions and 6 deletions:
doc/ci/img/gitlab_vault_workflow_v13_4.png (+0 -0)
doc/ci/secrets/index.md (+19 -6)
doc/ci/img/gitlab_vault_workflow_v13_4.png (new file, mode 0 → 100644, 46.4 KB)
doc/ci/secrets/index.md
...
@@ -17,23 +17,36 @@ Unlike CI variables, which are always presented to a job, secrets must be explic
...
@@ -17,23 +17,36 @@ Unlike CI variables, which are always presented to a job, secrets must be explic
required by a job. Read
[
GitLab CI/CD pipeline configuration reference
](
../yaml/README.md#secrets
)
required by a job. Read
[
GitLab CI/CD pipeline configuration reference
](
../yaml/README.md#secrets
)
for more information about the syntax.
for more information about the syntax.
GitLab has selected
[
Vault by Hashi
c
orp
](
https://www.vaultproject.io
)
as the
GitLab has selected
[
Vault by Hashi
C
orp
](
https://www.vaultproject.io
)
as the
first supported provider, and
[
KV-V2
](
https://www.vaultproject.io/docs/secrets/kv/kv-v2
)
first supported provider, and
[
KV-V2
](
https://www.vaultproject.io/docs/secrets/kv/kv-v2
)
as the first supported secrets engine.
as the first supported secrets engine.
GitLab authenticates using Vault's
GitLab authenticates using Vault's
[
J
WT Auth
method
](
https://www.vaultproject.io/docs/auth/jwt#jwt-authentication
)
, using
[
J
SON Web Token (JWT) authentication
method
](
https://www.vaultproject.io/docs/auth/jwt#jwt-authentication
)
, using
the
[
JSON Web Token
](
https://gitlab.com/gitlab-org/gitlab/-/issues/207125
)
(
`CI_JOB_JWT`
)
the
[
JSON Web Token
](
https://gitlab.com/gitlab-org/gitlab/-/issues/207125
)
(
`CI_JOB_JWT`
)
introduced in GitLab 12.10.
introduced in GitLab 12.10.
You must
[
configure your Vault server
](
#configure-your-vault-server
)
before you
You must
[
configure your Vault server
](
#configure-your-vault-server
)
before you
can use
[
use Vault secrets in a CI job
](
#use-vault-secrets-in-a-ci-job
)
.
can use
[
use Vault secrets in a CI job
](
#use-vault-secrets-in-a-ci-job
)
.
The flow for using GitLab with HashiCorp Vault
is summarized by this diagram:
![
Flow between GitLab and HashiCorp
](
../img/gitlab_vault_workflow_v13_4.png
"How GitLab CI_JOB_JWT works with HashiCorp Vault"
)
1.
Configure your vault and secrets.
1.
Generate your JWT and provide it to your CI job.
1.
Runner contacts HashiCorp Vault and authenticates using the JWT.
1.
HashiCorp Vault verifies the JWT.
1.
HashiCorp Vault checks the bounded claims and attaches policies.
1.
HashiCorp Vault returns the token.
1.
Runner reads secrets from the HashiCoupr Vault.
NOTE:
**Note:**
NOTE:
**Note:**
Read the
[
Authenticating and Reading Secrets With Hashi
c
orp Vault
](
../examples/authenticating-with-hashicorp-vault/index.md
)
Read the
[
Authenticating and Reading Secrets With Hashi
C
orp Vault
](
../examples/authenticating-with-hashicorp-vault/index.md
)
tutorial for a version of this feature
that i
s available to all
tutorial for a version of this feature
. It'
s available to all
subscription levels, supports writing secrets to and deleting secrets from Vault,
subscription levels, supports writing secrets to and deleting secrets from Vault,
and multiple secrets engines.
and
supports
multiple secrets engines.
## Configure your Vault server
## Configure your Vault server
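Review bot: "HashiCoupr Vault" in the last step of the new numbered list is a typo for "HashiCorp Vault"; worth fixing in this same hunk, which is already correcting the casing of "Hashicorp" in two link texts. Step 2, "Generate your JWT and provide it to your CI job", also reads as if the user produces the token, while the paragraph above says the job authenticates with the `CI_JOB_JWT` that GitLab introduced in 12.10; consider "GitLab generates the `CI_JOB_JWT` and provides it to the CI job." so readers do not try to mint their own token.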
...
@@ -149,7 +162,7 @@ generated by this GitLab instance may be allowed to authenticate using this role
...
@@ -149,7 +162,7 @@ generated by this GitLab instance may be allowed to authenticate using this role
For a full list of
`CI_JOB_JWT`
claims, read the
For a full list of
`CI_JOB_JWT`
claims, read the
[
How it works
](
../examples/authenticating-with-hashicorp-vault/index.md#how-it-works
)
section of the
[
How it works
](
../examples/authenticating-with-hashicorp-vault/index.md#how-it-works
)
section of the
[
Authenticating and Reading Secrets With Hashi
c
orp Vault
](
../examples/authenticating-with-hashicorp-vault/index.md
)
tutorial.
[
Authenticating and Reading Secrets With Hashi
C
orp Vault
](
../examples/authenticating-with-hashicorp-vault/index.md
)
tutorial.
You can also specify some attributes for the resulting Vault tokens, such as time-to-live,
You can also specify some attributes for the resulting Vault tokens, such as time-to-live,
IP address range, and number of uses. The full list of options is available in
IP address range, and number of uses. The full list of options is available in
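Review bot: style only: the capitalisation fix to "HashiCorp" in the link text matches the two occurrences corrected in the first hunk, and the link target ../examples/authenticating-with-hashicorp-vault/index.md is unchanged, so nothing else in this hunk needs attention.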