Commit 86894deb authored by Aleksander Zak's avatar Aleksander Zak Committed by Furkan Ayhan

Support Vault EE namespaces

Currently the vault integration does not support Vault EE namespaces.
Only the vault server URL, role name and auth path can be configured
with the variables. It is possible to just prefix the engine's path
with the namespace, but it is not possible to specify the namespace
for the authentication - it always uses the root namespace.

This change makes the namespace configurable with the VAULT_NAMESPACE
variable (similar to how `VAULT_SERVER_URL`, `VAULT_AUTH_ROLE` and
`VAULT_AUTH_PATH` are being used already). It will fall back to an
empty string in case the variable is not defined by the user.

Fall back to an empty string instead of 'root' when no vault namespace is specified by the user.

Changelog: added
parent c97e9f4f
...@@ -9,6 +9,7 @@ type: concepts, howto ...@@ -9,6 +9,7 @@ type: concepts, howto
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218746) in GitLab 13.4 and GitLab Runner 13.4. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218746) in GitLab 13.4 and GitLab Runner 13.4.
> - `file` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250695) in GitLab 14.1 and GitLab Runner 14.1. > - `file` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250695) in GitLab 14.1 and GitLab Runner 14.1.
> - `VAULT_NAMESPACE` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/255619) in GitLab 14.9 and GitLab Runner 14.9.
Secrets represent sensitive information your CI job needs to complete work. This Secrets represent sensitive information your CI job needs to complete work. This
sensitive information can be items like API tokens, database credentials, or private keys. sensitive information can be items like API tokens, database credentials, or private keys.
...@@ -90,6 +91,9 @@ To configure your Vault server: ...@@ -90,6 +91,9 @@ To configure your Vault server:
If no role is specified, Vault uses the [default role](https://www.vaultproject.io/api/auth/jwt#default_role) If no role is specified, Vault uses the [default role](https://www.vaultproject.io/api/auth/jwt#default_role)
specified when the authentication method was configured. specified when the authentication method was configured.
- `VAULT_AUTH_PATH` - Optional. The path where the authentication method is mounted, default is `jwt`. - `VAULT_AUTH_PATH` - Optional. The path where the authentication method is mounted, default is `jwt`.
- `VAULT_NAMESPACE` - Optional. The [Vault Enterprise namespace](https://www.vaultproject.io/docs/enterprise/namespaces) to use for reading secrets and authentication.
If no namespace is specified, Vault uses the `root` ("`/`") namespace.
The setting is ignored by Vault Open Source.
NOTE: NOTE:
Support for providing these values in the user interface [is tracked in this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/218677). Support for providing these values in the user interface [is tracked in this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/218677).
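Review bot: the new `VAULT_NAMESPACE` bullet should say how it interacts with an engine path that already carries the namespace as a prefix, since the commit message notes that prefixing the path was the previous workaround; a user who keeps the prefix and also sets `VAULT_NAMESPACE` would otherwise read secrets from a doubly-namespaced path. A one-line note such as "Do not also prefix the engine path with the namespace when this setting is used" would close that gap. The fallback sentence should also match the implementation: the commit message says the value falls back to an empty string, while this text says Vault uses `root`; both can be true, but stating that the variable is sent unset and Vault then applies `root` avoids the ambiguity.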
......
...@@ -17,6 +17,7 @@ module EE ...@@ -17,6 +17,7 @@ module EE
def vault_server def vault_server
@vault_server ||= { @vault_server ||= {
'url' => variable_value('VAULT_SERVER_URL'), 'url' => variable_value('VAULT_SERVER_URL'),
'namespace' => variable_value('VAULT_NAMESPACE'),
'auth' => { 'auth' => {
'name' => 'jwt', 'name' => 'jwt',
'path' => variable_value('VAULT_AUTH_PATH', 'jwt'), 'path' => variable_value('VAULT_AUTH_PATH', 'jwt'),
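Review bot: `variable_value('VAULT_NAMESPACE')` is called without a default, unlike `variable_value('VAULT_AUTH_PATH', 'jwt')` on the next line, so the runner receives `nil` when the variable is undefined, and the presenter spec in this same commit pins that with `to be_nil`. The commit message, however, states the fallback is an empty string. Either pass `''` as the explicit default here or correct the commit message and docs so the runner-facing contract is stated once and consistently.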
......
...@@ -83,6 +83,24 @@ RSpec.describe Ci::BuildRunnerPresenter do ...@@ -83,6 +83,24 @@ RSpec.describe Ci::BuildRunnerPresenter do
end end
end end
context 'Vault namespace' do
let(:vault_server) { presenter.secrets_configuration.dig('DATABASE_PASSWORD', 'vault', 'server') }
context 'VAULT_NAMESPACE CI variable is present' do
it 'contains user defined namespace' do
create(:ci_variable, project: ci_build.project, key: 'VAULT_NAMESPACE', value: 'custom_namespace')
expect(vault_server.fetch('namespace')).to eq('custom_namespace')
end
end
context 'VAULT_NAMESPACE CI variable is not present' do
it 'returns nil' do
expect(vault_server.fetch('namespace')).to be_nil
end
end
end
context 'File variable configuration' do context 'File variable configuration' do
subject { presenter.secrets_configuration.dig('DATABASE_PASSWORD') } subject { presenter.secrets_configuration.dig('DATABASE_PASSWORD') }
......
...@@ -59,6 +59,7 @@ RSpec.describe API::Ci::Runner do ...@@ -59,6 +59,7 @@ RSpec.describe API::Ci::Runner do
'vault' => { 'vault' => {
'server' => { 'server' => {
'url' => 'https://vault.example.com', 'url' => 'https://vault.example.com',
'namespace' => nil,
'auth' => { 'auth' => {
'name' => 'jwt', 'name' => 'jwt',
'path' => 'jwt', 'path' => 'jwt',
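Review bot: `'namespace' => nil` in the expected runner payload documents that the key is always emitted, as JSON `null`, even when no namespace is configured. Since GitLab Runner is the consumer of this structure, it would be worth a short comment here (or in the API docs) that runners must treat `null` and an absent key identically, so older runner versions that predate this field are not affected.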
......