Commit bff477ad authored by Krasimir Angelov's avatar Krasimir Angelov

Save secrets config in DB when processing CI yaml

Update CI YAML processor to fetch secrets configuration from
CI config and store it in the database.

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/28321 and
https://gitlab.com/gitlab-org/gitlab/-/issues/218746.
parent 661d1ff7
...@@ -204,4 +204,32 @@ RSpec.describe Gitlab::Ci::YamlProcessor do ...@@ -204,4 +204,32 @@ RSpec.describe Gitlab::Ci::YamlProcessor do
end end
end end
end end
describe 'Secrets' do
let(:secrets) do
{
DATABASE_PASSWORD: {
vault: 'production/db/password'
}
}
end
let(:config) { { deploy_to_production: { stage: 'deploy', script: ['echo'], secrets: secrets } } }
subject(:processor) { described_class.new(YAML.dump(config)) }
it "returns secrets info" do
secrets = processor.stage_builds_attributes('deploy').first.fetch(:secrets)
expect(secrets).to eq({
DATABASE_PASSWORD: {
vault: {
engine: { name: 'kv-v2', path: 'kv-v2' },
path: 'production/db',
field: 'password'
}
}
})
end
end
end end
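Review bot: The local `secrets` assigned in the example (`secrets = processor.stage_builds_attributes('deploy').first.fetch(:secrets)`) shadows the `let(:secrets)` helper defined a few lines above, so within the `it` block the same name means the processed output instead of the input config. Renaming the local, e.g. `build_secrets = processor.stage_builds_attributes('deploy').first.fetch(:secrets)` and `expect(build_secrets).to eq(...)`, keeps the input/output distinction readable. A one-line comment above the expected hash, such as `# the 'production/db/password' shorthand is expanded into engine/path/field`, would also help, since the expansion itself happens in code outside this hunk. Only the single-secret shorthand-string input is covered; if the processor also accepts the already-expanded hash as input, that path is left unasserted here.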
...@@ -142,6 +142,37 @@ RSpec.describe Ci::CreatePipelineService, '#execute' do ...@@ -142,6 +142,37 @@ RSpec.describe Ci::CreatePipelineService, '#execute' do
end end
end end
describe 'job with secrets' do
before do
stub_ci_pipeline_yaml_file <<~YAML
deploy:
script:
- echo
secrets:
DATABASE_PASSWORD:
vault: production/db/password
YAML
end
it 'persists secrets as job metadata' do
pipeline = create_pipeline!
expect(pipeline).to be_persisted
build = Ci::Build.find(pipeline.builds.first.id)
expect(build.metadata.secrets).to eq({
'DATABASE_PASSWORD' => {
'vault' => {
'engine' => { 'name' => 'kv-v2', 'path' => 'kv-v2' },
'path' => 'production/db',
'field' => 'password'
}
}
})
end
end
def create_pipeline! def create_pipeline!
service.execute(:push) service.execute(:push)
end end
......
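Review bot: `build = Ci::Build.find(pipeline.builds.first.id)` re-reads the build from the database without saying why, and the string-keyed expectation that follows (`'DATABASE_PASSWORD' => { 'vault' => ... }`) only makes sense after that round-trip. A short comment such as `# re-read from the DB so the assertion covers the persisted metadata, not the in-memory object` would make the intent explicit for the next reader. `create_pipeline!` is shown only as context here; its definition and the surrounding `describe` begin outside the hunk.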
...@@ -92,6 +92,7 @@ module Gitlab ...@@ -92,6 +92,7 @@ module Gitlab
cache: job[:cache], cache: job[:cache],
resource_group_key: job[:resource_group], resource_group_key: job[:resource_group],
scheduling_type: job[:scheduling_type], scheduling_type: job[:scheduling_type],
secrets: job[:secrets],
options: { options: {
image: job[:image], image: job[:image],
services: job[:services], services: job[:services],
......
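Review bot: `secrets: job[:secrets]` feeds the processed secrets configuration into the build attributes that end up persisted (the create_pipeline_service spec in this commit reads it back via `build.metadata.secrets`), but nothing at this site records that the stored value is a vault reference (engine/path/field) rather than secret material. A comment on the new line such as `# vault reference (engine/path/field) from the CI config, not a secret value` would help keep later changes from treating the column as either safe to log freely or as a place to store resolved values. The enclosing method begins and ends outside the hunk, so whether `job[:secrets]` is validated or normalized before reaching this hash cannot be confirmed from this view.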