Commit ff66d9b7 authored by Grzegorz Bizon's avatar Grzegorz Bizon

Merge branch 'ci-secrets-yaml-processing' into 'master'

Fetch and store CI secrets configuration when processing CI yaml

See merge request gitlab-org/gitlab!34896
parents 62c2cb5e bff477ad
...@@ -204,4 +204,32 @@ RSpec.describe Gitlab::Ci::YamlProcessor do ...@@ -204,4 +204,32 @@ RSpec.describe Gitlab::Ci::YamlProcessor do
end end
end end
end end
describe 'Secrets' do
let(:secrets) do
{
DATABASE_PASSWORD: {
vault: 'production/db/password'
}
}
end
let(:config) { { deploy_to_production: { stage: 'deploy', script: ['echo'], secrets: secrets } } }
subject(:processor) { described_class.new(YAML.dump(config)) }
it "returns secrets info" do
secrets = processor.stage_builds_attributes('deploy').first.fetch(:secrets)
expect(secrets).to eq({
DATABASE_PASSWORD: {
vault: {
engine: { name: 'kv-v2', path: 'kv-v2' },
path: 'production/db',
field: 'password'
}
}
})
end
end
end end
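Review bot: The local `secrets` assigned inside the `returns secrets info` example shadows the `let(:secrets)` input defined a few lines above, so one name means the raw config in one place and the processed result in the other. Renaming the local, e.g. `job_secrets = processor.stage_builds_attributes('deploy').first.fetch(:secrets)`, keeps the two apart. The example also exercises only the short string form `vault: 'production/db/password'`. Because this value comes from a user-edited CI file, a companion example for a job that declares no `secrets:` key would pin what the processor returns in that case, and the same gap applies to the `job with secrets` examples in the pipeline service spec. The enclosing `RSpec.describe` block starts outside the hunk.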
...@@ -142,6 +142,37 @@ RSpec.describe Ci::CreatePipelineService, '#execute' do ...@@ -142,6 +142,37 @@ RSpec.describe Ci::CreatePipelineService, '#execute' do
end end
end end
describe 'job with secrets' do
before do
stub_ci_pipeline_yaml_file <<~YAML
deploy:
script:
- echo
secrets:
DATABASE_PASSWORD:
vault: production/db/password
YAML
end
it 'persists secrets as job metadata' do
pipeline = create_pipeline!
expect(pipeline).to be_persisted
build = Ci::Build.find(pipeline.builds.first.id)
expect(build.metadata.secrets).to eq({
'DATABASE_PASSWORD' => {
'vault' => {
'engine' => { 'name' => 'kv-v2', 'path' => 'kv-v2' },
'path' => 'production/db',
'field' => 'password'
}
}
})
end
end
def create_pipeline! def create_pipeline!
service.execute(:push) service.execute(:push)
end end
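Review bot: In `persists secrets as job metadata` the build is re-read with `Ci::Build.find(pipeline.builds.first.id)` instead of being taken from the pipeline object, and nothing says why. This is presumably so that the assertion reads what was actually written to the database; a comment such as `# re-read the build so the assertion covers the persisted metadata, not the in-memory object` would make that explicit. The expected hash contains only the Vault reference (engine, path, field) and no secret value; a one-line comment stating that this is the intended shape of `build.metadata.secrets` would help later readers. The surrounding `RSpec.describe` block starts and ends outside the hunk.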
......
...@@ -92,6 +92,7 @@ module Gitlab ...@@ -92,6 +92,7 @@ module Gitlab
cache: job[:cache], cache: job[:cache],
resource_group_key: job[:resource_group], resource_group_key: job[:resource_group],
scheduling_type: job[:scheduling_type], scheduling_type: job[:scheduling_type],
secrets: job[:secrets],
options: { options: {
image: job[:image], image: job[:image],
services: job[:services], services: job[:services],
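Review bot: `secrets: job[:secrets]` copies the job's secrets entry into the build attributes with no check at this point, so whatever the configuration layer produced from the user-edited CI file is what gets stored. The line would benefit from a comment saying where the value is validated and normalised, e.g. `# already validated and expanded by the CI config entries; holds Vault references only, never secret values`. That wording is inferred from the specs in this commit, which show `production/db/password` expanded into engine, path and field, so it should be confirmed against the entry class, which is not visible here. The attributes hash this line belongs to starts and ends outside the hunk.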
......