Skip to content
Snippets Groups Projects
Commit 4f6302cf authored by Pierre Smeyers's avatar Pierre Smeyers
Browse files

Merge branch 'feat/deprecated-jwt-variables' into 'master'

feat(oidc): OIDC authentication support now requires explicit configuration(see doc)

Closes #17

See merge request to-be-continuous/openshift!46
parents 2638af3a 2e65130e
No related branches found
No related tags found
No related merge requests found
...@@ -479,6 +479,7 @@ In order to be able to communicate with the Vault server, the variant requires t ...@@ -479,6 +479,7 @@ In order to be able to communicate with the Vault server, the variant requires t
| ----------------- | -------------------------------------- | ----------------- | | ----------------- | -------------------------------------- | ----------------- |
| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` | | `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` |
| `VAULT_BASE_URL` | The Vault server base API url | _none_ | | `VAULT_BASE_URL` | The Vault server base API url | _none_ |
| `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** | | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** | | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
...@@ -511,6 +512,8 @@ include: ...@@ -511,6 +512,8 @@ include:
file: '/templates/gitlab-ci-openshift-vault.yml' file: '/templates/gitlab-ci-openshift-vault.yml'
variables: variables:
# audience claim for JWT
VAULT_OIDC_AUD: "https://vault.acme.host"
# Secrets managed by Vault # Secrets managed by Vault
OS_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/openshift/noprod?field=token" OS_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/openshift/noprod?field=token"
OS_PROD_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/openshift/noprod?field=token" OS_PROD_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/openshift/noprod?field=token"
......
...@@ -7,6 +7,7 @@ variables: ...@@ -7,6 +7,7 @@ variables:
# variables have to be explicitly declared in the YAML to be exported to the service # variables have to be explicitly declared in the YAML to be exported to the service
VAULT_ROLE_ID: "$VAULT_ROLE_ID" VAULT_ROLE_ID: "$VAULT_ROLE_ID"
VAULT_SECRET_ID: "$VAULT_SECRET_ID" VAULT_SECRET_ID: "$VAULT_SECRET_ID"
VAULT_OIDC_AUD: "$CI_SERVER_URL"
.os-base: .os-base:
services: services:
...@@ -14,3 +15,8 @@ variables: ...@@ -14,3 +15,8 @@ variables:
command: ["--service", "openshift", "3.1.0" ] command: ["--service", "openshift", "3.1.0" ]
- name: "$TBC_VAULT_IMAGE" - name: "$TBC_VAULT_IMAGE"
alias: "vault-secrets-provider" alias: "vault-secrets-provider"
variables:
VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
id_tokens:
VAULT_JWT_TOKEN:
aud: "$VAULT_OIDC_AUD"
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment