Skip to content

Plugin for Gitlab integration with DSV.

License

Notifications You must be signed in to change notification settings

DelineaXPM/dsv-gitlab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Delinea DevOps Secrets Vault GitLab Integration

codecov

Delinea DevOps Secrets Vault (DSV) CI plugin allows you to access and reference your Secrets data available for use in GitLab Jobs.

Getting Started

Using With Gitlab

Review the file: .gitlab-ci.yml

To test this out, you'll have to create variables in GitLab under: https://gitlab.com/{org}/{project}/-/settings/ci_cd.

Prerequisites

This plugin uses authentication based on Client Credentials, i.e. via Client ID and Client Secret.

dsvprofile=

rolename="gitlab-dsv-gitlab-tests"
secretpath="ci:tests:dsv-gitlab"
secretpathclient="clients:${secretpath}"

desc="a secret for testing operation of secrets against dsv-gitlab"
clientcredfile=".cache/${rolename}.json"
clientcredname="${rolename}"

dsv role create --name "${rolename}" --profile $dsvprofile

# Option 1: Less Optimal - Save Credential to local json for testing
# dsv client create --role "${rolename}" --out "file:${clientcredfile}"

# Option 2: 🔒 MOST SECURE
# Create credential info for dsv, and set as variable.
# Create an org secret instead if you want to share this credential in many repos.

# compress to a single line
clientcred=$(dsv client create --role "${rolename}" --plain | jq -c)

# configure the credentials in gitlab
echo 'DSV_SERVER in GitLab variables, example: mytenant.secretsvaultcloud.com'
echo "Save DSV_CLIENT_ID in GitLab variables: $(echo "${clientcred}" | jq '.clientId' -r)"
echo "Save DSV_CLIENT_SECRET in GitLab variables: $(echo "${clientcred}" | jq '.clientSecret' -r )"

For further setup, here's how you could extend that script block above with also creating a secret and the policy to read just this secret.

# Create a secret
secretkey="secret-01"
secretvalue='{"value1":"taco","value2":"burrito"}'
dsv secret create \
  --path "secrets:${secretpath}:${secretkey}" \
  --data "${secretvalue}" \
  --desc "${desc}"

# Create a policy to allow role "$rolename" to read secrets under "ci:tests:integration-configs/dsv-gitlab":
dsv policy create \
  --path "secrets:${secretpath}" \
  --actions 'read' \
  --effect 'allow' \
  --subjects "roles:$rolename" \
  --desc "${desc}" \
  --resources "secrets:${secretpath}:<.*>"

Usage

See integration.yml for an example of how to use this to retrieve secrets and use outputs on other tasks.

Retrieve 2 Values from Same Secret

The json expects an array, so just add a new line.

retrieve: |
  [
   {"secretPath": "ci:tests:dsv-github-action:secret-01", "secretKey": "value1", "outputVariable": "RETURN_VALUE_1"},
   {"secretPath": "ci:tests:dsv-github-action:secret-01", "secretKey": "value2", "outputVariable": "RETURN_VALUE_2"}
  ]

Retrieve 2 Values from Different Secrets

Note: Make sure your generated client credentials are associated a policy that has rights to read the different secrets.

retrieve: |
  [
   {"secretPath": "ci:tests:dsv-github-action:secret-01", "secretKey": "value1", "outputVariable": "RETURN_VALUE_1"},
   {"secretPath": "ci:tests:dsv-github-action:secret-02", "secretKey": "value1", "outputVariable": "RETURN_VALUE_2"}
  ]

Contributors ✨

Thanks goes to these wonderful people (emoji key):

Mariia
Mariia

💻
sheldonhull
sheldonhull

💻
andrii-zakurenyi
andrii-zakurenyi

💻
gg-delinea
gg-delinea

📓

This project follows the all-contributors specification. Contributions of any kind welcome!