Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/doc/ci/secrets/index.md
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2023-01-20 21:10:05 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-01-20 21:10:05 +0300
commitcc4e1c884cd6b8782fb6a247d840a2d1c7f4603e (patch)
tree8a54c659b82873efafe04887708140785caea153 /doc/ci/secrets/index.md
parent709948b7a69597b1efe24df9b0f388cc0b493dd9 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/ci/secrets/index.md')
-rw-r--r--doc/ci/secrets/index.md35
1 files changed, 25 insertions, 10 deletions
diff --git a/doc/ci/secrets/index.md b/doc/ci/secrets/index.md
index ba12508beeb..14f771431e5 100644
--- a/doc/ci/secrets/index.md
+++ b/doc/ci/secrets/index.md
@@ -23,10 +23,16 @@ GitLab has selected [Vault by HashiCorp](https://www.vaultproject.io) as the
first supported provider, and [KV-V2](https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2)
as the first supported secrets engine.
-GitLab authenticates using Vault's
+By default, GitLab authenticates using Vault's
[JSON Web Token (JWT) authentication method](https://developer.hashicorp.com/vault/docs/auth/jwt#jwt-authentication), using
-the [JSON Web Token](https://gitlab.com/gitlab-org/gitlab/-/issues/207125) (`CI_JOB_JWT`)
-introduced in GitLab 12.10.
+the [JSON Web Token](https://gitlab.com/gitlab-org/gitlab/-/issues/207125) (`CI_JOB_JWT`).
+
+[ID tokens](../yaml/index.md#id_tokens) is the preferred secure way to authenticate with Vault,
+because ID tokens are defined per-job. GitLab can also authenticate with Vault by using the `CI_JOB_JWT`,
+but that token is provided to every job, which can be a security risk.
+
+The [Authenticating and Reading Secrets With HashiCorp Vault](../examples/authenticating-with-hashicorp-vault/index.md)
+tutorial has more details about authenticating with ID tokens.
You must [configure your Vault server](#configure-your-vault-server) before you
can use [use Vault secrets in a CI job](#use-vault-secrets-in-a-ci-job).
@@ -106,9 +112,14 @@ After [configuring your Vault server](#configure-your-vault-server), you can use
the secrets stored in Vault by defining them with the `vault` keyword:
```yaml
-secrets:
- DATABASE_PASSWORD:
- vault: production/db/password@ops # translates to secret `ops/data/production/db`, field `password`
+job_using_vault:
+ id_tokens:
+ VAULT_ID_TOKEN:
+ aud: https://gitlab.com
+ secrets:
+ DATABASE_PASSWORD:
+ vault: production/db/password@ops # translates to secret `ops/data/production/db`, field `password`
+ token: $VAULT_ID_TOKEN
```
In this example:
@@ -125,9 +136,13 @@ To overwrite the default behavior, set the `file` option explicitly:
```yaml
secrets:
+ id_tokens:
+ VAULT_ID_TOKEN:
+ aud: https://gitlab.com
DATABASE_PASSWORD:
vault: production/db/password@ops
file: false
+ token: $VAULT_ID_TOKEN
```
In this example, the secret value is put directly in the `DATABASE_PASSWORD` variable
@@ -177,8 +192,8 @@ Always restrict your roles to a project or namespace by using one of the provide
claims like `project_id` or `namespace_id`. Without these restrictions, any JWT
generated by this GitLab instance may be allowed to authenticate using this role.
-For a full list of `CI_JOB_JWT` claims, read the
-[How it works](../examples/authenticating-with-hashicorp-vault/index.md#how-it-works) section of the
+For a full list of ID token JWT claims, read the
+[How It Works](../examples/authenticating-with-hashicorp-vault/index.md#how-it-works) section of the
[Authenticating and Reading Secrets With HashiCorp Vault](../examples/authenticating-with-hashicorp-vault/index.md) tutorial.
You can also specify some attributes for the resulting Vault tokens, such as time-to-live,
@@ -188,7 +203,7 @@ for the JSON web token method.
## Using a self-signed Vault server
-When the Vault server is using a self-signed certificate, you will see the following error in the job logs:
+When the Vault server is using a self-signed certificate, you see the following error in the job logs:
```plaintext
ERROR: Job failed (system failure): resolving secrets: initializing Vault service: preparing authenticated client: checking Vault server health: Get https://vault.example.com:8000/v1/sys/health?drsecondarycode=299&performancestandbycode=299&sealedcode=299&standbycode=299&uninitcode=299: x509: certificate signed by unknown authority
@@ -197,7 +212,7 @@ ERROR: Job failed (system failure): resolving secrets: initializing Vault servic
You have two options to solve this error:
- Add the self-signed certificate to the GitLab Runner server's CA store.
- If you deployed GitLab Runner using the [Helm chart](https://docs.gitlab.com/runner/install/kubernetes.html), you will have to create your own GitLab Runner image.
+ If you deployed GitLab Runner using the [Helm chart](https://docs.gitlab.com/runner/install/kubernetes.html), you have to create your own GitLab Runner image.
- Use the `VAULT_CACERT` environment variable to configure GitLab Runner to trust the certificate:
- If you are using systemd to manage GitLab Runner, see [how to add an environment variable for GitLab Runner](https://docs.gitlab.com/runner/configuration/init.html#setting-custom-environment-variables).
- If you deployed GitLab Runner using the [Helm chart](https://docs.gitlab.com/runner/install/kubernetes.html):
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-09 04:21:54 +0300