I have the integration between gitlab-ci and vault functioning, but I have found that you cannot use variables in the secret definition. I can do:
secrets:
  my_secret:
    vault: my-org/my-subgroup/my-project/prd/database/password@secret
to read:
secret/data/my-org/my-subgroup/my-project/prd/database:
  password: something_really_secure
But I would like to do something like:
secrets:
  my_secret:
    vault: $CI_PROJECT_PATH/$CI_ENVIRONMENT_NAME/database/password@secret
This would allow me to put all my secrets into a hidden job and then easily extend other jobs to include them. As it is, I cannot see any way to use this integration short of hand-coding each secret in each environment.
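As an added example (not from the original post), here is a small Python preflight that parses the `<path>/<field>@<engine>` vault reference shown above into the KV v2 API path it reads, flags any `$VAR` placeholder left in a reference, and pre-expands a project path and environment into a concrete `secrets:` block for a hidden job. The `render_secrets` and `to_yaml` helpers are this example's own, and the sample project path and environment are constructed values standing in for `CI_PROJECT_PATH` and `CI_ENVIRONMENT_NAME`.

```python
import re

# GitLab CI `secrets:<name>:vault:` reference syntax: <path>/<field>@<engine>
VAULT_REF = re.compile(r"^(?P<path>[^@\s]+)/(?P<field>[^/@\s]+)@(?P<engine>[^/@\s]+)$")
# $VAR or ${VAR}; the post observes these are not expanded inside vault: references
UNEXPANDED = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")

def parse_vault_ref(ref):
    """Split a reference into engine, path, field and the KV v2 API path it reads."""
    m = VAULT_REF.match(ref)
    if not m:
        raise ValueError(f"not a <path>/<field>@<engine> reference: {ref!r}")
    engine, path, field = m["engine"], m["path"], m["field"]
    # KV v2 engines expose data under <engine>/data/<path>, as in the post's example
    return {"engine": engine, "path": path, "field": field,
            "kv2_api_path": f"{engine}/data/{path}"}

def unexpanded_variables(ref):
    """Return $VAR / ${VAR} placeholders left in a reference (they would be sent literally)."""
    return UNEXPANDED.findall(ref)

def render_secrets(project_path, environment, fields, engine="secret"):
    """Expand project path and environment ourselves and return a concrete secrets mapping.

    fields maps a CI variable name to its <subpath>/<field> below <project>/<environment>.
    """
    block = {}
    for name, subpath in fields.items():
        ref = f"{project_path}/{environment}/{subpath}@{engine}"
        if unexpanded_variables(ref):
            raise ValueError(f"{name}: unexpanded variable in {ref!r}")
        parse_vault_ref(ref)  # fail early on a malformed reference
        block[name] = {"vault": ref}
    return block

def to_yaml(secrets):
    """Serialise the mapping as the `secrets:` snippet a hidden job would carry."""
    lines = ["secrets:"]
    for name, spec in secrets.items():
        lines += [f"  {name}:", f"    vault: {spec['vault']}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed values standing in for CI_PROJECT_PATH and CI_ENVIRONMENT_NAME
    block = render_secrets("my-org/my-subgroup/my-project", "prd",
                           {"my_secret": "database/password"})
    print(to_yaml(block), end="")
```

Running the generator once per environment (for example from a small script that emits an included YAML file) gives the hidden-job layout the post asks for without writing each reference by hand.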