How to optionally resolve Hashicorp Vault secrets?

I’ve created a pipeline that includes a component that I wrote earlier. This component needs some env variables set that come from my Hashicorp Vault instance.

To do this, I’ve created the following as per the Hashicorp Vault ↔ GitLab CI docs:

include:
  - component: <reference to component>
    inputs:
      job_name: job-that-needs-secrets

job-that-needs-secrets:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: <my vault server>
  secrets:
    SECRET_ONE:
      file: false
      vault: <path to secret>
    SECRET_TWO:
      file: false
      vault: <path to secret>

This works as expected, with the secrets being resolved and the job, job-that-needs-secrets, running successfully.

However, I have an issue. I want to have the option of only resolving SECRET_ONE, since the job in the component won’t always need SECRET_TWO. In other words, I want to do something like this (which doesn’t work):

# component header: the input that should decide whether SECRET_TWO is resolved
spec:
  inputs:
    use_secret_two:
      default: true
      description: "Whether to use SECRET_TWO"
---
variables:
  USE_SECRET_TWO: $[[ inputs.use_secret_two ]]

include:
  - component: <reference to component>
    inputs:
      job_name: job-that-needs-secrets
      use_secret_two: $[[ inputs.use_secret_two ]]

# variant without SECRET_TWO
job-that-needs-secrets:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: <my vault server>
  secrets:
    SECRET_ONE:
      file: false
      vault: <path to secret>
  rules:
    # rules:if compares strings, so the literal has to be quoted
    - if: $USE_SECRET_TWO == "false"

# variant with SECRET_TWO (same job key as above)
job-that-needs-secrets:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: <my vault server>
  secrets:
    SECRET_ONE:
      file: false
      vault: <path to secret>
    SECRET_TWO:
      file: false
      vault: <path to secret>
  rules:
    - if: $USE_SECRET_TWO == "true"

Does anybody know if there is currently a way to achieve this? I can’t use the vault image in a pre job since there’s no way to securely pass a secret to another job.

I’d also like to avoid having to trigger or include another pipeline, since that won’t scale well. E.g. I got it to work by having an include-secret-two.yml and a no-secret-two.yml file, one of which is included depending on the input, but that wouldn’t be ideal as the number of secrets increases.

Thank you! :slight_smile:
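For readers who want to see the two-file workaround the post mentions written out, here is an added illustration. It is not from the original post and not GitLab's or the component author's code. It assumes that `$[[ inputs.* ]]` interpolation applies to the `include:local` path as it does to the rest of the file body, and the file names, the Vault address and the secret paths are placeholders chosen for the example.

```yaml
# Added example (not part of the original post). One component entry point
# whose input picks which of two files is included; each file defines the
# same job, once with SECRET_ONE only and once with both secrets.

# --- templates/vault-job.yml (component entry point, assumed layout) ---
spec:
  inputs:
    secret_set:
      description: "Which set of Vault secrets the job resolves"
      default: with-secret-two
      options: [with-secret-two, secret-one-only]
---
include:
  # Assumption: inputs are interpolated inside the include path, so the
  # value selects templates/secrets-with-secret-two.yml or
  # templates/secrets-secret-one-only.yml.
  - local: templates/secrets-$[[ inputs.secret_set ]].yml

# --- templates/secrets-secret-one-only.yml ---
job-that-needs-secrets:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.example.com        # placeholder for <my vault server>
  secrets:
    SECRET_ONE:
      file: false                           # exposed as an env var, not a file
      vault: production/app/secret_one@kv   # placeholder for <path to secret>
  script:
    - ./run.sh

# --- templates/secrets-with-secret-two.yml ---
job-that-needs-secrets:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.example.com
  secrets:
    SECRET_ONE:
      file: false
      vault: production/app/secret_one@kv
    SECRET_TWO:
      file: false
      vault: production/app/secret_two@kv   # placeholder for <path to secret>
  script:
    - ./run.sh
```

Whichever file is selected, the `aud` value in `id_tokens` must match the audience the Vault JWT auth role is bound to, and the role on the Vault side should also be bound to the project and ref claims of the GitLab ID token, so that a token minted for another project with the same audience cannot read these paths.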