How to set specific variables/values for an automatic pipeline

I have a GitLab project that contains an application with a companion GitLab project that contains a Helm chart for the application project. The Helm chart values.yaml file has certain values that are sensitive and should not be stored in the file directly. These values are either set to an empty value, or provided with a dummy placeholder in values.yaml. We have a few ways to provide the sensitive values when the chart is installed via pipeline (e.g., ArgoCD and Vault), but they are not available in other use cases.

For example, I have set up Review Apps for the application project so that when an MR is ready for merge, reviewers can bring up the app directly from the MR in GitLab and check out what was changed. This is all managed via the pipeline and is automated from the user’s perspective. The problem is that when the pipeline runs, the sensitive values have not been appropriately set and the application pod either fails to start or will quickly fail not long after.

I’m trying to find a way to be able to provide these values to the automated pipeline without placing them somewhere that either places them into source control or otherwise stores them in pipeline artifacts. When I install the chart manually, I specify a “personal” values file that contains my sensitive information at chart install time. This file is never committed to Git. This is different though. The pipeline job uses Helm in the job script to do the install, but I don’t know how to provide it with a “pipeline job” values file.

Is there a way to do this? I thought of using environment variables, but I don’t know how or where to set them (if it’s even possible for this use case).

Versions

Please select whether options apply, and add the version information.

  • Self-managed
  • GitLab.com SaaS
  • Self-hosted Runners

Versions

GitLab: 16.9.1-ee
Runners: 16.3.1, 16.5.0, 15.5.0, 15.5.1

Hi,

Have you considered using CI/CD variables? You can set them on a project / group level via the UI and use them like any other variable in a GitLab pipeline ($VARIABLE_NAME). If the data is sensitive, you can mark it as “masked” - in that case they won’t show up in the log files.

I had looked at that, but for some reason had the impression it wouldn’t work. I will re-look at it.

Took a little trial and error, but I got it to work using GitLab CI/CD variables.
Thanks for the tip.

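One way to wire the suggestion above into the review-app job, as an added example that is not part of the original thread: it assumes a project-level CI/CD variable of type File named `REVIEW_VALUES_FILE` (a hypothetical name) holding the "pipeline job" values file, a chart at `./chart`, and a `review` namespace fallback. GitLab writes a File variable to a temporary file and puts its path in the variable, so the secrets stay out of Git and off the `helm` command line.

```shell
#!/bin/sh
# Added example, not the poster's script. REVIEW_VALUES_FILE, ./chart and the
# "review" namespace fallback are assumptions; CI_PROJECT_DIR and
# CI_COMMIT_REF_SLUG are GitLab predefined variables.

# Print the path of the secret values file, or fail before Helm runs.
review_values_path() {
    f="${REVIEW_VALUES_FILE:-}"
    if [ -z "$f" ]; then
        # Protected variables are only passed to protected branches and tags,
        # so they are missing in pipelines for ordinary MR branches.
        echo "REVIEW_VALUES_FILE is not set (protected variable on an unprotected branch?)" >&2
        return 1
    fi
    if [ ! -s "$f" ]; then
        echo "REVIEW_VALUES_FILE is not a non-empty file (is the variable type File?)" >&2
        return 1
    fi
    # Refuse a file inside the checkout, where artifacts:paths could collect it.
    case "$f" in
        "${CI_PROJECT_DIR:-/nonexistent}"/*)
            echo "secret values file is inside the project directory" >&2
            return 1 ;;
    esac
    printf '%s\n' "$f"
}

# Install or upgrade the review release. Values from --values override the
# placeholders in the chart's own values.yaml.
deploy_review_app() {
    values=$(review_values_path) || return 1
    helm upgrade --install "review-${CI_COMMIT_REF_SLUG}" ./chart \
        --namespace "${KUBE_NAMESPACE:-review}" \
        --values "$values"
}
```

In the job's `script:`, source the file and call `deploy_review_app`; the job fails with a clear message instead of starting a pod with placeholder secrets.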