Running with gitlab-runner 13.9.0 (2ebc4dc4)
on global-it-services-gitlab-runner-6967469784-z2n46 KDaxbzYz
Resolving secrets
00:00
Resolving secret "KV1_PASSWORD"...
Using "vault" secret resolver...
ERROR: Job failed (system failure): resolving secrets: initializing Vault service: preparing authenticated client: checking Vault server health: Get https://test-vault.***.net/v1/sys/health?drsecondarycode=299&performancestandbycode=299&sealedcode=299&standbycode=299&uninitcode=299: x509: certificate signed by unknown authority
QA Gitlab JWT vault secrets:
  stage: QA-review-deploy
  allow_failure: true
  tags:
    - Global IT Services
  variables:
    # Vault Environment Variables
    VAULT_SERVER_URL: https://test-vault.***.net
    VAULT_AUTH_PATH: gitlab-jwt
    VAULT_AUTH_ROLE: gitlab-role-test
  secrets:
    KV1_PASSWORD:
      vault:
        engine:
          name: kv-v1
          path: kv1_qa
        # path is relative to the engine mount (engine.path/path), so the
        # secret at kv1_qa/gitlab_jwt is addressed as gitlab_jwt here
        path: gitlab_jwt
        field: password
  script:
    - echo "Test vault JWT Read KV Store"
    # both echo lines write the value into the job log (test job only)
    - echo ${CI_JOB_JWT}
    - echo ${KV1_PASSWORD}
The Runner is a GitLab Helm chart deployment with the self-signed CA cert set as per the chart values:
## Set the certsSecretName in order to pass custom certificates for GitLab Runner to use
## Provide resource name for a Kubernetes Secret Object in the same namespace,
## this is used to populate the /etc/gitlab-runner/certs directory
## ref: Self-signed certificates or custom Certification Authorities | GitLab
certsSecretName: "${CERT_SECRET_NAME}"
Testing on an image with the self-signed cert baked into the image:
QA Gitlab JWT role gitlab-kv1-qa-test:
  stage: QA-review-deploy
  tags:
    - Global IT Services
  variables:
    # Vault Environment Variables
    VAULT_ADDR: https://test-vault.***.net
  script:
    - echo "Test vault JWT Read KV Store"
    # writes the job token into the job log (test job only)
    - echo ${CI_JOB_JWT}
    #- export VAULT_ADDR=http://vault.example.com:8200
    # Authenticate and get token. Token expiry time and other properties can be configured
    # when configuring JWT Auth - https://www.vaultproject.io/api/auth/jwt#parameters-1
    - export VAULT_TOKEN="$(vault write -field=token auth/gitlab-jwt/login role=gitlab-kv1-qa-test jwt=$CI_JOB_JWT)"
    # Now use the VAULT_TOKEN to read the secret and store it in an environment variable
    - KV1_PASSWORD="$(vault kv get -field=password kv1_qa/gitlab_jwt)"
    # Use the secret (this prints it into the job log)
    - echo ${KV1_PASSWORD}
$ KV1_PASSWORD="$(vault kv get -field=password kv1_qa/gitlab_jwt)"
$ echo ${KV1_PASSWORD}
gitlab-kv1-jwt-test-password
Cleaning up file based variables
00:00
Job succeeded
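The `x509: certificate signed by unknown authority` line in the first job log is the Go TLS client inside the runner rejecting the Vault server certificate because the CA that signed it is not in the root pool used by the process resolving the secrets. The Go program below is an added example (not gitlab-runner or Vault code) that reproduces that check offline: it builds a constructed private CA and a leaf certificate for an assumed hostname `test-vault.example.net`, then runs the same verification against an empty root pool (the failing case) and against a pool containing the CA (the fix). The point is that the right remedy is to get the CA into the trust store the resolver actually uses, not to disable verification with `VAULT_SKIP_VERIFY`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Assumed hostname; the real one is redacted in the job log above.
const vaultHost = "test-vault.example.net"

type testPKI struct {
	CA   *x509.Certificate // constructed private CA (stand-in for the organisation's self-signed CA)
	Leaf *x509.Certificate // constructed server certificate for vaultHost, signed by CA
}

func mustCert(template, parent *x509.Certificate, pub interface{}, priv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newTestPKI generates a fresh CA and leaf in memory; nothing here is the real Vault certificate.
func newTestPKI() testPKI {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: vaultHost},
		DNSNames:     []string{vaultHost}, // SAN is what hostname verification checks
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return testPKI{CA: ca, Leaf: leaf}
}

// verifyServerCert performs the check crypto/tls does on a server certificate:
// chain building against the given roots plus hostname match and server-auth EKU.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isUnknownAuthority reports whether err is the error class shown in the job log.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	pki := newTestPKI()

	// Trust store without the private CA: this is the failing job.
	err := verifyServerCert(pki.Leaf, x509.NewCertPool(), vaultHost)
	fmt.Println("without CA:", err, "| unknown authority:", isUnknownAuthority(err))

	// Same check once the CA PEM is in the pool: this is what the fix must achieve.
	trusted := x509.NewCertPool()
	trusted.AddCert(pki.CA)
	fmt.Println("with CA:", verifyServerCert(pki.Leaf, trusted, vaultHost))
}
```

In Go a nil `Roots` means the container image's system store, while an explicit pool contains only what was added to it. The job log says only that whichever pool the secrets resolver used did not contain the CA; the second test, with the CA baked into the image's trust store, is consistent with that. Whether the runner's Vault client consults `/etc/gitlab-runner/certs` is not something this page establishes.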
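The second job exchanges `CI_JOB_JWT` for a Vault token at `auth/gitlab-jwt/login` with `role=gitlab-kv1-qa-test`. What keeps that exchange scoped is the role's `bound_claims`: Vault first verifies the token signature against GitLab's key (fetched from the `jwks_url` configured on the auth method), then issues a token only if claims such as `project_id`, `ref` and `ref_protected` match the role, so a job in another project or on an unprotected branch cannot borrow the role's policy. The Go program below is an added example, not Vault's or GitLab's code, that models that role check over constructed claims. It uses an HS256 key as a stand-in for GitLab's RS256 signing key and assumes issuer `gitlab.example.net`, project id `42`, role policy `kv1-qa-read`; none of those values come from the page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// jobClaims is the subset of CI_JOB_JWT claims a Vault JWT role commonly binds on
// (GitLab emits project_id and ref_protected as strings).
type jobClaims struct {
	Iss          string `json:"iss"`
	ProjectID    string `json:"project_id"`
	NamespaceID  string `json:"namespace_id"`
	Ref          string `json:"ref"`
	RefType      string `json:"ref_type"`
	RefProtected string `json:"ref_protected"`
}

// boundClaims mirrors the bound_claims block of a Vault JWT auth role:
// every listed claim must match exactly.
type boundClaims map[string]string

// signingKey is a constructed HS256 key standing in for GitLab's RS256 key.
// Do not read it as a recommendation to use HMAC between GitLab and Vault.
var signingKey = []byte("constructed-demo-key")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintJWT produces a token in the CI_JOB_JWT shape carrying the given claims.
func mintJWT(c jobClaims) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	signingInput := header + "." + b64(body)
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// login performs the checks a Vault JWT role does before handing out a token:
// the signature verifies, iss equals bound_issuer, and every bound claim matches.
// It returns the policies the role would attach to the issued token.
func login(token, boundIssuer string, bound boundClaims, policies []string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if iss, _ := claims["iss"].(string); iss != boundIssuer {
		return nil, fmt.Errorf("issuer %q not allowed", iss)
	}
	for name, want := range bound {
		if got, _ := claims[name].(string); got != want {
			return nil, fmt.Errorf("claim %s=%q does not match bound value %q", name, got, want)
		}
	}
	return policies, nil
}

func main() {
	// Role gitlab-kv1-qa-test: only protected "main" of project 42 may log in (assumed values).
	role := boundClaims{"project_id": "42", "ref": "main", "ref_protected": "true"}
	good := mintJWT(jobClaims{Iss: "gitlab.example.net", ProjectID: "42", NamespaceID: "7", Ref: "main", RefType: "branch", RefProtected: "true"})
	bad := mintJWT(jobClaims{Iss: "gitlab.example.net", ProjectID: "42", NamespaceID: "7", Ref: "feature/x", RefType: "branch", RefProtected: "false"})
	fmt.Println(login(good, "gitlab.example.net", role, []string{"kv1-qa-read"}))
	fmt.Println(login(bad, "gitlab.example.net", role, []string{"kv1-qa-read"}))
}
```

A caveat on the logs above: both jobs `echo` the JWT and the resolved password into the job log, and the working log ends with the plaintext `gitlab-kv1-jwt-test-password`. Anyone who can read that log holds the secret, and the JWT can be replayed against `auth/gitlab-jwt/login` until it expires, so keep those echoes out of anything but a throwaway test pipeline.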