Secrets do not use string interpolation for vault field
Summary
The external secrets integration with Vault does not allow variables to be used to reference the secret a job needs. This matters because a job may require a secret while different teams/orgs need to supply their own: providing the secret location via an environment variable lets each team that uses shared pipeline templates avoid declaring a secret for every job in the pipeline. From each team's perspective, it is nondeterministic when a template may change and break their pipelines. Consuming variables is therefore important for pointing to where a secret resides, rather than having to declare the secret explicitly in the pipeline.
Steps to reproduce
Create a project-level environment variable in the project settings, or provide an environment variable from the pipeline run widget. This creates a variable that is accessible at the same time as the pre-defined CI/CD variables when a pipeline is being created.
Reference this variable in the vault keyword for secrets and the job will immediately error.
Declare VAULT_PATH with a value of production/db/password@ops in the project-level settings.
```yaml
job_using_vault:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://gitlab.com
  secrets:
    DATABASE_PASSWORD:
      vault: $VAULT_PATH # translates to secret `ops/data/production/db`, field `password`
      token: $VAULT_ID_TOKEN
```
What is the current bug behavior?
The job does not interpolate the variable for the vault path and errors immediately.
What is the expected correct behavior?
The job will interpolate the variable and load the secret.
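The following is an added illustration, not code from GitLab or from this report. It models the two steps the expected behavior implies: first expand CI variables (`$VAR` / `${VAR}`) in the `vault:` value, then parse the shorthand `path/field@engine` into the KV v2 read path quoted in the YAML comment above (`ops/data/production/db`, field `password`). The regex, the `VaultSecretRef` type and the check that rejects an unexpanded `$VAULT_PATH` are assumptions made for the example; they are not GitLab's own validation logic.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VaultSecretRef:
    """Hypothetical model of a resolved `vault:` shorthand reference."""
    engine_mount: str  # e.g. "ops"
    secret_path: str   # e.g. "production/db"
    field: str         # e.g. "password"

    def kv2_read_path(self) -> str:
        # KV v2 inserts "data/" between the engine mount and the secret path.
        return f"{self.engine_mount}/data/{self.secret_path}"


# Shorthand form used by the GitLab docs: <secret path>/<field>@<engine mount>.
# The pattern is an assumption for this example; it requires at least one "/"
# so the last path segment can be taken as the field name.
SHORTHAND = re.compile(r"^(?P<path>[^@\s]+)/(?P<field>[^/@\s]+)@(?P<mount>[^@\s]+)$")

# Matches $NAME or ${NAME}; used both for expansion and to detect leftovers.
CI_VARIABLE = re.compile(r"\$\{(?P<braced>[A-Za-z_][A-Za-z0-9_]*)\}|\$(?P<bare>[A-Za-z_][A-Za-z0-9_]*)")


def expand_ci_variables(value: str, variables: dict) -> str:
    """Replace $VAR / ${VAR} with values from a constructed variables dict.

    Unknown variables are left untouched so the caller can detect them later.
    """
    def replace(match: re.Match) -> str:
        name = match.group("braced") or match.group("bare")
        return variables.get(name, match.group(0))

    return CI_VARIABLE.sub(replace, value)


def parse_vault_shorthand(value: str) -> VaultSecretRef:
    """Parse `path/field@engine` into a VaultSecretRef.

    A value that still contains an unexpanded CI variable cannot be a valid
    reference, which is the situation the bug report describes.
    """
    if CI_VARIABLE.search(value):
        raise ValueError(f"unexpanded CI variable in vault reference: {value!r}")
    match = SHORTHAND.match(value)
    if match is None:
        raise ValueError(f"not a path/field@engine reference: {value!r}")
    return VaultSecretRef(
        engine_mount=match.group("mount"),
        secret_path=match.group("path"),
        field=match.group("field"),
    )


def resolve_vault_keyword(value: str, variables: dict) -> VaultSecretRef:
    """Expected behavior from the report: expand first, then parse."""
    return parse_vault_shorthand(expand_ci_variables(value, variables))


if __name__ == "__main__":
    # Constructed project-level variable, mirroring the reproduction steps.
    project_variables = {"VAULT_PATH": "production/db/password@ops"}

    ref = resolve_vault_keyword("$VAULT_PATH", project_variables)
    print(ref.kv2_read_path(), ref.field)  # ops/data/production/db password

    # Current behavior: the literal "$VAULT_PATH" reaches the parser unexpanded.
    try:
        parse_vault_shorthand("$VAULT_PATH")
    except ValueError as err:
        print("rejected:", err)
```

`resolve_vault_keyword` is the order of operations the "expected correct behavior" section asks for; calling `parse_vault_shorthand` directly on the literal `$VAULT_PATH` shows why skipping the expansion step leaves nothing the Vault integration can resolve.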
Results of GitLab environment info
gitlab-runner 15.8.1 (f86890c6)
GitLab Enterprise Edition 15.8.2-ee
Possible fixes
None.