Add Azure key vault support (!3809) · Merge requests · GitLab.org / gitlab-runner

What does this MR do?

Related to gitlab issue gitlab#271271 (closed)

Related to gitlab MR gitlab!106321 (merged)

Add Azure key vault support for gitlab-runner.

Add a key named azure_key_vault to the job file in .gitlab-ci.yml. And under this field, you need to give some information about azure vault, such as:

job:
  secrets:
    id_tokens:
      AZURE_JWT:
        - aud: 'azure'
    DATABASE_PASSWORD:
      token: AZURE_JWT
      azure_key_vault:
        name: 'test'
        version: 'test'

The user needs to configure AZURE_KEY_VAULT_SERVER_URL and AZURE_TENANT_ID and AZURE_CLIENT_ID in CI/CD variables. When executing the pipeline, gitlab processed the .gitlab-ci.yml file accordingly and sent it to runner, who then used Azure SDK and JWT to request secrets corresponding to key according to the above data.

How it works

The first step, we should add Gitlab as a federated provider to Azure. follow this document https://docs.gitlab.com/ee/ci/cloud_services/azure/.
Add the AZURE_KEY_VAULT_SERVER_URL variable to CI/CD variables, which is the key vault URI of Azure.
Add the AZURE_TENANT_ID variable to CI/CD variables, which is the application's tenant id to access Azure key vault.
Add the AZURE_CLIENT_ID variable to CI/CD variables, which is the application's client id to access Azure key vault.
Add azure_key_vault keyword to .gitlab-ci.yml. You can add the id_tokens, this is optional, if we don't add id_tokens to the job section, it will use CI_JOB_JWT_V2 of CI/CD predefined JWT variables.
This data is then sent to runner, runner will use AZURE_KEY_VAULT_SERVER_URL AZURE_TENANT_ID AZURE_CLIENT_ID and the JWT to authenticate with Azure, then use the name and the version to get the value of the secret.