Add Azure key vault support
What does this MR do?
Related to gitlab issue gitlab#271271 (closed)
Related to gitlab MR gitlab!106321 (merged)
Add Azure key vault support for gitlab-runner. Add a key named `azure_key_vault` to a job in `.gitlab-ci.yml`. Under this field, you need to give some information about the Azure vault, such as:
```yaml
job:
  id_tokens:
    AZURE_JWT:
      aud: 'azure'
  secrets:
    DATABASE_PASSWORD:
      token: AZURE_JWT
      azure_key_vault:
        name: 'test'
        version: 'test'
```
The user needs to configure `AZURE_KEY_VAULT_SERVER_URL`, `AZURE_TENANT_ID` and `AZURE_CLIENT_ID` in CI/CD variables. When the pipeline executes, GitLab processes the `.gitlab-ci.yml` file accordingly and sends it to the runner, which then uses the Azure SDK and the JWT to request the secret corresponding to the key according to the data above.
How it works
- The first step: we should add GitLab as a federated provider to Azure. Follow this document: https://docs.gitlab.com/ee/ci/cloud_services/azure/.
- Add the `AZURE_KEY_VAULT_SERVER_URL` variable to CI/CD variables, which is the key vault URI of Azure.
- Add the `AZURE_TENANT_ID` variable to CI/CD variables, which is the application's tenant ID to access Azure key vault.
- Add the `AZURE_CLIENT_ID` variable to CI/CD variables, which is the application's client ID to access Azure key vault.
- Add the `azure_key_vault` keyword to `.gitlab-ci.yml`. You can add `id_tokens`; this is optional. If we don't add `id_tokens` to the job section, it will use `CI_JOB_JWT_V2` from the CI/CD predefined JWT variables.
- This data is then sent to the runner. The runner will use `AZURE_KEY_VAULT_SERVER_URL`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and the JWT to authenticate with Azure, then use the `name` and the `version` to get the value of the secret.
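The exchange the steps above describe, as an added example that is not gitlab-runner's own code (the real runner uses the Azure SDK, as the description says): a small Go client that presents the job JWT to Azure AD's token endpoint as a federated client assertion (the OAuth client-credentials grant with `client_assertion_type=jwt-bearer` and the `https://vault.azure.net/.default` scope), then reads the secret from the Key Vault REST API at `/secrets/{name}/{version}`. The type and function names, the assumed default authority host `https://login.microsoftonline.com`, the Key Vault `api-version=7.4` query parameter and the constructed values used for testing are illustration choices, not identifiers from the MR.

```go
package main

// Added example, not gitlab-runner's own code: the two HTTP exchanges the MR describes.
// (1) The job's ID token (JWT) goes to Azure AD as a federated client assertion and comes
// back as a Key Vault access token; (2) that access token reads the secret by name/version.

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// AzureKeyVaultResolver holds the three CI/CD variables the description requires plus two
// assumed defaults (AuthorityHost, HTTPClient) that a test can point at a local fake.
type AzureKeyVaultResolver struct {
	ServerURL     string // AZURE_KEY_VAULT_SERVER_URL, e.g. https://<vault>.vault.azure.net
	TenantID      string // AZURE_TENANT_ID
	ClientID      string // AZURE_CLIENT_ID
	AuthorityHost string
	HTTPClient    *http.Client
}

// NewAzureKeyVaultResolver rejects incomplete config and non-HTTPS vault URLs up front.
func NewAzureKeyVaultResolver(serverURL, tenantID, clientID string) (*AzureKeyVaultResolver, error) {
	if serverURL == "" || tenantID == "" || clientID == "" {
		return nil, fmt.Errorf("azure_key_vault: AZURE_KEY_VAULT_SERVER_URL, AZURE_TENANT_ID and AZURE_CLIENT_ID must all be set")
	}
	if u, err := url.Parse(serverURL); err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("azure_key_vault: server URL %q must be an https URL", serverURL)
	}
	return &AzureKeyVaultResolver{ServerURL: serverURL, TenantID: tenantID, ClientID: clientID,
		AuthorityHost: "https://login.microsoftonline.com", HTTPClient: http.DefaultClient}, nil
}

// acquireToken runs the OAuth client-credentials grant with a JWT bearer client assertion
// (the flow behind Azure federated credentials); the job JWT is sent nowhere else.
func (r *AzureKeyVaultResolver) acquireToken(ctx context.Context, jobJWT string) (string, error) {
	form := url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {r.ClientID},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {jobJWT},
		"scope":                 {"https://vault.azure.net/.default"},
	}
	endpoint := strings.TrimRight(r.AuthorityHost, "/") + "/" + url.PathEscape(r.TenantID) + "/oauth2/v2.0/token"
	hdr := http.Header{"Content-Type": {"application/x-www-form-urlencoded"}}
	var tok struct{ AccessToken string `json:"access_token"` }
	if err := r.call(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()), hdr, &tok); err != nil {
		return "", fmt.Errorf("azure token endpoint: %w", err)
	}
	if tok.AccessToken == "" {
		return "", fmt.Errorf("azure token endpoint: response carried no access token")
	}
	return tok.AccessToken, nil
}

// GetSecret resolves one azure_key_vault entry. An empty version omits the path segment,
// which Key Vault's REST API treats as "latest version".
func (r *AzureKeyVaultResolver) GetSecret(ctx context.Context, jobJWT, name, version string) (string, error) {
	if name == "" {
		return "", fmt.Errorf("azure_key_vault: name is required")
	}
	accessToken, err := r.acquireToken(ctx, jobJWT)
	if err != nil {
		return "", err
	}
	endpoint := strings.TrimRight(r.ServerURL, "/") + "/secrets/" + url.PathEscape(name)
	if version != "" {
		endpoint += "/" + url.PathEscape(version)
	}
	hdr := http.Header{"Authorization": {"Bearer " + accessToken}}
	var bundle struct{ Value string `json:"value"` }
	if err := r.call(ctx, http.MethodGet, endpoint+"?api-version=7.4", nil, hdr, &bundle); err != nil {
		return "", fmt.Errorf("key vault secret %q: %w", name, err)
	}
	return bundle.Value, nil
}

// call sends one request and decodes a 200 JSON body into out. Other statuses are reported
// by code and host only, so a body that echoes the assertion never lands in a job log.
func (r *AzureKeyVaultResolver) call(ctx context.Context, method, endpoint string, body io.Reader, hdr http.Header, out any) error {
	req, err := http.NewRequestWithContext(ctx, method, endpoint, body)
	if err != nil {
		return err
	}
	req.Header = hdr
	resp, err := r.HTTPClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("HTTP %d from %s", resp.StatusCode, req.URL.Host)
	}
	return json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(out)
}
```

Three checks a reviewer of this feature would look for are built in: the three variables must all be present and the vault URL must be HTTPS before any token is sent; an error from either endpoint carries only the status code and host, never the response body, because token-endpoint errors can quote the assertion and end up in the job log; and an empty `version` is passed through as "latest" rather than as a literal empty path segment.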
/cc @prajnamas
Screenshots or screen recordings
Why was this MR needed?
What's the best way to test this MR?
What are the relevant issue numbers?
Edited by Furkan Ayhan