Unresolved secrets now return error by default
What does this MR do?
Unresolved secrets now return an error by default.
For now, this behaviour can be disabled by setting the Runner feature flag `FF_SECRET_RESOLVING_FAILS_IF_MISSING` to `false`.
Why was this MR needed?
Unresolved secrets were returning `""`, making it hard to determine why a build wasn't working as expected.
What's the best way to test this MR?
- You need GitLab Ultimate (or a test GitLab instance). If using gitlab.com, you can request this here: https://about.gitlab.com/handbook/incentives/#gitlab-ultimate
- You need a Vault installation. You may want to create a HashiCorp Vault cloud account (https://portal.cloud.hashicorp.com/sign-up) and create a development cluster.
- Install the Vault CLI: `brew install vault-cli`
- Log in: `vault-cli login`
- Create the JWT auth config:

  ```shell
  vault write auth/jwt/config jwks_url="https://gitlab.com/-/jwks" bound_issuer="gitlab.com"
  ```

- Create a policy:

  ```shell
  echo 'path "ops/data/production/*" { capabilities = [ "read" ] }' | vault policy write a-policy -
  ```

- Create a JWT role:

  ```shell
  echo '{"role_type": "jwt", "policies": ["a-policy"], "user_claim": "user_login", "bound_claims_type": "glob", "bound_claims": {"ref":"main"}}' | vault write auth/jwt/role/my-role -
  ```

- Update the auth config with the default role:

  ```shell
  vault write auth/jwt/config jwks_url="https://gitlab.com/-/jwks" bound_issuer="gitlab.com" role=my-role
  ```

- Configure a job with the Vault server URL: `VAULT_SERVER_URL=https://vault-cluster-public-vault-....hashicorp.cloud:8200`
- Configure the job to fetch a secret from Vault:

  ```yaml
  a-job:
    id_tokens:
      VAULT_ID_TOKEN:
        aud: https://gitlab.com
    secrets:
      DATABASE_PASSWORD:
        vault: production/db/password@ops
        token: $VAULT_ID_TOKEN
  ```

- Run the job.
Before this MR: `DATABASE_PASSWORD` would have been nil.

Now:
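To make the behaviour change concrete, here is an added Go example (not Runner's own code) that parses the short `vault:` reference used in the job above, looks it up in a constructed in-memory stand-in for the Vault KV v2 data, and returns an error for a missing secret or field unless `failIfMissing` (standing in for the feature flag) is false, in which case it returns `""` as before. The stand-in store, `parseVaultRef`, `resolveSecret`, and the simplifying assumption that the `@engine` part is always present are mine.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for the KV v2 data a job's Vault reads would return.
// Keys are KV v2 read paths ("<engine mount>/data/<secret path>").
var fakeVault = map[string]map[string]string{
	"ops/data/production/db": {"password": "hunter2"},
}

// parseVaultRef splits the short form "path/to/secret/field@engine" used in
// the job's `vault:` key into the KV v2 read path and the field name.
// Simplification (assumption): the "@engine" part is required here.
func parseVaultRef(ref string) (readPath, field string, err error) {
	at := strings.LastIndex(ref, "@")
	if at <= 0 || at == len(ref)-1 {
		return "", "", fmt.Errorf("malformed vault reference %q", ref)
	}
	secretPath, engine := ref[:at], ref[at+1:]
	slash := strings.LastIndex(secretPath, "/")
	if slash <= 0 || slash == len(secretPath)-1 {
		return "", "", fmt.Errorf("malformed vault reference %q", ref)
	}
	return engine + "/data/" + secretPath[:slash], secretPath[slash+1:], nil
}

// resolveSecret looks the field up. With failIfMissing true (the new default)
// a missing secret or field is an error; with it false (the feature flag set
// to false) the legacy behaviour returns "" silently.
func resolveSecret(ref string, failIfMissing bool) (string, error) {
	readPath, field, err := parseVaultRef(ref)
	if err != nil {
		return "", err
	}
	value, found := fakeVault[readPath][field] // nil map lookup is safe in Go
	if !found {
		if failIfMissing {
			return "", fmt.Errorf("secret %q not found: no field %q at %s", ref, field, readPath)
		}
		return "", nil
	}
	return value, nil
}
```

Calling `resolveSecret("production/db/missing@ops", true)` yields the error a job would now fail with, while the same call with `false` reproduces the silent empty value the MR is replacing.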
What are the relevant issue numbers?
Closes gitlab#353080
Edited by Arran Walker