
support akeyless secrets

What does this MR do?

Adding support to authenticate and fetch secrets from Akeyless

Why was this MR needed?

With this feature we will be adding a new CI configuration as such:

job:
  id_tokens:
    AKEYLESS_JWT:
      aud: 'https://gitlab.com'
  secrets:
    DATABASE_PASSWORD:
      token: $AKEYLESS_JWT
      akeyless:
        name: 'my-project-secret'

With this configuration, the job would have the secret retrieved from Akeyless Secret stored in the build variable DATABASE_PASSWORD.

The implementation of the CI config in Rails is in this MR: gitlab!147283 (closed)

What's the best way to test this MR?

  1. Log in to Akeyless https://console.akeyless.io/
  2. Create a new static secret: https://docs.akeyless.io/docs/static-secrets
  3. Create an authentication method of type OAuth2.0/JWT: https://docs.akeyless.io/docs/oauth20jwt
  4. Create a Role for the auth method you created to be able to access the secret: https://docs.akeyless.io/docs/rbac
  5. Set up a GDK environment with this gitlab-runner and gitlab gitlab!147283 (closed)
  6. Use the YAML example I wrote in the description and update the name and the AKEYLESS_ACCESS_ID variable in the CI/CD.
  7. Run the pipeline and see that you got the secret in the build variable DATABASE_PASSWORD.

What are the relevant issue numbers?

Related to gitlab#443305 (closed)

Edited by Amir Maor
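
A pre-merge check for the configuration in the description above, added here as an example and not part of the MR, GitLab Runner or Akeyless: it confirms that every `akeyless` secret names a token declared under the same job's `id_tokens` with an `aud`. The function name, the job names other than `job`, and the rule that `token` must be set explicitly are assumptions of this example; the sample jobs are constructed.

```python
import re

def _job(token, id_token):
    """Constructed sample job shaped like the MR's YAML after parsing."""
    return {"id_tokens": {"AKEYLESS_JWT": id_token},
            "secrets": {"DATABASE_PASSWORD": {
                "token": token, "akeyless": {"name": "my-project-secret"}}}}

# "job" mirrors the description; the other two are hypothetical broken variants.
SAMPLE_JOBS = {
    "job": _job("$AKEYLESS_JWT", {"aud": "https://gitlab.com"}),
    "typo_job": _job("$AKEYLES_JWT", {"aud": "https://gitlab.com"}),
    "no_aud_job": _job("$AKEYLESS_JWT", {}),
}

# Accepts $NAME or ${NAME}; anything else is treated as not a variable reference.
VAR_REF = re.compile(r"^\$(?:\{(\w+)\}|(\w+))$")

def check_akeyless_secrets(jobs):
    """Return (job, secret, problem) tuples for Akeyless secrets whose token
    does not resolve to an id_token with an audience in the same job."""
    findings = []
    for job_name, job in jobs.items():
        id_tokens = job.get("id_tokens") or {}
        for secret_name, spec in (job.get("secrets") or {}).items():
            if "akeyless" not in spec:
                continue  # other secret providers are out of scope here
            # Assumption of this example: token must be set explicitly.
            match = VAR_REF.match(str(spec.get("token", "")))
            if not match:
                problem = "token is not a $VARIABLE reference"
            else:
                name = match.group(1) or match.group(2)
                if name not in id_tokens:
                    problem = f"{name} is not declared under id_tokens"
                elif not (id_tokens[name] or {}).get("aud"):
                    problem = f"{name} has no aud"
                else:
                    continue  # token resolves to an id_token with an audience
            findings.append((job_name, secret_name, problem))
    return findings

if __name__ == "__main__":
    for finding in check_akeyless_secrets(SAMPLE_JOBS):
        print(": ".join(finding))
```
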
