Make secrets: stanza global (applicable to all jobs)
Release notes
Problem to solve
As `secrets: vault` is only applicable at the job level, it prevents a template-based DRY approach.
What I would like to do:
- Project A contains `template.yml` with multiple jobs that all need secrets.
- Project B to Z consume the `template.yml` via `include:` but have unique secrets per project.
Example:

```yaml
# Project A - template.yml
job1:
  script: run.sh
job2:
  script: run.sh
job3:
  script: run.sh
---
# Project B - .gitlab-ci.yml
include:
  - project: 'Project A'
    file: '/template.yml'
secrets:
  project_a:
    vault: project_a/key@secret
---
# Project C - .gitlab-ci.yml
include:
  - project: 'Project A'
    file: '/template.yml'
secrets:
  project_c:
    vault: project_c/key@secret
```
Intended users
User experience goal
The experience should mimic `variables:`, which can be applied at the Group, Project, `.gitlab-ci.yml` (global), and `.gitlab-ci.yml` (job) level.
Proposal
Further details
Permissions and Security
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
/cc @jreporter
Edited by Brad Downey