Job artifacts should be encryptable
Release notes
Support for selectively encrypting/decrypting job artifacts.
Problem to solve
I have job artifacts that are passed from one stage to another and contain sensitive information that I cannot restrict access to via project membership, such as a Terraform plan file.
I would like to encrypt these files so that users who can see the CI pipeline's job artifacts by virtue of project access are still unable to read or use them, because the artifacts themselves are encrypted.
Proposal
Vault has a transit backend that is perfectly suited for this. Additionally, since GitLab is already well integrated with Vault much of the framework to do this should already be there.
We could indicate which paths should be encrypted (and by which keys) by adding a new configuration key, job:artifacts:encrypt, that is a list of objects each with a path and a key entry. The path selects which files need to be encrypted and the key names the transit key to use. Only paths within job:artifacts:paths would be considered. Something like:
```yaml
job:
  ...
  artifacts:
    paths:
      - terraform.plan
      - terraform-plan-graph.dot
    # which paths from above should be treated as sensitive
    encrypt:
      # the glob is quoted because a bare "*" would be parsed as a YAML alias
      - path: "*.plan"
        key: my-app-gitlab-ci-terraform
```
With that specified, GitLab would call each transit endpoint to encrypt the data transparently before uploading the artifact. On subsequent artifact retrieval it would decrypt the artifacts.
Here is an example of that call using curl:
```shell
# encryption: transit expects the plaintext base64-encoded; the response carries data.ciphertext
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
  --data "{\"plaintext\": \"$(base64 -w0 < terraform.plan)\"}" \
  https://vault.example.com:8200/v1/transit/encrypt/my-app-gitlab-ci-terraform

# decryption: the response carries data.plaintext, again base64-encoded, so it must be decoded before use
curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \
  --data "{\"ciphertext\": \"$(cat terraform.plan.enc)\"}" \
  https://vault.example.com:8200/v1/transit/decrypt/my-app-gitlab-ci-terraform
```
Where VAULT_TOKEN is the token generated using the Vault GitLab auth integration.
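As an added example (not GitLab's code), here is how the proposed job:artifacts:encrypt resolution and the transit request/response handling could be modelled. The parsed config dict, the Vault address, and the rule that a file matched by two different keys is an error are assumptions made for this sketch.

```python
"""Sketch of the proposed job:artifacts:encrypt handling (added example, not GitLab code)."""
import base64
import fnmatch
import json

# Constructed sample: the .gitlab-ci.yml fragment from the proposal, already parsed.
JOB_CONFIG = {
    "artifacts": {
        "paths": ["terraform.plan", "terraform-plan-graph.dot"],
        "encrypt": [{"path": "*.plan", "key": "my-app-gitlab-ci-terraform"}],
    }
}


def select_encrypt_targets(artifacts):
    """Map each artifact path to the transit key that must encrypt it.

    Only paths listed under artifacts:paths are considered (a glob that matches
    nothing there encrypts nothing). A path matched by rules naming different
    keys is rejected rather than silently picking one (assumed policy)."""
    targets = {}
    for rule in artifacts.get("encrypt", []):
        for path in artifacts["paths"]:
            if fnmatch.fnmatch(path, rule["path"]):
                if path in targets and targets[path] != rule["key"]:
                    raise ValueError(f"{path} is matched by more than one key")
                targets[path] = rule["key"]
    return targets


def transit_encrypt_request(vault_addr, key, plaintext):
    """URL and JSON body for POST /v1/transit/encrypt/<key>; transit takes base64 plaintext."""
    url = f"{vault_addr}/v1/transit/encrypt/{key}"
    body = json.dumps({"plaintext": base64.b64encode(plaintext).decode()})
    return url, body


def transit_decrypt_request(vault_addr, key, ciphertext):
    """URL and JSON body for POST /v1/transit/decrypt/<key>; ciphertext is sent as-is."""
    return f"{vault_addr}/v1/transit/decrypt/{key}", json.dumps({"ciphertext": ciphertext})


def plaintext_from_decrypt_response(response_json):
    """Transit returns data.plaintext base64-encoded; decode it before writing the artifact."""
    return base64.b64decode(json.loads(response_json)["data"]["plaintext"])
```

The encrypt response would be stored in place of the artifact (e.g. as terraform.plan.enc) and fed back unchanged to transit_decrypt_request on retrieval.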