Add Azure Key Vault support for CI/CD
What does this MR do and why?
Related to issue #271271 (closed)
Related gitlab-runner MR gitlab-runner!3809 (merged)
Add Azure Key Vault support for CI/CD.
Add a key named `azure_key_vault` to the job in `.gitlab-ci.yml`. Under this field, you need to give some information about the Azure vault, such as:
```yaml
job:
  id_tokens:
    AZURE_JWT:
      aud: 'azure'
  secrets:
    DATABASE_PASSWORD:
      token: AZURE_JWT
      azure_key_vault:
        name: 'test'
        version: 'test'
```
The user needs to configure `AZURE_KEY_VAULT_SERVER_URL`, `AZURE_TENANT_ID` and `AZURE_CLIENT_ID` in CI/CD variables. When the pipeline executes, GitLab processes the `.gitlab-ci.yml` file accordingly and sends it to the runner, which then uses the Azure SDK and the JWT to request the secret corresponding to the key, according to the data above.
How it works
- The first step is to add GitLab as a federated provider to Azure; follow this document: https://docs.gitlab.com/ee/ci/cloud_services/azure/.
- Add the `AZURE_KEY_VAULT_SERVER_URL` variable to CI/CD variables; this is the key vault URI of Azure.
- Add the `AZURE_TENANT_ID` variable to CI/CD variables; this is the application's tenant ID used to access Azure Key Vault.
- Add the `AZURE_CLIENT_ID` variable to CI/CD variables; this is the application's client ID used to access Azure Key Vault.
- Add the `azure_key_vault` keyword to `.gitlab-ci.yml`. Adding `id_tokens` is optional; if we don't add `id_tokens` to the job section, it will use `CI_JOB_JWT_V2` from the CI/CD predefined JWT variables.
- This data is then sent to the runner, which uses `AZURE_KEY_VAULT_SERVER_URL`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and the JWT to authenticate with Azure, then uses the `name` and the `version` to get the value of the secret.
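To make the runner-side exchange concrete, here is an added example (not code from this MR or from gitlab-runner) that performs the same two steps over the public Azure REST endpoints: the GitLab ID token is presented as an OAuth client assertion to Entra ID, and the resulting access token reads the secret from Key Vault. The Key Vault `api-version` value and the injectable `http` transport are assumptions made for this example.

```python
"""Reproduce the runner-side flow: GitLab ID token -> Entra ID access token -> Key Vault secret."""
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
KV_SCOPE = "https://vault.azure.net/.default"
API_VERSION = "7.4"  # assumed Key Vault REST API version for this example


def token_request(tenant_id, client_id, id_token):
    """Form body for the client-credentials grant, using the GitLab JWT as the client assertion."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": KV_SCOPE,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": id_token,
    }
    return TOKEN_URL.format(tenant=tenant_id), body


def secret_url(vault_url, name, version=""):
    """Key Vault secret URL; omitting the version makes Key Vault return the latest one."""
    path = f"/secrets/{name}" + (f"/{version}" if version else "")
    return vault_url.rstrip("/") + path + f"?api-version={API_VERSION}"


def _http_json(url, data=None, headers=None):
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fetch_secret(vault_url, tenant_id, client_id, id_token, name, version="", http=_http_json):
    """Step 1: exchange the ID token for an access token. Step 2: read the secret with it."""
    url, body = token_request(tenant_id, client_id, id_token)
    tok = http(url, data=urllib.parse.urlencode(body).encode())
    auth = {"Authorization": f"Bearer {tok['access_token']}"}
    return http(secret_url(vault_url, name, version), headers=auth)["value"]


if __name__ == "__main__":
    # Same inputs the runner receives: the three CI/CD variables plus the AZURE_JWT ID token.
    value = fetch_secret(os.environ["AZURE_KEY_VAULT_SERVER_URL"], os.environ["AZURE_TENANT_ID"],
                         os.environ["AZURE_CLIENT_ID"], os.environ["AZURE_JWT"], "test", "test")
    print("fetched secret of length", len(value))  # never echo the value itself into job logs
```

Running this in a job script is a quick way to verify the federated credential (issuer, subject, audience) is configured correctly before relying on the `azure_key_vault` keyword.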
/cc @prajnamas
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.