Add Azure Key Vault support for CI/CD
What does this MR do and why?
Related to issue #271271 (closed)
Related gitlab-runner MR gitlab-runner!3809 (merged)
Add Azure Key Vault support for CI/CD.
Add a key named `azure_key_vault` to the job's secret definition in `.gitlab-ci.yml`. Under this field, you need to give some information about the Azure vault, such as:

```yaml
job:
  id_tokens:
    AZURE_JWT:
      aud: 'azure'
  secrets:
    DATABASE_PASSWORD:
      token: AZURE_JWT
      azure_key_vault:
        name: 'test'
        version: 'test'
```
The user needs to configure `AZURE_KEY_VAULT_SERVER_URL`, `AZURE_TENANT_ID` and `AZURE_CLIENT_ID` in CI/CD variables. When the pipeline executes, GitLab processes the `.gitlab-ci.yml` file accordingly and sends it to the runner, which then uses the Azure SDK and the JWT to request the secret corresponding to the key according to the above data.
How it works
- The first step is to add GitLab as a federated identity provider to Azure; follow this document: https://docs.gitlab.com/ee/ci/cloud_services/azure/.
- Add the `AZURE_KEY_VAULT_SERVER_URL` variable to CI/CD variables, which is the key vault URI of Azure.
- Add the `AZURE_TENANT_ID` variable to CI/CD variables, which is the application's tenant id to access Azure Key Vault.
- Add the `AZURE_CLIENT_ID` variable to CI/CD variables, which is the application's client id to access Azure Key Vault.
- Add the `azure_key_vault` keyword to `.gitlab-ci.yml`. You can add `id_tokens`, but this is optional: if we don't add `id_tokens` to the job section, it will use `CI_JOB_JWT_V2` from the CI/CD predefined JWT variables.
- This data is then sent to the runner. The runner will use `AZURE_KEY_VAULT_SERVER_URL`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and the JWT to authenticate with Azure, then use the `name` and the `version` to get the value of the secret.
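The exchange the last two steps describe, written out as an added standard-library Python example (not the runner's own Go code): the job's ID token is presented to Microsoft Entra as a client assertion to obtain an access token for Key Vault, and that token is then used to read the secret by `name` and `version` over the Key Vault REST API. The variable names, the `azure_key_vault` mapping and the three CI/CD variables come from the description above; `stub_opener` and its canned responses are constructed so the flow runs offline.

```python
import io
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
KEY_VAULT_SCOPE = "https://vault.azure.net/.default"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
KEY_VAULT_API_VERSION = "7.4"

def build_token_request(tenant_id, client_id, id_token):
    """Client-credentials request presenting the job's JWT as the client assertion."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": KEY_VAULT_SCOPE,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": id_token,
    }
    return TOKEN_ENDPOINT.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()

def build_secret_url(vault_url, name, version=""):
    """Key Vault REST path for a secret; an empty version selects the latest one."""
    path = "/secrets/" + urllib.parse.quote(name)
    if version:
        path += "/" + urllib.parse.quote(version)
    return f"{vault_url.rstrip('/')}{path}?api-version={KEY_VAULT_API_VERSION}"

def fetch_secret(spec, env, id_token, opener=urllib.request.urlopen):
    """spec is the job's azure_key_vault mapping; env holds the three CI/CD variables.
    opener is injectable so the exchange can be exercised without network access."""
    url, body = build_token_request(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], id_token)
    with opener(urllib.request.Request(url, data=body, method="POST")) as resp:
        access_token = json.load(resp)["access_token"]
    secret_url = build_secret_url(env["AZURE_KEY_VAULT_SERVER_URL"], spec["name"], spec.get("version", ""))
    req = urllib.request.Request(secret_url, headers={"Authorization": f"Bearer {access_token}"})
    with opener(req) as resp:
        return json.load(resp)["value"]  # this value is what the job sees as DATABASE_PASSWORD

def stub_opener(req):
    """Constructed offline stand-in for urlopen: answers the token and secret calls with canned JSON."""
    if req.get_method() == "POST":
        payload = {"access_token": "constructed-access-token"}
    else:
        payload = {"value": "constructed-secret-value", "id": req.full_url.split("?")[0]}
    return io.BytesIO(json.dumps(payload).encode())
```

The federated credential on the Azure side must accept the token's audience (`aud: 'azure'` above) and issuer, otherwise the first request is rejected before Key Vault is ever contacted.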
/cc @prajnamas
Screenshots or screen recordings
How to set up and validate locally
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.