
Add support for Akeyless

Note to approvers - please do NOT merge until Product @jocelynjane has approved. Thanks!

What does this MR do and why?

Support authenticating to and fetching secrets from Akeyless. Added all the supported fields in the .gitlab-ci.yml file for authenticating to and fetching secrets from Akeyless.

The secret manager is added as the akeyless keyword under secrets. An example .gitlab-ci.yml would be as follows:

job:
  id_tokens:
    AKEYLESS_JWT:
      aud: 'https://gitlab.com'
  secrets:
    DATABASE_PASSWORD:
      token: $AKEYLESS_JWT
      akeyless:
        name: 'my-project-secret'

In addition to the above config, the user needs to provide the following variables:

  • The Akeyless access ID, as the CI/CD variable AKEYLESS_ACCESS_ID

Given the above YAML and CI variables, the job payload sent to Runner should contain the following JSON:

{
  "secrets": {
    "DATABASE_PASSWORD": {
      "akeyless": {
        "name": "my-project-secret",
        "data_key": "",
        "cert_user_name": "",
        "public_key_data": "",
        "csr_data": "",
        "server": {
          "access_id": "akeyless access id",
          "access_key": "",
          "akeyless_api_url": "https://api.akeyless.io",
          "akeyless_access_type": "jwt",
          "akeyless_token": "",
          "uid_token": "",
          "gcp_audience": "",
          "azure_object_id": "",
          "k8s_service_account_token": "",
          "k8s_auth_config_name": "",
          "gateway_ca_certificate": "", 
          "jwt": "$AKEYLESS_JWT"
        }
      }
    }
  }
}

With this configuration, the job would have the secret retrieved from Akeyless stored in the build variable DATABASE_PASSWORD.
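As an added illustration (not GitLab's or Akeyless's own code), the following Ruby helper builds the runner payload above from the `akeyless:` entry and the job's CI variables; the helper names, the flat field-name pass-through under `akeyless:` and the handling of missing values are assumptions made here.

```ruby
# Added example, not GitLab's own implementation: build the runner payload for
# an `akeyless:` secret from the .gitlab-ci.yml entry and the job's CI variables.
# Field names and defaults follow the JSON in this MR description; the helper
# names and the flat pass-through of optional fields are assumptions.
require 'json'

SERVER_DEFAULTS = {
  'access_id' => '', 'access_key' => '',
  'akeyless_api_url' => 'https://api.akeyless.io',
  'akeyless_access_type' => 'jwt', 'akeyless_token' => '', 'uid_token' => '',
  'gcp_audience' => '', 'azure_object_id' => '',
  'k8s_service_account_token' => '', 'k8s_auth_config_name' => '',
  'gateway_ca_certificate' => '', 'jwt' => ''
}.freeze

SECRET_DEFAULTS = {
  'name' => '', 'data_key' => '', 'cert_user_name' => '',
  'public_key_data' => '', 'csr_data' => ''
}.freeze

# secret_config: the hash for one variable under `secrets:`, e.g.
#   { 'token' => '$AKEYLESS_JWT', 'akeyless' => { 'name' => 'my-project-secret' } }
# variables: the job's CI/CD variables (must contain AKEYLESS_ACCESS_ID).
def build_akeyless_secret(secret_config, variables)
  akeyless = secret_config.fetch('akeyless')
  raise ArgumentError, 'akeyless.name is required' if akeyless['name'].to_s.empty?
  access_id = variables['AKEYLESS_ACCESS_ID'].to_s
  raise ArgumentError, 'AKEYLESS_ACCESS_ID variable is required' if access_id.empty?

  # Only known field names are copied; unknown keys are dropped. The identity
  # fields (access_id, jwt) always come from the variable and the `token:`
  # reference, so the YAML cannot override them. The token reference is passed
  # through unexpanded; the runner resolves the ID token.
  server = SERVER_DEFAULTS.merge(akeyless.slice(*SERVER_DEFAULTS.keys))
  server['access_id'] = access_id
  server['jwt'] = secret_config.fetch('token')

  SECRET_DEFAULTS.merge(akeyless.slice(*SECRET_DEFAULTS.keys)).merge('server' => server)
end

def build_secrets_payload(secrets, variables)
  { 'secrets' => secrets.to_h { |name, cfg| [name, { 'akeyless' => build_akeyless_secret(cfg, variables) }] } }
end

# Constructed input mirroring the YAML and variables in the MR description.
CI_SECRETS = { 'DATABASE_PASSWORD' => { 'token' => '$AKEYLESS_JWT', 'akeyless' => { 'name' => 'my-project-secret' } } }.freeze
CI_VARIABLES = { 'AKEYLESS_ACCESS_ID' => 'akeyless access id' }.freeze

puts JSON.pretty_generate(build_secrets_payload(CI_SECRETS, CI_VARIABLES)) if $PROGRAM_NAME == __FILE__
```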

The runner implementation that handles this payload is in gitlab-runner!4704 (closed).

What's the best way to test this MR?

  1. Log in to Akeyless: https://console.akeyless.io/
  2. Create a new static secret: https://docs.akeyless.io/docs/static-secrets
  3. Create an authentication method of type OAuth2.0/JWT: https://docs.akeyless.io/docs/oauth20jwt
  4. Create a role for the auth method you created so that it can access the secret: https://docs.akeyless.io/docs/rbac
  5. Set up a GDK environment with these GitLab changes and the gitlab-runner changes from gitlab-runner!4704 (closed).
  6. Use the YAML example I wrote in the description and update the name and the AKEYLESS_ACCESS_ID variable in the CI/CD settings.
  7. Run the pipeline and check that the secret is available in the build variable DATABASE_PASSWORD.

What are the relevant issue numbers?

Related to #443305

Edited by Amir Maor
