.gitlab-ci.yml

@@ -12,7 +12,7 @@ include:
     ref: '3.2'
     file: 'templates/gitlab-ci-bash.yml'
   - project: 'to-be-continuous/semantic-release'
-    ref: '3.4'
+    ref: '3.5'
     file: '/templates/gitlab-ci-semrel.yml'    
 
 stages:

CHANGELOG.md

+# [5.3.0](https://gitlab.com/to-be-continuous/docker/compare/5.2.2...5.3.0) (2023-08-28)
+
+
+### Features
+
+* **oidc:** OIDC authentication support now requires explicit configuration(see doc) ([521f918](https://gitlab.com/to-be-continuous/docker/commit/521f918b9f8fab2d23a021211bbdbfacff152c08))
+
 ## [5.2.2](https://gitlab.com/to-be-continuous/docker/compare/5.2.1...5.2.2) (2023-07-25)
 
 

README.md

@@ -9,7 +9,7 @@ In order to include this template in your project, add the following to your `.g
 ```yaml
 include:
   - project: 'to-be-continuous/docker'
-    ref: '5.2.2'
+    ref: '5.3.0'
     file: '/templates/gitlab-ci-docker.yml'
 ```
 
@@ -473,7 +473,7 @@ Here is a `.gitlab-ci.yaml` using an external Docker registry:
 ```yaml
 include:
   - project: 'to-be-continuous/docker'
-    ref: '5.2.2'
+    ref: '5.3.0'
     file: '/templates/gitlab-ci-docker.yml'
 
 variables:
@@ -491,7 +491,7 @@ Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (u
 ```yaml
 include:
   - project: 'to-be-continuous/docker'
-    ref: '5.2.2'
+    ref: '5.3.0'
     file: '/templates/gitlab-ci-docker.yml'
 
 variables:
@@ -524,6 +524,7 @@ In order to be able to communicate with the Vault server, the variant requires t
 | ----------------- | -------------------------------------- | ----------------- |
 | `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master` |
 | `VAULT_BASE_URL`  | The Vault server base API url          | _none_ |
+| `VAULT_OIDC_AUD`  | The `aud` claim for the JWT | `$CI_SERVER_URL` |
 | :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
 | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
 
@@ -548,14 +549,16 @@ With:
 include:
   # main template
   - project: 'to-be-continuous/docker'
-    ref: '5.2.2'
+    ref: '5.3.0'
     file: '/templates/gitlab-ci-docker.yml'
   # Vault variant
   - project: 'to-be-continuous/docker'
-    ref: '5.2.2'
+    ref: '5.3.0'
     file: '/templates/gitlab-ci-docker-vault.yml'
 
 variables:
+    # audience claim for JWT
+    VAULT_OIDC_AUD: "https://vault.acme.host"
     # Secrets managed by Vault
     DOCKER_REGISTRY_SNAPSHOT_USER: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=user"
     DOCKER_REGISTRY_SNAPSHOT_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/artifactory/snapshot/credentials?field=token"

renovate.json

@@ -10,6 +10,12 @@
         "gitlab-tags"
       ],
       "versioning": "docker"
+    },
+    {
+      "matchPackagePatterns": ["to-be-continuous/*"],
+      "automerge": true,
+      "automergeType": "pr",
+      "platformAutomerge": true
     }
   ]
 }

templates/gitlab-ci-docker-gcp.yml

@@ -2,15 +2,22 @@
 # === GCP Auth template variant
 # =====================================================================================================================
 variables:
-    TBC_GCP_AUTH_PROVIDER: "$CI_REGISTRY/to-be-continuous/tools/gcp-auth-provider:main"
-    CI_JOB_JWT_V2: $CI_JOB_JWT_V2 # For the gitlab runner authentication in TBC_GCP_AUTH_PROVIDER
-    DOCKER_REGISTRY_SNAPSHOT_USER: oauth2accesstoken
-    DOCKER_REGISTRY_RELEASE_USER: oauth2accesstoken
-    DOCKER_REGISTRY_SNAPSHOT_PASSWORD: '@url@http://gcp-auth-provider/token?envType=snapshot'
-    DOCKER_REGISTRY_RELEASE_PASSWORD: '@url@http://gcp-auth-provider/token?envType=release'
+  TBC_GCP_AUTH_PROVIDER: "$CI_REGISTRY/to-be-continuous/tools/gcp-auth-provider:main"
+  GCP_OIDC_AUD: "$CI_SERVER_URL"
+
 .docker-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.2.2"]
+      command: ["--service", "docker", "5.3.0"]
     - name: "$TBC_GCP_AUTH_PROVIDER"
       alias: "gcp-auth-provider"
+  variables:
+    #  have to be explicitly declared in the YAML to be exported to the service
+    GCP_JWT: $GCP_JWT
+    DOCKER_REGISTRY_SNAPSHOT_USER: oauth2accesstoken
+    DOCKER_REGISTRY_RELEASE_USER: oauth2accesstoken
+    DOCKER_REGISTRY_SNAPSHOT_PASSWORD: '@url@http://gcp-auth-provider/token?envType=snapshot'
+    DOCKER_REGISTRY_RELEASE_PASSWORD: '@url@http://gcp-auth-provider/token?envType=release'
+  id_tokens:
+    GCP_JWT:
+      aud: "$GCP_OIDC_AUD"

templates/gitlab-ci-docker-vault.yml

@@ -7,10 +7,16 @@ variables:
   # variables have to be explicitly declared in the YAML to be exported to the service
   VAULT_ROLE_ID: "$VAULT_ROLE_ID"
   VAULT_SECRET_ID: "$VAULT_SECRET_ID"
+  VAULT_OIDC_AUD: "$CI_SERVER_URL"
 
 .docker-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.2.2"]
+      command: ["--service", "docker", "5.3.0"]
     - name: "$TBC_VAULT_IMAGE"
       alias: "vault-secrets-provider"
+  variables:
+    VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
+  id_tokens:
+    VAULT_JWT_TOKEN:
+      aud: "$VAULT_OIDC_AUD"

templates/gitlab-ci-docker.yml

@@ -447,7 +447,7 @@ stages:
 .docker-base:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.2.2"]
+      command: ["--service", "docker", "5.3.0"]
   before_script:
     - *docker-scripts
 
@@ -476,7 +476,7 @@ stages:
     _TRACE: "${TRACE}"
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.2.2"]
+      command: ["--service", "docker", "5.3.0"]
     - name: $DOCKER_DIND_IMAGE
       alias: docker
       command: