Add akeyless integration

Max Orefice requested to merge morefice/add-akeyless-integration into master

Ref: https://gitlab.com/gitlab-org/gitlab/-/issues/475179

This is an experimental feature. Please review the support policy prior to use.

What does this MR do and why?

This MR allows Akeyless vault integration within GitLab. This is taken from the original implementation in !147283 (closed).

This feature is introduced as an experiment until we add support for Handling sensitive values (&14416).

Here is an example of a .gitlab-ci.yml to illustrate how this would work:

job:
  id_tokens:
    AKEYLESS_JWT:
      aud: 'https://gitlab.com'
  secrets:
    DATABASE_PASSWORD:
      token: $AKEYLESS_JWT
      akeyless:
        name: 'my-project-secret'

In addition to the above config, the user needs to provide the following variables:

  • Akeyless access ID: AKEYLESS_ACCESS_ID

Given the above YAML and CI variables, the job payload to Runner should contain the following JSON:

{
  "secrets": {
    "DATABASE_PASSWORD": {
      "akeyless": {
        "name": "my-project-secret",
        "data_key": "",
        "cert_user_name": "",
        "public_key_data": "",
        "csr_data": "",
        "server": {
          "access_id": "akeyless access id",
          "access_key": "",
          "akeyless_api_url": "https://api.akeyless.io",
          "akeyless_access_type": "jwt",
          "akeyless_token": "",
          "uid_token": "",
          "gcp_audience": "",
          "azure_object_id": "",
          "k8s_service_account_token": "",
          "k8s_auth_config_name": "",
          "gateway_ca_certificate": "",
          "jwt": "$AKEYLESS_JWT"
        }
      }
    }
  }
}

With this configuration, the job would have the secret retrieved from Akeyless stored in the build variable DATABASE_PASSWORD.

The runner implementation to handle this payload is done in gitlab-runner!4704 (closed).

What's the best way to test this MR?

  1. Log in to Akeyless: https://console.akeyless.io/
  2. Create a new static secret: https://docs.akeyless.io/docs/static-secrets
  3. Create an authentication method of type OAuth2.0/JWT: https://docs.akeyless.io/docs/oauth20jwt
  4. Create a Role for the auth method you created so it can access the secret: https://docs.akeyless.io/docs/rbac
  5. Set up a GDK environment with these GitLab changes and gitlab-runner gitlab-runner!4704 (closed)
  6. Use the YAML example I wrote in the description and update the name and the AKEYLESS_ACCESS_ID variable in the CI/CD settings.
  7. Run the pipeline and verify that the secret is in the build variable DATABASE_PASSWORD.
Edited by Jocelyn Eillis
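To make the YAML-to-payload mapping in the description concrete, here is an added Ruby example (not code from this MR or from GitLab) that turns the job's `secrets` definition plus the `AKEYLESS_ACCESS_ID` CI/CD variable into the runner JSON shown above. The check that the referenced `token` is declared under `id_tokens` is an assumption added here, not behaviour the MR describes.

```ruby
require 'yaml'
require 'json'
# Constructed input: the .gitlab-ci.yml snippet from the MR description.
CI_YAML = <<~YAML
  job:
    id_tokens:
      AKEYLESS_JWT:
        aud: 'https://gitlab.com'
    secrets:
      DATABASE_PASSWORD:
        token: $AKEYLESS_JWT
        akeyless:
          name: 'my-project-secret'
YAML

# Fields the payload carries for the JWT access type, as in the MR's expected JSON.
AKEYLESS_API_URL = 'https://api.akeyless.io'
EMPTY_SECRET_KEYS = %w[data_key cert_user_name public_key_data csr_data].freeze
EMPTY_SERVER_KEYS = %w[akeyless_token uid_token gcp_audience azure_object_id
                       k8s_service_account_token k8s_auth_config_name gateway_ca_certificate].freeze

# Build the "secrets" section of the runner payload from a job's parsed YAML and CI/CD variables.
def akeyless_secrets_payload(job_config, ci_variables)
  access_id = ci_variables.fetch('AKEYLESS_ACCESS_ID') { raise ArgumentError, 'AKEYLESS_ACCESS_ID is required' }
  id_tokens = job_config.fetch('id_tokens', {})
  job_config.fetch('secrets', {}).each_with_object({}) do |(var_name, secret), out|
    next unless secret.key?('akeyless')
    token_ref = secret.fetch('token') # e.g. "$AKEYLESS_JWT"; left for the runner to resolve
    # Assumed sanity check (not in the MR): the token must be one of the job's id_tokens.
    unless id_tokens.key?(token_ref.delete_prefix('$'))
      raise ArgumentError, "#{var_name}: #{token_ref} is not declared under id_tokens"
    end
    server = { 'access_id' => access_id, 'access_key' => '',
               'akeyless_api_url' => AKEYLESS_API_URL, 'akeyless_access_type' => 'jwt' }
    EMPTY_SERVER_KEYS.each { |k| server[k] = '' }
    server['jwt'] = token_ref
    akeyless = { 'name' => secret['akeyless'].fetch('name') }
    EMPTY_SECRET_KEYS.each { |k| akeyless[k] = '' }
    akeyless['server'] = server
    out[var_name] = { 'akeyless' => akeyless }
  end
end

# Parse the constructed YAML and return the full payload hash for the example job.
def example_payload
  job = YAML.safe_load(CI_YAML).fetch('job')
  { 'secrets' => akeyless_secrets_payload(job, { 'AKEYLESS_ACCESS_ID' => 'p-example-access-id' }) }
end

puts JSON.pretty_generate(example_payload) if $PROGRAM_NAME == __FILE__
```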