From 2a51bfdfcf60e6b8915dbffa83150696fab4f0ec Mon Sep 17 00:00:00 2001 From: Alejandro Dabin Date: Mon, 29 Jan 2024 12:17:30 +0100 Subject: [PATCH] ci: use vault jwt integration --- .gitlab-ci.yml | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f4a995d4..1f2f9167 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -13,9 +13,6 @@ stages: # List of stages for jobs, and their order of execution build_images: stage: build_images - id_tokens: - VAULT_ID_TOKEN: - aud: $CI_VAULT_ADDR rules: - if: '$CI_COMMIT_TAG =~ /^v1+[.][0-9]+([.][0-9]+)?$/ || $CI_COMMIT_TAG =~ /^v1+[.][0-9]+([.][0-9]+)-dev+([.][0-9]+)?$/ || $CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH =~ /^RESTAPI-.{10,}$/' image: @@ -23,18 +20,12 @@ build_images: entrypoint: [""] script: - echo "Build images with tag ${CI_COMMIT_SHORT_SHA}" - - - wget https://releases.hashicorp.com/vault/1.11.0/vault_1.11.0_linux_amd64.zip - - unzip vault_1.11.0_linux_amd64.zip - - export PATH=$PATH:$(pwd) - - export VAULT_ADDR="$CI_VAULT_ADDR" - - mkdir -p /kaniko/.docker - echo '{"auths":{"'$CI_REGISTRY'":{"username":"'$CI_REGISTRY_USER'","password":"'$CI_REGISTRY_PASSWORD'"}}}' > /kaniko/.docker/config.json - | - # Base image for each commit″ - /kaniko/executor --context ./ --dockerfile deploy/docker/base/Dockerfile --destination ${CI_REGISTRY_PREFIX}/f7t-base:${CI_COMMIT_SHORT_SHA} --cleanup + # Base image for each commit + /kaniko/executor --context ./ --dockerfile deploy/docker/base/Dockerfile --destination ${CI_REGISTRY_PREFIX}/f7t-base:${CI_COMMIT_SHORT_SHA} --single-snapshot # Core microservices for img in certificator compute reservations status storage tasks utilities; do 
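Review bot: The `id_tokens` block with `VAULT_ID_TOKEN` is deleted in the first hunk, yet the login lines added in the deploy_dev, cleanup_dev_deployment, tag_release and cleanup_dev_images hunks authenticate with `$CI_JOB_JWT`, which GitLab has deprecated in favour of exactly this `id_tokens` mechanism and has announced for removal. Rather than dropping the block, move it to the four jobs that call `vault write auth/jwt/login` and use `jwt=$VAULT_ID_TOKEN`, keeping `aud: $CI_VAULT_ADDR` consistent with the bound audience of the `firecrest` role on the Vault side, which is outside this repository and cannot be checked here. The build_images job no longer talks to Vault after this change, so removing the block from that job itself is fine; the second hunk on this line looks truncated at its tail, so its remaining context is not reviewed.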
@@ -46,11 +37,11 @@ build_images: # build web client /kaniko/executor --context src/tests/template_client --dockerfile ./Dockerfile \ - --destination ${CI_REGISTRY_PREFIX}/client:${CI_COMMIT_SHORT_SHA} --cleanup + --destination ${CI_REGISTRY_PREFIX}/client:${CI_COMMIT_SHORT_SHA} --cleanup --single-snapshot # build tester /kaniko/executor --context ./ --dockerfile deploy/docker/tester/Dockerfile \ - --destination ${CI_REGISTRY_PREFIX}/tester:${CI_COMMIT_SHORT_SHA} --cleanup + --destination ${CI_REGISTRY_PREFIX}/tester:${CI_COMMIT_SHORT_SHA} --cleanup --single-snapshot deploy_dev: @@ -65,7 +56,8 @@ deploy_dev: script: - echo "Deploy development environment" - export VAULT_ADDR="$CI_VAULT_ADDR" - - export VAULT_TOKEN=$CI_VAULT_TOKEN + - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=firecrest jwt=$CI_JOB_JWT)" + - if [[ ${#VAULT_TOKEN} -lt 3 ]]; then echo "Error - Vault token empty"; exit 1; fi - CI_K8S_TOKEN="$(vault kv get -field=firecrest-cicd-secret firecrest/dev)" - CI_REGISTRY_GROUP="$(vault kv get -field=REGISTRY_GROUP firecrest/dev)" - CI_REGISTRY_PREFIX="$(vault kv get -field=REPO_PREFIX firecrest/dev)" @@ -168,7 +160,8 @@ cleanup_dev_deployment: name: ${CI_REGISTRY_PREFIX}/ci-util:latest script: - export VAULT_ADDR="$CI_VAULT_ADDR" - - export VAULT_TOKEN=$CI_VAULT_TOKEN + - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=firecrest jwt=$CI_JOB_JWT)" + - if [[ ${#VAULT_TOKEN} -lt 3 ]]; then echo "Error - Vault token empty"; exit 1; fi - CI_K8S_TOKEN="$(vault kv get -field=firecrest-cicd-secret firecrest/dev)" - CI_REGISTRY_GROUP="$(vault kv get -field=REGISTRY_GROUP firecrest/dev)" - CI_REGISTRY_PREFIX="$(vault kv get -field=REPO_PREFIX firecrest/dev)" 
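Review bot: In the deploy_dev hunk the job JWT is passed to Vault on the command line, `jwt=$CI_JOB_JWT`, so it is readable by any process in the job container through the argument list and would land in the job log if shell tracing is ever enabled; the cleanup_dev_deployment hunk below and the tag_release and cleanup_dev_images hunks repeat the same shape. Vault's CLI reads a value from stdin when it is given as `-`, and assigning before exporting lets a failed `vault write` fail the job step instead of being masked by `export`, which is what the added `${#VAULT_TOKEN} -lt 3` line is compensating for: `- VAULT_TOKEN="$(printf '%s' "$CI_JOB_JWT" | vault write -field=token auth/jwt/login role=firecrest jwt=-)"` followed by `- export VAULT_TOKEN`. The length check can then remain as a secondary guard or be dropped. Both script blocks continue past their hunks.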
@@ -193,7 +186,8 @@ tag_release: name: ${CI_REGISTRY_PREFIX}/ci-util:latest script: - export VAULT_ADDR="$CI_VAULT_ADDR" - - export VAULT_TOKEN=$CI_VAULT_TOKEN + - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=firecrest jwt=$CI_JOB_JWT)" + - if [[ ${#VAULT_TOKEN} -lt 3 ]]; then echo "Error - Vault token empty"; exit 1; fi - GITLAB_ACCESS_TOKEN="$(vault kv get -field=GITLAB_ACCESS_TOKEN firecrest/dev)" - CI_REGISTRY_GROUP="$(vault kv get -field=REGISTRY_GROUP firecrest/dev)" @@ -329,7 +323,8 @@ cleanup_dev_images: name: ${CI_REGISTRY_PREFIX}/ci-util:latest script: - export VAULT_ADDR="$CI_VAULT_ADDR" - - export VAULT_TOKEN=$CI_VAULT_TOKEN + - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=firecrest jwt=$CI_JOB_JWT)" + - if [[ ${#VAULT_TOKEN} -lt 3 ]]; then echo "Error - Vault token empty"; exit 1; fi - CI_REGISTRY_GROUP="$(vault kv get -field=REGISTRY_GROUP firecrest/dev)" - CI_REGISTRY_PREFIX="$(vault kv get -field=REPO_PREFIX firecrest/dev)" - >
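Review bot: The tag_release and cleanup_dev_images hunks now carry the same three-line Vault login prologue (`export VAULT_ADDR`, the `vault write … auth/jwt/login` export, the `${#VAULT_TOKEN}` check) as deploy_dev and cleanup_dev_deployment, so the role name `firecrest` and the error handling are maintained in four places. Defining it once in a hidden job, `.vault_login:` with a `script:` list, and starting each job's `script:` with `- !reference [.vault_login, script]` leaves a single copy to change the next time the login method changes. Both script blocks continue past their hunks.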