Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/delineaxpm/dsv-gitlab

Plugin for Gitlab integration with DSV.
https://github.com/delineaxpm/dsv-gitlab

dsv gitlab

Last synced: about 2 months ago
JSON representation

Plugin for Gitlab integration with DSV.

Awesome Lists containing this project

README

        

# Delinea DevOps Secrets Vault GitLab Integration

[![codecov](https://codecov.io/gh/delineaxpm/dsv-gitlab/branch/main/graph/badge.svg?token=FPHYYO5ZF2)](https://codecov.io/gh/delineaxpm/dsv-gitlab)

Delinea DevOps Secrets Vault (DSV) CI plugin allows you to access and reference your Secrets data available for use in GitLab Jobs.

## Getting Started

- [Developer](DEVELOPER.md): instructions on running tests, local tooling, and other resources.
- [DSV Documentation](https://docs.delinea.com/dsv/current?ref=githubrepo)

## Using With Gitlab

Review the file: [.gitlab-ci.yml](examples/.gitlab-ci.yml)

To test this out, you'll have to create variables in GitLab under: `https://gitlab.com/{org}/{project}/-/settings/ci_cd`.

## Prerequisites

This plugin uses authentication based on Client Credentials, i.e. via Client ID and Client Secret.

```shell
dsvprofile=

rolename="gitlab-dsv-gitlab-tests"
secretpath="ci:tests:dsv-gitlab"
secretpathclient="clients:${secretpath}"

desc="a secret for testing operation of secrets against dsv-gitlab"
clientcredfile=".cache/${rolename}.json"
clientcredname="${rolename}"

dsv role create --name "${rolename}" --profile $dsvprofile

# Option 1: Less Optimal - Save Credential to local json for testing
# dsv client create --role "${rolename}" --out "file:${clientcredfile}"

# Option 2: 🔒 MOST SECURE
# Create credential info for dsv, and set as variable.
# Create an org secret instead if you want to share this credential in many repos.

# compress to a single line
clientcred=$(dsv client create --role "${rolename}" --plain | jq -c)

# configure the credentials in gitlab
echo 'DSV_SERVER in GitLab variables, example: mytenant.secretsvaultcloud.com'
echo "Save DSV_CLIENT_ID in GitLab variables: $(echo "${clientcred}" | jq '.clientId' -r)"
echo "Save DSV_CLIENT_SECRET in GitLab variables: $(echo "${clientcred}" | jq '.clientSecret' -r )"
```

For further setup, here's how you could extend that script block above with also creating a secret and the policy to read just this secret.

```shell
# Create a secret
secretkey="secret-01"
secretvalue='{"value1":"taco","value2":"burrito"}'
dsv secret create \
--path "secrets:${secretpath}:${secretkey}" \
--data "${secretvalue}" \
--desc "${desc}"

# Create a policy to allow role "$rolename" to read secrets under "ci:tests:integration-configs/dsv-gitlab":
dsv policy create \
--path "secrets:${secretpath}" \
--actions 'read' \
--effect 'allow' \
--subjects "roles:$rolename" \
--desc "${desc}" \
--resources "secrets:${secretpath}:<.*>"
```

## Usage

See [integration.yml](examples/.gitlab-ci.yml) for an example of how to use this to retrieve secrets and use outputs on other tasks.

### Retrieve 2 Values from Same Secret

The json expects an array, so just add a new line.

```yaml
retrieve: |
[
{"secretPath": "ci:tests:dsv-github-action:secret-01", "secretKey": "value1", "outputVariable": "RETURN_VALUE_1"},
{"secretPath": "ci:tests:dsv-github-action:secret-01", "secretKey": "value2", "outputVariable": "RETURN_VALUE_2"}
]
```

### Retrieve 2 Values from Different Secrets

> Note: Make sure your generated client credentials are associated a policy that has rights to read the different secrets.

```yaml
retrieve: |
[
{"secretPath": "ci:tests:dsv-github-action:secret-01", "secretKey": "value1", "outputVariable": "RETURN_VALUE_1"},
{"secretPath": "ci:tests:dsv-github-action:secret-02", "secretKey": "value1", "outputVariable": "RETURN_VALUE_2"}
]
```

## Contributors ✨

Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):



Mariia
Mariia

💻
sheldonhull
sheldonhull

💻
andrii-zakurenyi
andrii-zakurenyi

💻
gg-delinea
gg-delinea

📓


This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!