Fix vault pipeline
daniele committed May 3, 2024
1 parent d147958 commit 04545a5
Showing 5 changed files with 21 additions and 15 deletions.
28 changes: 18 additions & 10 deletions {{cookiecutter.project_dirname}}/.gitlab-ci.yml
Expand Up @@ -68,14 +68,16 @@ cache:
stage: .pre
image: docker:20
services:
- docker:20-dind
- docker:20-dind{% if cookiecutter.use_vault == "true" %}
id_tokens:
VAULT_ID_TOKEN:
aud: ${VAULT_ADDR}{% endif %}
script:
- >
docker run --rm
-v ${PWD}:${PWD}
-w ${PWD}
-e CI_ENVIRONMENT_NAME{% if cookiecutter.use_vault == "true" %}
-e CI_JOB_JWT_V2
-e ENV_NAME=${CI_ENVIRONMENT_NAME}{% endif %}
-e PROJECT_DIR=${CI_PROJECT_DIR}
-e PROJECT_SLUG
Expand All @@ -88,6 +90,7 @@ cache:
-e SENTRY_URL{% if cookiecutter.use_vault == "true" %}
-e SERVICE_SLUG={{ cookiecutter.service_slug }}
-e VAULT_ADDR
-e VAULT_ID_TOKEN
-e VAULT_ROLE{% endif %}
-e VERSION_REF
--entrypoint=""
Expand Down Expand Up @@ -163,19 +166,22 @@ test:
image:
name: docker:20
services:
- docker:20-dind
- docker:20-dind{% if cookiecutter.use_vault == "true" %}
id_tokens:
VAULT_ID_TOKEN:
aud: ${VAULT_ADDR}{% endif %}
script:
- >
docker run --rm
-v ${PWD}:${PWD}
-w ${PWD}{% if cookiecutter.use_vault == "true" %}
-e CI_JOB_JWT_V2
-e ENV_SLUG{% else %}
-e PACT_BROKER_BASE_URL
-e PACT_BROKER_PASSWORD
-e PACT_BROKER_USERNAME{% endif %}
-e PROJECT_SLUG{% if cookiecutter.use_vault == "true" %}
-e VAULT_ADDR{% endif %}
-e VAULT_ADDR
-e VAULT_ID_TOKEN{% endif %}
--entrypoint=""
pactfoundation/pact-cli:latest-node14 ./scripts/ci_pact.sh ${PACT_CMD}
Expand Down Expand Up @@ -378,7 +384,10 @@ e2e_manual:
image:
name: docker:20
services:
- docker:20-dind
- docker:20-dind{% if cookiecutter.use_vault == "true" %}
id_tokens:
VAULT_ID_TOKEN:
aud: ${VAULT_ADDR}{% endif %}
variables:
TF_ROOT: ${CI_PROJECT_DIR}/terraform/{{ cookiecutter.deployment_type }}
before_script:
Expand All @@ -391,16 +400,14 @@ e2e_manual:
-w ${PWD}{% if cookiecutter.terraform_backend == "gitlab" %}
-e CI_API_V4_URL
-e CI_COMMIT_SHA
-e CI_JOB_ID{% if cookiecutter.use_vault == "true" %}
-e CI_JOB_JWT_V2{% endif %}
-e CI_JOB_ID
-e CI_JOB_STAGE
-e CI_JOB_TOKEN
-e CI_PROJECT_ID
-e CI_PROJECT_NAME
-e CI_PROJECT_NAMESPACE
-e CI_PROJECT_PATH
-e CI_PROJECT_URL{% elif cookiecutter.use_vault == "true" %}
-e CI_JOB_JWT_V2{% endif %}
-e CI_PROJECT_URL
-e ENV_SLUG
-e PROJECT_DIR=${CI_PROJECT_DIR}
-e PROJECT_SLUG
Expand All @@ -422,6 +429,7 @@ e2e_manual:
-e TF_WORKSPACE="{{ cookiecutter.project_slug }}_{{ cookiecutter.service_slug }}_environment_${ENV_SLUG}"{% endif %}{% if cookiecutter.terraform_backend == "terraform-cloud" and not cookiecutter.use_vault %}
-e TFC_TOKEN{% endif %}{% if cookiecutter.use_vault == "true" %}
-e VAULT_ADDR
-e VAULT_ID_TOKEN
-e VAULT_ROLE
-e VAULT_SECRETS="digitalocean k8s {{ cookiecutter.service_slug }}/extra {{ cookiecutter.service_slug }}/sentry"
-e VAULT_SECRETS_PREFIX="envs/${CI_ENVIRONMENT_NAME}"
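Review bot: `aud: ${VAULT_ADDR}` in the new `id_tokens` blocks (the `.pre`, `test` and `e2e_manual` hunks) is only accepted when it matches the `bound_audiences` value on the Vault `gitlab-jwt` role byte-for-byte, yet the scripts that consume the token call Vault at `${VAULT_ADDR%/}`; a trailing slash in the `VAULT_ADDR` CI variable would therefore make every login fail while the URL still looks right. A comment above the first block would save the next person the debugging session: `# aud must equal bound_audiences on the Vault role exactly; keep VAULT_ADDR free of a trailing slash`. Whether the runner expands `${VAULT_ADDR}` inside `aud` depends on the GitLab version in use, so that is worth confirming on the target instance rather than assuming. The same three-line `id_tokens` stanza is now duplicated in three jobs; an `extends:` template (or a YAML anchor, if the cookiecutter output tolerates one) would keep the audience from drifting between jobs as the template evolves.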
2 changes: 0 additions & 2 deletions {{cookiecutter.project_dirname}}/docker-compose.yaml
@@ -1,5 +1,3 @@
version: "3.9"

services:
consumer:
container_name: ${SERVICE_CONTAINER_NAME:-{{ cookiecutter.project_slug }}-consumer}
2 changes: 1 addition & 1 deletion {{cookiecutter.project_dirname}}/scripts/ci_pact.sh
Expand Up @@ -5,7 +5,7 @@ set -e
if [ "${VAULT_ADDR}" != "" ]; then
apk update && apk add curl jq

vault_token=$(curl --silent --request POST --data "role=pact" --data "jwt=${CI_JOB_JWT_V2}" "${VAULT_ADDR%/}"/v1/auth/gitlab-jwt/login | jq -r .auth.client_token)
vault_token=$(curl --silent --request POST --data "role=pact" --data "jwt=${VAULT_ID_TOKEN}" "${VAULT_ADDR%/}"/v1/auth/gitlab-jwt/login | jq -r .auth.client_token)

pact_secrets=$(curl --silent --header "X-Vault-Token: ${vault_token}" "${VAULT_ADDR%/}"/v1/"${PROJECT_SLUG}"/pact | jq -r .data)

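Review bot: The new `jwt=${VAULT_ID_TOKEN}` login still has no failure check: `curl --silent` exits 0 on an HTTP 4xx/5xx from Vault, so an expired or audience-mismatched token leaves `vault_token` set to the literal `null` and the next `curl` in this `if` block runs with `X-Vault-Token: null` instead of aborting, and `set -e` does not help because the pipeline's status is jq's. Add `--fail` to the login request and guard the result, e.g. `vault_token=$(curl --silent --fail --request POST --data "role=pact" --data "jwt=${VAULT_ID_TOKEN}" "${VAULT_ADDR%/}"/v1/auth/gitlab-jwt/login | jq -r .auth.client_token)` followed by `[ -n "${vault_token}" ] && [ "${vault_token}" != "null" ] || { echo "vault login failed" >&2; exit 1; }`, with `set -o pipefail` alongside the existing `set -e`. The same unchecked login appears in the ci_sentry.sh and deploy/vault.sh hunks of this commit and would take the identical fix. The `if [ "${VAULT_ADDR}" != "" ]` block continues past the end of the hunk.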
2 changes: 1 addition & 1 deletion {{cookiecutter.project_dirname}}/scripts/ci_sentry.sh
Expand Up @@ -9,7 +9,7 @@ git config --global --add safe.directory "${PROJECT_DIR}"
if [ "${VAULT_ADDR}" != "" ]; then
apk add curl jq

vault_token=$(curl --silent --request POST --data "role=${VAULT_ROLE}" --data "jwt=${CI_JOB_JWT_V2}" "${VAULT_ADDR%/}"/v1/auth/gitlab-jwt/login | jq -r .auth.client_token)
vault_token=$(curl --silent --request POST --data "role=${VAULT_ROLE}" --data "jwt=${VAULT_ID_TOKEN}" "${VAULT_ADDR%/}"/v1/auth/gitlab-jwt/login | jq -r .auth.client_token)

SENTRY_AUTH_TOKEN=$(curl --silent --header "X-Vault-Token: ${vault_token}" "${VAULT_ADDR%/}"/v1/"${PROJECT_SLUG}"/envs/"${ENV_NAME}"/sentry | jq -r .data.sentry_auth_token)
SENTRY_DSN=$(curl --silent --header "X-Vault-Token: ${vault_token}" "${VAULT_ADDR%/}"/v1/"${PROJECT_SLUG}"/envs/"${ENV_NAME}"/"${SERVICE_SLUG}"/sentry | jq -r .data.sentry_dsn)
2 changes: 1 addition & 1 deletion {{cookiecutter.project_dirname}}/scripts/deploy/vault.sh
Expand Up @@ -2,7 +2,7 @@

set -e

vault_token=$(curl --silent --request POST --data "role=${VAULT_ROLE}" --data "jwt=${CI_JOB_JWT_V2}" "${VAULT_ADDR%/}"/v1/auth/gitlab-jwt/login | jq -r .auth.client_token)
vault_token=$(curl --silent --request POST --data "role=${VAULT_ROLE}" --data "jwt=${VAULT_ID_TOKEN}" "${VAULT_ADDR%/}"/v1/auth/gitlab-jwt/login | jq -r .auth.client_token)

secrets_data="{}"
