Class: GDK::Vault

Inherits:
Object
Defined in:
lib/gdk/vault.rb

Overview

This class configures a Vault dev server to allow the project with the given ID to fetch secrets using the `.gitlab-ci.yml` `secrets` keyword


Instance Method Details

#configure_test_auth(project_id) ⇒ Object



# File 'lib/gdk/vault.rb', line 27

# Enables Vault's JWT auth method at the `gitlab` path, points it at this GDK
# instance's JWKS endpoint, then registers the Vault role for the given project.
#
# Both `jwks_url` and `bound_issuer` are derived from `GDK.config.__uri`, so the
# auth method trusts keys and an issuer belonging to this GDK instance only.
#
# @param project_id [Integer, String] ID of the project the Vault role is bound to;
#   forwarded to `vault_role_cmd` (defined elsewhere in this class), which builds
#   a further shell command from it — NOTE(review): that helper is where the ID
#   is interpolated into a command line, so its quoting is worth confirming
# @return [Object] the value returned by the final `shellout` call
def configure_test_auth(project_id)
  # Build the config command first; backslash-newline inside the interpolating
  # heredoc joins the three lines into one shell command.
  auth_config_cmd = <<~VAULT_AUTH
    vault write auth/gitlab/config \
      jwks_url="#{GDK.config.__uri}/-/jwks" \
      bound_issuer="#{GDK.config.__uri}"
  VAULT_AUTH

  shellout('vault auth enable -path=gitlab jwt')
  shellout(auth_config_cmd)
  shellout(vault_role_cmd(project_id))
end

#create_test_policy ⇒ Object



# File 'lib/gdk/vault.rb', line 15

# Writes the `gitlab-test-policy` Vault policy, which grants only the `read`
# capability on `kv-v2/data/gitlab-test/*` — the path under which
# #create_test_secret stores the dev secret. No write/delete capability is granted.
#
# The policy document is passed to `vault policy write ... -` on stdin through a
# nested shell heredoc (`<<EOF`), so the inner `EOF` marker is part of the command
# text and must stay inside the Ruby heredoc.
#
# @return [Object] the value returned by `shellout`
def create_test_policy
  shellout(<<~VAULT_POLICY)
    vault policy write gitlab-test-policy - <<EOF
    path "kv-v2/data/gitlab-test/*" {
      capabilities = [ "read" ]
    }
    EOF
  VAULT_POLICY
end

#create_test_secret ⇒ Object



# File 'lib/gdk/vault.rb', line 7

# Enables a kv-v2 secrets engine mounted at `kv-v2` and stores a placeholder
# password under `kv-v2/gitlab-test/db`.
#
# The stored value (`db-password-goes-here`) is a fixture for the local dev
# server and is the secret the example CI job in #print_example_ci_config reads;
# it is not a real credential.
#
# @return [Object] the value returned by the final `shellout` call
def create_test_secret
  # Mount the engine before writing to it; both commands go through shellout in order.
  shellout('vault secrets enable -path=kv-v2 kv-v2')
  shellout('vault kv put kv-v2/gitlab-test/db password=db-password-goes-here')
end


# File 'lib/gdk/vault.rb', line 41

# Prints an example `.gitlab-ci.yml` job that fetches the dev secret created by
# #create_test_secret through the `gitlab-test-role` role configured by
# #configure_test_auth.
#
# `vault_address` is defined elsewhere in this class. The job's `aud` is
# `GDK.config.__uri`, the same value used as `bound_issuer`/JWKS origin in
# #configure_test_auth. Note the example `script` prints the secret to the job log
# (`cat $DATABASE_PASSWORD`) — presumably the variable holds a file path with the
# value, as GitLab's `secrets:` keyword does by default; confirm against the docs.
# That is acceptable only for the throwaway dev secret.
#
# @return [Object] the value returned by `GDK::Output.notice`
def print_example_ci_config
  # Leading "\n\n" separates the example from preceding output.
  example_job = <<~VAULT_CI_EXAMPLE
    \n\nYou can now fetch a secret from Vault with the following CI job:

    test_secrets:
      variables:
        VAULT_AUTH_PATH: gitlab
        VAULT_AUTH_ROLE: gitlab-test-role
        VAULT_SERVER_URL: #{vault_address}
      id_tokens:
        TEST_ID_TOKEN:
          aud: #{GDK.config.__uri}
      secrets:
        DATABASE_PASSWORD:
          vault: gitlab-test/db/password
      script:
        - echo $DATABASE_PASSWORD
        - cat $DATABASE_PASSWORD
  VAULT_CI_EXAMPLE

  GDK::Output.notice(example_job)
end