Table of contents
- The integration principle of Jihu GitLab CI and Vault
- Two ways to integrate Jihu GitLab CI with Vault
"An embankment of a thousand miles breaks from an ant nest." Key management is to the software development life cycle what an ant nest is to a long embankment. Leaked keys have become a major factor in enterprises being attacked and held to ransom. Managing keys securely and in compliance not only prevents major economic losses, but also builds a good corporate security culture, helping enterprises accelerate software delivery while staying secure and compliant.
Key management needs to cover the entire software development life cycle. For example, keys must not be hard-coded during the coding phase, keys must not be printed in the build log during the build phase, and the changed code (and its history) must be scanned for key information during the testing phase. GitLab itself has mature key management features: in the CI/CD pipeline stage, keys can be stored in CI variables, and secret-detection security scans can be embedded into the CI/CD pipeline to find key information in the code in time and avoid leaks. For key management in Jihu GitLab CI, see the article "Jihu GitLab CI/CD SSH Key Mask". For Jihu GitLab key security scanning, see "Enable 'Secret Detection' with 1 line of code and add a protective lock to sensitive data".
This article will demonstrate the integration of Jihu GitLab CI and Vault for security and compliance management of keys.
About Vault
Vault is an open source, identity-based key and encryption management system from HashiCorp. It follows the principle of "default deny all" to manage secrets such as API keys, usernames and passwords, access tokens and certificates. For more information about Vault, see the Vault official website.
The integration principle of Jihu GitLab CI and Vault
- Configure the key in Vault (via the UI, CLI or API);
- Generate a JWT for use by the CI job;
- The Runner connects to HashiCorp Vault and uses the JWT for authentication;
- Vault validates the JWT;
- Vault checks the bound claims and the corresponding Vault policy;
- Vault returns an access token;
- The Runner reads the key information from Vault for use.
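To make steps 4 to 7 concrete, here is an added Python simulation of what Vault does with the job's JWT (example code written for this article, not part of the original post or of Vault itself): it verifies the token, compares the role's bound claims with the JWT claims, and only then lets the issued token read the KV path. The role name jh and the secret path come from the article; the bound claims, policy name and the HS256 demo key are assumptions chosen so the example runs offline.

```python
import base64, hashlib, hmac, json

# Constructed demo key. Real Vault fetches GitLab's public keys (jwks_url) and
# verifies the RS256 signature on CI_JOB_JWT; HS256 keeps this example offline.
JWT_SECRET = b"demo-hmac-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jwt(claims: dict) -> str:
    """Mint a compact HS256 JWT standing in for the CI_JOB_JWT a job receives."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

# Vault-side state modelled on the article's role "jh" (bound claims and
# policy contents are assumed values, not taken from the article).
ROLES = {"jh": {"bound_claims": {"project_id": "42", "ref_protected": "true"},
                "token_policies": ["docker-registry-read"]}}
POLICIES = {"docker-registry-read": {"jh/data/docker-registry/credentials": ["read"]}}
SECRETS = {"jh/data/docker-registry/credentials":
           {"username": "jh-gitlab", "password": "passw0rd"}}
TOKENS = {}  # issued Vault token -> attached policies

def jwt_login(role: str, token: str) -> str:
    """Steps 4-6: verify the JWT, check every bound claim, issue a Vault token."""
    header, payload, sig = token.split(".")
    expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise PermissionError("invalid JWT signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    role_def = ROLES[role]
    for name, wanted in role_def["bound_claims"].items():
        if str(claims.get(name)) != wanted:
            raise PermissionError(f"bound claim {name!r} does not match role {role!r}")
    vault_token = "hvs." + hashlib.sha256(token.encode()).hexdigest()[:16]
    TOKENS[vault_token] = role_def["token_policies"]
    return vault_token

def kv_get(vault_token: str, api_path: str, field: str) -> str:
    """Step 7: the token's policies must grant read on the KV v2 data path."""
    policies = TOKENS.get(vault_token, [])
    if not any("read" in POLICIES[p].get(api_path, []) for p in policies):
        raise PermissionError(f"permission denied on {api_path}")
    return SECRETS[api_path][field]
```

A job whose JWT carries a different project_id, runs on an unprotected ref, or has been tampered with never receives a Vault token, so the policy check is only the second line of defence.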
Two ways to integrate Jihu GitLab CI with Vault
You can use the secrets keyword or the CLI to use Vault in GitLab CI.
Using the secrets:vault keyword
secrets is the keyword used in GitLab CI to read keys from external key management tools. You can use secrets:vault to read the key information stored on the Vault server.
For example, the kv engine (v2) is used in Vault to store the username and password of the container image registry:
# write the username and password
$ vault kv put jh/docker-registry/credentials username=jh-gitlab password=passw0rd
# read the username and password
$ vault read -format=json jh/data/docker-registry/credentials | jq -r '.data.data'
{
  "password": "passw0rd",
  "username": "jh-gitlab"
}
Store vault-related environment variables in GitLab CI variables:
- VAULT_SERVER_URL: the Vault server address;
- VAULT_AUTH_ROLE: the role created on Vault, bound to the corresponding policy to achieve fine-grained control over the stored keys;
- VAULT_AUTH_PATH: the mount path of the authentication method under Vault auth; the default is jwt.
The contents of the .gitlab-ci.yml file are as follows:
stages:
  - vault
get_credentials:
  stage: vault
  tags:
    - vault
  image:
    name: vault:1.13.3
  secrets:
    DATABASE_PASSWORD:
      vault: docker-registry/credentials/password@jh
  script:
    - echo $DATABASE_PASSWORD
View the CI/CD pipeline build results:
You can see that Jihu GitLab CI successfully reads the Vault information and saves it in a file named DATABASE_PASSWORD; the path is shown in the red box in the screenshot.
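The secrets:vault reference and the file-based result above can be reproduced with this added Python example (not code from the article or from GitLab): it splits docker-registry/credentials/password@jh into engine mount, secret path and field, derives the KV v2 API path, and writes the value to a file whose path becomes the variable's value, which is why echo prints a path rather than the password. The in-memory FAKE_VAULT response is constructed.

```python
import os

def parse_vault_secret(ref: str):
    """Split a secrets:vault reference 'path/to/secret/field@mount' into
    (mount, secret_path, field); the text after '@' is the KV engine mount."""
    path_and_field, sep, mount = ref.rpartition("@")
    if not sep or not mount:
        raise ValueError("reference must name the engine mount after '@'")
    secret_path, _, field = path_and_field.rpartition("/")
    if not secret_path or not field:
        raise ValueError(f"malformed secrets:vault reference: {ref}")
    return mount, secret_path, field

def kv2_api_path(mount: str, secret_path: str) -> str:
    """KV v2 inserts 'data/' between mount and secret path, which is why the
    article writes jh/docker-registry/credentials but reads jh/data/docker-registry/credentials."""
    return f"{mount}/data/{secret_path}"

# Constructed stand-in for a KV v2 read response (same shape as the jq output).
FAKE_VAULT = {"jh/data/docker-registry/credentials":
              {"data": {"data": {"username": "jh-gitlab", "password": "passw0rd"}}}}

def materialise_secret(ref: str, var_name: str, directory: str) -> str:
    """Mimic the default file-type secret: the value is written to a file named
    after the CI variable and the file *path* becomes the variable's value."""
    mount, secret_path, field = parse_vault_secret(ref)
    value = FAKE_VAULT[kv2_api_path(mount, secret_path)]["data"]["data"][field]
    target = os.path.join(directory, var_name)
    with open(target, "w") as fh:
        fh.write(value)
    os.chmod(target, 0o600)  # readable by the job user only
    return target  # `echo $DATABASE_PASSWORD` prints this path, not the secret
```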
CLI mode
Just as when accessing Vault locally through the CLI, you can use the various vault commands to add, delete, modify and query keys. The key information written earlier is used again to demonstrate the CLI in GitLab CI.
The contents of the .gitlab-ci.yml file are as follows:
get_credentials:
  stage: vault
  tags:
    - vault
  image: vault:1.13.3
  script:
    # address of the vault server
    - export VAULT_ADDR=http://163.228.231.126:8200
    # token used for vault authentication and authorization
    - export VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=jh jwt=$CI_JOB_JWT)"
    # read the key information from vault
    - export PASSWORD="$(vault kv get -field=password jh/docker-registry/credentials)"
    # print the key information
    - echo $PASSWORD
View the CI/CD pipeline build results:
You can see that Jihu GitLab CI successfully reads the Vault information.
Note that key information read directly with the CLI method can be printed out with the echo command. You need to avoid printing key information during the CI/CD pipeline build, or use the first method, so that key information is not leaked during the pipeline build.