https://docs.cyberark.com/AAM-DAP/Latest/en/Content/Integrations/gitlab.htm
This project creates a Docker image that includes a Go binary that can be used to authenticate a JWT token against Conjur Secrets Manager and retrieve a secret value. Ubuntu, Alpine, and UBI-FIPS versions are available. The secret value is returned to STDOUT and can be used in a GitLab CI pipeline.
- Docker GitLab Runner
- Conjur Secrets Manager
- Conjur Policies for authentication & authorization (authn & authz)
  - authn-jwt Conjur Policy with GitLab Service ID
  - Conjur Policy to create identity for GitLab Repository
  - Conjur Policy to grant GitLab Repository identity to use synchronized secrets from CyberArk Vault
  - Conjur Policy to grant GitLab Repository identity ability to authenticate using authn-jwt/gitlab web service
- Choose your GitLab Runner Docker container image based on your desired OS. The following images are available:
  - `nfmsjoeg/authn-jwt-gitlab:ubuntu`
  - `nfmsjoeg/authn-jwt-gitlab:alpine`
  - `nfmsjoeg/authn-jwt-gitlab:ubi-fips`
- Once a GitLab Runner Docker container is decided upon, include it in your GitLab CI Pipeline file. The following example is for the `nfmsjoeg/authn-jwt-gitlab:ubuntu` image:

  ```yaml
  ubuntu:
    stage: test
    tags:
      - docker
    image: nfmsjoeg/authn-jwt-gitlab:ubuntu
  ```
- Be sure to tag the job in the GitLab CI Pipeline file with the proper tag so that it runs on the GitLab Runner Docker container. This is done in the above example using the `tags` key.
- Variables must be set in the GitLab CI Pipeline file for the GitLab Runner Docker container to consume. Those environment variables are:
  - `CONJUR_APPLIANCE_URL`
  - `CONJUR_ACCOUNT`
  - `CONJUR_AUTHN_JWT_SERVICE_ID`
  - `CONJUR_AUTHN_JWT_TOKEN`
  - `CONJUR_SECRET_ID`
- To use the binary in a job executing on the GitLab Runner Docker container, review the example GitLab CI Pipeline script in this repository:

  ```yaml
  variables:
    CONJUR_APPLIANCE_URL: "https://conjur.joegarcia.dev"
    CONJUR_ACCOUNT: "cyberarkdemo"
    CONJUR_AUTHN_JWT_SERVICE_ID: "gitlab"
    CONJUR_AUTHN_JWT_TOKEN: "${CI_JOB_JWT}"

  ubuntu:
    tags:
      - docker
    image: nfmsjoeg/authn-jwt-gitlab:ubuntu-dev
    script:
      - export TEST_USERNAME=$(CONJUR_SECRET_ID="SyncVault/LOB_CI/DemoSafe/DemoSafe-testuser4890/username" /authn-jwt-gitlab)
      - export TEST_PASSWORD=$(CONJUR_SECRET_ID="SyncVault/LOB_CI/DemoSafe/DemoSafe-testuser4890/password" /authn-jwt-gitlab)
      - env | grep TEST_

  alpine:
    tags:
      - docker
    image: nfmsjoeg/authn-jwt-gitlab:alpine-dev
    script:
      - export TEST_USERNAME=$(CONJUR_SECRET_ID="SyncVault/LOB_CI/DemoSafe/DemoSafe-testuser4890/username" /authn-jwt-gitlab)
      - export TEST_PASSWORD=$(CONJUR_SECRET_ID="SyncVault/LOB_CI/DemoSafe/DemoSafe-testuser4890/password" /authn-jwt-gitlab)
      - env | grep TEST_

  ubi-fips:
    stage: test
    tags:
      - docker
    image: nfmsjoeg/authn-jwt-gitlab:ubi-fips-dev
    script:
      - export TEST_USERNAME=$(CONJUR_SECRET_ID="SyncVault/LOB_CI/DemoSafe/DemoSafe-testuser4890/username" /authn-jwt-gitlab)
      - export TEST_PASSWORD=$(CONJUR_SECRET_ID="SyncVault/LOB_CI/DemoSafe/DemoSafe-testuser4890/password" /authn-jwt-gitlab)
      - env | grep TEST_
  ```
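The two REST calls behind each `/authn-jwt-gitlab` invocation above, written out as an added Go example (not the project's own code): the job JWT is posted to Conjur's `authn-jwt/<service-id>/<account>/authenticate` endpoint, and the returned access token, base64-encoded, authorizes the read of `secrets/<account>/variable/<id>`. The `Client` type and its method names are this example's own; the endpoint paths and the `Token token="..."` header format are Conjur's REST API.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

// Client carries the values the README's CONJUR_* variables provide (example type, not the project's).
type Client struct {
	HTTP                             *http.Client
	ApplianceURL, Account, ServiceID string
}

// readOK accepts only a 2xx reply, so a failed authentication or a missing
// permission becomes an error rather than an empty "secret" on STDOUT.
func readOK(resp *http.Response, err error) (string, error) {
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return "", fmt.Errorf("conjur: %s", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Authenticate trades the GitLab job JWT (CONJUR_AUTHN_JWT_TOKEN) for a short-lived Conjur access token.
func (c *Client) Authenticate(jwt string) (string, error) {
	endpoint := fmt.Sprintf("%s/authn-jwt/%s/%s/authenticate", c.ApplianceURL, c.ServiceID, c.Account)
	return readOK(c.HTTP.PostForm(endpoint, url.Values{"jwt": {jwt}}))
}

// GetSecret reads one variable. Conjur expects the access token base64-encoded in
// `Authorization: Token token="..."` and the slash-containing id as one escaped path segment.
func (c *Client) GetSecret(token, secretID string) (string, error) {
	endpoint := fmt.Sprintf("%s/secrets/%s/variable/%s", c.ApplianceURL, c.Account, url.PathEscape(secretID))
	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", fmt.Sprintf(`Token token="%s"`, base64.StdEncoding.EncodeToString([]byte(token))))
	return readOK(c.HTTP.Do(req))
}

// FetchSecret is the whole flow the image's binary performs for one CONJUR_SECRET_ID.
func (c *Client) FetchSecret(jwt, secretID string) (string, error) {
	token, err := c.Authenticate(jwt)
	if err != nil {
		return "", err
	}
	return c.GetSecret(token, secretID)
}
```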
This is a community-supported project. For support, please file an issue in this repository.
If you would like to contribute to this project, please review the CONTRIBUTING.md file.
This project is licensed under MIT - see the LICENSE file for details.