
GitLab Variables

External Secrets Operator integrates with GitLab to sync variables from the GitLab Project Variables API and/or the GitLab Group Variables API into Secrets held on the Kubernetes cluster.

Configuring GitLab

The GitLab API requires an access token, a project ID and/or group IDs.

To create a new access token, go to your user settings and select 'Access Tokens'. Give your token a name and an expiration date, and select the permissions required (note that the 'api' scope is required).

Click 'Create personal access token', and your token will be generated and displayed on screen. Copy or save this token now, since you cannot view it again.

Access Token secret

Create a secret containing your access token:

apiVersion: v1
kind: Secret
metadata:
  name: gitlab-secret
  labels:
    type: gitlab
type: Opaque
stringData:
  token: "**access token goes here**"

Configuring the secret store

Be sure the gitlab provider is listed in the Kind=SecretStore and the projectID is set. If you are not using https://gitlab.com, you must set the url field as well.

In order to sync group variables, inheritFromGroups must be true or groupIDs must be defined.

In case you have defined multiple environments in GitLab, the secret store should be constrained to a specific environment_scope.

Environment Scope Fallback Behavior

The GitLab provider implements a fallback mechanism for environment scopes:

  1. Primary lookup: When you configure a specific environment in your SecretStore (example: environment: "production"), the provider first tries to find variables with that exact environment scope.
  2. Automatic fallback: If no variable is found with the specific environment scope, the provider automatically falls back to variables with "All environments" scope (* wildcard).
  3. Priority order: Variables with specific environment scopes take precedence over wildcard variables when both exist.

Example: If your SecretStore has environment: "production" but your GitLab variable is set to "All environments", the variable will still be successfully retrieved through the fallback mechanism.

Implementation Note: This fallback behavior is implemented in the getVariables function where the provider automatically retries with EnvironmentScope: "*" when the initial lookup with the specific environment scope returns a 404 Not Found response.
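The lookup order described above, as an added example that is not the operator's own getVariables code: an in-memory stand-in for the GitLab Project Variables API (the Variable type, projectAPI, ErrNotFound and the sample variables are all constructed for this example) and a getVariableWithFallback function that first queries the exact scope and retries with "*" only when that lookup returns 404. The sample data covers all three cases: a key with both a specific and a wildcard scope, a key with only a wildcard scope, and a key that does not exist.

```go
package main

import (
	"errors"
	"fmt"
)

// Variable holds the fields of a GitLab project variable that matter for
// scope resolution. Constructed type for this example, not the gitlab client's.
type Variable struct {
	Key              string
	Value            string
	EnvironmentScope string // "*" is GitLab's "All environments" scope
}

// ErrNotFound stands in for the 404 Not Found the GitLab API returns when
// no variable matches the key and environment_scope filter.
var ErrNotFound = errors.New("404 Not Found")

// projectAPI is an in-memory stand-in for the GitLab Project Variables API.
type projectAPI struct {
	vars []Variable
}

// GetVariable models a lookup by key filtered on an exact environment scope.
func (p *projectAPI) GetVariable(key, scope string) (*Variable, error) {
	for i := range p.vars {
		v := &p.vars[i]
		if v.Key == key && v.EnvironmentScope == scope {
			return v, nil
		}
	}
	return nil, ErrNotFound
}

// getVariableWithFallback applies the lookup order the docs describe:
//  1. try the exact environment scope configured in the SecretStore;
//  2. only on a 404, retry with the "*" wildcard scope.
// Any other error (auth, network) is returned unchanged so the fallback
// never masks it.
func getVariableWithFallback(api *projectAPI, key, env string) (*Variable, error) {
	v, err := api.GetVariable(key, env)
	if err == nil {
		return v, nil
	}
	if !errors.Is(err, ErrNotFound) || env == "*" {
		return nil, err
	}
	return api.GetVariable(key, "*")
}

// newSampleAPI builds a constructed set of variables: DB_PASSWORD exists for
// both "production" and "*", API_URL only for "*", and nothing for MISSING.
func newSampleAPI() *projectAPI {
	return &projectAPI{vars: []Variable{
		{Key: "DB_PASSWORD", Value: "prod-only-value", EnvironmentScope: "production"},
		{Key: "DB_PASSWORD", Value: "all-env-value", EnvironmentScope: "*"},
		{Key: "API_URL", Value: "https://api.example.invalid", EnvironmentScope: "*"},
	}}
}

func main() {
	api := newSampleAPI()
	for _, key := range []string{"DB_PASSWORD", "API_URL", "MISSING"} {
		v, err := getVariableWithFallback(api, key, "production")
		if err != nil {
			fmt.Printf("%s: %v\n", key, err)
			continue
		}
		// Report which scope actually served the value so a "*" fallback is visible.
		fmt.Printf("%s: value=%q served from scope %q\n", key, v.Value, v.EnvironmentScope)
	}
}
```

The returned EnvironmentScope is worth checking in practice: because the fallback is silent, a SecretStore constrained to one environment can still receive an "All environments" value when the environment-specific variable is missing or misnamed, so verify the scope of anything sensitive that you expect to differ per environment.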

apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  name: gitlab-secret-store
spec:
  provider:
    # provider type: gitlab
    gitlab:
      # url: https://gitlab.mydomain.com/
      auth:
        SecretRef:
          accessToken:
            name: gitlab-secret
            key: token
      projectID: "**project ID goes here**"
      groupIDs: ["**groupID(s) go here**"] # list of group IDs
      inheritFromGroups: true # boolean: automatically looks for variables in parent groups
      environment: "**environment scope goes here**"

NOTE: In case of a ClusterSecretStore, be sure to provide namespace in accessToken with the namespace where the secret resides.

Your project ID can be found on your project's page.

Creating external secret

To sync a GitLab variable to a secret on the Kubernetes cluster, a Kind=ExternalSecret is needed.

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: gitlab-external-secret-example
spec:
  refreshInterval: 1h

  secretStoreRef:
    kind: SecretStore
    name: gitlab-secret-store # Must match SecretStore on the cluster

  target:
    name: gitlab-secret-to-create # Name for the secret to be created on the cluster
    creationPolicy: Owner

  data:
    - secretKey: secretKey # Key given to the secret to be created on the cluster
      remoteRef:
        key: myGitlabVariable # Key of the variable on Gitlab

Using DataFrom

DataFrom can be used to fetch a variable whose value is a JSON string and attempt to parse it into multiple secret keys.

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: gitlab-external-secret-example
spec:
  refreshInterval: 1h

  secretStoreRef:
    kind: SecretStore
    name: gitlab-secret-store # Must match SecretStore on the cluster

  target:
    name: gitlab-secret-to-create # Name for the secret to be created on the cluster
    creationPolicy: Owner

  # each key in the parsed JSON object becomes a key in the target Kubernetes Secret
  dataFrom:
  - extract:
      key: "myJsonVariable" # Key of the variable on Gitlab

Getting the Kubernetes secret

The operator will fetch the project variable and create it as a Kind=Secret.

kubectl get secret gitlab-secret-to-create -o jsonpath='{.data.secretKey}' | base64 -d