Gitlab Variables
Gitlab Variables
External Secrets Operator integrates with Gitlab to sync Gitlab Project Variables API and/or Gitlab Group Variables API to secrets held on the Kubernetes cluster.
Configuring Gitlab
The Gitlab API requires an access token, project ID and/or groupIDs.
To create a new access token, go to your user settings and select 'access tokens'. Give your token a name, expiration date, and select the permissions required (Note 'api' is required).
Click 'Create personal access token', and your token will be generated and displayed on screen. Copy or save this token since you can't access it again.
Access Token secret
Create a secret containing your access token:
apiVersion: v1
kind: Secret
metadata:
name: gitlab-secret
labels:
type: gitlab
type: Opaque
stringData:
token: "**access token goes here**"
Configuring the secret store
Be sure the gitlab
provider is listed in the Kind=SecretStore
and the ProjectID is set. If you are not using https://gitlab.com
, you must set the url
field as well.
In order to sync group variables inheritFromGroups
must be true or groupIDs
have to be defined.
In case you have defined multiple environments in Gitlab, the secret store should be constrained to a specific environment_scope
.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: gitlab-secret-store
spec:
provider:
# provider type: gitlab
gitlab:
# url: https://gitlab.mydomain.com/
auth:
SecretRef:
accessToken:
name: gitlab-secret
key: token
projectID: "**project ID goes here**"
groupIDs: "**groupID(s) go here**"
inheritFromGroups: "**automatically looks for variables in parent groups**"
environment: "**environment scope goes here**"
ClusterSecretStore
, Be sure to provide namespace
in accessToken
with the namespace where the secret resides.
Your project ID can be found on your project's page.
Creating external secret
To sync a Gitlab variable to a secret on the Kubernetes cluster, a Kind=ExternalSecret
is needed.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitlab-external-secret-example
spec:
refreshInterval: 1h
secretStoreRef:
kind: SecretStore
name: gitlab-secret-store # Must match SecretStore on the cluster
target:
name: gitlab-secret-to-create # Name for the secret to be created on the cluster
creationPolicy: Owner
data:
- secretKey: secretKey # Key given to the secret to be created on the cluster
remoteRef:
key: myGitlabVariable # Key of the variable on Gitlab
Using DataFrom
DataFrom can be used to get a variable as a JSON string and attempt to parse it.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitlab-external-secret-example
spec:
refreshInterval: 1h
secretStoreRef:
kind: SecretStore
name: gitlab-secret-store # Must match SecretStore on the cluster
target:
name: gitlab-secret-to-create # Name for the secret to be created on the cluster
creationPolicy: Owner
# each secret name in the KV will be used as the secret key in the SECRET k8s target object
dataFrom:
- extract:
key: "myJsonVariable" # Key of the variable on Gitlab
Getting the Kubernetes secret
The operator will fetch the project variable and inject it as a Kind=Secret
.
kubectl get secret gitlab-secret-to-create -o jsonpath='{.data.secretKey}' | base64 -d