Gitlab JWT Setup
Clone Docker Toolkit (Optional)
If not already done, clone the docker toolkit repo:
git clone https://gitlab.com/D3vbd/docker-toolkit.git ~/docker-toolkit
This will set up the toolkit in the folder ~/docker-toolkit. We will be using the vault folder, ~/docker-toolkit/vault.
Setup Vars
Set the following vars
# Vault address
export VAULT_ADDR="https://vault.localhost:8200"
# root token from startup, or a token if you have enabled a different auth method
export VAULT_TOKEN=""
# Name/Path for jwt auth method
export GITLABCI_JWT_PATH="gitlab-jwt"
JWT Auth Method
Enable the Auth Method at the path specified in $GITLABCI_JWT_PATH
vault auth enable -path=$GITLABCI_JWT_PATH jwt
Now we are going to configure it with GitLab's public issuer and JWKS URL and set deployer (created later) as the default role.
vault write auth/$GITLABCI_JWT_PATH/config \
bound_issuer="https://gitlab.com" \
jwks_url="https://gitlab.com/oauth/discovery/keys" \
default_role="deployer"
JWT Auth Role
Now that we have a new auth mount for GitLab JWTs, we can create roles for it. We referenced a deployer role as the default; let's create that.
This role will only exist on the auth method we created.
Policy
We are going to make a policy called deployer. This defines what a token issued through this role will have access to. In this example it will have access to the mounts
- kv
- ci
# Alternatively, load the policy from a file instead of stdin:
#   vault write sys/policy/deployer policy=@<policy-file>.hcl   (placeholder file name)
vault write sys/policy/deployer policy=- <<EOF
# "sudo" additionally permits access to root-protected paths under these mounts;
# remove it if the deploy jobs do not need it.
path "kv/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "ci/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF
Role
We are now going to create the role and bind policies to it. Let's create the deployer role and add the deployer policy.
Bound Claims: this is what the token is checked against. The claims in the token must match the values listed here, and glob operators are enabled.
The default is set to my D3vbd GitLab group and allows every project that exists in that group. You can restrict it further, even to a single project ID. Look at the GitLab docs for more info on the JWT claims used in their ID tokens.
export GITLAB_GROUP_NAME="D3vbd"
vault write auth/$GITLABCI_JWT_PATH/role/deployer - <<EOF
{
"role_type": "jwt",
"policies": ["deployer","default"],
"token_explicit_max_ttl": "1h",
"user_claim": "user_email",
"bound_claims_type": "glob",
"bound_claims": {
"namespace_path": "$GITLAB_GROUP_NAME/*"
}
}
EOF
The auth method is now set up with the deployer role.
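To see what the bound_claims glob in the deployer role actually accepts and rejects, here is a small added example (not part of the original page or of Vault) that decodes a constructed GitLab-style ID token payload and applies the role's bound_issuer, bound_claims and user_claim checks the way Vault's JWT auth does. Signature verification against the JWKS URL is deliberately left out; that is Vault's job and this only shows the claim-matching step that follows it. The sample tokens, their claim values other than the names used on the page (namespace_path, user_email) and the glob_match helper are constructed for this demonstration.

```python
import base64
import json

# Role settings copied from the `vault write auth/$GITLABCI_JWT_PATH/role/deployer` call
# and the auth method config above (issuer), with GITLAB_GROUP_NAME expanded to D3vbd.
ROLE = {
    "bound_issuer": "https://gitlab.com",
    "user_claim": "user_email",
    "bound_claims_type": "glob",
    "bound_claims": {"namespace_path": "D3vbd/*"},
}


def glob_match(pattern: str, value: str) -> bool:
    """'*' is the only wildcard and matches any run of characters, '/' included.

    Constructed for this example to mirror bound_claims_type=glob; a single '*'
    therefore also matches nested subgroups such as D3vbd/infra/deploy.
    """
    parts = pattern.split("*")
    if len(parts) == 1:
        return pattern == value
    head, tail = parts[0], parts[-1]
    if len(value) < len(head) + len(tail):
        return False
    if not value.startswith(head) or not value.endswith(tail):
        return False
    pos, end = len(head), len(value) - len(tail)
    for piece in parts[1:-1]:  # fixed text between wildcards must appear in order
        idx = value.find(piece, pos, end)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return True


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS. No signature check here (see lead-in)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def evaluate(claims: dict, role: dict = ROLE) -> tuple:
    """Apply the role's checks; returns (accepted, reason)."""
    if claims.get("iss") != role["bound_issuer"]:
        return False, f"issuer {claims.get('iss')!r} does not match bound_issuer"
    for name, patterns in role["bound_claims"].items():
        value = claims.get(name)
        if not isinstance(value, str):
            return False, f"claim {name!r} missing from token"
        patterns = patterns if isinstance(patterns, list) else [patterns]
        if role["bound_claims_type"] == "glob":
            ok = any(glob_match(p, value) for p in patterns)
        else:
            ok = value in patterns
        if not ok:
            return False, f"claim {name}={value!r} matches none of {patterns!r}"
    user = claims.get(role["user_claim"])
    if not user:
        return False, f"user_claim {role['user_claim']!r} missing from token"
    return True, f"accepted; entity alias will be {user}"


def make_token(claims: dict) -> str:
    """Constructed, unsigned token in compact JWS layout, for the demo only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(claims), "signature-omitted"])


# Constructed sample payloads shaped like GitLab ID tokens.
BASE = {"iss": "https://gitlab.com", "user_email": "dev@example.invalid"}
SAMPLES = {
    "same_group": make_token({**BASE, "namespace_path": "D3vbd/deploy-tools"}),
    "nested_subgroup": make_token({**BASE, "namespace_path": "D3vbd/infra/deploy"}),
    "other_group": make_token({**BASE, "namespace_path": "OtherGroup/D3vbd"}),
    "wrong_issuer": make_token({**BASE, "iss": "https://gitlab.example.invalid",
                                "namespace_path": "D3vbd/deploy-tools"}),
    "missing_claim": make_token({"iss": "https://gitlab.com", "user_email": "x@example.invalid"}),
}


def run_samples() -> dict:
    """Evaluate every sample against ROLE; maps sample name -> accepted."""
    results = {}
    for name, token in SAMPLES.items():
        ok, reason = evaluate(decode_claims(token))
        results[name] = ok
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}  {reason}")
    return results


if __name__ == "__main__":
    run_samples()
```

Running it shows that the single glob D3vbd/* admits every project and nested subgroup under the group but nothing that merely contains the group name elsewhere in its path, which is the behaviour the Bound Claims text describes; tightening the pattern to one project path is the restriction it mentions.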