How to start with gitlab ci/cd?

[botkero]

Hello

I am a total beginner when it comes to this topic and maybe I am totally wrong here.

I currently use CI variables within my GitLab projects/groups.
But GitLab also offers to define secrets. Unfortunately, I do not understand the process from the GitLab documentation.

The questions I have are:

• Isn't my Vault running as a demaon on an external machine?
  • Why do I have to specify a path? path: production/db (I would have expected an IP address or something similar)
• Do I need to do something else to use OpenBao to use the Vault feature?

Also, I saw an example setup in another discussion, but unfortunately it wasn't really clearer to me there.

On this documentation page, authentication with JWT tokens is also considered deprecated.
Does this have any influence on how I have to use OpenBao?

If the question goes beyond the scope of the detailed answer, I can understand that. If you could at least point me in the right direction with further links etc., I would be very grateful.

[cipherboy]

\o Hello @botkero -- several things here!

Vault is running externally. You'll define a few variables for the runner to connect to it:

• VAULT_SERVER_URL -- this is the server address
• VAULT_AUTH_ROLE and VAULT_AUTH_PATH are the JWT auth role and JWT auth mount path respectively, without the address.

In the example you linked, path: is the path to the secret, including the KVv2 secret mount point, specified after the @. For instance, if you had a secret like https://openbao.example.com/v1/some/path/to/mount/data/DB_PROD, with an entry with data=some_secret_value you'd put a path like path: DB_PROD@some/path/to/mount and set VAULT_SERVER_URL=https://openbao.example.com.

The old $CI_JOB_JWT is deprecated. However, the OIDC tokens replace this. You'll reference these via an id_tokens: + VAULT_ID_TOKEN clause. See the bottom of the Example section on your linked page (where the .gitlab-ci.yml file is described). You can also see more information about OIDC tokens and the fields they contain: https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html (Yes, it is a little confusing as the OIDC tokens are still JWTs, but the OIDC token format is not deprecated, just the global $CI_JOB_JWT format).

re:

Do I need to do something else to use OpenBao to use the Vault feature?

I don't believe so, but do note that it is a GitLab Premium and Ultimate tier feature, so I encourage you to contact support (where I'll be able to help you more!) if you have any questions.