From 2eb9a9e12f2af258e629551338e134d1d0772752 Mon Sep 17 00:00:00 2001
From: Avielle Wolfe
Date: Fri, 11 Nov 2022 17:23:40 +0100
Subject: [PATCH 01/11] Add `token` sub-keyword to CI config

`token` is a new sub-keyword for `secrets` entries that specifies which JWT should be used to authenticate with Vault to fetch the secret.

EE: true
Changelog: added
---
 ee/lib/gitlab/ci/config/entry/secret.rb | 9 ++++++++-
 ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb | 15 +++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/ee/lib/gitlab/ci/config/entry/secret.rb b/ee/lib/gitlab/ci/config/entry/secret.rb
index d0f595f2a1d632..3fe514af4e176c 100644
--- a/ee/lib/gitlab/ci/config/entry/secret.rb
+++ b/ee/lib/gitlab/ci/config/entry/secret.rb
@@ -12,7 +12,7 @@ class Secret < ::Gitlab::Config::Entry::Node
 include ::Gitlab::Config::Entry::Attributable
 REQUIRED_KEYS = %i[vault].freeze
- ALLOWED_KEYS = (REQUIRED_KEYS + %i[file]).freeze
+ ALLOWED_KEYS = (REQUIRED_KEYS + %i[file token]).freeze
 attributes ALLOWED_KEYS
@@ -21,6 +21,13 @@ class Secret < ::Gitlab::Config::Entry::Node
 validations do
 validates :config, allowed_keys: ALLOWED_KEYS, required_keys: REQUIRED_KEYS
+ validates :token, type: String, allow_nil: true
+ end
+
+ def value
+ return super unless token.present?
+
+ super.merge(token: token)
 end
 end
 end
diff --git a/ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb b/ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb
index a7c63059b7fa70..c112f0ebba5286 100644
--- a/ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb
+++ b/ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb
@@ -53,6 +53,21 @@
 it_behaves_like 'configures secrets'
 end
+
+ context 'when `token` is defined' do
+ let(:config) do
+ {
+ vault: {
+ engine: { name: 'kv-v2', path: 'kv-v2' },
+ path: 'production/db',
+ field: 'password'
+ },
+ token: 'TEST_ID_TOKEN'
+ }
+ end
+
+ it_behaves_like 'configures secrets'
+ end
 end
 end
-- 
GitLab
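Review bot: The new `token` keyword is introduced by `validates :token, type: String, allow_nil: true` and the `value` override without any comment saying what the value is, and the two disagree on the empty string: validation accepts `token: ''` while `return super unless token.present?` silently drops it. A one-line comment above the validation would carry the commit message's intent into the code, e.g. `# token: optional reference to the JWT used to authenticate with Vault when fetching this secret`. If the empty string is meant to be an error rather than "unset", reject it in the validations instead of relying on the `present?` guard in `value`. The `Secret` class begins before the hunk, so what `super` returns here is not visible.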
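Review bot: The new context only reuses `it_behaves_like 'configures secrets'`, so unless that shared example inspects `token` (it is defined outside the hunk) the added `super.merge(token: token)` branch of `value` has no direct assertion. Add `it { expect(entry.value).to include(token: 'TEST_ID_TOKEN') }` inside the `when token is defined` context so the passthrough is pinned, and consider a sibling context with a non-string `token` to exercise the `type: String` validation.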
From 58c4abda9fd91bf5a5468d196c06e6732eeee939 Mon Sep 17 00:00:00 2001 From: Avielle Wolfe Date: Fri, 11 Nov 2022 17:30:30 +0100 Subject: [PATCH 02/11] Add `token` to CI JSON schema This commit also updates and improves the schema for `secrets`. --- app/assets/javascripts/editor/schema/ci.json | 99 +++++++++++--------- 1 file changed, 55 insertions(+), 44 deletions(-) diff --git a/app/assets/javascripts/editor/schema/ci.json b/app/assets/javascripts/editor/schema/ci.json index 21c50acbf5d934..e547546fa8ba34 100644 --- a/app/assets/javascripts/editor/schema/ci.json +++ b/app/assets/javascripts/editor/schema/ci.json 
@@ -607,53 +607,64 @@ "secrets": { "type": "object", "markdownDescription": "Defines secrets to be injected as environment variables. [Learn More](https://docs.gitlab.com/ee/ci/yaml/#secrets).", - "additionalProperties": { - "type": "object", - "description": "Environment variable name", - "properties": { - "vault": { - "oneOf": [ - { - "type": "string", - "description": "The secret to be fetched from Vault (e.g. 'production/db/password@ops' translates to secret 'ops/data/production/db', field `password`)" - }, - { - "type": "object", - "properties": { - "engine": { - "type": "object", - "properties": { - "name": { - "type": "string" + "patternProperties": { + ".*": { + "type": "object", + "properties": { + "vault": { + "oneOf": [ + { + "type": "string", + "description": "The secret to be fetched from Vault (e.g. 'production/db/password@ops' translates to secret 'ops/data/production/db', field `password`)" + }, + { + "type": "object", + "properties": { + "engine": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "path": { + "type": "string" + } }, - "path": { - "type": "string" - } + "required": [ + "name", + "path" + ] }, - "required": [ - "name", - "path" - ] - }, - "path": { - "type": "string" + "path": { + "type": "string" + }, + "field": { + "type": "string" + } }, - "field": { - "type": "string" - } - }, - "required": [ - "engine", - "path", - "field" - ] - } - ] - } - }, - "required": [ - "vault" - ] + "required": [ + "engine", + "path", + "field" + ] + } + ] + }, + "file": { + "type": "boolean", + "default": true, + "description": "Configures the secret to be stored as either a file or variable type CI/CD variable." + }, + "token": { + "type": "string", + "description": "Specifies the JWT variable that should be used to authenticate with Hashicorp Vault." + } + }, + "required": [ + "vault" + ], + "additionalProperties": false + } } }, "before_script": { -- GitLab 
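Review bot: The per-secret object loses its `"description": "Environment variable name"` when `additionalProperties` is replaced by `patternProperties` / `".*"`, so the editor no longer tells the user what the key under `secrets` represents. Re-add it next to `"type": "object"` inside the `".*"` schema, e.g. `"description": "Environment variable name",`. The rest of the restructuring (typed `file` and `token`, `"additionalProperties": false` on the secret object) reads fine; the `token` entry being typed only as `string` matches the `type: String` check in the Ruby entry from the previous commit.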
From b3c7454f85b6f07c8c1214b7455bd060256dbd8a Mon Sep 17 00:00:00 2001 From: Avielle Wolfe Date: Mon, 21 Nov 2022 16:44:00 +0100 Subject: [PATCH 03/11] WIP --- ee/app/presenters/ee/ci/build_runner_presenter.rb | 2 +- ee/spec/presenters/ci/build_runner_presenter_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ee/app/presenters/ee/ci/build_runner_presenter.rb b/ee/app/presenters/ee/ci/build_runner_presenter.rb index 254913e97be021..69ade280586fc2 100644 --- a/ee/app/presenters/ee/ci/build_runner_presenter.rb +++ b/ee/app/presenters/ee/ci/build_runner_presenter.rb @@ -40,7 +40,7 @@ def vault_jwt(secret) def id_token_var(secret) return unless id_tokens? - token = secret['token'] || id_tokens.each_key.first + token = secret.fetch('token', '')[1..] || id_tokens.each_key.first "${#{token}}" end diff --git a/ee/spec/presenters/ci/build_runner_presenter_spec.rb b/ee/spec/presenters/ci/build_runner_presenter_spec.rb index a20ed9ab8e0af0..36a583b13d4c4d 100644 --- a/ee/spec/presenters/ci/build_runner_presenter_spec.rb +++ b/ee/spec/presenters/ci/build_runner_presenter_spec.rb @@ -135,7 +135,7 @@ { DATABASE_PASSWORD: { file: true, - token: 'VAULT_ID_TOKEN_2', + token: '$VAULT_ID_TOKEN_2', vault: { engine: { name: 'kv-v2', path: 'kv-v2' }, path: 'production/db', -- GitLab From 52136c9b3fce71b5a1276275b5dbd3042d3af7a8 Mon Sep 17 00:00:00 2001 From: Avielle Wolfe Date: Mon, 28 Nov 2022 10:48:26 +0100 Subject: [PATCH 04/11] Require `token` to begin with `$` This clarifies to the user that any variable can be interpolated there --- ee/lib/gitlab/ci/config/entry/secret.rb | 6 ++- .../lib/gitlab/ci/config/entry/secret_spec.rb | 40 ++++++++++++++++++- 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/ee/lib/gitlab/ci/config/entry/secret.rb b/ee/lib/gitlab/ci/config/entry/secret.rb index 3fe514af4e176c..2444c1255d0374 100644 --- a/ee/lib/gitlab/ci/config/entry/secret.rb +++ b/ee/lib/gitlab/ci/config/entry/secret.rb 
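Review bot: `secret.fetch('token', '')[1..]` drops the first character of whatever `token` holds without checking that it is `$`, so a value written the old way (`VAULT_ID_TOKEN_2`, which is exactly what this commit's spec change rewrites) silently becomes `AULT_ID_TOKEN_2` inside `"${…}"`; a bare `'$'` becomes `''`, which is truthy and skips the `id_tokens.each_key.first` fallback. Since this is marked WIP: strip only a real prefix and treat blank as unset, e.g. `token = secret['token']&.delete_prefix('$').presence || id_tokens.each_key.first`, or validate the `$` prefix where the config is parsed. The presenter module and `vault_jwt` continue outside the hunk.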
@@ -22,12 +22,16 @@ class Secret < ::Gitlab::Config::Entry::Node validations do validates :config, allowed_keys: ALLOWED_KEYS, required_keys: REQUIRED_KEYS validates :token, type: String, allow_nil: true + + validate do + errors.add(:token, 'must begin with `$`') if token.present? && !token.start_with?('$') + end end def value return super unless token.present? - super.merge(token: token) + super.merge(token: token[1..]) end end end diff --git a/ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb b/ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb index c112f0ebba5286..bc4cc18ba24cb2 100644 --- a/ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb +++ b/ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb @@ -62,11 +62,30 @@ path: 'production/db', field: 'password' }, - token: 'TEST_ID_TOKEN' + token: '$TEST_ID_TOKEN' } end - it_behaves_like 'configures secrets' + describe '#value' do + it 'returns secret configuration' do + expect(entry.value).to eq( + { + vault: { + engine: { name: 'kv-v2', path: 'kv-v2' }, + path: 'production/db', + field: 'password' + }, + token: 'TEST_ID_TOKEN' + } + ) + end + end + + describe '#valid?' do + it 'is valid' do + expect(entry).to be_valid + end + end end end end @@ -90,6 +109,23 @@ .to include 'secret config missing required keys: vault' end end + + context 'when the token keyword does not use the variable reference syntax' do + let(:config) do + { + vault: { + engine: { name: 'kv-v2', path: 'kv-v2' }, + path: 'production/db', + field: 'password' + }, + token: 'TEST_ID_TOKEN' + } + end + + it 'reports that the value of `token` must begin with a `$`' do + expect(entry.errors).to include 'secret token must begin with `$`' + end + end end end end -- GitLab From 0e333a56f21cbcff581efc8355b5327ec6114c22 Mon Sep 17 00:00:00 2001 
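Review bot: The new `validate do` block calls `token.start_with?('$')` whenever `token.present?`, and `validates :token, type: String` does not appear to stop the other validators from running, so a non-string config such as `token: 123` raises `NoMethodError` from `start_with?` instead of reporting a type error. Guard on the type: `errors.add(:token, 'must begin with `$`') if token.is_a?(String) && token.present? && !token.start_with?('$')`. Separately, `token: '$'` passes this check and `token[1..]` then yields `''`, so `value` emits an empty token; either reject a lone `$` in the validator or use `token[1..].presence` in `value`. The spec hunk below covers only the happy path and the missing-`$` case, so both of these would need a spec as well; the `Secret` class begins before the hunk.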
From: Avielle Wolfe Date: Mon, 28 Nov 2022 10:51:26 +0100 Subject: [PATCH 05/11] Add `token` to `CreatePipelineService` spec --- ee/spec/services/ci/create_pipeline_service_spec.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ee/spec/services/ci/create_pipeline_service_spec.rb b/ee/spec/services/ci/create_pipeline_service_spec.rb index 78c4d39245422e..ad5b077e5a52c7 100644 --- a/ee/spec/services/ci/create_pipeline_service_spec.rb +++ b/ee/spec/services/ci/create_pipeline_service_spec.rb @@ -155,6 +155,7 @@ secrets: DATABASE_PASSWORD: vault: production/db/password + token: $ID_TOKEN YAML end @@ -172,7 +173,8 @@ 'engine' => { 'name' => 'kv-v2', 'path' => 'kv-v2' }, 'path' => 'production/db', 'field' => 'password' - } + }, + 'token' => 'ID_TOKEN' } }) end -- GitLab From 6261e8ff1fad8d1377759fb627791c7e1eca2b8e Mon Sep 17 00:00:00 2001 From: Avielle Wolfe Date: Mon, 28 Nov 2022 16:22:48 +0100 Subject: [PATCH 06/11] Stop modifying `token` in `BuildRunnerPresenter` I've decided to modify it in the entry class instead, since it's primarily an indicator to the user and serves no technical purpose --- ee/app/presenters/ee/ci/build_runner_presenter.rb | 2 +- ee/spec/presenters/ci/build_runner_presenter_spec.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ee/app/presenters/ee/ci/build_runner_presenter.rb b/ee/app/presenters/ee/ci/build_runner_presenter.rb index 69ade280586fc2..254913e97be021 100644 --- a/ee/app/presenters/ee/ci/build_runner_presenter.rb +++ b/ee/app/presenters/ee/ci/build_runner_presenter.rb @@ -40,7 +40,7 @@ def vault_jwt(secret) def id_token_var(secret) return unless id_tokens? - token = secret.fetch('token', '')[1..] || id_tokens.each_key.first + token = secret['token'] || id_tokens.each_key.first "${#{token}}" end diff --git a/ee/spec/presenters/ci/build_runner_presenter_spec.rb b/ee/spec/presenters/ci/build_runner_presenter_spec.rb index 36a583b13d4c4d..a20ed9ab8e0af0 100644 
--- a/ee/spec/presenters/ci/build_runner_presenter_spec.rb +++ b/ee/spec/presenters/ci/build_runner_presenter_spec.rb @@ -135,7 +135,7 @@ { DATABASE_PASSWORD: { file: true, - token: '$VAULT_ID_TOKEN_2', + token: 'VAULT_ID_TOKEN_2', vault: { engine: { name: 'kv-v2', path: 'kv-v2' }, path: 'production/db', -- GitLab From 2c01d35ac18dd54e7d63f4a79f60255438ce80e4 Mon Sep 17 00:00:00 2001 From: Avielle Wolfe Date: Mon, 28 Nov 2022 16:37:55 +0100 Subject: [PATCH 07/11] Add CI schema tests for `secrets` Adds both positive and negative tests for the `secrets` CI schema --- .../editor/schema/ci/ci_schema_spec.js | 4 +++ .../ci/yaml_tests/negative_tests/secrets.yml | 14 ++++++++++ .../ci/yaml_tests/positive_tests/secrets.yml | 28 +++++++++++++++++++ 3 files changed, 46 insertions(+) create mode 100644 spec/frontend/editor/schema/ci/yaml_tests/negative_tests/secrets.yml create mode 100644 spec/frontend/editor/schema/ci/yaml_tests/positive_tests/secrets.yml diff --git a/spec/frontend/editor/schema/ci/ci_schema_spec.js b/spec/frontend/editor/schema/ci/ci_schema_spec.js index a06f81e4d1c9f2..b2680eb72f1dad 100644 --- a/spec/frontend/editor/schema/ci/ci_schema_spec.js +++ b/spec/frontend/editor/schema/ci/ci_schema_spec.js @@ -32,6 +32,7 @@ import VariablesYaml from './yaml_tests/positive_tests/variables.yml'; import JobWhenYaml from './yaml_tests/positive_tests/job_when.yml'; import IdTokensYaml from './yaml_tests/positive_tests/id_tokens.yml'; import HooksYaml from './yaml_tests/positive_tests/hooks.yml'; +import SecretsYaml from './yaml_tests/positive_tests/secrets.yml'; // YAML NEGATIVE TEST import ArtifactsNegativeYaml from './yaml_tests/negative_tests/artifacts.yml'; 
@@ -49,6 +50,7 @@ import VariablesInvalidSyntaxDescYaml from './yaml_tests/negative_tests/variable import VariablesWrongSyntaxUsageExpand from './yaml_tests/negative_tests/variables/wrong_syntax_usage_expand.yml'; import IdTokensNegativeYaml from './yaml_tests/negative_tests/id_tokens.yml'; import HooksNegative from './yaml_tests/negative_tests/hooks.yml'; +import SecretsNegativeYaml from './yaml_tests/negative_tests/secrets.yml'; const ajv = new Ajv({ strictTypes: false, @@ -86,6 +88,7 @@ describe('positive tests', () => { VariablesYaml, ProjectPathYaml, IdTokensYaml, + SecretsYaml, }), )('schema validates %s', (_, input) => { // We construct a new "JSON" from each main key that is inside a @@ -120,6 +123,7 @@ describe('negative tests', () => { ProjectPathIncludeLeadSlashYaml, ProjectPathIncludeNoSlashYaml, ProjectPathIncludeTailSlashYaml, + SecretsNegativeYaml, TriggerNegative, HooksNegative, }), diff --git a/spec/frontend/editor/schema/ci/yaml_tests/negative_tests/secrets.yml b/spec/frontend/editor/schema/ci/yaml_tests/negative_tests/secrets.yml new file mode 100644 index 00000000000000..d04ffd910c08e5 --- /dev/null +++ b/spec/frontend/editor/schema/ci/yaml_tests/negative_tests/secrets.yml @@ -0,0 +1,14 @@ +job_with_secrets_without_vault: + script: + - echo $TEST_DB_PASSWORD + secrets: + TEST_DB_PASSWORD: + token: $TEST_TOKEN + +job_with_secrets_with_extra_properties: + script: + - echo $TEST_DB_PASSWORD + secrets: + TEST_DB_PASSWORD: + vault: test/db/password + extra_prop: TEST diff --git a/spec/frontend/editor/schema/ci/yaml_tests/positive_tests/secrets.yml b/spec/frontend/editor/schema/ci/yaml_tests/positive_tests/secrets.yml new file mode 100644 index 00000000000000..083cb4348ed7db --- /dev/null +++ b/spec/frontend/editor/schema/ci/yaml_tests/positive_tests/secrets.yml 
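Review bot: The negative fixtures cover a missing `vault` and an unknown property, but nothing exercises the type constraints the schema introduced for the new keys — `token` must be a `string` and `file` a `boolean` — so a regression that loosened either type would still pass. Add cases under a valid `vault: test/db/password` such as `token: [TEST_TOKEN]` and `file: 'yes'`. The `ci_schema_spec.js` hunks in this commit only register the fixtures, so all coverage for `secrets` lives in these two YAML files.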
@@ -0,0 +1,28 @@ +valid_job_with_secrets: + script: + - echo $TEST_DB_PASSWORD + secrets: + TEST_DB_PASSWORD: + vault: test/db/password + +valid_job_with_secrets_and_token: + script: + - echo $TEST_DB_PASSWORD + secrets: + TEST_DB_PASSWORD: + vault: test/db/password + token: $TEST_TOKEN + +valid_job_with_secrets_with_every_vault_keyword: + script: + - echo $TEST_DB_PASSWORD + secrets: + TEST_DB_PASSWORD: + vault: + engine: + name: test-engine + path: test + path: test/db + field: password + file: true + token: $TEST_TOKEN -- GitLab From 65d71cb4f20555549d3389c25371c5daf561cec3 Mon Sep 17 00:00:00 2001 From: Avielle Wolfe Date: Tue, 29 Nov 2022 19:39:58 +0100 Subject: [PATCH 08/11] Add more negative secrets CI schema specs This improves our coverage of invalid `secrets` --- .../ci/yaml_tests/negative_tests/secrets.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/spec/frontend/editor/schema/ci/yaml_tests/negative_tests/secrets.yml b/spec/frontend/editor/schema/ci/yaml_tests/negative_tests/secrets.yml index d04ffd910c08e5..14ba930b394c11 100644 --- a/spec/frontend/editor/schema/ci/yaml_tests/negative_tests/secrets.yml +++ b/spec/frontend/editor/schema/ci/yaml_tests/negative_tests/secrets.yml @@ -12,3 +12,28 @@ job_with_secrets_with_extra_properties: TEST_DB_PASSWORD: vault: test/db/password extra_prop: TEST + +job_with_secrets_with_invalid_vault_property: + script: + - echo $TEST_DB_PASSWORD + secrets: + TEST_DB_PASSWORD: + vault: + invalid: TEST + +job_with_secrets_with_missing_required_vault_property: + script: + - echo $TEST_DB_PASSWORD + secrets: + TEST_DB_PASSWORD: + vault: + path: gitlab + +job_with_secrets_with_missing_required_engine_property: + script: + - echo $TEST_DB_PASSWORD + secrets: + TEST_DB_PASSWORD: + vault: + engine: + path: kv -- GitLab From 3f941ede717f697d5a9559c6eb4bb1632573b97a Mon Sep 17 00:00:00 2001 
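Review bot: The three new negative cases are not minimal, so they do not isolate the rule they are named after: `job_with_secrets_with_missing_required_engine_property` also omits the vault-level `path` and `field`, and `job_with_secrets_with_missing_required_vault_property` omits `engine` and `field`, so each would stay invalid even if the `required` list it targets were removed from the schema. Give each case every other required key (`path: test/db`, `field: password`, and a complete `engine:` block where the engine is not the subject) so that exactly one constraint is violated per case.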
From: Mireya Andres Date: Tue, 29 Nov 2022 18:41:54 +0000 Subject: [PATCH 09/11] Improve CI schema --- app/assets/javascripts/editor/schema/ci.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/app/assets/javascripts/editor/schema/ci.json b/app/assets/javascripts/editor/schema/ci.json index e547546fa8ba34..9147f60fe9ac9f 100644 --- a/app/assets/javascripts/editor/schema/ci.json +++ b/app/assets/javascripts/editor/schema/ci.json @@ -615,7 +615,7 @@ "oneOf": [ { "type": "string", - "description": "The secret to be fetched from Vault (e.g. 'production/db/password@ops' translates to secret 'ops/data/production/db', field `password`)" + "markdownDescription": "The secret to be fetched from Vault (e.g. 'production/db/password@ops' translates to secret 'ops/data/production/db', field `password`). [Learn More](https://docs.gitlab.com/ee/ci/yaml/#secretsvault)" }, { "type": "object", @@ -646,14 +646,15 @@ "engine", "path", "field" - ] + ], + "additionalProperties": false } ] }, "file": { "type": "boolean", "default": true, - "description": "Configures the secret to be stored as either a file or variable type CI/CD variable." + "markdownDescription": "Configures the secret to be stored as either a file or variable type CI/CD variable. [Learn More](https://docs.gitlab.com/ee/ci/yaml/#secretsfile)" }, "token": { "type": "string", -- GitLab From ffb8a20600606e6318682f6104525e3fdc7a64f1 Mon Sep 17 00:00:00 2001 
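Review bot: `vault` and `file` now get a `markdownDescription` with a docs link, but `token`, added earlier in this series, keeps a plain `description` and no link — the hunk ends right at `"token": { "type": "string",` so the inconsistency is visible but untouched. For consistency convert it to `"markdownDescription": "Specifies the JWT variable that should be used to authenticate with Hashicorp Vault. [Learn More](<docs URL for secrets:token>)"` once that docs anchor exists. Adding `"additionalProperties": false` to the object form of `vault` is the right call and matches the negative fixture added in the previous commit.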
From: Avielle Wolfe
Date: Wed, 30 Nov 2022 18:34:00 +0100
Subject: [PATCH 10/11] Pass `token` directly to Runner

We've decided that it's best to pass the `token` value directly to the runner, since gives users flexibility over how the token value is defined, which might be necessary on Windows runners where variables are defined with `%`
---
 .../ee/ci/build_runner_presenter.rb | 4 +---
 ee/lib/gitlab/ci/config/entry/secret.rb | 6 +-----
 .../lib/gitlab/ci/config/entry/secret_spec.rb | 19 +------------------
 .../ci/build_runner_presenter_spec.rb | 6 +++---
 .../ci/create_pipeline_service_spec.rb | 2 +-
 5 files changed, 7 insertions(+), 30 deletions(-)

diff --git a/ee/app/presenters/ee/ci/build_runner_presenter.rb b/ee/app/presenters/ee/ci/build_runner_presenter.rb
index 254913e97be021..bbbd647d07e316 100644
--- a/ee/app/presenters/ee/ci/build_runner_presenter.rb
+++ b/ee/app/presenters/ee/ci/build_runner_presenter.rb
@@ -40,9 +40,7 @@ def vault_jwt(secret)
 def id_token_var(secret)
 return unless id_tokens?
- token = secret['token'] || id_tokens.each_key.first
-
- "${#{token}}"
+ secret['token'] || "$#{id_tokens.each_key.first}"
 end
 end
 end
diff --git a/ee/lib/gitlab/ci/config/entry/secret.rb b/ee/lib/gitlab/ci/config/entry/secret.rb
index 2444c1255d0374..3fe514af4e176c 100644
--- a/ee/lib/gitlab/ci/config/entry/secret.rb
+++ b/ee/lib/gitlab/ci/config/entry/secret.rb
@@ -22,16 +22,12 @@ class Secret < ::Gitlab::Config::Entry::Node
 validations do
 validates :config, allowed_keys: ALLOWED_KEYS, required_keys: REQUIRED_KEYS
 validates :token, type: String, allow_nil: true
-
- validate do
- errors.add(:token, 'must begin with `$`') if token.present? && !token.start_with?('$')
- end
 end
 def value
 return super unless token.present?
- super.merge(token: token[1..])
+ super.merge(token: token)
 end
 end
 end
diff --git a/ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb b/ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb
index bc4cc18ba24cb2..023cfbde9b618d 100644 
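Review bot: `id_token_var` now returns the user's `token` string verbatim while the fallback is built as `"$#{id_tokens.each_key.first}"`, so the method returns a runner expression rather than a variable name, and with the `$`-prefix validation removed from `Secret` in this same commit nothing rejects a value such as `token: VAULT_ID_TOKEN`; the runner would presumably receive that literal string as the JWT and fail Vault authentication with an error that does not point back to the config. Record the contract where it is now decided, e.g. `# Passed through unexpanded: the runner resolves the variable reference itself, so any runner syntax (e.g. %VAR% on Windows) is accepted.` above the `secret['token']` line. Also note the fallback changes from `${VAR}` to `$VAR` (the spec hunk drops the braces); if that is intentional it belongs in the commit message. The presenter module and `vault_jwt` begin before the hunk.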
--- a/ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb +++ b/ee/spec/lib/gitlab/ci/config/entry/secret_spec.rb @@ -75,7 +75,7 @@ path: 'production/db', field: 'password' }, - token: 'TEST_ID_TOKEN' + token: '$TEST_ID_TOKEN' } ) end @@ -109,23 +109,6 @@ .to include 'secret config missing required keys: vault' end end - - context 'when the token keyword does not use the variable reference syntax' do - let(:config) do - { - vault: { - engine: { name: 'kv-v2', path: 'kv-v2' }, - path: 'production/db', - field: 'password' - }, - token: 'TEST_ID_TOKEN' - } - end - - it 'reports that the value of `token` must begin with a `$`' do - expect(entry.errors).to include 'secret token must begin with `$`' - end - end end end end diff --git a/ee/spec/presenters/ci/build_runner_presenter_spec.rb b/ee/spec/presenters/ci/build_runner_presenter_spec.rb index a20ed9ab8e0af0..9a1ed90d981007 100644 --- a/ee/spec/presenters/ci/build_runner_presenter_spec.rb +++ b/ee/spec/presenters/ci/build_runner_presenter_spec.rb @@ -127,7 +127,7 @@ it 'adds the first ID token to the Vault server payload' do jwt = presenter.secrets_configuration.dig('DATABASE_PASSWORD', 'vault', 'server', 'auth', 'data', 'jwt') - expect(jwt).to eq('${VAULT_ID_TOKEN_1}') + expect(jwt).to eq('$VAULT_ID_TOKEN_1') end context 'when the token variable is specified for the vault secret' do @@ -135,7 +135,7 @@ { DATABASE_PASSWORD: { file: true, - token: 'VAULT_ID_TOKEN_2', + token: '$VAULT_ID_TOKEN_2', vault: { engine: { name: 'kv-v2', path: 'kv-v2' }, path: 'production/db', @@ -148,7 +148,7 @@ it 'uses the specified token variable' do jwt = presenter.secrets_configuration.dig('DATABASE_PASSWORD', 'vault', 'server', 'auth', 'data', 'jwt') - expect(jwt).to eq('${VAULT_ID_TOKEN_2}') + expect(jwt).to eq('$VAULT_ID_TOKEN_2') end end end diff --git a/ee/spec/services/ci/create_pipeline_service_spec.rb b/ee/spec/services/ci/create_pipeline_service_spec.rb index ad5b077e5a52c7..b0302e456b00e7 100644 
--- a/ee/spec/services/ci/create_pipeline_service_spec.rb
+++ b/ee/spec/services/ci/create_pipeline_service_spec.rb
@@ -174,7 +174,7 @@
 'path' => 'production/db',
 'field' => 'password'
 },
- 'token' => 'ID_TOKEN'
+ 'token' => '$ID_TOKEN'
 }
 })
 end
-- 
GitLab

From cc2d386e8d802e3bc4aa1afc46e4bf870a351845 Mon Sep 17 00:00:00 2001
From: Furkan Ayhan
Date: Thu, 1 Dec 2022 14:31:51 +0000
Subject: [PATCH 11/11] Match existing Entry class pattern

---
 app/assets/javascripts/editor/schema/ci.json | 2 +-
 ee/lib/gitlab/ci/config/entry/secret.rb | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/app/assets/javascripts/editor/schema/ci.json b/app/assets/javascripts/editor/schema/ci.json
index 9147f60fe9ac9f..2e0d3a86388b18 100644
--- a/app/assets/javascripts/editor/schema/ci.json
+++ b/app/assets/javascripts/editor/schema/ci.json
@@ -1934,4 +1934,4 @@
 "additionalProperties": false
 }
 }
-}
+}
\ No newline at end of file
diff --git a/ee/lib/gitlab/ci/config/entry/secret.rb b/ee/lib/gitlab/ci/config/entry/secret.rb
index 3fe514af4e176c..2914c7133cd66d 100644
--- a/ee/lib/gitlab/ci/config/entry/secret.rb
+++ b/ee/lib/gitlab/ci/config/entry/secret.rb
@@ -25,9 +25,11 @@ class Secret < ::Gitlab::Config::Entry::Node
 end
 def value
- return super unless token.present?
-
- super.merge(token: token)
+ {
+ vault: vault_value,
+ file: file_value,
+ token: token
+ }.compact
 end
 end
 end
-- 
GitLab
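Review bot: Replacing the `token.present?` guard with `.compact` changes what an empty token produces: `compact` only removes `nil`, so `token: ''` (still accepted by `validates :token, type: String, allow_nil: true`) is now emitted as `token: ''`, and the presenter's `secret['token'] || "$#{…}"` fallback from the previous commit treats `''` as truthy, so an empty JWT reference would be sent instead of the first ID token. Use `token: token.presence` in the hash so blank strings keep falling back, and add a spec for `token: ''`. `vault_value` and `file_value` are defined outside the hunk; I am assuming they return `nil` when the key is absent, which `.compact` relies on. The `ci.json` hunk in this commit only removes the file's trailing newline, which looks accidental.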