Chapter 2. Adding secrets to GitLab CI for secure integration with external tools


If you select GitLab as your CI provider and create an application, you might notice that the pipeline run fails. This failure occurs because the pipeline cannot find the required GitLab and other secrets. Complete the following procedure to add the necessary secrets and resolve the pipeline failure.

Prerequisites

  • You must have the necessary permissions to create and manage GitLab jobs and GitLab CI variables.
  • You must have an image registry (for example, Quay.io) username and password for accessing and pulling container images.
  • You must have the following information for specific tasks that you want the GitLab CI to perform:

    • For ACS tasks:

      • ROX Central server endpoint and token
    • For SBOM tasks:

      • Cosign signing keys password, private key, and public key
      • Trustification URL, client ID, secret, and supported CycloneDX version

2.1. Adding secrets to GitLab CI using the UI

Procedure

  1. Log in and navigate to your source repository.
  2. Expand the Settings menu and select CI/CD.
  3. In the Variables section, select Expand, and then select Add variable.
  4. Under Flags, select the Mask variable checkbox.
  5. In the Key field, enter MY_GITLAB_TOKEN.
  6. In the Value field, enter the token associated with your GitLab account.
  7. Repeat steps 3-6 to add the required variables. Select the Mask variable checkbox for every value that is a credential (tokens, passwords, private keys, client secrets):

    Variables required for all pipeline runs

      QUAY_IO_CREDS_USR
          Username for accessing Quay.io.
      QUAY_IO_CREDS_PSW
          Password for accessing Quay.io.
      REKOR_HOST
          URL of your Rekor server.
      TUF_MIRROR
          URL of your TUF service.

    Variables required for ACS tasks

      ROX_CENTRAL_ENDPOINT
          Endpoint for the ROX Central server.
      ROX_API_TOKEN
          API token for accessing the ROX server.

    Variables required for SBOM tasks

      COSIGN_SECRET_PASSWORD
          Password for the Cosign signing key.
      COSIGN_SECRET_KEY
          Private key for Cosign.
      COSIGN_PUBLIC_KEY
          Public key for Cosign.
      TRUSTIFICATION_BOMBASTIC_API_URL
          URL for the Trustification Bombastic API used in SBOM generation.
      TRUSTIFICATION_OIDC_ISSUER_URL
          OIDC issuer URL used for authentication when interacting with the Trustification Bombastic API.
      TRUSTIFICATION_OIDC_CLIENT_ID
          Client ID for authenticating to the Trustification Bombastic API using OIDC.
      TRUSTIFICATION_OIDC_CLIENT_SECRET
          Client secret used alongside the client ID to authenticate to the Trustification Bombastic API.
      TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION
          Specifies the CycloneDX SBOM version that is supported and generated by the system.

  8. Rerun the last pipeline run.

    1. Alternatively, switch to your application’s source repository in GitLab, make a minor change, and commit it to trigger a new pipeline run.

2.2. Adding secrets to GitLab using the CLI

Procedure

  1. Create a project with two files:

    • env_vars.sh
    • glab-set-vars
  2. Update the env_vars.sh file with the following environment variables:

    # env_vars.sh
    # Sourced into the shell before running glab-set-vars; replace every placeholder.
    
    # GitLab credentials
    export MY_GITLAB_TOKEN="your_gitlab_token_here"
    export MY_GITLAB_USER="your_gitlab_username_here"
    
    # ROX variables
    export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
    export ROX_API_TOKEN="your_rox_api_token_here"
    
    # Quay.io credentials
    export QUAY_IO_CREDS_USR="your_quay_username_here"
    export QUAY_IO_CREDS_PSW="your_quay_password_here"
    
    # Cosign secrets
    export COSIGN_SECRET_PASSWORD="your_cosign_secret_password_here"
    export COSIGN_SECRET_KEY="your_cosign_secret_key_here"
    export COSIGN_PUBLIC_KEY="your_cosign_public_key_here"
    
    # Trustification variables (read by glab-set-vars for the SBOM tasks)
    export TRUSTIFICATION_BOMBASTIC_API_URL="your_bombastic_api_url_here"
    export TRUSTIFICATION_OIDC_ISSUER_URL="your_oidc_issuer_url_here"
    export TRUSTIFICATION_OIDC_CLIENT_ID="your_oidc_client_id_here"
    export TRUSTIFICATION_OIDC_CLIENT_SECRET="your_oidc_client_secret_here"
    export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="your_supported_cyclonedx_version_here"
    
    # Rekor and TUF routes
    export REKOR_HOST="your rekor server url here"
    export TUF_MIRROR="your tuf service url here"
  3. Update the glab-set-vars file with the following information:

    #!/bin/bash
    SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"
    
    if [ $# -ne 1 ]; then
        echo "Missing param, provide gitlab repo name"
        echo "Note: This script uses MY_GITLAB_TOKEN and MY_GITLAB_USER env vars"
        exit 1
    fi
    
    if [ -z "$MY_GITLAB_TOKEN" ] || [ -z "$MY_GITLAB_USER" ]; then
        echo "MY_GITLAB_TOKEN and MY_GITLAB_USER must be set (source env_vars.sh first)"
        exit 1
    fi
    
    REPO=$1
    HEADER="PRIVATE-TOKEN: $MY_GITLAB_TOKEN"
    URL=https://gitlab.com/api/v4/projects
    
    # Look up the project ID so we can use it below
    PID=$(curl -s -L --header "$HEADER" "$URL/$MY_GITLAB_USER%2F$REPO" | jq ".id")
    if [ -z "$PID" ] || [ "$PID" = "null" ]; then
        echo "Could not find project $MY_GITLAB_USER/$REPO (check the token and the repo name)"
        exit 1
    fi
    
    # setVars NAME VALUE [MASKED]
    # MASKED defaults to true so that a secret is hidden in job logs unless the
    # caller explicitly passes false for a non-sensitive value
    function setVars() {
        NAME=$1
        VALUE=$2
        MASKED=${3:-true}
        echo "setting $NAME in https://gitlab.com/$MY_GITLAB_USER/$REPO"
    
        # Delete first because if the secret already exists then its value
        # won't be changed by the POST below
        curl -s --request DELETE --header "$HEADER" "$URL/$PID/variables/$NAME"
    
        # Set the new key/value
        curl -s --request POST --header "$HEADER" "$URL/$PID/variables" \
            --form "key=$NAME" --form "value=$VALUE" --form "masked=$MASKED" | jq
    }
    
    # Values are quoted so that URLs or placeholders containing spaces arrive intact
    setVars ROX_CENTRAL_ENDPOINT "$ROX_CENTRAL_ENDPOINT" false
    setVars ROX_API_TOKEN "$ROX_API_TOKEN"
    
    setVars GITOPS_AUTH_PASSWORD "$MY_GITLAB_TOKEN"
    setVars GITOPS_AUTH_USERNAME "$MY_GITLAB_USER" false
    
    setVars QUAY_IO_CREDS_USR "$QUAY_IO_CREDS_USR" false
    setVars QUAY_IO_CREDS_PSW "$QUAY_IO_CREDS_PSW"
    
    setVars COSIGN_SECRET_PASSWORD "$COSIGN_SECRET_PASSWORD"
    setVars COSIGN_SECRET_KEY "$COSIGN_SECRET_KEY"
    setVars COSIGN_PUBLIC_KEY "$COSIGN_PUBLIC_KEY" false
    
    setVars TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL" false
    setVars TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL" false
    setVars TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID" false
    setVars TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"
    setVars TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION" false
    
    setVars REKOR_HOST "$REKOR_HOST" false
    setVars TUF_MIRROR "$TUF_MIRROR" false
  4. Load the environment variables into your current shell session:

    source env_vars.sh
  5. Make the glab-set-vars script executable, and run it with your repository name to set the variables in your GitLab repository.

    chmod +x glab-set-vars
    
    ./glab-set-vars your_repository_name
  6. Rerun the last pipeline run.

    1. Alternatively, switch to your application’s source repository in GitLab, make a minor change, and commit it to trigger a new pipeline run.
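Whichever of the two procedures you used, it is worth confirming afterwards that every variable from the table in 2.1 exists in the project and that the credential-bearing ones were actually stored with the masked flag. The following check is an added example, not part of the Red Hat documentation or of glab-set-vars; it reads the same project-variables API with the same PRIVATE-TOKEN header, and the sample API response it runs against is constructed.

```python
"""Check that a GitLab project's CI/CD variables cover the tables in this chapter
and that every secret-bearing one is masked. Added example, not part of the Red
Hat documentation or its scripts; the sample response below is constructed."""
import json
import urllib.parse
import urllib.request

# Variables from the table in 2.1. True means the value is a secret and must have
# been created with the Mask variable flag; False is a plain setting.
REQUIRED = {
    "QUAY_IO_CREDS_USR": False,
    "QUAY_IO_CREDS_PSW": True,
    "REKOR_HOST": False,
    "TUF_MIRROR": False,
    "ROX_CENTRAL_ENDPOINT": False,
    "ROX_API_TOKEN": True,
    "COSIGN_SECRET_PASSWORD": True,
    "COSIGN_SECRET_KEY": True,
    "COSIGN_PUBLIC_KEY": False,
    "TRUSTIFICATION_BOMBASTIC_API_URL": False,
    "TRUSTIFICATION_OIDC_ISSUER_URL": False,
    "TRUSTIFICATION_OIDC_CLIENT_ID": False,
    "TRUSTIFICATION_OIDC_CLIENT_SECRET": True,
    "TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION": False,
}

def check_variables(variables):
    """variables: the list returned by GET /projects/:id/variables. Returns
    (missing, unmasked): required names absent from the project, and secret
    names that exist but were stored without the masked flag."""
    present = {v["key"]: v for v in variables}
    missing = sorted(k for k in REQUIRED if k not in present)
    unmasked = sorted(k for k, secret in REQUIRED.items()
                      if secret and k in present and not present[k].get("masked"))
    return missing, unmasked

def fetch_variables(project_path, token):
    """Live lookup of 'user/repo'; same PRIVATE-TOKEN header as glab-set-vars."""
    url = ("https://gitlab.com/api/v4/projects/"
           + urllib.parse.quote(project_path, safe="") + "/variables?per_page=100")
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample: TUF_MIRROR and COSIGN_PUBLIC_KEY never added, and
# ROX_API_TOKEN added without the Mask variable checkbox.
SAMPLE = [{"key": k, "masked": secret and k != "ROX_API_TOKEN"}
          for k, secret in REQUIRED.items() if k not in ("TUF_MIRROR", "COSIGN_PUBLIC_KEY")]
if __name__ == "__main__":
    print(check_variables(SAMPLE))  # (['COSIGN_PUBLIC_KEY', 'TUF_MIRROR'], ['ROX_API_TOKEN'])
```

To run it against a real project, replace SAMPLE with fetch_variables("your_user/your_repo", MY_GITLAB_TOKEN); an empty list for both results means the pipeline has everything the chapter requires.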





Revised on 2024-12-13 16:47:42 UTC
