Red Hat SummitConfiguring GitLab CI
Learn how to configure GitLab CI for secure CI/CD workflows.
Abstract
Preface
If you’re using GitLab CI for your application, pipeline runs may fail due to missing secrets. Without them, integrations with Quay, JFrog, and Red Hat Advanced Cluster Security (ACS) won’t work, breaking security tasks like vulnerability scanning, image signing, and SBOM generation for compliance.
To prevent this, you need to securely store secrets in GitLab CI. This guide walks you through the process, ensuring your pipelines run smoothly and securely.
Chapter 1. Adding secrets and variables to GitLab CI for integration with external tools
Prerequisites
Before you configure GitLab CI, ensure you have the following:
- Admin access to your GitLab repository and CI/CD settings.
- Container registry credentials for pulling container images from Quay.io, JFrog Artifactory, or Sonatype Nexus.
Authentication details for specific GitLab CI tasks:
For ACS security tasks:
- ROX Central server endpoint
- ROX API token
For SBOM and artifact signing tasks:
- Cosign signing key password, private key and public key
- Trustification API and issuer URL, client ID, client secret, and supported CycloneDX version
NoteThe credentials and other details are already Base64-encoded, so you do not need to encode them again. You can find these credentials in your
private.envfile, which you created during RHTAP installation.
1.1. Option 1: Adding secrets and variables to GitLab CI using UI
Procedure
This procedure add both required secrets and environment variables. Note that you need to mask values of secrets.
- Log in to GitLab and open your source repository.
- Expand the Setting menu and select CI/CD.
- In the Variables section, select Expand.
Select Add variable and in a pop-up window add the first secret:
- In the Key field, enter MY_GITLAB_TOKEN.
- In the Value field, enter the token associated with your GitLab account.
- Under Flags, select Mask variable to hide sensitive values.
- Select Add variable.
Repeat step 4 to add the required secrets and check the Mask variable flag for each of them:
Table 1.1. Image registry and GitOps secrets Variable Description QUAY_IO_CREDS_PSWPassword for accessing your Quay repository.
ARTIFACTORY_IO_CREDS_PSWPassword for accessing your JFrog Artifactory repository.
NEXUS_IO_CREDS_PSWPassword for accessing your Sonatype Nexus repository.
GITOPS_AUTH_PASSWORDThe token the system uses to update the GitOps repository for newly built images.
Table 1.2. Secrets required for ACS and SBOM tasks Variable Description ROX_API_TOKENAPI token for accessing the ROX server.
COSIGN_SECRET_PASSWORDPassword for Cosign signing key.
COSIGN_SECRET_KEYPrivate key for Cosign.
TRUSTIFICATION_OIDC_CLIENT_SECRETClient secret used alongside the client ID to authenticate to the Trustification Bombastic API.
Add regular environment variables:
- Select Add variable.
- In the Key field, enter the key, for example, QUAY_IO_CREDS_USR.
- In the Value field, enter the username for accessing your Quay repository.
- Under Flags, do not select Mask variable.
- Select Add variable.
Repeat step 6 to add the following variables:
Table 1.3. Image registry and GitOps variables Variable Description QUAY_IO_CREDS_USRUsername for accessing your Quay repository.
ARTIFACTORY_IO_CREDS_USRUsername for accessing your JFrog Artifactory repository.
NEXUS_IO_CREDS_USRUsername for accessing your Nexus repository.
GITOPS_AUTH_USERNAMEYour OpenShift GitOps username.
Table 1.4. Variables required for ACS and SBOM tasks Variable Description ROX_CENTRAL_ENDPOINTEndpoint for the ROX Central server.
COSIGN_PUBLIC_KEYPublic key for Cosign.
TRUSTIFICATION_BOMBASTIC_API_URLURL for Trustification Bombastic API used in SBOM generation.
TRUSTIFICATION_OIDC_ISSUER_URLOIDC issuer URL used for authentication when interacting with the Trustification Bombastic API.
TRUSTIFICATION_OIDC_CLIENT_IDClient ID for authenticating to the Trustification Bombastic API using OIDC.
TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSIONSpecifies the CycloneDX SBOM version that is supported and generated by the system.
Optional: Set the Rekor and TUF variables if your CI provider runners do not run on the same cluster as the RHTAP instance.
Table 1.5. Rekor and TUF variables Variable Description REKOR_HOSTURL of your Rekor server.
TUF_MIRRORURL of your TUF service.
Rerun the last pipeline run to verify the secrets are applied correctly.
- Alternatively, switch to you application’s source repository in GitLab, make a minor change, and commit it to trigger a new pipeline run.
1.2. Option 2: Adding secrets and variables to GitLab CI using CLI
Procedure
Create a project with two files in your preferred text editor, such as Visual Studio Code:
- env_vars.sh
- glab-set-vars
Update the
env_vars.shfile with the following environment variables:# env_vars.sh # GitLab credentials export MY_GITLAB_TOKEN="your_gitlab_token_here" export MY_GITLAB_USER="your_gitlab_username_here" export GITOPS_AUTH_PASSWORD="your_OpenShift_GitOps_password_here" export GITOPS_AUTH_USERNAME="your_OpenShift_GitOps_username_here" // Add credentials for an image repository that you use # Quay.io credentials export QUAY_IO_CREDS_USR="your_quay_username_here" export QUAY_IO_CREDS_PSW="your_quay_password_here" # or JFrog Artifactory credenditals export ARTIFACTORY_IO_CREDS_USR="your_artifactory_username_here" export ARTIFACTORY_IO_CREDS_PSW="your_artifactory_password_here" # or Sonatype Nexus credentials export NEXUS_IO_CREDS_USR="your_nexus_username_here" export NEXUS_IO_CREDS_PSW="your_nexus_password_here" // Variables required for ACS tasks # ROX variables export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here" export ROX_API_TOKEN="your_rox_api_token_here" // Variables required for SBOM tasks. # Cosign secrets export COSIGN_SECRET_PASSWORD="your_cosign_secret_password_here" export COSIGN_SECRET_KEY="your_cosign_secret_key_here" export COSIGN_PUBLIC_KEY="your_cosign_public_key_here" # Trustification credentials export TRUSTIFICATION_BOMBASTIC_API_URL="your__BOMBASTIC_API_URL_here" export TRUSTIFICATION_OIDC_ISSUER_URL="your_OIDC_ISSUER_URL_here" export TRUSTIFICATION_OIDC_CLIENT_ID="your_OIDC_CLIENT_ID_here" export TRUSTIFICATION_OIDC_CLIENT_SECRET="your_OIDC_CLIENT_SECRET_here" export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="your_SUPPORTED_CYCLONEDX_VERSION_here" // Set these variables if your CI provider runners do not run on the same cluster as the {ProductShortName} instance. # Rekor and TUF routes export REKOR_HOST="your rekor server url here" export TUF_MIRROR="your tuf service url here"Update the
glab-set-varsfile with the following information:#!/bin/bash SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)" if [ $# -ne 1 ]; then echo "Missing param, provide gitlab repo name" echo "Note: This script uses MY_GITLAB_TOKEN and MY_GITLAB_USER env vars" exit fi REPO=$1 HEADER="PRIVATE-TOKEN: $MY_GITLAB_TOKEN" URL=https://gitlab.com/api/v4/projects # Lookup the project id so we can use it below PID=$(curl -s -L --header "$HEADER" "$URL/$MY_GITLAB_USER%2F${REPO//.git/}" | jq ".id") function setVars() { NAME=$1 VALUE=$2 MASKED=${3:-true} echo "setting $NAME in https://gitlab.com/$MY_GITLAB_USER/$REPO" # Delete first because if the secret already exists then its value # won't be changed by the POST below curl -s --request DELETE --header "$HEADER" "$URL/$PID/variables/$NAME" # Set the new key/value curl -s --request POST --header "$HEADER" "$URL/$PID/variables" \ --form "key=$NAME" --form "value=$VALUE" --form "masked=$MASKED" | jq } setVars ROX_CENTRAL_ENDPOINT $ROX_CENTRAL_ENDPOINT false setVars ROX_API_TOKEN $ROX_API_TOKEN setVars GITOPS_AUTH_PASSWORD $MY_GITLAB_TOKEN setVars GITOPS_AUTH_USERNAME $MY_GITLAB_USER false # Depending on which image repository you use, set: setVars QUAY_IO_CREDS_USR $QUAY_IO_CREDS_USR false setVars QUAY_IO_CREDS_PSW $QUAY_IO_CREDS_PSW # or setVars ARTIFACTORY_IO_CREDS_USR "$ARTIFACTORY_IO_CREDS_USR" false setVars ARTIFACTORY_IO_CREDS_PSW "$ARTIFACTORY_IO_CREDS_PSW" # or setVars NEXUS_IO_CREDS_USR "$NEXUS_IO_CREDS_USR" false setVars NEXUS_IO_CREDS_PSW "$NEXUS_IO_CREDS_PSW" setVars COSIGN_SECRET_PASSWORD $COSIGN_SECRET_PASSWORD setVars COSIGN_SECRET_KEY $COSIGN_SECRET_KEY setVars COSIGN_PUBLIC_KEY $COSIGN_PUBLIC_KEY false setVars TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL" false setVars TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL" false setVars TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID" false setVars TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET" setVars TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION" false # If you need to use the Rekor and TUF variables and you've added them # to env_vars.sh, set them here too: setVars REKOR_HOST "$REKOR_HOST" false setVars TUF_MIRROR "$TUF_MIRROR" false bash $SCRIPTDIR/glab-get-vars $1NoteBy default, the
setVarsfunction creates a variable as a secret, and this variable’s value won’t be displayed in the UI and logs. To create an unmasked variable, addfalseat the end of a line where you set it. For example:setVars COSIGN_PUBLIC_KEY $COSIGN_PUBLIC_KEY false
Load the environment variables into your current shell session:
source env_vars.sh
Make the
glab-set-varsscript executable, and run it with your repository name to set the variables in your GitLab repository.chmod +x glab-set-vars ./glab-set-vars your_repository_name
Rerun the last pipeline run to verify the secrets are applied correctly.
- Alternatively, switch to you application’s source repository in GitLab, make a minor change, and commit it to trigger a new pipeline run.
Revised on 2025-04-30 03:55:47 UTC
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}