Chapter 2. Configuring GitLab CI for external integration by using the CLI

Procedure

1. Create a project with two files in your preferred text editor, such as Visual Studio Code:

   • env_vars.sh
   • glab-set-vars

2. Update the env_vars.sh file with the following environment variables:

   # env_vars.sh
   # GitLab credentials
   export MY_GITLAB_TOKEN="your_gitlab_token_here"
   export MY_GITLAB_USER="your_gitlab_username_here"
   
   
   // Add credentials for an image repository that you use
   # Quay.io credentials
   export QUAY_IO_CREDS_USR="your_quay_username_here"
   export QUAY_IO_CREDS_PSW="your_quay_password_here"
   
   # or JFrog Artifactory credenditals
   export ARTIFACTORY_IO_CREDS_USR="your_artifactory_username_here"
   export ARTIFACTORY_IO_CREDS_PSW="your_artifactory_password_here"
   
   # or Sonatype Nexus credentials
   export NEXUS_IO_CREDS_USR="your_nexus_username_here"
   export NEXUS_IO_CREDS_PSW="your_nexus_password_here"
   
   // Variables required for ACS tasks
   # ROX variables
   export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
   export ROX_API_TOKEN="your_rox_api_token_here"
   
   // Variables required for SBOM tasks.
   # Cosign secrets
   export COSIGN_SECRET_PASSWORD="your_cosign_secret_password_here"
   export COSIGN_SECRET_KEY="your_cosign_secret_key_here"
   export COSIGN_PUBLIC_KEY="your_cosign_public_key_here"
   
   # Trustification credentials
   export TRUSTIFICATION_BOMBASTIC_API_URL="your__BOMBASTIC_API_URL_here"
   export TRUSTIFICATION_OIDC_ISSUER_URL="your_OIDC_ISSUER_URL_here"
   export TRUSTIFICATION_OIDC_CLIENT_ID="your_OIDC_CLIENT_ID_here"
   export TRUSTIFICATION_OIDC_CLIENT_SECRET="your_OIDC_CLIENT_SECRET_here"
   export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="your_SUPPORTED_CYCLONEDX_VERSION_here"
   
   // Set these variables if your CI provider runners do not run
   on the same cluster as the {ProductShortName} instance.
   # Rekor and TUF routes
   export REKOR_HOST="your rekor server url here"
   export TUF_MIRROR="your tuf service url here"

3. Update the glab-set-vars file with the following information:

   #!/bin/bash
   
   if [ $# -ne 1 ]; then
       echo "Missing param, provide gitlab repo name"
       echo "Note: This script uses MY_GITLAB_TOKEN and MY_GITLAB_USER env vars"
       exit
   fi
   
   REPO=$1
   HEADER="PRIVATE-TOKEN: $MY_GITLAB_TOKEN"
   URL=https://gitlab.com/api/v4/projects
   
   # Lookup the project id so we can use it below
   PID=$(curl -s -L --header "$HEADER" "$URL/$MY_GITLAB_USER%2F${REPO//.git/}" | jq ".id")
   
   function setVars() {
       NAME=$1
       VALUE=$2
       MASKED=${3:-true}
       echo "setting $NAME in https://gitlab.com/$MY_GITLAB_USER/$REPO"
   
       # Delete first because if the secret already exists then its value
       # won't be changed by the POST below
       curl -s --request DELETE --header "$HEADER" "$URL/$PID/variables/$NAME"
   
       # Set the new key/value
       curl -s --request POST --header "$HEADER" "$URL/$PID/variables" \
           --form "key=$NAME" --form "value=$VALUE" --form "masked=$MASKED" | jq
   }
   
   setVars ROX_CENTRAL_ENDPOINT $ROX_CENTRAL_ENDPOINT false
   setVars ROX_API_TOKEN $ROX_API_TOKEN
   
   setVars GITOPS_AUTH_PASSWORD $MY_GITLAB_TOKEN
   setVars GITOPS_AUTH_USERNAME $MY_GITLAB_USER false
   
   # Depending on which image repository you use, set:
   setVars QUAY_IO_CREDS_USR $QUAY_IO_CREDS_USR false
   setVars QUAY_IO_CREDS_PSW $QUAY_IO_CREDS_PSW
   # or
   setVars ARTIFACTORY_IO_CREDS_USR "$ARTIFACTORY_IO_CREDS_USR" false
   setVars ARTIFACTORY_IO_CREDS_PSW "$ARTIFACTORY_IO_CREDS_PSW"
   # or
   setVars NEXUS_IO_CREDS_USR "$NEXUS_IO_CREDS_USR" false
   setVars NEXUS_IO_CREDS_PSW "$NEXUS_IO_CREDS_PSW"
   
   setVars COSIGN_SECRET_PASSWORD $COSIGN_SECRET_PASSWORD
   setVars COSIGN_SECRET_KEY $COSIGN_SECRET_KEY
   setVars COSIGN_PUBLIC_KEY $COSIGN_PUBLIC_KEY false
   
   setVars TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL" false
   setVars TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL" false
   setVars TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID" false
   setVars TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"
   setVars TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION" false
   
   # If you need to use the Rekor and TUF variables and you've added them
   # to env_vars.sh, set them here too:
   
   setVars REKOR_HOST "$REKOR_HOST" false
   setVars TUF_MIRROR "$TUF_MIRROR" false
   
   bash $SCRIPTDIR/glab-get-vars $1

   Note

   By default, the setVars function creates a variable as a secret, and this variable’s value won’t be displayed in the UI and logs. To create an unmasked variable, add false at the end of a line where you set it. For example:

   $ setVars COSIGN_PUBLIC_KEY $COSIGN_PUBLIC_KEY false

4. Load the environment variables into your current shell session:

   $ source env_vars.sh

5. Make the glab-set-vars script executable, and run it with your repository name to set the variables in your GitLab repository.

   $ chmod +x glab-set-vars

   ./glab-set-vars your_repository_name

6. Rerun the last pipeline run to verify the secrets are applied correctly. Alternatively, switch to you application’s source repository in GitLab, make a minor change, and commit it to trigger a new pipeline run.