1.0 Introduction
The objective of this article is to facilitate a secure and efficient secret management process. It outlines the steps required for generating and importing secrets, as well as for using existing secrets from Fortanix DSM within GitLab build environments.
Follow the instructions to implement this integration effectively, enhancing data security and optimizing CI/CD pipelines.
1.1 Prerequisites
Ensure that you have the following:
- Access to a Fortanix DSM account with appropriate administrative privileges. For more information, refer to Getting Started with Fortanix Data Security Manager.
- A GitLab account with access to the project where you intend to set up the integration. For more information, refer to Getting Started with GitLab.
- Knowledge about the process of saving secrets in Fortanix DSM, including generating and importing the secret.
- Access to necessary permissions in Fortanix DSM and GitLab for group, application, plugin, variable, and secret management.
2.0 Procedure
Managing secrets in a GitLab pipeline through Fortanix DSM involves the following steps:
- Authentication within Fortanix DSM.
- Configuring Fortanix DSM, which includes creating groups and applications.
- Storing secrets securely within Fortanix DSM.
- Accessing and retrieving secrets from Fortanix DSM for utilization within the GitLab pipeline.
3.0 Integration Use Cases
Fortanix DSM offers two integration methods to connect with GitLab. You can choose the one that aligns with your specific requirements and preferences.
3.1 Use Case 1: Generating & Importing a Secret
Perform the following steps for generating and importing a secret into Fortanix DSM using a plugin:
- Log in to your Fortanix DSM account using your credentials and appropriate administrative privileges.
- Within Fortanix DSM, create a new group and an application, and assign the application to that group only. The application's credential will be stored in GitLab, so it should have access to nothing beyond the secrets this pipeline needs. For more information, refer to User's Guide: Getting Started with Fortanix Data Security Manager - UI.
- Configure the API Key as the authentication method for the application. This is the value the GitLab job presents as HTTP Basic authentication. For more information, refer to User's Guide: Authentication.
- Use the following Lua code to create a new plugin in Fortanix DSM. For more information, refer to User's Guide: Plugin Library. Note that the plugin returns the generated value in its response, so only the application whose API key GitLab holds should be allowed to invoke it.
numericAlphabet = "0123456789"
alphanumericAlphabet = numericAlphabet .. "abcdefghijklmnopqrstuvwxyz"
alphanumericCapsAlphabet = alphanumericAlphabet .. "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
alphanumericCapsSymbolsAlphabet = alphanumericCapsAlphabet .. "!@#$&*_%="

-- Maps the "type" field of the plugin input to the alphabet used for generation.
alphabets = {
  numeric = numericAlphabet,
  alphanumeric = alphanumericAlphabet,
  alphanumeric_caps = alphanumericCapsAlphabet,
  alphanumeric_caps_symbols = alphanumericCapsSymbolsAlphabet
}

-- Builds a random string of `len` characters drawn from `alphabet`. When `import`
-- is "yes" the value is also stored in DSM as a SECRET named `name`, with EXPORT
-- enabled (so a GitLab job can read it back) and APPMANAGEABLE (so the
-- application can rotate it). Confirm that math.random in your DSM plugin
-- runtime is backed by a cryptographically secure source before relying on this
-- for production secrets.
function genPass(alphabet, len, name, import)
  local alphabetSize = #alphabet
  local password = ''
  for i = 1, len do
    local idx = math.random(alphabetSize)
    password = password .. string.sub(alphabet, idx, idx)
  end
  if import == "yes" then
    assert(Sobject.import {
      name = name,
      obj_type = "SECRET",
      value = Blob.from_bytes(password),
      key_ops = {'APPMANAGEABLE', 'EXPORT'}
    })
  end
  return password
end

-- Plugin entry point. Rejects unknown types and non-numeric lengths instead of
-- silently returning nothing; "length" may arrive as a string from a curl body.
function run(input)
  local alphabet = alphabets[input.type]
  if alphabet == nil then
    error("unsupported type: " .. tostring(input.type))
  end
  local len = tonumber(input.length)
  if len == nil or len < 1 then
    error("length must be a positive number")
  end
  return genPass(alphabet, len, input.name, input.import)
end
- Set the import option to yes if you want to store the secret in Fortanix DSM. Example plugin input:
{
  "type": "alphanumeric_caps",
  "length": 64,
  "name": "GitLab-Secret",
  "import": "yes"
}
- Set the import option to no if you only want a new value generated, for example as the new value for a rotation. Nothing is stored and the name field is ignored:
{
  "type": "numeric",
  "length": 64,
  "name": "GitLab-Secret",
  "import": "no"
}
- Navigate to GitLab and select the project where you want to set up the integration.
- In GitLab, go to Settings → CI/CD → Variables, and add the following new variables. Mark FORTANIX_API_KEY as Masked so GitLab redacts it from job logs, and as Protected if only protected branches should be able to reach Fortanix DSM:
FORTANIX_API_ENDPOINT (the base URL of your Fortanix DSM instance)
FORTANIX_API_KEY (the API key of the application created above)
FORTANIX_PLUGIN_ID (the ID of the plugin created above)
- Under the top level of your GitLab project, locate the .gitlab-ci.yml configuration file (GitLab reads .gitlab-ci.yml by default, not .gitlab-ci.yaml) and edit it as follows to define the CI/CD pipeline for the integration. The job generates a secret named after the pipeline ID and imports it into Fortanix DSM, then generates a second value without importing it and uses that value to rotate (rekey) the stored secret:
stages:
  - build

build:
  stage: build
  image: ubuntu
  script:
    - apt-get update
    - apt-get install -y jq curl
    - jq --version
    - curl -V
    # Generate a 48-character secret named after the pipeline and store it in DSM.
    # --fail makes curl exit non-zero on an HTTP error (bad API key, missing permission)
    # instead of silently leaving $secret empty.
    - secret=$(curl -sS --fail -X POST -H "Authorization:Basic ${FORTANIX_API_KEY}" -H "Content-Type:application/json" "${FORTANIX_API_ENDPOINT}/sys/v1/plugins/${FORTANIX_PLUGIN_ID}" -d "{\"type\":\"alphanumeric_caps\",\"name\":\"${CI_PIPELINE_ID}\",\"import\":\"yes\",\"length\":48}" | jq -r .)
    - echo "$CI_PIPELINE_ID"
    # Demonstration only: printing a secret writes it into the job log. Remove this line in a real pipeline.
    - echo "$secret"
    # Generate a second value without storing it; this becomes the rotated value.
    - nsecret=$(curl -sS --fail -X POST -H "Authorization:Basic ${FORTANIX_API_KEY}" -H "Content-Type:application/json" "${FORTANIX_API_ENDPOINT}/sys/v1/plugins/${FORTANIX_PLUGIN_ID}" -d "{\"type\":\"alphanumeric_caps\",\"import\":\"no\",\"length\":48}" | jq -r .)
    # Demonstration only, as above.
    - echo "$nsecret"
    # printf avoids the trailing newline that echo would feed into base64; -w0 disables line wrapping.
    - encodesecret=$(printf '%s' "$nsecret" | base64 -w0)
    # Rotate the stored secret to the new value; the response carries the key ID of the new version.
    - rotate=$(curl -sS --fail -X POST -H "Authorization:Basic ${FORTANIX_API_KEY}" -H "Content-Type:application/json" "${FORTANIX_API_ENDPOINT}/crypto/v1/keys/rekey" -d "{\"name\":\"${CI_PIPELINE_ID}\",\"value\":\"${encodesecret}\"}" | jq -r .kid)
    - echo "$rotate"
- Commit the file. GitLab starts a pipeline automatically when .gitlab-ci.yml changes. If not, select Build → Pipelines → Run pipeline to initiate the process.
- On the GitLab UI, navigate to Build → Jobs from the left navigation bar to review the latest output.
3.2 Use Case 2: Using an Existing Secret from Fortanix DSM
Ensure that the secret you want to use exists in Fortanix DSM and has the EXPORT key operation enabled (the secret generated in Use Case 1 does). The application whose API key GitLab holds must belong to the group that contains the secret.
Perform the following steps to utilize an existing secret from Fortanix DSM in your integration with GitLab:
- Navigate to your GitLab project where you want to set up the integration.
- In GitLab, go to Settings → CI/CD → Variables and add the following new variables. Mark FORTANIX_API_KEY as Masked so GitLab redacts it from job logs, and as Protected if only protected branches should be able to reach Fortanix DSM:
FORTANIX_API_ENDPOINT (the base URL of your Fortanix DSM instance)
FORTANIX_API_KEY (the API key of the application that belongs to the secret's group)
FORTANIX_SECRET_NAME (the name of the secret in Fortanix DSM)
- Under the top level of your GitLab project, locate the .gitlab-ci.yml configuration file and edit it as follows to define the CI/CD pipeline for the integration:
stages:
  - build

build:
  stage: build
  image: ubuntu
  script:
    - apt-get update
    - apt-get install -y jq curl
    - jq --version
    - curl -V
    # Export the secret by name. The value field is base64-encoded (the rekey step in Use Case 1
    # encodes it the same way), so decode it before use. --fail turns an HTTP error (wrong key,
    # secret not exportable) into a job failure instead of an empty value.
    - secret=$(curl -sS --fail -X POST -H "Authorization:Basic ${FORTANIX_API_KEY}" -H "Content-Type:application/json" "${FORTANIX_API_ENDPOINT}/crypto/v1/keys/export" -d "{\"name\":\"${FORTANIX_SECRET_NAME}\"}" | jq -r .value | base64 -d)
    - echo "$CI_PIPELINE_ID"
    # Demonstration only: this writes the secret into the job log. In a real pipeline, hand it to the
    # consuming step (a file with restricted permissions, an environment variable) without printing it.
    - echo "$secret"
- Commit the file. GitLab starts a pipeline automatically when .gitlab-ci.yml changes. If not, select Build → Pipelines → Run pipeline to initiate the integration process.
- On the GitLab UI, navigate to Build → Jobs from the left navigation bar to review the latest output.
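The curl one-liners in Use Case 1 and Use Case 2 hand-escape JSON, pipe secrets through echo, and cannot tell an HTTP error from an empty value. The following is an added example, not Fortanix's or GitLab's own code, of a small client that a GitLab job could run in place of those commands (for example with a `python3` step, which the ubuntu image does not ship by default). It assumes the API paths, headers and field names used by the page's curl commands, and it assumes nothing else about the DSM API: the transport is injectable, and the `fake_dsm_transport` below is a constructed stand-in for DSM, not a captured response, so the logic runs offline.

```python
"""Added example (not Fortanix's or GitLab's code): DSM client for a CI job.

Builds bodies with json.dumps (no hand escaping), base64-encodes rotation values
without the trailing newline that `echo | base64` adds, decodes the base64 value
returned by export, raises on HTTP errors, and writes the secret to a 0600 file
instead of echoing it into the job log. Paths and field names are those used by
the page's curl commands (assumption); python3 in the job image is assumed.
"""
import base64
import json
import os
from typing import Any, Callable, Dict, Optional
import urllib.request

# A transport takes (url, JSON body bytes) and returns the response body bytes.
Transport = Callable[[str, bytes], bytes]


class DsmClient:
    def __init__(self, endpoint: str, api_key: str,
                 transport: Optional[Transport] = None) -> None:
        self.endpoint = endpoint.rstrip("/")
        self._auth = "Basic " + api_key            # same scheme as the page's curl -H
        self._transport = transport or self._http_post

    def _http_post(self, url: str, body: bytes) -> bytes:
        req = urllib.request.Request(url, data=body, method="POST", headers={
            "Authorization": self._auth,
            "Content-Type": "application/json",
        })
        # urlopen raises urllib.error.HTTPError on 4xx/5xx, so a bad API key or
        # a missing permission fails the job instead of yielding an empty secret.
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read()

    def _post(self, path: str, payload: Dict[str, Any]) -> Any:
        body = json.dumps(payload).encode()        # escapes quotes in names etc.
        return json.loads(self._transport(self.endpoint + path, body))

    def generate_secret(self, plugin_id: str, name: str, length: int = 48,
                        kind: str = "alphanumeric_caps", store: bool = True) -> str:
        """Invoke the page's generator plugin; store=True maps to import=yes."""
        payload = {"type": kind, "length": int(length), "name": name,
                   "import": "yes" if store else "no"}
        value = self._post(f"/sys/v1/plugins/{plugin_id}", payload)
        if not isinstance(value, str) or len(value) != int(length):
            raise ValueError("plugin returned an unexpected value")
        return value

    def rotate_secret(self, name: str, new_value: str) -> str:
        """Rekey the stored secret to new_value; returns the new key ID."""
        encoded = base64.b64encode(new_value.encode()).decode()   # no newline
        return self._post("/crypto/v1/keys/rekey",
                          {"name": name, "value": encoded})["kid"]

    def export_secret(self, name: str) -> bytes:
        """Fetch an exportable secret; the value field is base64 on the wire."""
        return base64.b64decode(self._post("/crypto/v1/keys/export",
                                           {"name": name})["value"])


def write_secret_file(path: str, secret: bytes) -> None:
    """Hand the secret to later steps via a file only the job user can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(secret)


# ---- constructed fake DSM for offline runs (not a captured DSM response) ----
_FAKE_STORE = {"GitLab-Secret": "czNjcmV0LWZyb20tZHNt"}   # base64("s3cret-from-dsm")


def fake_dsm_transport(url: str, body: bytes) -> bytes:
    req = json.loads(body)
    if "/sys/v1/plugins/" in url:               # plugin returns a bare JSON string
        value = "A" * int(req["length"])
        if req["import"] == "yes":
            _FAKE_STORE[req["name"]] = base64.b64encode(value.encode()).decode()
        return json.dumps(value).encode()
    if url.endswith("/crypto/v1/keys/rekey"):
        _FAKE_STORE[req["name"]] = req["value"]
        return json.dumps({"kid": "kid-for-" + req["name"]}).encode()
    if url.endswith("/crypto/v1/keys/export"):
        return json.dumps({"name": req["name"],
                           "value": _FAKE_STORE[req["name"]]}).encode()
    raise RuntimeError("unexpected path " + url)


if __name__ == "__main__":
    # Real job: DsmClient(os.environ["FORTANIX_API_ENDPOINT"], os.environ["FORTANIX_API_KEY"])
    client = DsmClient("https://dsm.example", "not-a-real-key", fake_dsm_transport)
    pipeline = os.environ.get("CI_PIPELINE_ID", "12345")
    plugin = os.environ.get("FORTANIX_PLUGIN_ID", "plugin-id")
    client.generate_secret(plugin, pipeline)                           # Use Case 1: create
    new_value = client.generate_secret(plugin, pipeline, store=False)  # Use Case 1: rotate
    print("rotated", pipeline, "->", client.rotate_secret(pipeline, new_value))  # key ID only
    write_secret_file("secret.bin", client.export_secret("GitLab-Secret"))  # Use Case 2
```

Swapping `fake_dsm_transport` for the default `_http_post` is the only change needed to run it against a real Fortanix DSM; everything the job prints is a pipeline ID or a key ID, never a secret value.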