Using Fortanix Data Security Manager with GitLab

1.0 Introduction

The objective of this article is to facilitate a secure and efficient secret management process. It outlines the steps required for generating and importing secrets, as well as for using existing secrets from Fortanix DSM within GitLab build environments.

Follow the instructions to implement this integration effectively, enhancing data security and optimizing CI/CD pipelines.

1.1 Prerequisites

Ensure that you must have the following:

• Access to a Fortanix DSM account with appropriate administrative privileges. For more information, refer to Getting Started with Fortanix Data Security Manager.
• A GitLab account with access to the project where you intend to set up the integration. For more information, refer to Getting Started with GitLab.
• Knowledge about the process of saving secrets in Fortanix DSM, including generating and importing the secret.
• Access to necessary permissions in Fortanix DSM and GitLab for group, application, plugin, variable, and secret management.

2.0 Procedure

Perform the following steps are involved in managing the secrets in a GitLab pipeline through Fortanix DSM:

1. Authentication within Fortanix DSM.
2. Configuring Fortanix DSM, which includes creating groups and applications.
3. Storing secrets securely within Fortanix DSM.
4. Accessing and retrieving secrets from Fortanix DSM for utilization within the GitLab pipeline.

3.0 Integration Use Cases

Fortanix DSM offers two integration methods to connect with GitLab. You can choose the one that aligns with your specific requirements and preferences.

3.1 Use Case 1: Generating & Importing a Secret

Perform the following steps for generating and importing a secret into Fortanix DSM using a plugin:

1. Log in to your Fortanix DSM account using your credentials and appropriate administrative privileges.
2. Within Fortanix DSM, create a new group and an application. For more information, refer to User's Guide: Getting Started with Fortanix Data Security Manager - UI.
3. Configure the API Key as the authentication method for the application. For more information, refer to User’s Guide: Authentication.
4. Use the following code to generate a new plugin in Fortanix DSM :
   For more information, refer to User’s Guide: Plugin Library.
   

   numericAlphabet
   = "0123456789"
   alphanumericAlphabet
   = numericAlphabet .. "abcdefghijklmnopqrstuvwxyz"
   alphanumericCapsAlphabet
   = alphanumericAlphabet .. "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
   alphanumericCapsSymbolsAlphabets
   = alphanumericCapsAlphabet .. "!@#$&*_%="
   function
   genPass(alphabet, len, name, import)
       local alphabetSize = #alphabet
       local password = ''
       for i = 1, len, 1 do
           local random_char =
   math.random(alphabetSize)
           password = password ..
   string.sub(alphabet, random_char, random_char)
       end
       local pass = Blob.from_bytes(password)
       if import == "yes" then
           local sobject = assert(Sobject.import {
   name = name, obj_type = "SECRET", value = pass, key_ops =
   {'APPMANAGEABLE', 'EXPORT'} })
           return password
       end
       return password;
   end
   function
   run(input)
       if input.type == "numeric" then
           return genPass(numericAlphabet,
   input.length, input.name, input.import)
       end
       if input.type == "alphanumeric"
   then
           return genPass(alphanumericAlphabet, input.length,
   input.name, input.import)
       end  
       if input.type ==
   "alphanumeric_caps" then
           return
   genPass(alphanumericCapsAlphabet, input.length, input.name, input.import)
       end  
       if input.type ==
   "alphanumeric_caps_symbols" then
           return
   genPass(alphanumericCapsSymbolsAlphabets, input.length, input.name,
   input.import)      
       end
   end

   • Set the import option to yes if you want to store the secret in Fortanix DSM.
     

     {
         "type": "alphanumeric_caps",
         "length": 64,
         "name": "GitLab-Secret",
         "import": "yes"
     }
     

   • Set the import option to no if you only want a new value generated for rotation.
     

     {
         "type": "numeric",
         "length": 64,
         "name": "GitLab-Secret",
         "import": "no"
     }

5. Navigate to GitLab and select the project where you want to set up the integration.
6. In GitLab, go to Settings → CI/CD → Variables, and add the following new variables:
   
   • FORTANIX_API_ENDPOINT
   • FORTANIX_API_KEY
   • FORTANIX_PLUGIN_ID
7. Under the top level of your GitLab project, locate the .gitlab-ci.yaml configuration file and edit this file as following to define the CI/CD pipeline for the integration:
   

   stages:
     - build
   
   build:
     stage: build
     image: ubuntu
     script:
     - apt-get update
     - apt install jq -y
     - apt install curl -y
     - jq --version
     - curl -V
     - secret=$(curl -s -X POST -H "Authorization:Basic ${FORTANIX_API_KEY}" ${FORTANIX_API_ENDPOINT}/sys/v1/plugins/${FORTANIX_PLUGIN_ID} -d "{\"type\":\"alphanumeric_caps\", \"name\":\"$CI_PIPELINE_ID\",\"import\":\"yes\", \"length\":\"48\"}" | jq -r)
     - echo $CI_PIPELINE_ID
     - echo $secret
     - nsecret=$(curl -s -X POST -H "Authorization:Basic ${FORTANIX_API_KEY}" ${FORTANIX_API_ENDPOINT}/sys/v1/plugins/${FORTANIX_PLUGIN_ID} -d "{\"type\":\"alphanumeric_caps\", \"import\":\"no\", \"length\":\"48\"}" | jq -r)
     - echo $nsecret
     - encodesecret=$(echo $nsecret | base64)
     - rotate=$(curl -s -X POST -H "Authorization:Basic ${FORTANIX_API_KEY}" ${FORTANIX_API_ENDPOINT}/crypto/v1/keys/rekey -d "{\"name\":\"$CI_PIPELINE_ID\", \"value\":\"$encodesecret\"}" | jq -r .kid)
     - echo $rotate

   The pipeline must automatically run after editing the .gitlab-ci.yaml file.
   If not, select Build → Pipelines → Run pipeline to initiate the process.
   
8. On Gitlab UI, navigate to Build → Jobs from the left navigation bar to review the latest output.

3.2 Use Case 2: Using an Existing Secret from Fortanix DSM

Ensure you have a secret in Fortanix DSM that you want to use in the integration and this secret is marked as exportable within Fortanix DSM.

Perform the following steps to utilize an existing secret from Fortanix DSM in your integration with GitLab:

1. Navigate to your GitLab project where you want to set up the integration.
2. In GitLab, go to Settings → CI/CD → Variables and add the following new variables:
   
   • FORTANIX_API_ENDPOINT
   • FORTANIX_API_KEY
   • FORTANIX_SECRET_NAME
3. Under the top level of your GitLab project, locate the .gitlab-ci.yaml configuration file and edit this file as following to define the CI/CD pipeline for the integration:
   

   stages:
     - build
   
   build:
     stage: build
     image: ubuntu
     script:
     - apt-get update
     - apt install jq -y
     - apt install curl -y
     - jq --version
     - curl -V
     - secret=$(curl -s -X POST -H "Authorization:Basic ${FORTANIX_API_KEY}" ${FORTANIX_API_ENDPOINT}/crypto/v1/keys/export -d "{\"name\":\"${FORTANIX_SECRET_NAME}\"}" | jq -r .value)
     - echo $CI_PIPELINE_ID
     - echo $secret
   

   The pipeline must automatically run after editing the .gitlab-ci.yaml file.
   If not, select Build → Pipelines → Run pipeline to initiate the integration process.
   
4. On GitLab UI, navigate to Build → Jobs from the left navigation bar to review the latest output.