Lab Task 2 - Secret management with Vault
In the area of Continuous Integration and Deployment (CI/CD), security and efficient handling of sensitive data are important. This is where integrating HashiCorp Vault into GitLab CI/CD pipelines becomes crucial. Vault stands out for its ability to securely store and tightly control access to tokens, passwords, certificates, and other secrets crucial for modern automated workflows. By leveraging Vault in GitLab CI/CD pipelines, organizations gain:
- Enhanced Security: Vault’s secure storage and dynamic secret generation minimize risks associated with static secrets.
- Fine-Grained Access Control: Policies in Vault govern who can access what secrets, adding an extra layer of security.
- Audit Trails: Vault’s logging capabilities enable monitoring and auditing of secret usage, crucial for compliance.
- Automated Secret Management: Integration with GitLab CI/CD automates secret distribution, ensuring a secure and efficient pipeline.
Incorporating Vault with GitLab CI/CD pipelines not only fortifies the security posture but also streamlines the management of sensitive data, making it a strategic choice for robust and secure software development practices.
Integration with Vault in GitLab is typically available only in GitLab EE with a Premium license. However, there are also ways to achieve this in GitLab CE, though it may be less convenient.
More details are available in a blog post, which can help save time during setup.
Step 1: Create secrets
In this step, you will verify that all the required credentials have been created. The upcoming tasks in this lab rely heavily on these variables; without them, the pipeline will not function. Each domain is stored under a separate path.
Log in to the Vault UI with your POD credentials and select your POD secret engine. The following paths should already exist. Take a moment to explore how these secrets are created and what they look like.
Nothing to do here: For your reference
The following YAML files have already been imported for your convenience:
Catalyst Center:
{
  "DEVICE_PASSWORD": "Cisco123!",
  "DEVICE_SNMP_COMMUNITY": "Cisco123!",
  "DEVICE_USER": "admin",
  "DNAC_HOST": "198.18.129.100",
  "DNAC_PASSWORD": "Cisco123!",
  "DNAC_USERNAME": "pod01",
  "DNAC_VERIFY": "false"
}

Security Cloud Control:
{
  "api_token": "eyJraWQiOiIwIiwidHlwIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOiIwIiwicm9sZXMiOlsiUk9MRV9BRE1JTiJdLCJpc3MiOiJpdGQiLCJjbHVzdGVySWQiOiIzIiwic3ViamVjdFR5cGUiOiJ1c2VyIiwiY2xpZW50X2lkIjoiYXBpLWNsaWVudCIsInBhcmVudElkIjoiYWEwM2ZlNDctMDM5OS00N2FjLThlNGMtZTY5YmM0NDU1YjEyIiwic2NvcGUiOlsidHJ1c3QiLCJyZWFkIiwiYWEwM2ZlNDctMDM5OS00N2FjLThlNGMtZTY5YmM0NDU1YjEyIiwid3JpdGUiXSwiaWQiOiJjZWRkMTI1NS1jY2Y1LTQ1MjAtYWIxNy03NjM2NTlmZjliYmYiLCJleHAiOjM5MDk5MjgzNTQsInJlZ2lvbiI6InByb2RldSIsImlhdCI6MTc2MjQ0NDc2NywianRpIjoiYmU5M2Q5MDAtMDRiMS00ZjI2LWE0NDMtM2VlOWFlZmQ2YmQ1In0.Lf3sz7w1mUNqVlrkOjKFlt3GzBYl5qg6_qBKaLLrz8CfyJwg7ctUiFWbJUHRTWW-_djLdC-g6XIqNw7KjJltJD3-tRu_6giCDnhMZSgPI5eeK7rw-N67yTZDrg8InpkvQ-VFspsFrw4v1mryzXxIpJdGxtwZjKvhLHmcrPgPcWzHwmiMeYoWsIfSKU2-ufxNngfVHl4-T9_dkmVP8b306Bk2PH2y7HRxetoAE5XyeVaPBzfLf9FdjktVhy37AKZpM6Zgo801sLVgA8q3FzK4IRoImJf1ytkWRJjdN8cDqNJWX2SicYz2kjPGuU9N9ckVuXnucLPkCmWAtKHR1cciDQ",
  "cdo_host": "cisco-cbeye--sc6nui.app.eu.cdo.cisco.com"
}

NDFC:
{
  "DEVICE_PASSWORD": "Cisco123!",
  "DEVICE_USER": "admin",
  "ansible_password": "Cisco123!",
  "ansible_user": "pod01"
}

Netbox:
{
  "api_token": "0dcf112f42d92e0718ce9c1d7f09ea6c3099cb51"
}

Nothing to do here: Variables in GitLab
The following variables have already been created for you. This is just to let you know how the integration works.
During the lab, you will see that each job uses Vault to retrieve the credentials.
- VAULT_SERVER_URL: https://198.18.133.99:8200
- VAULT_SKIP_VERIFY: true
- VAULT_AUTH_PATH: jwt
- VAULT_AUTH_ROLE: pod01
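The four GitLab variables above are exactly what a job needs to authenticate to Vault with its own JWT and read one of the per-domain paths from Step 1. The script below is an added example (it is not part of the lab and not code from HashiCorp or GitLab) showing that exchange with only the Python standard library, which is the route to take on GitLab CE where the Premium `secrets:` keyword is unavailable. It assumes the POD secret engine is a KV version 2 mount named pod01, that the Catalyst Center secret sits at the path catalyst-center under it, and that the job exposes its OIDC ID token in an environment variable VAULT_ID_TOKEN (declared with GitLab's `id_tokens:` keyword); the mount name, path and variable name are assumptions, and the sample responses at the bottom are constructed.

```python
"""Read a KV v2 secret from Vault inside a GitLab CE job using the job's JWT.

Added example (not from the lab, HashiCorp or GitLab). Assumptions: the POD
secret engine is the KV v2 mount "pod01", the secret path is "catalyst-center",
and the job's OIDC ID token is exported as VAULT_ID_TOKEN via `id_tokens:`.
Only the standard library is used so it runs on a plain runner image.
"""
import json
import os
import ssl
import urllib.request
from urllib.parse import quote


def vault_ssl_context(skip_verify: bool) -> ssl.SSLContext:
    """Honour VAULT_SKIP_VERIFY=true (the lab Vault uses a self-signed cert)."""
    ctx = ssl.create_default_context()
    if skip_verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def login_url(server_url: str, auth_path: str) -> str:
    """POST target for JWT auth: <server>/v1/auth/<VAULT_AUTH_PATH>/login."""
    return f"{server_url.rstrip('/')}/v1/auth/{quote(auth_path)}/login"


def login_payload(role: str, jwt: str) -> dict:
    """Body of the login request: the VAULT_AUTH_ROLE plus the job's JWT."""
    return {"role": role, "jwt": jwt}


def client_token_from(login_response: dict) -> str:
    """Extract auth.client_token; fail loudly rather than continue with ''."""
    token = (login_response.get("auth") or {}).get("client_token")
    if not token:
        raise ValueError("Vault login response carried no client_token")
    return token


def kv2_read_url(server_url: str, mount: str, path: str) -> str:
    """KV v2 reads go through /v1/<mount>/data/<path> (note the /data/)."""
    return f"{server_url.rstrip('/')}/v1/{quote(mount)}/data/{quote(path)}"


def secret_data_from(kv_response: dict) -> dict:
    """KV v2 nests the key/values under data.data; data.metadata has versions."""
    try:
        return kv_response["data"]["data"]
    except (KeyError, TypeError):
        raise ValueError("response is not a KV v2 read; wrong mount or path?")


def _json_request(url: str, ctx: ssl.SSLContext, token: str = None, body: dict = None) -> dict:
    """Minimal JSON client: POST when a body is given, otherwise GET."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if body is not None else "GET")
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def fetch_secret(server_url, auth_path, role, jwt, mount, path, skip_verify=False) -> dict:
    """Full exchange: JWT login, then an authenticated KV v2 read."""
    ctx = vault_ssl_context(skip_verify)
    login = _json_request(login_url(server_url, auth_path), ctx, body=login_payload(role, jwt))
    token = client_token_from(login)
    return secret_data_from(_json_request(kv2_read_url(server_url, mount, path), ctx, token=token))


# Constructed sample responses (shaped like the Vault HTTP API) so the parsing
# helpers can be exercised without a reachable Vault.
SAMPLE_LOGIN_RESPONSE = {"auth": {"client_token": "hvs.EXAMPLE-TOKEN", "policies": ["default", "pod01"]}}
SAMPLE_KV_RESPONSE = {"data": {"data": {"DNAC_HOST": "198.18.129.100", "DNAC_USERNAME": "pod01"},
                               "metadata": {"version": 1}}}


if __name__ == "__main__":
    env = os.environ
    secret = fetch_secret(
        env["VAULT_SERVER_URL"], env.get("VAULT_AUTH_PATH", "jwt"), env["VAULT_AUTH_ROLE"],
        env["VAULT_ID_TOKEN"], mount=env.get("VAULT_MOUNT", "pod01"), path="catalyst-center",
        skip_verify=env.get("VAULT_SKIP_VERIFY", "").lower() == "true")
    # Never echo secret values into the job log; report only which keys arrived.
    print("retrieved keys:", sorted(secret))
```

In the job definition the token is requested with `id_tokens: VAULT_ID_TOKEN: aud: <Vault URL>` (the audience must match what the pod01 JWT role in Vault expects; that binding is assumed here, not shown in the lab). Two details are worth keeping in mind: the `/data/` segment in the read URL is what distinguishes a KV v2 read from KV v1, and `client_token_from` deliberately raises instead of returning an empty string, so a failed login stops the pipeline rather than producing a confusing 403 on the next request.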