Commit 05c76158 authored by Krasimir Angelov's avatar Krasimir Angelov

Add column to ci_builds_metadata to store secrets

The new column is named `secrets` and is of type `jsonb`; there is also
JSON schema validation of the data that can be stored in it.

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/28321 and
https://gitlab.com/gitlab-org/gitlab/-/issues/218746.
parent 5b81f9dc
...@@ -83,3 +83,5 @@ module Ci ...@@ -83,3 +83,5 @@ module Ci
end end
end end
end end
Ci::BuildMetadata.prepend_if_ee('EE::Ci::BuildMetadata')
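Review bot: The JSON-schema validation of `secrets` is wired in only through `EE::Ci::BuildMetadata` (the `prepended do ... validates :secrets, json_schema: { filename: 'build_metadata_secrets' } end` block later in this commit), so on a CE installation the new `jsonb` column accepts any document while the migration and its `{}` default apply to both editions. If the schema file is shipped in the CE tree (its path is not visible on this page), the `validates` line could live in `Ci::BuildMetadata` itself so the constraint does not depend on the edition; otherwise a comment on this prepend line such as `# secrets JSON-schema validation is added by the EE module` would make the split explicit. The enclosing `module Ci` body starts outside this hunk.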
{
"description": "CI builds metadata secrets",
"type": "object",
"patternProperties": {
".*": {
"type": "object",
"patternProperties": {
"^vault$": {
"type": "object",
"required": ["path", "field", "engine"],
"properties": {
"path": { "type": "string" },
"field": { "type": "string" },
"engine": {
"type": "object",
"required": ["name", "path"],
"properties": {
"path": { "type": "string" },
"name": { "type": "string" }
},
"additionalProperties": false
}
},
"additionalProperties": false
}
},
"additionalProperties": false
}
}
}
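Review bot: The top-level `patternProperties` key `".*"` also matches the empty string, so a document like `{ "": { "vault": { ... } } }` passes validation although an unnamed secret cannot be referenced; `".+"` (or a stricter identifier pattern matching the variable names used in the spec, e.g. `DATABASE_PASSWORD`) would reject it. Separately, the `description` reads as if secret values were stored, whereas the schema only admits a Vault `path`, `field` and `engine` (`name`, `path`), i.e. references; stating that in the description, e.g. `"description": "CI builds metadata secrets: Vault references (engine, path, field), not secret values"`, would prevent the column being treated as sensitive payload by later readers. The `additionalProperties: false` settings at each level are the right choice and should be kept when the schema is extended with other providers.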
---
title: Add ci_builds_metadata.secrets column
merge_request: 34480
author:
type: added
# frozen_string_literal: true
class AddSecretsToCiBuildsMetadata < ActiveRecord::Migration[6.0]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
def up
with_lock_retries do
add_column :ci_builds_metadata, :secrets, :jsonb, default: {}, null: false
end
end
def down
with_lock_retries do
remove_column :ci_builds_metadata, :secrets
end
end
end
...@@ -1075,7 +1075,8 @@ CREATE TABLE public.ci_builds_metadata ( ...@@ -1075,7 +1075,8 @@ CREATE TABLE public.ci_builds_metadata (
config_variables jsonb, config_variables jsonb,
has_exposed_artifacts boolean, has_exposed_artifacts boolean,
environment_auto_stop_in character varying(255), environment_auto_stop_in character varying(255),
expanded_environment_name character varying(255) expanded_environment_name character varying(255),
secrets jsonb DEFAULT '{}'::jsonb NOT NULL
); );
CREATE SEQUENCE public.ci_builds_metadata_id_seq CREATE SEQUENCE public.ci_builds_metadata_id_seq
...@@ -14047,6 +14048,7 @@ COPY "schema_migrations" (version) FROM STDIN; ...@@ -14047,6 +14048,7 @@ COPY "schema_migrations" (version) FROM STDIN;
20200602143020 20200602143020
20200603073101 20200603073101
20200603180338 20200603180338
20200604001128
20200604143628 20200604143628
20200604145731 20200604145731
20200604174544 20200604174544
# frozen_string_literal: true
module EE
module Ci
module BuildMetadata
extend ActiveSupport::Concern
prepended do
validates :secrets, json_schema: { filename: 'build_metadata_secrets' }
end
end
end
end
# frozen_string_literal: true
require 'spec_helper'
describe Ci::BuildMetadata do
describe 'validations' do
let(:metadata) { build(:ci_build).metadata }
context 'when attributes are valid' do
it 'returns no errors' do
metadata.secrets = {
DATABASE_PASSWORD: {
vault: {
engine: { name: 'kv-v2', path: 'kv-v2' },
path: 'production/db',
field: 'password'
}
}
}
expect(metadata).to be_valid
end
end
context 'when data is invalid' do
it 'returns errors' do
metadata.secrets = { DATABASE_PASSWORD: { vault: {} } }
aggregate_failures do
expect(metadata).to be_invalid
expect(metadata.errors.full_messages).to eq(["Secrets must be a valid json schema"])
end
end
end
end
end
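Review bot: The `'when data is invalid'` context only exercises a `vault` object missing its required keys, so none of the schema's `additionalProperties: false` branches are covered and a regression that loosens them would pass the suite. Two further examples in that context would pin them: an unknown provider, `metadata.secrets = { DATABASE_PASSWORD: { aws: {} } }`, and an extra key inside a complete vault entry, e.g. `metadata.secrets = { DATABASE_PASSWORD: { vault: { path: 'p', field: 'f', engine: { name: 'n', path: 'p' }, extra: 1 } } }`. A third example asserting that the column default, `metadata.secrets = {}`, is valid would document that an empty secrets hash is the expected baseline for every build.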