Merge branch 'vault_namespaces' into 'master'

Support Vault EE namespaces See merge request gitlab-org/gitlab!80590

Merge branch 'vault_namespaces' into 'master'
Support Vault EE namespaces See merge request gitlab-org/gitlab!80590
30d600ef · Furkan Ayhan · edc7cdc6 · 86894deb · 30d600ef · 30d600ef
Commit 30d600ef authored Mar 09, 2022 by Furkan Ayhan
4 changed files
--- a/doc/ci/secrets/index.md
+++ b/doc/ci/secrets/index.md
@@ -9,6 +9,7 @@ type: concepts, howto

 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218746) in GitLab 13.4 and GitLab Runner 13.4.
 > - `file` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250695) in GitLab 14.1 and GitLab Runner 14.1.
+> - `VAULT_NAMESPACE` setting [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/255619) in GitLab 14.9 and GitLab Runner 14.9.

 Secrets represent sensitive information your CI job needs to complete work. This
 sensitive information can be items like API tokens, database credentials, or private keys.
@@ -90,6 +91,9 @@ To configure your Vault server:
     If no role is specified, Vault uses the [default role](https://www.vaultproject.io/api/auth/jwt#default_role)
     specified when the authentication method was configured.
   - `VAULT_AUTH_PATH` - Optional. The path where the authentication method is mounted, default is `jwt`.
+   - `VAULT_NAMESPACE` - Optional. The [Vault Enterprise namespace](https://www.vaultproject.io/docs/enterprise/namespaces) to use for reading secrets and authentication.
+     If no namespace is specified, Vault uses the `root` ("`/`") namespace. 
+     The setting is ignored by Vault Open Source. 

   NOTE:
   Support for providing these values in the user interface [is tracked in this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/218677).

--- a/ee/app/presenters/ee/ci/build_runner_presenter.rb
+++ b/ee/app/presenters/ee/ci/build_runner_presenter.rb
@@ -17,6 +17,7 @@ module EE
      def vault_server
        @vault_server ||= {
          'url' => variable_value('VAULT_SERVER_URL'),
+          'namespace' => variable_value('VAULT_NAMESPACE'),
          'auth' => {
            'name' => 'jwt',
            'path' => variable_value('VAULT_AUTH_PATH', 'jwt'),

--- a/ee/spec/presenters/ci/build_runner_presenter_spec.rb
+++ b/ee/spec/presenters/ci/build_runner_presenter_spec.rb
@@ -83,6 +83,24 @@ RSpec.describe Ci::BuildRunnerPresenter do
        end
      end

+      context 'Vault namespace' do
+        let(:vault_server) { presenter.secrets_configuration.dig('DATABASE_PASSWORD', 'vault', 'server') }
+
+        context 'VAULT_NAMESPACE CI variable is present' do
+          it 'contains user defined namespace' do
+            create(:ci_variable, project: ci_build.project, key: 'VAULT_NAMESPACE', value: 'custom_namespace')
+
+            expect(vault_server.fetch('namespace')).to eq('custom_namespace')
+          end
+        end
+
+        context 'VAULT_NAMESPACE CI variable is not present' do
+          it 'returns nil' do
+            expect(vault_server.fetch('namespace')).to be_nil
+          end
+        end
+      end
+
      context 'File variable configuration' do
        subject { presenter.secrets_configuration.dig('DATABASE_PASSWORD') }


--- a/ee/spec/requests/api/ci/runner_spec.rb
+++ b/ee/spec/requests/api/ci/runner_spec.rb
@@ -59,6 +59,7 @@ RSpec.describe API::Ci::Runner do
                      'vault' => {
                        'server' => {
                          'url' => 'https://vault.example.com',
+                          'namespace' => nil,
                          'auth' => {
                            'name' => 'jwt',
                            'path' => 'jwt',