Save secrets config in DB when processing CI yaml

Update CI YAML processor to fetch secrets configuration from CI config and store it the database. Related to https://gitlab.com/gitlab-org/gitlab/-/issues/28321 and https://gitlab.com/gitlab-org/gitlab/-/issues/218746.

Save secrets config in DB when processing CI yaml
Update CI YAML processor to fetch secrets configuration from CI config and store it the database. Related to https://gitlab.com/gitlab-org/gitlab/-/issues/28321 and https://gitlab.com/gitlab-org/gitlab/-/issues/218746.
bff477ad · Krasimir Angelov · 661d1ff7 · bff477ad · bff477ad · bff477ad
Commit bff477ad authored Jun 18, 2020 by Krasimir Angelov
3 changed files
--- a/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb
+++ b/ee/spec/lib/gitlab/ci/yaml_processor_spec.rb
@@ -204,4 +204,32 @@ RSpec.describe Gitlab::Ci::YamlProcessor do
      end
    end
  end
+
+  describe 'Secrets' do
+    let(:secrets) do
+      {
+        DATABASE_PASSWORD: {
+          vault: 'production/db/password'
+        }
+      }
+    end
+
+    let(:config) { { deploy_to_production: { stage: 'deploy', script: ['echo'], secrets: secrets } } }
+
+    subject(:processor) { described_class.new(YAML.dump(config)) }
+
+    it "returns secrets info" do
+      secrets = processor.stage_builds_attributes('deploy').first.fetch(:secrets)
+
+      expect(secrets).to eq({
+        DATABASE_PASSWORD: {
+          vault: {
+            engine: { name: 'kv-v2', path: 'kv-v2' },
+            path: 'production/db',
+            field: 'password'
+          }
+        }
+      })
+    end
+  end
 end
--- a/ee/spec/services/ci/create_pipeline_service_spec.rb
+++ b/ee/spec/services/ci/create_pipeline_service_spec.rb
@@ -142,6 +142,37 @@ RSpec.describe Ci::CreatePipelineService, '#execute' do
    end
  end

+  describe 'job with secrets' do
+    before do
+      stub_ci_pipeline_yaml_file <<~YAML
+        deploy:
+          script:
+            - echo
+          secrets:
+            DATABASE_PASSWORD:
+              vault: production/db/password
+      YAML
+    end
+
+    it 'persists secrets as job metadata' do
+      pipeline = create_pipeline!
+
+      expect(pipeline).to be_persisted
+
+      build = Ci::Build.find(pipeline.builds.first.id)
+
+      expect(build.metadata.secrets).to eq({
+        'DATABASE_PASSWORD' => {
+          'vault' => {
+            'engine' => { 'name' => 'kv-v2', 'path' => 'kv-v2' },
+            'path' => 'production/db',
+            'field' => 'password'
+          }
+        }
+      })
+    end
+  end
+
  def create_pipeline!
    service.execute(:push)
  end

--- a/lib/gitlab/ci/yaml_processor.rb
+++ b/lib/gitlab/ci/yaml_processor.rb
@@ -92,6 +92,7 @@ module Gitlab
          cache: job[:cache],
          resource_group_key: job[:resource_group],
          scheduling_type: job[:scheduling_type],
+          secrets: job[:secrets],
          options: {
            image: job[:image],
            services: job[:services],