Gitlab Integration for Self-Hosted Runners on a VM
This section describes how to configure SPIRL to provide SPIFFE identities to a Gitlab Pipeline.
In this guide we use a self-hosted Gitlab Runner with the Docker executor, with Gitlab itself running on a Linux VM.
Setup Gitlab
Follow the official Gitlab documentation to set up Gitlab for your Linux distribution.
Run a SPIRL Agent
First create a new CI/CD profile on SPIRL, specifying the URL of your Gitlab deployment as the JWT issuer. For example, using the SPIRL CLI:
spirlctl ci-cd profile create my-gitlab --type gitlab-self-hosted --issuer $GITLAB_URL
Then add a new node group to the SPIRL-managed trust domain using the profile just created:
spirlctl ci-cd node-group add $NODE_GROUP_NAME --trust-domain $TRUST_DOMAIN_NAME --profile my-gitlab
Install the spirl-agent using the configuration file and key generated by the previous command. See the Debian/Ubuntu integration guide or the Docker integration guide. The runner configured below mounts the agent socket directory /var/run/spirl/sockets into job containers, so the agent must expose its socket there.
Setup a self-hosted Docker Gitlab Runner
- From the Gitlab UI select Admin > Instance Runners > ... and copy the registration token.
- Install the Gitlab Runner CLI.
- Register a runner and note the path to the runner configuration file it reports:
  sudo gitlab-runner register \
    --url "$GITLAB_URL" \
    --registration-token "$RUNNER_TOKEN" \
    --description "test-runner" \
    --executor "docker" \
    --docker-image ubuntu \
    --docker-volumes '/var/run/spirl/sockets:/var/run/spirl/sockets'
- Run the registered runner using the configuration file created in the previous step:
  sudo gitlab-runner run -c $CONFIG_FILE
Create a Gitlab Pipeline
Navigate to the Gitlab UI and setup a pipeline using the following steps:
- Create a new project.
- Create a new pipeline in the project.
- Configure the pipeline using the following .gitlab-ci.yml file:

  stages:
    - authenticate
    - run

  authenticate:
    stage: authenticate
    image:
      name: ghcr.io/spirl/spiffecli:v1.1.0
      entrypoint: [""]
    script:
      - /ko-app/spiffecli get jwt-svid --spiffe-endpoint-socket unix:///var/run/spirl/sockets/agent.sock --audiences http://example.com --identity-exchange-token ${GITLAB_OIDC_TOKEN} --filename spiffe-jwt.json
    id_tokens:
      GITLAB_OIDC_TOKEN:
        aud: https://spirl.com
    artifacts:
      paths:
        - spiffe-jwt.json

  run:
    stage: run
    image:
      name: ubuntu
      entrypoint: [""]
    script:
      - apt-get update && apt-get install -y jq
      - cat spiffe-jwt.json | jq -R 'split(".") | .[1] | @base64d | fromjson'
    dependencies:
      - authenticate

- Run the pipeline and see the SPIFFE ID for the job.
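As an added Python example (not from the SPIRL docs or the spiffecli tool), this reads a compact JWT in the form spiffe-jwt.json holds, decodes the payload the way the jq step does, and then checks the claims a job should confirm before acting on the identity: that sub is a SPIFFE ID in the expected trust domain, that the audience matches the --audiences value, and that exp is present and in the future. The trust domain example.org, the SPIFFE ID path and the token itself are constructed, and signature verification against the trust bundle is out of scope.

```python
import base64
import json
import time

def _b64url(obj):
    """base64url-encode a JSON object without padding, as JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed JWT-SVID in the header.payload.signature form that spiffe-jwt.json
# holds. Trust domain, SPIFFE ID path and signature are made up for this example.
SAMPLE_JWT_SVID = ".".join([
    _b64url({"alg": "ES256", "kid": "constructed-kid", "typ": "JWT"}),
    _b64url({
        "sub": "spiffe://example.org/gitlab/my-project/main",
        "aud": ["http://example.com"],   # the --audiences value from the pipeline
        "exp": 4102444800,               # 2100-01-01T00:00:00Z
        "iat": 1700000000,
    }),
    "c2lnbmF0dXJl",                      # placeholder, not a real signature
])

def decode_payload(jwt_svid):
    """Return the payload claims, like the jq one-liner in the run stage."""
    parts = jwt_svid.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(claims, expected_audience, trust_domain, now=None):
    """Return a list of problems; an empty list means the claims fit this job.
    Signature verification is deliberately out of scope here: it needs the
    trust domain's JWT bundle, which the pipeline above does not fetch."""
    now = time.time() if now is None else now
    problems = []
    sub = claims.get("sub", "")
    if not sub.startswith("spiffe://%s/" % trust_domain):
        problems.append("sub %r is not a SPIFFE ID in trust domain %s" % (sub, trust_domain))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # RFC 7519: string or list
    if expected_audience not in aud:
        problems.append("audience %r not in %s" % (expected_audience, aud))
    if "exp" not in claims:
        problems.append("missing exp claim; JWT-SVIDs must expire")
    elif claims["exp"] <= now:
        problems.append("token has expired")
    return problems
```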