@obervinov
Last active January 10, 2025 07:50
---
############ GLOBAL ############
#
# Pull in the shared Helm deploy template from this repository. The
# `.deploy:helm-release` job that example-job extends is not defined in this
# file, so it presumably comes from this template (verify).
include:
  - local: '/templates/helm-ci-deploy-simple.template.yml'
# Shared rule set, pulled into jobs with `!reference`. GitLab evaluates the
# rules top to bottom and the first match decides how the job is added.
.global_rules_reference:
  # Merge request pipelines: run automatically, but only when this release's
  # values file is part of the change.
  # NOTE(review): this lets the deploy job, including its Vault login, run from
  # an unmerged branch. Confirm that is intended and that the Vault role's
  # bound claims restrict which projects and refs may read the secret.
  - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    changes:
      - '$HELM_VALUES/$RELEASE_NAME.values.yaml'
    when: on_success
  # Commits on master: run automatically.
  - if: '$CI_COMMIT_BRANCH == "master"'
    when: on_success
  # Any other branch: the job is offered, but someone has to start it by hand.
  - if: '$CI_COMMIT_BRANCH != "master"'
    when: manual
  # Everything else (for example tag pipelines): leave the job out.
  - when: never
#
############ GLOBAL ############
############ JOBS ############
### Helm releases ###
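# Deploys one Helm release. The deploy steps themselves come from the extended
# `.deploy:helm-release` job, which is not defined in this file.
example-job:
  variables:
    RELEASE_NAMESPACE: "example"
    RELEASE_NAME: "example"
    # Quoted like the other variables so the version always reaches the job as
    # the literal string, whichever YAML loader reads this file.
    HELM_CHART_VERSION: "1.0.0"
    # Folded into a single line. Passes the file written by .vault_secrets to
    # the chart as the value of global.secret.data.
    HELM_EXTRA_ARGS: >-
      --set-file global.secret.data=secret.vault.yaml
    VAULT_SECRET_PATH: "example/secret"
    VAULT_ROLE_NAME: "vault-gitlab-charts-role"
  extends:
    - .deploy:helm-release
  # NOTE(review): a before_script set here replaces, rather than extends, any
  # before_script the extended job defines — check the template.
  # secret.vault.yaml is written in plaintext to the job's working directory;
  # make sure no artifacts or cache path in the template can pick it up.
  before_script:
    - !reference [.vault_secrets]
  rules:
    - !reference [.global_rules_reference]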
# Read secrets from vault #
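.vault_secrets:
  # Script fragment meant for `before_script`: logs in to Vault with the job's
  # JWT, then writes the data of VAULT_SECRET_PATH to secret.vault.yaml in the
  # current working directory.
  - |
    # Reading secrets from vault
    # NOTE(review): CI_JOB_JWT is deprecated in newer GitLab releases in favour
    # of tokens declared with the job's `id_tokens` keyword; confirm against the
    # GitLab version in use before relying on it.
    # Assign first, export second: `export VAR=$(cmd)` reports export's own
    # status, so a failed login would pass unnoticed with an empty token.
    if ! VAULT_TOKEN="$(vault write -field=token auth/jwt/login role="${VAULT_ROLE_NAME}" jwt="${CI_JOB_JWT}")"; then
      echo "Vault JWT login failed" >&2
      exit 1
    fi
    export VAULT_TOKEN
    # The output is plaintext secret data: create the file owner-only. The
    # subshell keeps the umask change away from the rest of the job.
    (umask 077 && vault kv get -format=yaml -field=data "${VAULT_SECRET_PATH}" > secret.vault.yaml)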
# Install helm release #
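.helm_install_release:
  # Script fragment: install the release, or upgrade it when it already exists.
  # HELM_CHART_PATH and HELM_RELEASE_VALUES_FILE are not set in this file;
  # presumably the included template provides them — verify.
  - |
    # Installing helm release
    # The leading ^ makes --version a caret range, so Helm may resolve to a
    # newer compatible chart than HELM_CHART_VERSION itself. Drop the ^ to pin
    # the exact chart version when deploys must be reproducible.
    # HELM_EXTRA_ARGS stays unquoted on purpose so it splits into separate
    # arguments; every other expansion is quoted to remain one argument.
    helm upgrade --install \
      "${RELEASE_NAME}" \
      "${HELM_CHART_PATH}" \
      --version "^${HELM_CHART_VERSION}" \
      --namespace="${RELEASE_NAMESPACE}" \
      --values "${HELM_RELEASE_VALUES_FILE}" \
      ${HELM_EXTRA_ARGS}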