JWT or OIDC auth to pull secrets into GitLab-CI

At the end of the day I want to be able to pull secrets from Vault into GitLab as part of my GitLab runners. This seems to be done plenty of times by plenty of people. There are lots of examples online. It all seems to come down to picking the right combinations of syntax based on the GitLab and Vault versions.

Background:
GitLab and Vault are both running in the same k8s namespace. Vault will be in its own namespace, but I’m keeping them together right now to ensure there aren’t other networking or k8s issues.
GitLab version: 15.11.13-ee
Kubernetes version: 1.26.13
Vault version: 1.15.6

I’m following this guide from GitLab (notice that it’s for 15.11 because things change in 16.x): Vault Authentication with GitLab OpenID Connect | GitLab
I’m also following this example from Vault: JWT/OIDC - Auth Methods | Vault | HashiCorp Developer
Another great example from Medium: How To Use HashiCorp Vault In Gitlab-CI/CD | by tarun mittal | Medium

Everything seems to be fine in the examples until I attempt to set the configuration:

vault write auth/jwt/config \
   oidc_discovery_url="https://MYDOMAIN.eu.auth0.com/" \
   oidc_client_id="" \
   oidc_client_secret=""

OR for JWT

vault write auth/jwt/config jwks_url="https://gitlab.example.com/-/jwks" bound_issuer="gitlab.example.com"

I’ve tried several combinations. I get the same result.

Error writing data to auth/oidc/config: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/oidc/config
Code: 400. Errors:

  • error checking oidc discovery_URL

Here are my callback settings in GitLab, which I shouldn’t need for the jwt integration.

Other information:

  1. I noticed that to integrate OIDC (according to JWT/OIDC - Auth Methods | Vault | HashiCorp Developer), I should use port 8250. None of my k8s services are using port 8250.

Can anyone point me in the right direction?
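The "error checking oidc discovery URL" response is returned at config-write time: when `oidc_discovery_url` is set, the Vault server (not the machine running `vault write`) fetches `<url>/.well-known/openid-configuration`, requires the document's `issuer` to equal the configured URL byte for byte, and then fetches the document's `jwks_uri`; a configured `jwks_url` is fetched at write time in the same way. The Auth0 URL in the Vault docs is only that provider's issuer (Auth0 issuers end in a trailing slash, GitLab's does not). The following is an added illustration of that sequence, not Vault's code, run against a constructed in-memory stand-in for a GitLab instance at the assumed hostname gitlab.example.com so it works offline; the constructed discovery document advertises the /-/jwks path quoted above.

```python
import json
from typing import Callable, Dict, List, Tuple

# Added example modelling Vault's discovery step; not Vault's own code.
Fetcher = Callable[[str], str]  # url -> response body, raises on any transport/TLS error
WELL_KNOWN = "/.well-known/openid-configuration"


def discover(discovery_url: str, fetch: Fetcher) -> Tuple[str, List[str]]:
    """Return (issuer, JWKS key ids) or raise ValueError naming the failing step.

    The three checks mirror what Vault (through go-oidc) does when the jwt
    auth config is written with oidc_discovery_url:
      1. GET <url without trailing slash>/.well-known/openid-configuration
      2. the document's "issuer" must equal the configured URL exactly
      3. GET the document's "jwks_uri"
    Every fetch is made by the Vault server, not by the CLI running `vault write`.
    """
    try:
        body = fetch(discovery_url.rstrip("/") + WELL_KNOWN)
    except Exception as exc:  # DNS, routing, TLS trust, HTTP status ...
        raise ValueError(f"discovery fetch failed: {exc}") from exc
    doc = json.loads(body)
    issuer = doc.get("issuer", "")
    if issuer != discovery_url:
        raise ValueError(
            f"issuer mismatch: document says {issuer!r}, config says {discovery_url!r}"
        )
    try:
        jwks = json.loads(fetch(doc["jwks_uri"]))
    except Exception as exc:
        raise ValueError(f"jwks fetch failed ({doc.get('jwks_uri')}): {exc}") from exc
    return issuer, [k["kid"] for k in jwks.get("keys", [])]


# Constructed stand-in for a GitLab instance so the example runs offline.
GITLAB = "https://gitlab.example.com"  # hostname assumed for illustration
FAKE_SITE: Dict[str, str] = {
    GITLAB + WELL_KNOWN: json.dumps({"issuer": GITLAB, "jwks_uri": GITLAB + "/-/jwks"}),
    GITLAB + "/-/jwks": json.dumps(
        {"keys": [{"kty": "RSA", "kid": "ci-signing-key-1", "use": "sig"}]}
    ),
}


def offline_fetch(url: str) -> str:
    """Pretend to be the Vault pod's view of the network: only FAKE_SITE resolves."""
    if url not in FAKE_SITE:
        raise ConnectionError(f"no route to {url} from the Vault pod")
    return FAKE_SITE[url]


def try_config(discovery_url: str, fetch: Fetcher = offline_fetch) -> str:
    """Emulate `vault write auth/jwt/config oidc_discovery_url=...` and report the outcome."""
    try:
        issuer, kids = discover(discovery_url, fetch)
        return f"ok: issuer={issuer} kids={kids}"
    except ValueError as exc:
        return f"error checking oidc discovery URL: {exc}"


if __name__ == "__main__":
    # exact URL succeeds; trailing slash fails the issuer comparison;
    # a hostname the Vault pod cannot reach fails at the first fetch.
    for url in (GITLAB, GITLAB + "/", "https://gitlab.gitlab.svc.cluster.local"):
        print(f"{url:45} -> {try_config(url)}")
```

The practical check this models is to run the same two fetches from inside the Vault pod (for example `kubectl exec` into it and `wget -qO- https://gitlab.example.com/.well-known/openid-configuration`, then the advertised `jwks_uri`): if they do not succeed there, with a CA the pod trusts, the config write cannot succeed either.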

Hi, I have many runners, and my configuration in Vault is very simple:
[image: Vault configuration]

I don’t use OIDC.
My bound issuer starts with https:// (it depends on the GitLab version)

In my runner:

VAULT_TOKEN="$(vault write -field=token auth/jwt-gitlab/login role=gitlab-packer-master jwt="$GITLAB_TOKEN")"
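The version dependence the reply mentions is the `iss` claim: the older `CI_JOB_JWT` carries the bare host (which is why the 15.11 guide uses `bound_issuer="gitlab.example.com"`), while ID tokens (`CI_JOB_JWT_V2` and jobs with an `id_tokens:` block) carry the full `https://` URL, and Vault compares `bound_issuer` to `iss` exactly. The following is an added example, written for this page and not taken from the reply or from Vault, that decodes constructed GitLab job tokens and applies a role's bindings in roughly the order Vault's jwt login does. Hostnames, the role name and the claim values are assumed; signature verification against the JWKS is deliberately left out.

```python
import base64
import fnmatch
import json
from typing import Any, Dict, Tuple

# Added example modelling a Vault jwt role check; not Vault's own code.
# JWKS signature verification, which Vault does first, is omitted here.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: Dict[str, Any]) -> str:
    """Build a constructed header.payload.signature token; the signature is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "ci-signing-key-1", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-not-computed"


def jwt_claims(token: str) -> Dict[str, Any]:
    """Decode the payload of a compact JWT (what CI_JOB_JWT carries) without verifying it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


# Mount config and role, modelled on `vault write auth/jwt-gitlab/...`; values assumed.
CONFIG = {"bound_issuer": "https://gitlab.example.com"}
ROLE = {
    "user_claim": "user_email",
    "bound_audiences": ["https://vault.example.com"],  # aud set by the job's id_tokens: block
    "bound_claims_type": "glob",
    "bound_claims": {"project_id": "22", "ref_type": "branch", "ref": "release/*"},
    "token_policies": ["gitlab-packer-master"],
}


def login(role: Dict[str, Any], config: Dict[str, str], token: str) -> Tuple[bool, str]:
    """Apply issuer, audience, bound_claims and user_claim checks; return (ok, message)."""
    claims = jwt_claims(token)
    if config["bound_issuer"] and claims.get("iss") != config["bound_issuer"]:
        return False, f"invalid issuer (iss) claim: {claims.get('iss')!r}"
    aud = claims.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    if role["bound_audiences"] and not set(auds) & set(role["bound_audiences"]):
        return False, f"aud claim {auds!r} not in bound_audiences"
    for name, pattern in role["bound_claims"].items():
        got = str(claims.get(name, ""))
        matched = (fnmatch.fnmatchcase(got, pattern) if role["bound_claims_type"] == "glob"
                   else got == pattern)
        if not matched:
            return False, f"claim {name!r} = {got!r} does not match {pattern!r}"
    if role["user_claim"] not in claims:
        return False, f"missing user_claim {role['user_claim']!r}"
    return True, f"policies {role['token_policies']} issued to {claims[role['user_claim']]}"


# Constructed GitLab job tokens; claim names follow GitLab's job token documentation.
BASE = {"project_id": "22", "ref": "release/1.2", "ref_type": "branch",
        "user_email": "ci@example.com", "aud": "https://vault.example.com"}
ID_TOKEN = make_unsigned_token({**BASE, "iss": "https://gitlab.example.com"})
LEGACY_TOKEN = make_unsigned_token({**BASE, "iss": "gitlab.example.com"})  # CI_JOB_JWT-style iss
FEATURE_TOKEN = make_unsigned_token({**BASE, "iss": "https://gitlab.example.com", "ref": "feature/x"})

if __name__ == "__main__":
    for label, tok in (("id_token", ID_TOKEN), ("legacy", LEGACY_TOKEN), ("feature", FEATURE_TOKEN)):
        print(label, login(ROLE, CONFIG, tok))
```

Vault's glob matching only understands `*`; `fnmatch` additionally treats `?` and `[...]` as wildcards, which is harmless for the `release/*` pattern used here but worth remembering if you copy the approach. The practical takeaway is to decode a real job token from a runner (the payload is plain base64url) and compare its `iss`, `aud`, `project_id`, `ref_type` and `ref` against the mount's `bound_issuer` and the role before debugging anything else.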