At the end of the day I want to be able to pull secrets from Vault into GitLab as part of my GitLab runners. This seems be done plenty of times by plenty of people. There are lots of examples online. It all seems to come down to picking the right combinations of syntax based on the GitLab and Vault versions.
Background:
GitLab and Vault are both running in the same k8s namespace. Vault will be in its own namespace, but I’m keeping them together right now to ensure there aren’t other networking or k8s issues.
GitLab version: 15.11.13-ee
Kubernetes version: 1.26.13
Vault version: 1.15.6
I’m following this guide from GitLab (notice that it’s for 15.11 because things change in 16.x): Vault Authentication with GitLab OpenID Connect | GitLab
I’m also following this example from Vault: JWT/OIDC - Auth Methods | Vault | HashiCorp Developer
Another great example from Medium: How To Use HashiCorp Vault In Gitlab-CI/CD | by tarun mittal | Medium
Everything seems to be fine in the examples until I attempt to set the configuration:
vault write auth/jwt/config \
oidc_discovery_url="https://MYDOMAIN.eu.auth0.com/" \
oidc_client_id="" \
oidc_client_secret="" \
OR for JWT
vault write auth/jwt/config jwks_url="https://gitlab.example.com/-/jwks" bound_issuer="gitlab.example.com"
I’ve tried several combinations. I get the same result.
Error writing data to auth/oidc/config: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/auth/oidc/config
Code: 400. Errors:
- error checking oidc discovery_URL
Here are my callback settings in GitLab, which I shouldn’t need for the jwt integration.
Other information:
- I noticed that to integrate OIDC (according to JWT/OIDC - Auth Methods | Vault | HashiCorp Developer), I should use port 8250. None of my k8s services are using port 8250.
Can anyone point me in the right direction?