Aembit provides several different deployment options you can use to deploy Aembit Edge components in your environment. Each of these options provides similar features and functionality; however, the steps for each of these options are specific to the deployment option you select.

This page describes the process to utilize the Aembit Edge Agent in GitLab Jobs.

To configure your Aembit Tenant to support GitLab Jobs as a Client Workload:

  1. Configure your Client Workload to identify the Aembit Agent runtime environment with one or more of the following Client Identification options.
  2. Configure your Trust Provider type to Gitlab Job ID Token to identify and attest the Aembit Agent runtime environment.

  3. Configure your Credential Provider to specify the credential values which you want to be available in the Serverless runtime environment.

  4. Configure your Server Workload to specify the service endpoint host and port which you want to utilize in the Serverless runtime environment.

  5. Configure your Access Policy and then click Save & Activate.

Configure for use with a Custom Resource Set

To configure a GitLab Job to work with a Custom Resource Set:

  1. Open your existing GitLab CI configuration file.

  2. Go to your Aembit tenant, click on the Trust Providers link in the left navigation pane and locate your GitLab Trust Provider in the Custom Resource Set you are working with.

  3. In your .gitlab-ci.yml file, either:

  • update the AEMBIT_CLIENT_ID and add the AEMBIT_RESOURCE_SET_ID environment variables if you are moving to a custom Resource Set; or
  • add both AEMBIT_CLIENT_ID and AEMBIT_RESOURCE_SET_ID environment variables if you are just getting started with enabling your workload to use Aembit.

In the example below, you see the AEMBIT_CLIENT_ID and AEMBIT_RESOURCE_SET_ID environment variables have been added to the variables section.

    variables:
      AEMBIT_CLIENT_ID: aembit:stack:tenant:identity:gitlab_idtoken:uuid
      AEMBIT_RESOURCE_SET_ID: bd886157-ba1d-54x86-9f26-3095b0515278

  4. Verify these environment variables match the values in your Resource Set and Trust Provider in your Aembit tenant.

  5. Commit your changes to the GitLab CI configuration file, .gitlab-ci.yml.

  1. Retrieve the latest available Aembit Agent release. The latest release can be found on the Agent Releases page.

  2. Include the Aembit Agent within your Serverless environment. This can be accomplished by bundling it within an image or retrieving it dynamically as appropriate for your workload.

  3. Configure your Serverless script to call the Aembit Agent with the proper parameters. The example below shows the configuration for GitLab Jobs.

    sample:
      variables:
        # Copy the Client ID value from your Trust Provider to this value
        AEMBIT_CLIENT_ID: aembit:stack:tenant:identity:gitlab_idtoken:uuid
      id_tokens:
        GITLAB_OIDC_TOKEN:
          # Copy the Audience value from your Trust Provider to this value
          aud: https://tenant.id.stack.aembit.io
      script:
        # Following are samples for OAuth Client Credentials flow, API Key, and Username/Password Credential Provider Types
        # Please update the --server_workload_host and --server_workload_port values to match your target workloads
        # The echo lines only demonstrate that the variables are set; they print the credential values to the job log
        - $(./aembit credentials get --client_id $AEMBIT_CLIENT_ID --id_token $GITLAB_OIDC_TOKEN --server_workload_host oauth.sample.com --server_workload_port 443)
        - echo OAuth Token $TOKEN
        - $(./aembit credentials get --client_id $AEMBIT_CLIENT_ID --id_token $GITLAB_OIDC_TOKEN --server_workload_host apikey.sample.com --server_workload_port 443 --credential_names APIKEY)
        - echo API Key Example $APIKEY
        - $(./aembit credentials get --client_id $AEMBIT_CLIENT_ID --id_token $GITLAB_OIDC_TOKEN --server_workload_host password.sample.com --server_workload_port 443 --credential_names USERNAME,PASSWORD)
        - echo Username Password Example $USERNAME -- $PASSWORD

Update the configuration file as follows:

  • Replace the AEMBIT_CLIENT_ID and aud placeholders with the values of Client ID and Audience generated on your Trust Provider.
  • Set the Server Workload Host and Server Workload Port values to your desired values.

To verify the Aembit Agent:

  1. When downloading the Aembit Agent from the Agent Releases page, also download the matching SHA256SUMS and SHA256SUMS.sig files.

  2. Use the gpg and shasum commands (or similar) to perform a signature/hash verification against the Aembit Keybase Key. For example:

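    # Import the Aembit signing key published on Keybase
    curl https://keybase.io/aembit/pgp_keys.asc | gpg --import
    # Check the detached signature over the checksum list
    gpg --verify aembit_1.13.0_SHA256SUMS.sig aembit_1.13.0_SHA256SUMS
    # Confirm the archive's "hash  filename" line is present in the verified list
    grep -F "$(shasum -a 256 aembit_1.13.0_linux_amd64.zip)" aembit_1.13.0_SHA256SUMS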
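
The hash step above as a function a job script can call once `gpg --verify` has succeeded on the SHA256SUMS file, so that a mismatch or a missing entry fails the job instead of passing silently. This is an added example, not part of the Aembit documentation; the function names and return codes are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not Aembit's code): gate a CI job on the agent archive's hash.
# Call it only after `gpg --verify` has succeeded on the SHA256SUMS file.
# Usage in a job script:
#   verify_artifact aembit_1.13.0_linux_amd64.zip aembit_1.13.0_SHA256SUMS || exit 1

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
# Linux runner images usually ship sha256sum; macOS ships shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_artifact FILE SUMS
# Returns 0 on match, 1 on digest mismatch, 2 if FILE or SUMS is unreadable,
# 3 if SUMS has no entry for FILE (hypothetical return codes for this example).
verify_artifact() {
  local file sums name expected actual
  file=$1
  sums=$2
  [ -r "$file" ] && [ -r "$sums" ] || return 2
  name=$(basename "$file")
  # Match the file-name field exactly, so a digest listed for a different
  # artifact is never accepted; tolerate the "*" binary-mode marker.
  expected=$(awk -v n="$name" \
    '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
  [ -n "$expected" ] || return 3
  actual=$(sha256_of "$file") || return 2
  # Checksum lists are normally lowercase; normalise in case they are not.
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  [ "$expected" = "$actual" ] || return 1
  return 0
}
```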