Deploy Aembit Edge with GitLab Jobs

Aembit provides many different deployment options you can use to deploy Aembit Edge Components in your environment. Each of these options provides similar features and functionality; however, the steps for each of these options are specific to the deployment option you select.

This page describes the process to use the Aembit Edge Agent in GitLab Jobs.

Configure a serverless Access Policy

To configure your Aembit Tenant to support GitLab Jobs as a Client Workload:

Configure your Client Workload to identify the Aembit Agent runtime environment with one or more of the following Client Identification options.
Note
Please keep the following in mind as you go through the steps:
- For Step 2 - Make sure to copy the provided Client ID and (where appropriate) Audience values for configuration of the Agent command line parameters.
- For Step 3 - You can use any Credential Provider type. Some may require specifying the --credential_names parameter when running the Aembit Agent.
- For Step 4 - You can use any Server Workload type. The --server_workload_host and --server_workload_port parameters must match the values specified.
Configure your Trust Provider type to Gitlab Job ID Token to identify and attest the Aembit Agent runtime environment.
Configure your Credential Provider to specify the credential values which you want to be available in the Serverless runtime environment.
Configure your Server Workload to specify the service endpoint host and port which you want to use in the Serverless runtime environment.
Configure your Access Policy and then click Save & Activate.

Configure a custom Resource Set

To configure a GitLab Job to work with a custom Resource Set:

Open your existing GitLab CI configuration file.
Go to your Aembit Tenant, click the Trust Providers link in the left sidebar and locate your GitLab Trust Provider in the custom Resource Set you are working with.
In your gitlab-ci.yml file, either:
- update the AEMBIT_CLIENT_ID and add the AEMBIT_RESOURCE_SET_ID environment variables if you moving to a custom Resource Set; or
- add both AEMBIT_CLIENT_ID and AEMBIT_RESOURCE_SET_ID environment variables if you are just getting started with enabling your workload to use Aembit.
In the following example, see the AEMBIT_CLIENT_ID and AEMBIT_RESOURCE_SET_ID environment variables in the variables section.
gitlab-ci.yml
```
    variables:
        AEMBIT_CLIENT_ID: aembit:stack:tenant:identity:gitlab_idtoken:uuid
        AEMBIT_RESOURCE_SET_ID: bd886157-ba1d-54x86-9f26-3095b0515278
```
Verify these environment variables match the values in your Resource Set and Trust Provider in your Aembit Tenant.
Commit your changes to the GitLab CI configuration file, .gitlab-ci.yml.

Deploy the Serverless Script

Retrieve the latest available Aembit Agent Releases.
Include Aembit Agent within your Serverless environment. You do this bundling it within an image or retrieving it dynamically as appropriate for your workload.

Configure your Serverless script to call Aembit Agent with the proper parameters. The following shows an example gitlab-ci.yml configuration for a GitLab Job:

sample:
    variables:
        # Copy the Client ID value from your Trust Provider to this value
        AEMBIT_CLIENT_ID: aembit:stack:tenant:identity:gitlab_idtoken:uuid
    id_tokens:
        GITLAB_OIDC_TOKEN:
            # Copy the Audience value from your Trust Provider to this value
            aud: https://tenant.id.stack.aembit.io
    script:
        # Following are samples for OAuth Client Credentials flow, API Key, and Username/Password Credential Provider Types
        # Please update the --server_workload_host and --server_workload_port values to match your target workloads
        - $(./aembit credentials get --client_id $AEMBIT_CLIENT_ID --id_token $GITLAB_OIDC_TOKEN --server_workload_host oauth.sample.com --server_workload_port 443)
        - echo OAuth Token $TOKEN
        - $(./aembit credentials get --client_id $AEMBIT_CLIENT_ID --id_token $GITLAB_OIDC_TOKEN --server_workload_host apikey.sample.com --server_workload_port 443 --credential_names APIKEY)
        - echo API Key Example $APIKEY
        - $(./aembit credentials get --client_id $AEMBIT_CLIENT_ID --id_token $GITLAB_OIDC_TOKEN --server_workload_host password.sample.com --server_workload_port 443 --credential_names USERNAME,PASSWORD)
        - echo Username Password Example $USERNAME -- $PASSWORD

Verify Aembit Agent

To verify the Aembit Agent release, follow these steps using the gpg and shasum commands. Select the tab that matches your operating system and architecture:

Linux - amd64
Linux - arm64

Download the Aembit Agent release version from the Aembit Agent Releases page along with the matching checksum files.
Alternatively, you can download these files using curl, swapping out the highlighted release version with the version you're verifying:
Terminal window
```
curl -O https://releases.aembit.io/agent/1.17.0/linux/amd64/aembit_1.17.0_linux_amd64.zip
curl -O https://releases.aembit.io/agent/1.17.0/aembit_1.17.0_SHA256SUMS
curl -O https://releases.aembit.io/agent/1.17.0/aembit_1.17.0_SHA256SUMS.sig
```
Import Aembit's public GPG key from Keybase into gpg:
Terminal window
```
curl "https://keybase.io/aembit/pgp_keys.asc" | gpg --import
```
Verify Aembit Agent's checksum integrity and authenticity with gpg:
Terminal window
```
gpg --verify aembit_1.17.0_SHA256SUMS.sig aembit_1.17.0_SHA256SUMS
```
If you don't have gpg installed, see Verifying Aembit binary release signatures prerequisites.
Your output should look similar to the following and include the highlighted line:
Terminal window
```
gpg --verify aembit_1.17.0_SHA256SUMS.sig aembit_1.17.0_SHA256SUMS
gpg: Signature made Wed Sep 18 10:13:57 2024 PDT
gpg:                using RSA key EA3D8D2FDAC6BD8137163D00D655E64729BC67D7
gpg: Good signature from "Aembit, Inc. <keybase@aembit.io>" [unknown]
...
```
As long as you see Good signature..., you know that the checksum files are valid and authentic.
Warnings explained
- "[unknown]" means you haven't explicitly told GPG to trust this particular signing key.
- "WARNING: This key is not certified with a trusted signature!" is GPG being cautious. GPG can verify the signature is cryptographically valid, but it doesn't know if you trust that this key actually belongs to Aembit.
Verify the integrity of the Aembit Agent file you downloaded using shasum:
Terminal window
```
grep $(shasum -a 256 aembit_1.17.0_linux_amd64.zip) aembit_1.17.0_SHA256SUMS
```
If shasum returns a match, you know the file is intact and matches Aembit's original. The long hex string is the SHA256 hash that both your file and the checksums file agree on. No output would mean the checksums don't match.

Download the Aembit Agent release version from the Aembit Agent Releases page along with the matching checksum files.
Alternatively, you can download these files using curl, swapping out the highlighted release version with the version you're verifying:
Terminal window
```
curl -O https://releases.aembit.io/agent/1.17.0/linux/arm64/aembit_1.17.0_linux_arm64.zip
curl -O https://releases.aembit.io/agent/1.17.0/aembit_1.17.0_SHA256SUMS
curl -O https://releases.aembit.io/agent/1.17.0/aembit_1.17.0_SHA256SUMS.sig
```
Import Aembit's public GPG key from Keybase into gpg:
Terminal window
```
curl "https://keybase.io/aembit/pgp_keys.asc" | gpg --import
```
Verify Aembit Agent's checksum integrity and authenticity with gpg:
Terminal window
```
gpg --verify aembit_1.17.0_SHA256SUMS.sig aembit_1.17.0_SHA256SUMS
```
If you don't have gpg installed, see Verifying Aembit binary release signatures prerequisites.
Your output should look similar to the following and include the highlighted line:
Terminal window
```
gpg --verify aembit_1.17.0_SHA256SUMS.sig aembit_1.17.0_SHA256SUMS
gpg: Signature made Wed Sep 18 10:13:57 2024 PDT
gpg:                using RSA key EA3D8D2FDAC6BD8137163D00D655E64729BC67D7
gpg: Good signature from "Aembit, Inc. <keybase@aembit.io>" [unknown]
...
```
As long as you see Good signature..., you know that the checksum files are valid and authentic.
Warnings explained
- "[unknown]" means you haven't explicitly told GPG to trust this particular signing key.
- "WARNING: This key is not certified with a trusted signature!" is GPG being cautious. GPG can verify the signature is cryptographically valid, but it doesn't know if you trust that this key actually belongs to Aembit.
Verify the integrity of the Aembit Agent file you downloaded using shasum:
Terminal window
```
grep $(shasum -a 256 aembit_1.17.0_linux_arm64.zip) aembit_1.17.0_SHA256SUMS
```
If shasum returns a match, you know the file is intact and matches Aembit's original. The long hex string is the SHA256 hash that both your file and the checksums file agree on. No output would mean the checksums don't match.