Main Menu

Wednesday, February 21, 2024

GitLab CI/CD methods to define variables that can be securely stored and accessed during pipeline execution

 1. Use GitLab CI/CD Variables

GitLab CI/CD allows you to define variables that can be securely stored and accessed during pipeline execution. Here's how you can define variables for your username and password:

  1. Go to your GitLab project's settings.

  2. Navigate to CI/CD > Variables.

  3. Add new variables for your username and password.

    Variable Key: USERNAME Variable Value: your_username Variable Key: PASSWORD Variable Value: your_password

Now, these variables are securely stored in GitLab and can be accessed within your CI/CD pipeline scripts.

2. Encrypt Sensitive Data

You can encrypt sensitive data like passwords using openssl and then store the encrypted value in GitLab CI/CD variables. Here's how you can encrypt your password:

echo "your_password" | openssl aes-256-cbc -k "your_secret_key" -base64

Replace "your_secret_key" with your own secret key. This command will output the encrypted password which you can then store as a GitLab CI/CD variable.

3. Use Secret Management Tools

If you're using external secret management tools like HashiCorp Vault or AWS Secrets Manager, you can integrate them into your CI/CD pipeline. This typically involves setting up authentication to these services and then fetching the required credentials securely during runtime.

4. Mask Output

GitLab allows you to mask certain strings in the pipeline output, preventing them from being exposed. You can use this feature to mask sensitive information like passwords. Here's how you can define a masked variable in your .gitlab-ci.yml:

variables: USERNAME: "your_username" PASSWORD: mask: "your_password"

Now, when the pipeline runs, the value of the PASSWORD variable will be masked in the pipeline logs.

5. Limit Access

Ensure that access to your GitLab repository and CI/CD pipelines is restricted only to authorized personnel. You can manage access permissions in the GitLab project settings.

6. Use HTTPS with Git Credentials

When using Git credentials for authentication, prefer using HTTPS URLs for your Git repositories instead of SSH. HTTPS allows you to pass credentials securely over the network without exposing them in the pipeline scripts.

By following these steps, you can securely manage usernames and passwords in your GitLab CI/CD pipelines while ensuring the confidentiality of sensitive information.



GitLab CI/CD and provide a step-by-step guide with an example Python code.

  1. Environment Variables: Environment variables are variables that are set outside of the program but can be accessed by the program. In the context of GitLab CI/CD, environment variables can be used to store sensitive information like API keys, passwords, etc., which can then be accessed during the CI/CD pipeline execution.


  2. Cached Dependencies: Cached dependencies refer to storing dependencies (like libraries, packages, etc.) that are required for your CI/CD pipeline in a cache. This helps in speeding up the pipeline by not having to reinstall dependencies every time the pipeline runs.


  3. Triggers: Triggers in GitLab CI/CD are events that can start a pipeline. This could be a commit to a specific branch, a tag, a merge request, etc.


  4. Parameters: Parameters in GitLab CI/CD allow you to define custom variables that can be used within your CI/CD pipeline. These parameters can be set when triggering the pipeline and can be used to customize the pipeline behavior.

Now, let's create a step-by-step guide with an example Python code:

Step-by-Step Guide:

1. Set up your Python project:

  • Create a Python project with a requirements.txt file containing the project dependencies.

2. Create a GitLab CI/CD configuration file:

  • Create a file named .gitlab-ci.yml in the root of your project.

3. Define stages, jobs, and scripts:

stages: - build - test - deploy variables: ENVIRONMENT: "production" API_KEY: "$API_KEY" cache: paths: - .venv/ build: stage: build script: - python -m venv .venv - source .venv/bin/activate - pip install -r requirements.txt test: stage: test script: - source .venv/bin/activate - python -m pytest deploy: stage: deploy script: - source .venv/bin/activate - python deploy_script.py environment: name: $ENVIRONMENT only: - master

Sample requirements.txt:

Flask==2.0.2 requests==2.26.0

Sample deploy_script.py:

import requests def deploy(): # Your deployment logic here api_key = get_api_key() environment = get_environment() # Example usage print("Deploying to:", environment) response = requests.post("https://api.example.com/deploy", headers={"Authorization": f"Bearer {api_key}"}) if response.status_code == 200: print("Deployment successful!") else: print("Deployment failed!") def get_api_key(): # Retrieve API_KEY from environment variable return os.getenv("API_KEY") def get_environment(): # Retrieve ENVIRONMENT from environment variable return os.getenv("ENVIRONMENT") if __name__ == "__main__": deploy()

4. Explanation of the .gitlab-ci.yml file:

  • stages: Define the different stages of the CI/CD pipeline.
  • variables: Set environment variables. Here, API_KEY is set as an environment variable.
  • cache: Define caching to speed up dependency installation.
  • build: Install project dependencies.
  • test: Run tests using pytest.
  • deploy: Deploy the application. It's triggered only on commits to the master branch.
  • environment: Define the deployment environment.

5. Commit and push your changes:

  • Commit the .gitlab-ci.yml file and push it to your GitLab repository.

6. Set up environment variables in GitLab:

  • In your GitLab project settings, go to CI/CD > Variables and add your API_KEY as a protected variable.

7. Trigger the pipeline:

  • Make a commit to the master branch to trigger the pipeline. This will build, test, and deploy your Python application according to the defined pipeline stages.

Steps to Define API_KEY and ENVIRONMENT in GitLab:

1. Go to your GitLab project.

2. Navigate to Settings > CI/CD.

3. Expand the Variables section.

4. Add a variable named API_KEY with your actual API key as the value.

5. Add a variable named ENVIRONMENT with your desired environment name as the value.

Make sure to mark these variables as protected if they contain sensitive information. This ensures they are only available to protected branches and tags, enhancing security.

With these configurations, your GitLab CI/CD pipeline will use the specified environment variables securely during the deployment stage.


This example demonstrates how to use environment variables, cached dependencies, triggers, and parameters in GitLab CI/CD with a Python project.



GitLab provides several predefined variables that you can use in your .gitlab-ci.yml file. Here's a list of some commonly used predefined variables along with their descriptions:

  1. CI_PIPELINE_ID: The unique ID of the pipeline.
  2. CI_PIPELINE_IID: The unique internal ID of the pipeline.
  3. CI_PIPELINE_SOURCE: Source of the pipeline (e.g., push, schedule, web, etc.).
  4. CI_COMMIT_SHA: The commit SHA being built.
  5. CI_COMMIT_REF_NAME: The branch or tag name being built.
  6. CI_COMMIT_TAG: The tag name if the pipeline is for a tag.
  7. CI_COMMIT_BRANCH: The branch name if the pipeline is for a branch.
  8. CI_COMMIT_MESSAGE: The commit message.
  9. CI_COMMIT_TITLE: The title of the commit.
  10. CI_COMMIT_DESCRIPTION: The description of the commit.
  11. CI_COMMIT_REF_SLUG: The sanitized version of the branch or tag name suitable for inclusion in URLs.
  12. CI_COMMIT_SHORT_SHA: The shortened commit SHA (first 8 characters).
  13. CI_COMMIT_BEFORE_SHA: The commit SHA before the current commit.
  14. CI_PIPELINE_TRIGGERED: Indicates whether the pipeline was triggered or not.
  15. CI_PROJECT_ID: The ID of the project.
  16. CI_PROJECT_NAME: The name of the project.
  17. CI_PROJECT_TITLE: The title of the project.
  18. CI_PROJECT_PATH: The namespace with project name.
  19. CI_PROJECT_PATH_SLUG: The namespace with project name suitable for inclusion in URLs.
  20. CI_PROJECT_NAMESPACE: The namespace (group) name.
  21. CI_PROJECT_VISIBILITY: The visibility level of the project (public, private, or internal).
  22. CI_PROJECT_REPOSITORY_LANGUAGES: The programming languages detected in the repository.
  23. CI_PROJECT_URL: The URL to the project.
  24. CI_REGISTRY: The address of the GitLab Container Registry.
  25. CI_REGISTRY_IMAGE: The address of the Docker image registry.
  26. CI_REGISTRY_USER: The username for accessing the container registry.
  27. CI_REGISTRY_PASSWORD: The password for accessing the container registry.
  28. CI_RUNNER_DESCRIPTION: The description of the runner.
  29. CI_RUNNER_ID: The ID of the runner.
  30. CI_RUNNER_TAGS: The tags associated with the runner.
  31. CI_RUNNER_VERSION: The version of the runner.
  32. CI_SERVER: Always set to yes, indicates that this is running in GitLab CI.
  33. CI_SERVER_NAME: The name of the GitLab server.
  34. CI_SERVER_VERSION: The version of the GitLab server.
  35. CI_SERVER_REVISION: The revision of the GitLab server.
  36. CI_SERVER_URL: The URL of the GitLab server.
  37. CI_JOB_ID: The ID of the current job.
  38. CI_JOB_NAME: The name of the current job.
  39. CI_JOB_STAGE: The stage of the current job.
  40. CI_JOB_MANUAL: Indicates if the job is manual or not.
  41. CI_JOB_TOKEN: The token used to authenticate with the GitLab Container Registry for multi-project pipelines.

These are just some of the commonly used predefined variables in GitLab CI. There are more available, and you can always check the official GitLab documentation for the most up-to-date list and descriptions.

No comments:

Post a Comment