Duo Workflow: Update sequence diagram with auth

Why is this change being made?

This update clarifies the authentication mechanisms in use for each request.

Related discussion: gitlab-org&16549 (comment 2321842620)

Author and Reviewer Checklist

Please verify the check list and ensure to tick them off before the MR is merged.

• Provided a concise title for this Merge Request (MR)
• Added a description to this MR explaining the reasons for the proposed change, per say why, not just what
  • Copy/paste the Slack conversation to document it for later, or upload screenshots. Verify that no confidential data is added, and the content is SAFE
• Assign reviewers for this MR to the correct Directly Responsible Individual/s (DRI)
  • If the DRI for the page/s being updated isn’t immediately clear, then assign it to one of the people listed in the Maintained by section on the page being edited
  • If your manager does not have merge rights, please ask someone to merge it AFTER it has been approved by your manager in #mr-buddies
  • The when to get approval handbook section explains the workflow in more detail
• For transparency, share this MR with the audience that will be impacted.
  • Team: For changes that affect your direct team, share in your group Slack channel
  • Department: If the update affects your department, share the MR in your department Slack channel
  • Division: If the update affects your division, share the MR in your division Slack channel
  • Company: If the update affects all (or the majority of) GitLab team members, post an update in #whats-happening-at-gitlab linking to this MR
    • For high-priority company-wide announcements work with the internal communications team to post the update in #company-fyi and align on a plan to circulate in additional channels like the "While You Were Iterating" Newsletter

Commits

• Duo Workflow: Update sequence diagram with auth

• Follow up to conversation here: gitlab-org&16549 (comment 2321842620)

---

added HandbookContent label

assigned to @jessieay

added 1 commit

• 826c8361 - Duo Workflow: Update sequence diagram with auth

Compare with previous version

requested review from @DylanGriffith

	1 Message
	This merge request might require a review from a Coach Engineer.

Architecture Evolution Review

This merge request might require a review from a Coach Engineer.

The following files, which might require the additional review, have been changed:

• content/handbook/engineering/architecture/design-documents/duo_workflow/_index.md

If needed, you can retry the danger-review job that generated this comment.

Generated by Danger

Hey @DylanGriffith -

Here are the updates to the remote execution sequence diagram that we discussed.

One thing that making this diagram made me realize is that the scope of work I described in the composite identity epic was really about what is needed to replace regular OAuth tokens with Composite OAuth tokens for the "Local (IDE) execution" flow.

Questions for you:

1. I went through your proposed remote execution iteration plan and it was not clear to me if those plans mean that this sequence diagram is now out of date? If it is, can you help me update the request flow and I can update the corresponding auth mechanism for each piece?
2. You will notice that there is no mention of CI_JOB_TOKEN in here. My assumption is that somewhere in this flow an actual CI job will be spun up to execute the Workflow. Is that correct? If so, that CI Job would be owned by the service account. And, as a result, the CI_JOB_TOKEN for the job would be a composite (CI JWT) token. We don't really need this CI Job Token for anything, but I am not aware of a way for CI jobs to skip creating a CI_JOB_TOKEN. If there will be no job in play, then the whole topic of job tokens is irrelevant.

marked the checklist item Provided a concise title for this [Merge Request (MR)][mr] as completed

marked the checklist item Added a description to this MR explaining the reasons for the proposed change, per [say why, not just what][say-why-not-just-what] as completed

marked the checklist item Assign reviewers for this MR to the correct [Directly Responsible Individual/s (DRI)][dri] as completed

marked the checklist item For transparency, share this MR with the audience that will be impacted. as completed

mentioned in merge request !9350 (merged)

You will notice that there is no mention of CI_JOB_TOKEN in here. My assumption is that somewhere in this flow an actual CI job will be spun up to execute the Workflow. Is that correct? If so, that CI Job would be owned by the service account. And, as a result, the CI_JOB_TOKEN for the job would be a composite (CI JWT) token. We don't really need this CI Job Token for anything, but I am not aware of a way for CI jobs to skip creating a CI_JOB_TOKEN

@jessieay yes that's correct. The CI_JOB_TOKEN will exist and is necessary, at least, for cloning the repository at the start of the CI Job.

I went through your proposed remote execution iteration plan and it was not clear to me if those plans mean that this sequence diagram is now out of date?

@jessieay looking at the current handbook page https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/duo_workflow/#with-remote-ci-pipeline-execution I think this diagram is out of date and so is the one under "With Local (IDE) execution".

I don't really remember why the diagrams look like that but what's wrong is that the Duo Workflow Executor never initiates the creation of any tokens. Instead it is passed all the tokens at startup. All of the token creation happens in Rails before we even start the executor. I'll have a go at correcting this.

requested changes

added 1 commit

• a7006135 - Update sequence diagrams to reflect reality

Compare with previous version

requested review from @DylanGriffith

approved this merge request

enabled automatic add to merge train when checks pass

resolved all threads

started a merge train

merged

mentioned in commit 5db6a274