Add bound claims and claim mappings to manager role

What does this MR do?

Synchronize configuration with Runway container

      // Rails affixes a custom claim which indicates the scope of the
      // request.
      bound_claims = {
        secrets_manager_scope = "privileged"
      }

      // Claim mappings allow us to audit requests: these claims are affixed
      // by Rails and are passed through to the token metadata (including on
      // inline authentication non-persistent tokens), allowing us to.
      claim_mappings = {
        correlation_id = "correlation_id"
        project_id = "project_id"
        group_id = "group_id"
        namespace_id = "namespace_id"
        user_id = "user_id"
      }

This sets various JWT role properties we now require on the global privileged mount.

Because initialization logic only takes effect on new instances (or requires existing data to be reset prior to using), I've bumped the minor version for the chart.

Signed-off-by: Alexander Scheel <ascheel@gitlab.com>

Author's Checklist

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Ensure a release milestone is set.
  • MR title and description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • MR has a green pipeline on GitLab.com.
  • When ready for review, MR is labeled workflow::ready for review per the MR workflow.

Expected

  • Test plan indicating conditions for success has been posted and passes.
  • Documentation is created or updated.
  • Tests are added.

Related issues

Related: https://gitlab.com/gitlab-org/gitlab/-/issues/576434

Edited by Fabien Catteau
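
An added example, not code from this merge request or from the secrets manager: a simplified Python model of how a JWT role with the `bound_claims` and `claim_mappings` shown above treats a token whose signature has already been verified. The function names, the sample claim values, and the choice to stringify mapped values are assumptions of this model.

```python
# Simplified model of JWT-role evaluation; not the secrets manager's own code.
# The two tables mirror the role settings in the merge request description.
BOUND_CLAIMS = {"secrets_manager_scope": "privileged"}
CLAIM_MAPPINGS = {
    "correlation_id": "correlation_id",
    "project_id": "project_id",
    "group_id": "group_id",
    "namespace_id": "namespace_id",
    "user_id": "user_id",
}


def check_bound_claims(claims, bound):
    """Return the names of bound claims the token fails to satisfy."""
    failed = []
    for name, expected in bound.items():
        allowed = expected if isinstance(expected, list) else [expected]
        actual = claims.get(name)
        presented = actual if isinstance(actual, list) else [actual]
        # A missing claim fails closed, exactly like a wrong value.
        if actual is None or not any(v in allowed for v in presented):
            failed.append(name)
    return failed


def map_metadata(claims, mappings):
    """Copy mapped claims into token metadata; absent claims are skipped.

    Assumption of this model: values are stringified for the audit record.
    """
    return {target: str(claims[source])
            for source, target in mappings.items() if source in claims}


def login(claims):
    """Return token metadata on success, raise PermissionError otherwise."""
    failed = check_bound_claims(claims, BOUND_CLAIMS)
    if failed:
        raise PermissionError(f"bound claim mismatch: {failed}")
    return map_metadata(claims, CLAIM_MAPPINGS)


# Constructed sample claims (treated as already signature-verified).
PRIVILEGED = {"secrets_manager_scope": "privileged", "correlation_id": "c-123",
              "project_id": "42", "user_id": "7", "sub": "user:7"}
UNSCOPED = {"correlation_id": "c-124", "project_id": "42", "user_id": "7"}
```

Only mapped claims reach the metadata: `sub` and `secrets_manager_scope` are not in `claim_mappings`, so they do not appear in the audit fields.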
