
Use dedicated signing key for CI_JOB_JWT (Vault Integration)

Release notes

At GitLab, we value making our features secure and best-in-class, which is why we have introduced a dedicated signing key for the HashiCorp Vault JSON Web Token (JWT) authentication method. You can rest assured knowing that the JWT cannot be used to impersonate another user through OpenID Connect.

Problem to solve

We should use a dedicated signing key to sign CI_JOB_JWT tokens, to avoid the risks pointed out in #214607 (comment 325522240).

Proposal

  • Add a new encrypted attribute to application_settings to store the dedicated CI JWT signing key.
  • Implement our own JWKS endpoint instead of delegating to doorkeeper_openid_connect, and make it return both keys.
  • Start using this new key to sign CI_JOB_JWT.
  • In the next release, remove the OIDC signing key from the JWKS endpoint - https://gitlab.com/gitlab-org/gitlab/-/issues
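The following is an added example, not GitLab's own code, showing the mechanics behind the proposal above in plain Ruby using only the standard-library OpenSSL and JSON modules: a JWKS document built from one or two keys, an RS256 CI job token signed with a dedicated key, and a consumer (the role Vault plays) that selects the key by `kid` and rejects anything else. The two keys, the `SigningKey` struct, the endpoint helpers (`ci_jwks_transition`, `ci_jwks_final`, `oidc_jwks`) and the claim names in `demo` are all assumptions made for this example; the keys are generated fresh on each run.

```ruby
require 'openssl'
require 'json'

# Base64url (RFC 7515 section 2): URL-safe alphabet, no padding.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  (padded + '=' * ((4 - padded.length % 4) % 4)).unpack1('m0')
end

# A signing key with a stable key id (kid) derived from its public half, so a
# consumer can pick the matching entry out of a JWKS document.
SigningKey = Struct.new(:name, :rsa) do
  def kid
    OpenSSL::Digest::SHA256.hexdigest(rsa.public_key.to_der)[0, 16]
  end

  # Public JWK (RFC 7517) for this key; the private exponent is never published.
  def to_jwk
    { 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => kid,
      'n' => b64url_encode(rsa.n.to_s(2)), 'e' => b64url_encode(rsa.e.to_s(2)) }
  end
end

# Hypothetical keys standing in for the OpenID Connect signing key and the new
# dedicated CI_JOB_JWT key from the proposal (fresh 2048-bit keys, generated here).
OIDC_KEY   = SigningKey.new('openid-connect', OpenSSL::PKey::RSA.generate(2048))
CI_JWT_KEY = SigningKey.new('ci-job-jwt',     OpenSSL::PKey::RSA.generate(2048))

# JWKS document (RFC 7517 section 5) for whatever an endpoint publishes.
def jwks(keys)
  { 'keys' => keys.map(&:to_jwk) }
end

# Assumed endpoints: the CI JWKS carries both keys during the transition release and
# only the dedicated key afterwards; the OIDC discovery JWKS never lists the CI key.
def ci_jwks_transition; jwks([CI_JWT_KEY, OIDC_KEY]); end
def ci_jwks_final;      jwks([CI_JWT_KEY]);           end
def oidc_jwks;          jwks([OIDC_KEY]);             end

# Mint an RS256 JWT (RFC 7519 compact serialization) with the given key.
def sign_jwt(claims, key)
  header = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => key.kid }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  "#{signing_input}.#{b64url_encode(key.rsa.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

# Rebuild an RSA public key from a JWK by wrapping (n, e) in SubjectPublicKeyInfo DER.
def rsa_public_key_from_jwk(jwk)
  n = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b64url_decode(jwk['n']), 2))
  e = OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(b64url_decode(jwk['e']), 2))
  algorithm = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new('rsaEncryption'), OpenSSL::ASN1::Null.new(nil)])
  spki = OpenSSL::ASN1::Sequence.new([algorithm, OpenSSL::ASN1::BitString.new(OpenSSL::ASN1::Sequence.new([n, e]).to_der)])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# Verify a token the way a JWKS consumer would: select the key by kid, pin the
# algorithm, check the signature, then exp and aud.
# Returns the claims, or nil on any failure (an unknown kid is a failure, not a fallback).
def verify_jwt(token, jwks_doc, expected_aud:, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.split('.')
  return nil unless header_b64 && payload_b64 && sig_b64

  header = JSON.parse(b64url_decode(header_b64))
  return nil unless header['alg'] == 'RS256'
  jwk = jwks_doc['keys'].find { |k| k['kty'] == 'RSA' && k['kid'] == header['kid'] }
  return nil unless jwk

  begin
    public_key = rsa_public_key_from_jwk(jwk)
    return nil unless public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig_b64), "#{header_b64}.#{payload_b64}")
  rescue OpenSSL::PKey::PKeyError
    return nil
  end

  claims = JSON.parse(b64url_decode(payload_b64))
  return nil unless claims['exp'].is_a?(Integer) && now < claims['exp']
  return nil unless Array(claims['aud']).include?(expected_aud)
  claims
end

# Walk through the scenarios the proposal cares about; returns a hash of booleans.
def demo(now: Time.now.to_i)
  # Constructed sample claims in the shape of a CI job token; not real GitLab output.
  ci_claims = { 'iss' => 'gitlab.example', 'sub' => 'job_123', 'aud' => 'vault', 'iat' => now,
                'exp' => now + 300, 'project_path' => 'group/app', 'ref' => 'main' }
  ci_token = sign_jwt(ci_claims, CI_JWT_KEY)
  shared_key_token = sign_jwt(ci_claims, OIDC_KEY) # how the token was signed before the change
  h, _p, s = ci_token.split('.')
  tampered = [h, b64url_encode(JSON.generate(ci_claims.merge('ref' => 'production'))), s].join('.')

  {
    transition_accepts_ci_token: !verify_jwt(ci_token, ci_jwks_transition, expected_aud: 'vault', now: now).nil?,
    final_accepts_ci_token:      !verify_jwt(ci_token, ci_jwks_final, expected_aud: 'vault', now: now).nil?,
    oidc_rejects_ci_token:       verify_jwt(ci_token, oidc_jwks, expected_aud: 'vault', now: now).nil?,
    shared_key_passes_oidc_jwks: !verify_jwt(shared_key_token, oidc_jwks, expected_aud: 'vault', now: now).nil?,
    expired_rejected:            verify_jwt(ci_token, ci_jwks_final, expected_aud: 'vault', now: now + 600).nil?,
    wrong_aud_rejected:          verify_jwt(ci_token, ci_jwks_final, expected_aud: 'other', now: now).nil?,
    tampered_rejected:           verify_jwt(tampered, ci_jwks_final, expected_aud: 'vault', now: now).nil?
  }
end

puts JSON.pretty_generate(demo) if __FILE__ == $PROGRAM_NAME
```

The `shared_key_passes_oidc_jwks` result is the point of the issue: when one key signs both token types, a CI job token clears the key lookup and signature check of an OpenID Connect relying party, leaving only claim checks such as `aud` in the way. With a dedicated key and separate JWKS documents per consumer, the same token fails at the `kid` lookup, and the CI key can later be rotated independently of the OIDC key.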

The following discussion from !28063 (merged) should be addressed:

  • @ayufan started a discussion: (+7 comments)

    Is it OK to re-use the OpenID signing key? Is that expected? If we are ever going to want to use CI_JOB_JWT_TOKEN for our own purposes, will that cause issues? For example, we will want to rotate this secret for various unrelated reasons; what will happen then?

Edited by Krasimir Angelov