Backend: Add fork information to CI_JOB_JWT for Vault Integration
Problem to solve
As a developer using GitLab CI's JWT auth with Vault, I want to be able to access secrets in Vault based on information about which parent project mine is forked from.
Intended users
User experience goal
Users should be able to fork a project that is already configured to access secrets in Vault and use the fork without having to set up additional JWT roles for their namespace or forked project individually. It should be possible for anyone to fork a project and have access to a set of secrets.
Proposal
Include additional claims in the JWT so that fork projects are able to use the same JWT role without modification.
Further details
Currently, we can't easily fork a project and have the Vault integration just work. Once we fork, we have to modify the job to use a different role, since nothing in the JWT lets a Vault role refer to the parent project. This means we have to use very broad claim validation, such as "project_path: */my-project", or something even broader, like "namespace: *", which accepts any project that happens to share the name. It would be beneficial to be able to specify things like "is_fork: true", "fork_parent_path: my-namespace/my-project" or "fork_parent_namespace: my-namespace". Having these would allow us to specify one role for all forks instead of having to modify the job.
Another option would be to have claims that are the same for both upstream and fork, so that only one role would be required instead of one role for the fork and another for the upstream.
Having this would improve security and ease of use when Vault integration with GitLab CI is being used.
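To make the comparison concrete, the following is an added example, not code from this issue or from GitLab or Vault. It models three CI_JOB_JWT payloads (an upstream project, a fork of it, and an unrelated project that merely reuses the name "my-project") and approximates Vault's bound_claims check for both the wildcard role that is the current workaround and the exact-match roles the proposed claim would allow. The namespace_path and project_path claims are real CI_JOB_JWT claims; is_fork, fork_parent_path and fork_parent_namespace are the claims proposed above and are assumptions here. The role names, policy name and sample paths are placeholders.

```python
import fnmatch
import json

# Constructed CI_JOB_JWT payloads, trimmed to the claims relevant here.
# namespace_path and project_path are real CI_JOB_JWT claims. is_fork,
# fork_parent_path and fork_parent_namespace are the claims proposed in
# this issue (assumptions, not claims GitLab emits today).
UPSTREAM_JOB = {
    "namespace_path": "my-namespace",
    "project_path": "my-namespace/my-project",
    "is_fork": "false",
}
FORK_JOB = {
    "namespace_path": "alice",
    "project_path": "alice/my-project",
    "is_fork": "true",
    "fork_parent_path": "my-namespace/my-project",
    "fork_parent_namespace": "my-namespace",
}
# An unrelated project that simply reuses the name "my-project".
IMPOSTOR_JOB = {
    "namespace_path": "mallory",
    "project_path": "mallory/my-project",
    "is_fork": "false",
}

# Vault JWT roles reduced to the two parameters that matter for the comparison.
# "broad" is the wildcard workaround described in the issue; the other two are
# the exact-match roles the proposed fork_parent_path claim would make possible.
ROLES = {
    "broad": {
        "bound_claims_type": "glob",
        "bound_claims": {"project_path": "*/my-project"},
    },
    "upstream-exact": {
        "bound_claims_type": "string",
        "bound_claims": {"project_path": "my-namespace/my-project"},
    },
    "forks-of-my-project": {
        "bound_claims_type": "string",
        "bound_claims": {"fork_parent_path": "my-namespace/my-project"},
    },
}


def claims_match(bound_claims, payload, bound_claims_type="string"):
    """Approximate Vault's bound_claims check.

    Every bound claim must be present in the token and its value must equal
    (bound_claims_type=string) or glob-match (bound_claims_type=glob) one of
    the allowed values. A missing claim is a rejection, never a wildcard.
    Vault's glob treats only '*' specially, so only '*' is used in patterns here.
    """
    for claim, allowed in bound_claims.items():
        if claim not in payload:
            return False
        actual = str(payload[claim])
        candidates = allowed if isinstance(allowed, list) else [allowed]
        if bound_claims_type == "glob":
            matched = any(fnmatch.fnmatchcase(actual, str(c)) for c in candidates)
        else:
            matched = any(actual == str(c) for c in candidates)
        if not matched:
            return False
    return True


def roles_accepting(payload):
    """Return the sorted names of the roles whose bound_claims accept this token."""
    return sorted(
        name for name, role in ROLES.items()
        if claims_match(role["bound_claims"], payload, role["bound_claims_type"])
    )


def vault_write_command(name, path="auth/jwt/role"):
    """Render a role as a `vault write` command using real JWT-auth role parameters.

    user_claim and policies are placeholders to adapt to the deployment.
    """
    role = ROLES[name]
    return (
        f"vault write {path}/{name} role_type=jwt user_claim=user_email "
        f"bound_claims_type={role['bound_claims_type']} "
        f"bound_claims='{json.dumps(role['bound_claims'], separators=(',', ':'))}' "
        f"policies=my-project-secrets"
    )


if __name__ == "__main__":
    for label, job in (("upstream", UPSTREAM_JOB), ("fork", FORK_JOB), ("impostor", IMPOSTOR_JOB)):
        print(f"{label:9} -> {roles_accepting(job)}")
    print(vault_write_command("forks-of-my-project"))
```

Running it shows the trade-off the issue describes: the "broad" glob role accepts the upstream, the fork, and the unrelated project, while a role bound to fork_parent_path accepts only genuine forks of my-namespace/my-project and rejects both the upstream (which would keep its own exact role) and the impostor. Because bound_claims are ANDed, any of the existing claims, such as ref_protected, can be added to the fork role to narrow it further.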
Permissions and Security
This shouldn't require any changes in permissions. The security implication is positive: it makes it easier for people to bind Vault roles to precise claims instead of the broad wildcard claims currently used to work around the issue.
Documentation
Would need updates to https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Core