Verify JWT audience in internal Kubernetes Agent API endpoint

GitLab Kubernetes Agent Server sends JWT-signed requests to the internal API exposed by the monolith. As part of token validation, check that the audience of the token is gitlab. See gitlab-org/cluster-integration/gitlab-agent!114 (merged)

added to epic &3329

added devopsconfigure [DEPRECATED] groupconfigure [DEPRECATED] sectionops typemaintenance labels

added typefeature label

mentioned in merge request gitlab-org/cluster-integration/gitlab-agent!114 (merged)

In the simplest form of rolling this out, kas must be upgraded before gitlab, right?

@hfyngvason Excellent observation, yes.

Hm, we already send the aud claim, so rollout order doesn't matter.

mentioned in issue gitlab-org/quality/triage-reports#548 (closed)

mentioned in issue gitlab-org/quality/triage-reports#624 (closed)

mentioned in issue gitlab-org/quality/triage-reports#689 (closed)

mentioned in issue gitlab-org/quality/triage-reports#722 (closed)

mentioned in issue gitlab-org/quality/triage-reports#812 (closed)

mentioned in issue gitlab-org/quality/triage-reports#867 (closed)

mentioned in issue gitlab-org/quality/triage-reports#911 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1044 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1095 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1205 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1252 (closed)

mentioned in issue gitlab-org/quality/triage-reports#1334 (closed)

mentioned in issue gitlab-org/quality/triage-reports#2400 (closed)

mentioned in issue gitlab-org/quality/triage-reports#2466 (closed)

mentioned in issue gitlab-org/quality/triage-reports#2547 (closed)

changed milestone to %Backlog

added environmentsbacklog label

added [deprecated] Accepting merge requests label

mentioned in issue gitlab-org/cluster-integration/gitlab-agent#144 (closed)

removed typefeature label

added groupenvironments label and removed groupconfigure [DEPRECATED] label

added devopsdeploy label and removed devopsconfigure [DEPRECATED] label

removed [deprecated] Accepting merge requests label

added quick win label

added featureenhancement typefeature labels and removed typemaintenance label

set weight to 1

added ruby workflowready for development labels

removed ruby label

added workflowplanning breakdown label and removed workflowready for development label

added sectioncd label and removed sectionops label

mentioned in issue gitlab-org/ci-cd/deploy-stage/environments-group/general#32 (closed)

added workflowready for development label and removed workflowplanning breakdown label

changed milestone to %16.3

assigned to @timofurrer

created branch 267958-verify-jwt-audience-in-internal-kubernetes-agent-api-endpoint to address this issue

mentioned in merge request !126695 (merged)

mentioned in commit 5562067b

mentioned in commit e96622e4

mentioned in commit 0bdf44ec

mentioned in commit 66f01716

mentioned in commit 6f42a6c7

mentioned in commit 02ebb4a5

mentioned in commit 621c6cdd

added workflowin review label and removed workflowready for development label

closed

added workflowcomplete label and removed workflowin review label

mentioned in commit 7cb7b02e

mentioned in issue gitlab-org/ci-cd/deploy-stage/environments-group/general#34 (closed)