Rename ci_jwt_signing_key to ci_id_tokens_signing_key
Background
GitLab OIDC has different signing keysets for different features. This helps us keep a separation between the features and reduce the "blast radius" if one keyset leaks.
The `ci_jwt_signing_key` could be renamed to `ci_id_tokens_signing_key` to be more specific about what the signing key is used for. This would help inform others not to use the signing key for anything other than ID tokens.
Proposal
Rename `ci_jwt_signing_key` to `ci_id_tokens_signing_key`.
This is at least to discourage use of generic keys for any new feature that may need a new one, and would hint that a separate key for the new subject would be needed.
And then just keep `Gitlab::Ci::JwtV2` CI specific for now but make `signing_key` a parameter, or else it will be weird that it is hardcoded to always use `ci_id_tokens_signing_key`.
This would make all calls to `Gitlab::Ci::JwtV2.for_build` require the `signing_key` parameter.
Currently, here are the ones affected:
- https://gitlab.com/gitlab-org/gitlab/-/blob/dcd2d86e47b8525e242b219450fe743a8e379fc6/app/models/ci/build.rb#L1175 (This is CI_JOB_JWT related so this will eventually be removed)
- https://gitlab.com/gitlab-org/gitlab/-/blob/dcd2d86e47b8525e242b219450fe743a8e379fc6/app/models/ci/build.rb#L1189 (id_tokens_variables)
- https://gitlab.com/gitlab-org/gitlab/-/blob/dcd2d86e47b8525e242b219450fe743a8e379fc6/ee/lib/gitlab/ci/google_cloud/generate_build_environment_variables_service.rb#L31 (ID tokens related but for GCP, introduced in #438420 (closed))
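
The following Ruby sketch is an added example, not GitLab's code: it shows a token builder whose `signing_key` is a required keyword, and that a token signed with one feature's key does not verify against another feature's keyset. `SketchJwt`, its `verify` helper, the key-id scheme, and the two generated keys are assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# Hypothetical stand-in for a CI token builder; not Gitlab::Ci::JwtV2 itself.
module SketchJwt
  module_function

  def b64(data)
    [data].pack('m0').tr('+/', '-_').delete('=')
  end

  def unb64(text)
    text.tr('-_', '+/').unpack1('m')
  end

  # Key id used by this sketch only: SHA-256 of the public key in DER form.
  def kid_for(key)
    OpenSSL::Digest::SHA256.hexdigest(key.public_key.to_der)
  end

  # signing_key has no default, so every caller must name the keyset it uses.
  def for_build(claims, signing_key:)
    header = { alg: 'RS256', typ: 'JWT', kid: kid_for(signing_key) }
    signing_input = "#{b64(header.to_json)}.#{b64(claims.to_json)}"
    signature = signing_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
    "#{signing_input}.#{b64(signature)}"
  end

  # Checks the token against one feature's public keys; returns claims or nil.
  def verify(token, trusted_keys)
    head, body, sig = token.split('.')
    return nil unless head && body && sig

    header = JSON.parse(unb64(head))
    return nil unless header['alg'] == 'RS256'

    key = trusted_keys.find { |k| kid_for(k) == header['kid'] }
    return nil unless key

    valid = key.verify(OpenSSL::Digest.new('SHA256'), unb64(sig), "#{head}.#{body}")
    valid ? JSON.parse(unb64(body)) : nil
  end
end

# Constructed sample keys: one keyset per feature, as described in Background.
ID_TOKENS_KEY = OpenSSL::PKey::RSA.new(2048)
OTHER_FEATURE_KEY = OpenSSL::PKey::RSA.new(2048)
TOKEN = SketchJwt.for_build({ 'sub' => 'constructed-subject' }, signing_key: ID_TOKENS_KEY)
```
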