Implement .gitlab-ci.yml configuration support (identity and gcp entries)

Implement the identity_provider config entry required to define the alias in the configuration below, as shown in gitlab-org/architecture/gitlab-gcp-integration/glgo#15:

my-job:
  identity_provider:
    gcp: my-wlif-alias-1

UPDATE: given how the WLIF credentials will be stored (in a project integration), we decided to drop the alias. So the syntax is:

my-job:
  identity_provider: google_cloud

This will act as syntactic sugar by defining (roughly) the following elements implicitly:

my-job:
  id_tokens:
    GITLAB_WLIF_TOKEN: # This token goes into a config.json file on the runner side
      aud: //iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/gitlab-gcp-demo/providers/gitlab-prod-gitlab-org # Retrieved from database (`gcp_identity_provider_audience_uri` column) based on alias specified in identity/gcp
  variables:
    GOOGLE_APPLICATION_CREDENTIALS: config.json # config.json containing GITLAB_WLIF_TOKEN
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: config.json

An alternative that we'll want to move towards (once we have support for custom arbitrary claims) is:

my-job:
  id_tokens:
    GITLAB_WLIF_TOKEN:
      aud: https://auth.gcp.gitlab.com
      wlif: wlif_url_from_settings

We should expose two variables that point to a config.json file. This avoids users having to specify --cred-file=$GITLAB_GCP_OIDC_CONFIG_PATH whenever they invoke gcloud in their scripts. The variables are:

  • CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE (for gcloud CLI)
  • GOOGLE_APPLICATION_CREDENTIALS (for client libraries)

The config.json file looks like the following:

{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<GCP_PROJECT_ID>/locations/global/workloadIdentityPools/...",
  "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "url": "https://auth.gcp.gitlab.com/token",
    "headers": { "Authorization": "Bearer <Rails-side-JWT>" },
    "format": { "type": "json", "subject_token_field_name": "token" }
  }
}

Closes gitlab-org/architecture/gitlab-gcp-integration/glgo#15

Proposal

  • Add an identity_provider YAML element that saves its contents to ci_builds_metadata (gated on a FF and a SaaS feature).
  • Generate config.json and inject it as file type variables CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE and GOOGLE_APPLICATION_CREDENTIALS in Ci::Build if build metadata indicates it.
    • Read the schemeless WLIF URI from the project integration (initially from the GAR integration, until we create a separate WLIF integration; context).
    • If WLIF alias is present in integration, gate the functionality on having a matching alias (TBC).
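Added example (not code from the GitLab code base) showing the two steps the description and the Proposal above describe: expanding the `identity_provider: google_cloud` sugar into the implicit `id_tokens` and file-variable entries, and rendering the external_account config.json. It assumes the audience URI has already been read from the project integration; the sample audience, the `AUDIENCE_PATTERN` shape check and the placeholder token are constructed for the example.

```ruby
require 'json'

# Constructed sample values, not read from a real project integration.
SAMPLE_AUDIENCE = '//iam.googleapis.com/projects/123/locations/global/' \
                  'workloadIdentityPools/gitlab-gcp-demo/providers/gitlab-prod-gitlab-org'
CREDENTIAL_FILE = 'config.json'
CREDENTIAL_FILE_VARIABLES = %w[GOOGLE_APPLICATION_CREDENTIALS CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE].freeze

# Only the schemeless WLIF provider URI shape is accepted as an `aud` claim;
# a value that does not match never reaches the job's ID token.
AUDIENCE_PATTERN = %r{\A//iam\.googleapis\.com/projects/[^/]+/locations/global/
                      workloadIdentityPools/[^/]+/providers/[^/]+\z}x

# Expand `identity_provider: google_cloud` into the implicit id_tokens and
# variables entries; a job without the sugar is returned unchanged.
def expand_identity_provider(job, audience)
  return job unless job['identity_provider'] == 'google_cloud'
  raise ArgumentError, "invalid WLIF audience: #{audience}" unless AUDIENCE_PATTERN.match?(audience)

  expanded = job.reject { |key, _| key == 'identity_provider' }
  expanded['id_tokens'] = (job['id_tokens'] || {}).merge('GITLAB_WLIF_TOKEN' => { 'aud' => audience })
  expanded['variables'] = (job['variables'] || {}).merge(CREDENTIAL_FILE_VARIABLES.to_h { |v| [v, CREDENTIAL_FILE] })
  expanded
end

# Render the external_account credential file that gcloud and the client
# libraries read; `id_token` is the GITLAB_WLIF_TOKEN minted for the job.
def build_credential_config(audience, id_token)
  {
    'type' => 'external_account',
    'audience' => audience,
    'subject_token_type' => 'urn:ietf:params:oauth:token-type:id_token',
    'token_url' => 'https://sts.googleapis.com/v1/token',
    'credential_source' => {
      'url' => 'https://auth.gcp.gitlab.com/token',
      'headers' => { 'Authorization' => "Bearer #{id_token}" },
      'format' => { 'type' => 'json', 'subject_token_field_name' => 'token' }
    }
  }
end

# Walk one job through both steps and return the expanded job and the file body.
def demo
  job = { 'identity_provider' => 'google_cloud', 'script' => ['gcloud auth list'] }
  expanded = expand_identity_provider(job, SAMPLE_AUDIENCE)
  audience = expanded.dig('id_tokens', 'GITLAB_WLIF_TOKEN', 'aud')
  config = build_credential_config(audience, 'constructed.jwt.value') # placeholder token
  [expanded, JSON.pretty_generate(config)]
end
```

The audience check is the point worth keeping when this is wired into Ci::Build: the value comes from a database column, so it should be validated against the expected provider URI shape before it is written into a token's `aud` claim.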

Requirements

  • The identity_provider entity should be guarded behind a ci_yaml_support_for_identity_provider feature flag (FF rollout issue), and a google_identity_provider_on_ci_job SaaS feature.
  • The YAML should not validate if the FF is not enabled.
  • Only gcp should be allowed as a child of identity_provider.
  • ...

Similar MR: !103391 (merged)