Implement .gitlab-ci.yml configuration support (identity and gcp entries)
Implement the `identity_provider` config entry required to define the alias in the configuration below, as shown in https://gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/-/issues/15:
```yaml
my-job:
  identity_provider:
    gcp: my-wlif-alias-1
```
UPDATE: given how the WLIF credentials will be stored (in a project integration), we decided to drop the alias. So the syntax is:
```yaml
my-job:
  identity_provider: google_cloud
```
This will act as syntactic sugar by defining (roughly) the following elements implicitly:
```yaml
my-job:
  id_tokens:
    GITLAB_WLIF_TOKEN: # This token goes into a config.json file on the runner side
      aud: //iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/gitlab-gcp-demo/providers/gitlab-prod-gitlab-org # Retrieved from database (`gcp_identity_provider_audience_uri` column) based on alias specified in identity/gcp
  variables:
    GOOGLE_APPLICATION_CREDENTIALS: config.json # config.json containing GITLAB_WLIF_TOKEN
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: config.json
```
An alternative that we'll want to move towards (once we have support to implement custom arbitrary claims) is:
```yaml
my-job:
  id_tokens:
    GITLAB_WLIF_TOKEN:
      aud: https://auth.gcp.gitlab.com
      wlif: wlif_url_from_settings
```
We should expose two variables that point to a `config.json` file. This avoids users having to specify `--cred-file=$GITLAB_GCP_OIDC_CONFIG_PATH` whenever they invoke `gcloud` in their scripts. The variables are:

- `CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE` (for gcloud CLI)
- `GOOGLE_APPLICATION_CREDENTIALS` (for client libraries)
The `config.json` file looks like the following:
```json
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<GCP_PROJECT_ID>/locations/global/workloadIdentityPools/...",
  "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "url": "https://auth.gcp.gitlab.com/token",
    "headers": { "Authorization": "Bearer <Rails-side-JWT>" },
    "format": { "type": "json", "subject_token_field_name": "token" }
  }
}
```
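The expansion of the `identity_provider` sugar shown above into the implicit `id_tokens`/`variables` elements, together with generation of the `config.json` body, as an added Ruby example. This is illustration code written for this page, not GitLab's implementation and not code from the issue. The token name, variable names, audience URI and JSON fields come from the issue text; the module name, `ValidationError`, the `ff_enabled` keyword (standing in for the feature flag), the audience-format check, and the `token_url`/`rails_jwt` inputs are assumptions.

```ruby
require 'json'
require 'yaml'

# Added example (not GitLab's code): expands `identity_provider` sugar into the
# implicit id_tokens / variables elements and builds the external_account
# config.json that the injected variables point at.
module IdentityProviderSugar
  TOKEN_NAME  = 'GITLAB_WLIF_TOKEN'
  CONFIG_PATH = 'config.json'
  STS_URL     = 'https://sts.googleapis.com/v1/token'
  # Assumed shape of the schemeless WLIF provider URI stored in the project
  # integration (gcp_identity_provider_audience_uri). Anything else is rejected
  # so a misconfigured integration cannot mint a token for an arbitrary audience.
  AUDIENCE_RE = %r{\A//iam\.googleapis\.com/projects/[^/]+/locations/global/workloadIdentityPools/[^/]+/providers/[^/]+\z}

  class ValidationError < StandardError; end

  # Accepts the updated form (`identity_provider: google_cloud`) and the earlier
  # nested form (`identity_provider: { gcp: <alias> }`). In the nested form only
  # `gcp` may appear as a child; the alias value is ignored because it was dropped.
  def self.validate_provider!(value)
    case value
    when 'google_cloud'
      :google_cloud
    when Hash
      raise ValidationError, 'only `gcp` is allowed as a child of identity_provider' unless value.keys == ['gcp']
      :google_cloud
    else
      raise ValidationError, "unsupported identity_provider: #{value.inspect}"
    end
  end

  # Expand one job hash (string keys, as produced by YAML.safe_load).
  # `ff_enabled` models the ci_yaml_support_for_identity_provider flag: when it
  # is off, the key must fail validation rather than be silently accepted.
  def self.expand(job, audience:, ff_enabled: true)
    return job unless job.key?('identity_provider')
    raise ValidationError, 'identity_provider is not available (feature flag disabled)' unless ff_enabled

    validate_provider!(job['identity_provider'])
    raise ValidationError, "invalid WLIF audience: #{audience.inspect}" unless audience.match?(AUDIENCE_RE)

    expanded = job.reject { |k, _| k == 'identity_provider' }
    expanded['id_tokens'] = (job['id_tokens'] || {}).merge(TOKEN_NAME => { 'aud' => audience })
    expanded['variables'] = (job['variables'] || {}).merge(
      'GOOGLE_APPLICATION_CREDENTIALS' => CONFIG_PATH,
      'CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE' => CONFIG_PATH
    )
    expanded
  end

  # Build the config.json body from the issue: gcloud / client libraries fetch
  # the subject token from `token_url` (presenting the Rails-side JWT) and
  # exchange it at STS for the audience. `token_url` and `rails_jwt` are assumed inputs.
  def self.credential_config(audience:, token_url:, rails_jwt:)
    {
      'type' => 'external_account',
      'audience' => audience,
      'subject_token_type' => 'urn:ietf:params:oauth:token-type:id_token',
      'token_url' => STS_URL,
      'credential_source' => {
        'url' => token_url,
        'headers' => { 'Authorization' => "Bearer #{rails_jwt}" },
        'format' => { 'type' => 'json', 'subject_token_field_name' => 'token' }
      }
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample job, matching the issue's `my-job` snippet.
  job = YAML.safe_load(<<~YAML)
    script:
      - gcloud auth list
    identity_provider: google_cloud
  YAML
  audience = '//iam.googleapis.com/projects/123/locations/global/workloadIdentityPools/gitlab-gcp-demo/providers/gitlab-prod-gitlab-org'

  puts IdentityProviderSugar.expand(job, audience: audience).to_yaml
  puts JSON.pretty_generate(IdentityProviderSugar.credential_config(
    audience: audience, token_url: 'https://auth.gcp.gitlab.com/token', rails_jwt: '<Rails-side-JWT>'
  ))
end
```

Note that the same schemeless URI is used both as the `aud` claim of the GitLab ID token and as the `audience` field of the credential file; if the two diverge, STS rejects the exchange, which is why the example derives both from one value read from the integration.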
Closes https://gitlab.com/gitlab-org/architecture/gitlab-gcp-integration/glgo/-/issues/15
Proposal
- Add an `identity_provider` YAML element that saves its contents to `ci_builds_metadata` (gated on a FF and a SaaS feature).
- Generate `config.json` and inject it as file type variables `CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE` and `GOOGLE_APPLICATION_CREDENTIALS` in `Ci::Build` if build metadata indicates it.
- Read WLIF schemeless-URI from project integration (initially from the GAR integration, until we create a separate WLIF integration, context).
- If WLIF alias is present in integration, gate the functionality on having a matching alias (TBC).
Requirements
- The `identity_provider` entity should be guarded behind a `ci_yaml_support_for_identity_provider` feature flag (FF rollout issue), and a `google_identity_provider_on_ci_job` SaaS feature.
- The YAML should not validate if the FF is not enabled.
- Only `gcp` should be allowed as a child of `identity_provider`.
- ...
Similar MR: !103391 (merged)