Spike: Investigate support of reverse workload identity federation in GitLab
Topic to Evaluate
With the GitLab <> GCP integration, we used Workload Identity Federation (WLIF) from GitLab into Google so that no long-lived tokens had to be exchanged.
We would like to explore supporting WLIF in the other direction, into GitLab, so that customers do not have to use tokens to exchange data with us.
In this doc, the GCP team has proposed what they'd like to see from GitLab building out WLIF support. The goal of the spike is to identify a scalable design based on the above proposal.
Tasks prior to evaluation
- Clearly document the topic to be evaluated in this issue description
- Determine specific scope including time-bounds for investigation
This spike is weighted at 3 and the goal is to complete the spike within
Tasks to Evaluate
- Determine feasibility of the feature (in particular the feasibility of making this a general implementation vs. a GCP-specific one)
- Document the approach and technical design in the engineering handbook
- Identify any POC tasks that need to occur before the customer-facing MVC is begun
- Create issues for implementation, or update the existing implementation issue description with the implementation proposal
- Set initial weights on implementation issues
- If a weight is greater than 5, break the issue into smaller issues
Risks and Implementation Considerations
As this spike is evaluated, the feasibility and outcome should be reviewed with UX/PM. Consider not only the implementation design, but also how it will be rolled out, licensing considerations, and backward compatibility.
Resources
https://cloud.google.com/iam/docs/workload-identity-federation