Add `id_tokens` CI keyword (!103391) · Merge requests · GitLab.org / GitLab

Avielle Wolfe requested to merge 356986-add-id-tokens-keyword into master Nov 08, 2022

What does this MR do and why?

This MR is the 4th step for #356986 (closed).

Title	MR Link	Done?
Spike	!94403 (closed)	✅
Add `id_tokens` field to `ci_builds_metadata`	!94878 (merged)	✅
Pass first ID token to the runner	!95254 (merged)	✅
Add `id_tokens` keyword to `.gitlab-ci.yml`	!103391 (merged)	👋 YOU ARE HERE
Add `token` keyword to `.gitlab-ci.yml`	!103801 (merged)
Document new keywords

This MR adds an id_tokens keyword to both FOSS and EE that can be used to define JWTs for a CI job. The syntax looks like this:

job_with_id_tokens:
  id_tokens:
    FIRST_ID_TOKEN:
      aud: 'https://gitlab.com'
    SECOND_ID_TOKEN:
      aud:
        - 'https://test.com'
        - 'https://development.com'
  script:
    - echo $FIRST_ID_TOKEN
    - echo $SECOND_ID_TOKEN

These ID tokens can be used to authenticate with 3rd parties - the aud sub-keyword can be used to ensure that the token is only useable with the audience for which it is intended. aud can be defined either as a string (single audience token) or an array of strings (multiple audience token).

Screenshots or screen recordings

This configuration will fetch the test secret created when following the GDK Vault docs:

When that job runs, the output will look like this:

How to set up and validate locally

1. Prepare GDK

Make sure Gitlab::CurrentSettings.ci_jwt_signing_key is a private key (it should not be nil). If it is nil, run ApplicationSetting.current_without_cache.update!(ci_jwt_signing_key: OpenSSL::PKey::RSA.new(2048).to_pem)

2. Use HTTPS

The ID token JWTs use JWT V2, which requires HTTPS. You can configure your GDK to use HTTPS by following these instructions: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/39f962013c8095565f36f3963e50153df44143ed/doc/howto/nginx.md#update-gdkyml-for-https-optional

3. Set up Hashicorp Vault

The easiest way set up and configure Vault is to use the vault:configure Rake task, which has not yet been merged: gitlab-development-kit!2766 (merged)

Follow the instructions in the GDK Vault docs from that MR.

4. Test this MR

You will need to use the same project that you configured with Vault to test this MR.

Enable use of ID tokens with secrets with Project.find(<project_id>).ci_cd_settings.update!(opt_in_jwt: true)

Update the project's .gitlab-ci.yml file to use the new keywords:

test_secrets:
  variables:
    VAULT_AUTH_PATH: gitlab
    VAULT_AUTH_ROLE: gitlab-test-role
    VAULT_SERVER_URL: <vault_server_url>
  id_tokens:
    TEST_ID_TOKEN:
      aud: '<gdk_url>'
  secrets:
    DATABASE_PASSWORD:
      vault: gitlab-test/db/password
  script:
    - echo $DATABASE_PASSWORD
    - cat $DATABASE_PASSWORD

Run a pipeline and see that the job echos the database password.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Nov 16, 2022 by Avielle Wolfe

Add `id_tokens` CI keyword