Add `id_tokens` CI keyword
What does this MR do and why?
This MR is the 4th step for #356986 (closed).
Title | MR Link | Done? |
---|---|---|
Spike | !94403 (closed) | |
Add id_tokens field to ci_builds_metadata
|
!94878 (merged) | |
Pass first ID token to the runner | !95254 (merged) | |
Add id_tokens keyword to .gitlab-ci.yml
|
!103391 (merged) |
|
Add token keyword to .gitlab-ci.yml
|
!103801 (merged) | |
Document new keywords |
This MR adds an id_tokens
keyword to both FOSS and EE that can be used to define JWTs for a CI job. The syntax looks like this:
job_with_id_tokens:
id_tokens:
FIRST_ID_TOKEN:
aud: 'https://gitlab.com'
SECOND_ID_TOKEN:
aud:
- 'https://test.com'
- 'https://development.com'
script:
- echo $FIRST_ID_TOKEN
- echo $SECOND_ID_TOKEN
These ID tokens can be used to authenticate with 3rd parties - the aud
sub-keyword can be used to ensure that the token is only useable with the audience for which it is intended. aud
can be defined either as a string (single audience token) or an array of strings (multiple audience token).
Screenshots or screen recordings
This configuration will fetch the test secret created when following the GDK Vault docs:
When that job runs, the output will look like this:
How to set up and validate locally
1. Prepare GDK
Make sure Gitlab::CurrentSettings.ci_jwt_signing_key
is a private key (it should not be nil
). If it is nil
, run ApplicationSetting.current_without_cache.update!(ci_jwt_signing_key: OpenSSL::PKey::RSA.new(2048).to_pem)
2. Use HTTPS
The ID token JWTs use JWT V2, which requires HTTPS. You can configure your GDK to use HTTPS by following these instructions: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/39f962013c8095565f36f3963e50153df44143ed/doc/howto/nginx.md#update-gdkyml-for-https-optional
3. Set up Hashicorp Vault
The easiest way set up and configure Vault is to use the vault:configure
Rake task, which has not yet been merged: gitlab-development-kit!2766 (merged)
Follow the instructions in the GDK Vault docs from that MR.
4. Test this MR
You will need to use the same project that you configured with Vault to test this MR.
Enable use of ID tokens with secrets
with Project.find(<project_id>).ci_cd_settings.update!(opt_in_jwt: true)
Update the project's .gitlab-ci.yml
file to use the new keywords:
test_secrets:
variables:
VAULT_AUTH_PATH: gitlab
VAULT_AUTH_ROLE: gitlab-test-role
VAULT_SERVER_URL: <vault_server_url>
id_tokens:
TEST_ID_TOKEN:
aud: '<gdk_url>'
secrets:
DATABASE_PASSWORD:
vault: gitlab-test/db/password
script:
- echo $DATABASE_PASSWORD
- cat $DATABASE_PASSWORD
Run a pipeline and see that the job echos the database password.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.