Perform validation on `identity` job config prerequisites
What does this MR do and why?
The current behavior when the prerequisites are not in place is for the identity
keyword to be ignored, and let the job fail if the authentication is required. This MR changes that behavior to perform validation when a pipeline is created, so that we show appropriate and helpful messages to the user.
EE: true
Closes #442741 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Scenario | Screenshot |
---|---|
FF disabled | |
Integration not present | |
Integration configured but disabled |
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
SaaS scenario
This describes the blue sky scenario where all validations will pass. Once you have this running, you can try disabling the FF/disabling SaaS/etc. and creating a new pipeline to see the validations kicking in:
-
Ensure you have an Ultimate license applied to your GDK.
-
export GITLAB_SIMULATE_SAAS=1
-
Run
Feature.enable(:ci_yaml_support_for_identity_provider)
to enable the functionality. -
It is only possible to test the validity of the JWT token on .com (or with membership to a demo GCP project and some magic steps), which would have the correct token required for the
glgo
token exchange service, but we can test theconfig.json
generation locally with the following job:test_job: stage: build identity: google_cloud script: - cat $CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE | jq
Non SaaS scenario
- Simulate a FOSS instance
- Run the job. It should complain that the feature is not available.