Put groups_direct field in CI JWT tokens behind feature flag
What does this MR do and why?
In GitLab 16.11, !146881 (merged) introduced the `groups_direct` field for the CI JWT tokens used in the Vault integration. However, since JWT tokens are often sent in the `Authorization` HTTP header, adding the `groups_direct` field (one entry per group the project belongs to) can cause the header to exceed the maximum header size allowed by web/proxy servers.

To avoid this issue, put the `groups_direct` field behind a `ci_jwt_groups_direct` feature flag while we figure out the best way to handle this.

Relates to #467253 (closed)
How to set up and validate locally
- Define a CI job (https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html) with the `id_tokens` keyword:

```yaml
job_with_id_tokens:
  id_tokens:
    FIRST_ID_TOKEN:
      aud: https://first.service.com
  script:
    - |
      apt update && apt install -y jq
      export HEADER=$(echo $FIRST_ID_TOKEN | cut -d "." -f1 | base64 -d 2>/dev/null | jq .)
      export PAYLOAD=$(echo $FIRST_ID_TOKEN | cut -d "." -f2 | base64 -d 2>/dev/null | jq .)
      echo "Header: $HEADER"
      echo "Payload: $PAYLOAD"
  image: ubuntu:20.04
```

- Ensure `groups_direct` isn't available in the printed payload.
- Enable the `ci_jwt_groups_direct` feature flag and rerun the pipeline.
- Verify `groups_direct` is present.
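The validation steps above check for the claim by eye. The script below is an added example (not part of this MR or of GitLab's code) that does the same check reproducibly and also measures the `Authorization` header the token would produce, which is the failure mode this MR works around. It decodes the JWT segments with proper base64url padding (the `base64 -d 2>/dev/null` in the job above silently truncates unpadded input), and it builds constructed, unsigned sample tokens with a chosen number of `groups_direct` entries; the 8192-byte limit is an assumption modelled on a common proxy default, not a GitLab value.

```shell
#!/bin/sh
# Added example: inspect a CI JWT for the groups_direct claim and estimate
# the size of the Authorization header it produces. Tokens built here are
# constructed and unsigned; no real GitLab token or secret is involved.

# Decode a base64url segment (JWT segments carry no '=' padding).
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Encode a string as unpadded base64url.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Payload JSON of a JWT: the second dot-separated segment.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d '.' -f2)"
}

# Succeeds when the payload carries a groups_direct claim.
jwt_has_groups_direct() {
  jwt_payload "$1" | grep -q '"groups_direct"'
}

# Byte length of the "Authorization: Bearer <token>" header line.
auth_header_len() {
  printf 'Authorization: Bearer %s\r\n' "$1" | wc -c | tr -d ' '
}

# Succeeds when that header line fits within $2 bytes.
auth_header_fits() {
  [ "$(auth_header_len "$1")" -le "$2" ]
}

# Constructed token with N groups_direct entries; N=0 omits the claim,
# which is what the ci_jwt_groups_direct flag being disabled looks like.
build_token() {
  n=$1; i=0; groups=""
  while [ "$i" -lt "$n" ]; do
    groups="${groups}${groups:+,}\"group-$i/subgroup-with-a-long-name\""
    i=$((i + 1))
  done
  base='"aud":"https://first.service.com","sub":"project_path:group/project"'
  if [ "$n" -gt 0 ]; then
    payload="{${base},\"groups_direct\":[${groups}]}"
  else
    payload="{${base}}"
  fi
  printf '%s.%s.%s' "$(b64url_encode '{"alg":"RS256","typ":"JWT"}')" \
    "$(b64url_encode "$payload")" "unsigned-signature-placeholder"
}

# Assumed proxy header limit (8 KB is a common default; not a GitLab value).
HEADER_LIMIT=8192

for n in 0 300; do
  t=$(build_token "$n")
  if jwt_has_groups_direct "$t"; then has=yes; else has=no; fi
  if auth_header_fits "$t" "$HEADER_LIMIT"; then fits=yes; else fits=no; fi
  echo "groups_direct entries=$n claim_present=$has header_bytes=$(auth_header_len "$t") fits_${HEADER_LIMIT}=$fits"
done
```

To use it against a real pipeline, replace the constructed token with `$FIRST_ID_TOKEN` inside the job: `jwt_has_groups_direct "$FIRST_ID_TOKEN"` should fail with the flag disabled and succeed after it is enabled, and `auth_header_len` shows how close a project with many direct groups gets to the proxy limit.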