maintenance: Encrypt missed ci_runner plain tokens

What does this MR do and why?

maintenance: Encrypt missed ci_runner plain tokens

  • Added a post-deployment migration to queue EncryptCiRunnerTokens BBM
  • Added EncryptCiRunnerTokens - a batched background migration

Steps involved in removing the token column in the ci_runners table:

  • We observed that there are still rows where token is not null and encrypted_token is null -> this means that, as per this code, we still use the plain token.
  • So we can't remove the column without migrating missed encrypted tokens - This is what this PR does.
  • Then we will finalise this BBM in the next milestone.
  • Add encryption: :required in Ci::Runner model file.
  • Add ignore_column :token. Reference: this doc.
  • In %18.4 the token column will be removed in a post-deployment migration.

Changelog: other

References

Remove unencrypted runner tokens from database (#410315 - closed)

How to set up and validate locally

  • Run the migration using:
be rake db:migrate:up:ci VERSION=20250630163722
  • Verify the migration added an entry in ci database:
gitlabhq_development_ci.public> select * from public.batched_background_migrations where job_class_name = 'EncryptMissedCiRunnerTokens';
  • Verify the bbm queued a job in batched_background_migration_jobs:
-- replace the `batched_background_migration_id`
gitlabhq_development_ci.public> select * from batched_background_migration_jobs where batched_background_migration_id = 10;
  • Make sure all the data is encrypted:
gitlabhq_development_ci.public> select count(*) from ci_runners where token_encrypted is null and token is not null;
-- should return 0

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Narendran
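
The backfill and the final "should return 0" check described above, as an added sketch that is not code from this MR or from GitLab: the rows are constructed in memory, the column names token and token_encrypted are taken from the verification query, and AES-256-GCM with a throwaway key is an assumed stand-in for the application's own token encryption.

```ruby
require "openssl"

# Throwaway demo key (assumption); a real system uses the application's own secret.
KEY = OpenSSL::Digest::SHA256.digest("constructed-demo-key")

# AES-256-GCM stand-in: returns base64(iv || auth tag || ciphertext).
def encrypt_token(plain, key = KEY)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  ct = cipher.update(plain) + cipher.final
  [iv + cipher.auth_tag + ct].pack("m0")
end

def decrypt_token(blob, key = KEY)
  raw = blob.unpack1("m0")
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  cipher.update(raw[28..-1]) + cipher.final
end

# Same predicate as the check query: token IS NOT NULL AND token_encrypted IS NULL.
def missed(rows)
  rows.select { |r| !r[:token].nil? && r[:token_encrypted].nil? }
end

# Encrypt only the missed rows, batch by batch; returns the number of batches run.
# Rows that already carry token_encrypted are never rewritten, so a re-run is a no-op.
def backfill(rows, batch_size: 2)
  batches = 0
  missed(rows).each_slice(batch_size) do |batch|
    batch.each { |r| r[:token_encrypted] = encrypt_token(r[:token]) }
    batches += 1
  end
  batches
end

# Constructed sample rows: three missed, one encrypted-only, one with both columns set.
def sample_rows
  [{ id: 1, token: "constructed-token-1", token_encrypted: nil },
   { id: 2, token: nil, token_encrypted: encrypt_token("constructed-token-2") },
   { id: 3, token: "constructed-token-3", token_encrypted: nil },
   { id: 4, token: "constructed-token-4", token_encrypted: nil },
   { id: 5, token: "constructed-token-5", token_encrypted: encrypt_token("constructed-token-5") }]
end
```

After the backfill the plain token values are still present in every row that had them, which is why the steps above end with removing the column itself.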
