Skip to content

Token prefixes: Add support for cluster agent tokens

Nicholas Wittstruckrequested to merge
gitlab-community/gitlab-org/gitlab:388379-nwittstruck-token-prefixes-cluster-agent-tokens into master

What does this MR do and why?

This MR adds support for instance wide token prefixes to cluster agent tokens.

Instance wide token prefixes have been added with !179852 (merged)

The new prefix format is: #{instance_prefix}-#{token_type_prefix}. E.g. for Cluster agent tokens, we'd get: #{instance_prefix}-glagent-. By default, this is the current token prefix glagent-. However, we can now customize the instance prefix to create a new prefix: mycompanyname-glagent-.

With this custom prefix, it is easier to identify leaked tokens, because we can now skip all leaked tokens that start with glagent. Now, we only need to look at tokens starting with mycompanyname-glagent-.

🛠️ with ❤️ at Siemens

References

How to set up and validate locally

  1. Enable feature flag via rails c:
Feature.enable(:custom_prefix_for_all_token_types)
  1. Create a new cluster agent token.
  • If you have configured the GDK with gitlab_k8s_agent enabled, you can create a new cluster token at Any Project > Kubernetes clusters > Connect a cluster. You can now register a new agent.
  • You can also create a new token with rails c. This assumes there is at least project. This example uses the first project, feel free to choose any other project:
  agent = Clusters::Agent.new(name: 'test-agent', project: Project.first)
  agent.save

  token = Clusters::AgentToken.new(name: 'test-agent-token', agent: agent)
  # this will print the token:
  token.ensure_token
  1. Now, change the instance wide token prefix: Admin area > General > Account and limit > Instance token prefix, e.g. to mycustomprefix
  2. Now create a new token - you should now see the prefix in the token.

MR acceptance checklist

MR Checklist ( @nwittstruck)

Related to #388379

Edited by Nicholas Wittstruck

Merge request reports