Skip to content

Token prefixes: Add support for CI/CD Job Tokens

Nicholas Wittstruckrequested to merge
gitlab-community/gitlab-org/gitlab:388379-nwittstruck-token-prefixes-ci-job-tokens into master

What does this MR do and why?

This MR adds support for CI/CD Job Tokens to the instance wide token prefix feature. It only supports JWT tokens, as the previous type will be deprecated.

Instance wide token prefix have been added with !179852 (merged)

The new prefix format is: #{instance_prefix}#{token_type_prefix}. E.g. for CI/CD Job tokens, we'd get: #{instance_prefix}-glcbt-. By default, the prefix is empty. However, we can now customize the instance prefix to create a new prefix: mycompanyname-glcbt-.

🛠️ with ❤️ at Siemens

References

How to set up and validate locally

  1. Enable feature flag via rails c:
Feature.enable(:custom_prefix_for_all_token_types)
  1. Change the instance wide token prefix: Admin area > General > Account and limit > Instance token prefix, e.g. to mycustomprefix
  2. You can add a small .gitlab-ci.yml that echoes the beginning of the token and clones another repository, that the Job Token has access to. You can find a description for the fine grained permissions here. The following script will intentionally leak the beginning of the token, so don't use it outside of testing:
build:
  script:
    - echo "Full token - should be masked:"  + ${CI_JOB_TOKEN}
    - echo "Short token:"  + ${CI_JOB_TOKEN:0:12}
    - git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gdk.test:3443/<example-repository>
  1. You should see that the full token is masked, the short token starts with your instance prefix and git clone has been successful.

MR acceptance checklist

checklist

Related to #388379

Edited by Nicholas Wittstruck

Merge request reports