Add IAM Service configuration and FF for JWT authentication
What does this MR do and why?
Add IAM Service configuration for JWT authentication
Introduce IAM Service settings to support external JWT-based authentication:
- Add configuration in gitlab.yml.example (url, issuer, audience, jwt_secret)
- Initialize settings with defaults in 1_settings.rb
- Add validation for required fields and security checks
- Add iam_svc_oauth feature flag (WIP) for RS256 JWT authentication
Enables GitLab to accept JWTs from an external IAM service as an alternative to OAuth tokens for API and Git authentication.
Related to: #580758
Changelog: added
References
Feature: #580758
Rollout issue: #582963
Design and main information: https://gitlab.com/gitlab-org/architecture/auth-architecture/design-doc/-/blob/main/proposals/005-oauth_protocells.md
How to set up and validate locally
Add the following configuration to `gitlab.yml`, before `gitlab_kas`:

```yaml
iam_service:
  enabled: true
  url: http://localhost:8084
  issuer: http://localhost:8084
  audience: gitlab
```

- Verify in the Rails console that the settings are loaded correctly, for instance with `Gitlab.config.iam_service.url`
- Verify that the validator catches errors in the configuration, for example by updating `issuer` to `''` -> `gdk restart` and verify
- Verify that `gdk reconfigure` works as expected (it should remove the `iam_service` configuration)
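The kind of validation the MR describes (required fields plus security checks on the IAM settings), as an added example that is not the MR's or GitLab's own code: a stand-alone Ruby checker over a settings hash with the same keys as the `gitlab.yml` snippet above. The exact rules (loopback hosts may use plain `http`, anything else must use `https`, a present `jwt_secret` must be at least 32 bytes) are assumptions chosen for the example, not rules the MR states, and the sample configuration is constructed.

```ruby
require 'uri'

# Added example, not GitLab's own validator: checks an iam_service settings hash of the
# shape the MR adds to gitlab.yml (enabled, url, issuer, audience, jwt_secret) and
# returns a list of error strings. An empty list means the configuration is acceptable.
# String keys are assumed, matching a hash loaded straight from YAML.

REQUIRED_IAM_KEYS = %w[url issuer audience].freeze
# Hosts for which plaintext http is tolerated (development only); an assumption.
LOOPBACK_HOSTS = %w[localhost 127.0.0.1 ::1].freeze
# Minimum size for a shared-secret (HS256-style) key; an assumption.
MIN_JWT_SECRET_BYTES = 32

def validate_iam_service(settings)
  errors = []
  # A disabled service needs no further checks.
  return errors unless settings['enabled']

  # Required fields must be present and non-blank, e.g. issuer: '' is rejected.
  REQUIRED_IAM_KEYS.each do |key|
    value = settings[key]
    if value.nil? || value.to_s.strip.empty?
      errors << "iam_service.#{key} must be set when iam_service is enabled"
    end
  end

  # url and issuer must be absolute http(s) URLs; plaintext http only on loopback.
  %w[url issuer].each do |key|
    value = settings[key].to_s
    next if value.strip.empty? # already reported above

    uri = begin
      URI.parse(value)
    rescue URI::InvalidURIError
      nil
    end

    unless uri.is_a?(URI::HTTP) && uri.hostname
      errors << "iam_service.#{key} must be an absolute http(s) URL"
      next
    end

    if uri.scheme == 'http' && !LOOPBACK_HOSTS.include?(uri.hostname)
      errors << "iam_service.#{key} must use https outside of loopback hosts"
    end
  end

  # jwt_secret is optional (RS256 needs none), but a present secret must not be trivially short.
  secret = settings['jwt_secret']
  if secret && secret.to_s.bytesize < MIN_JWT_SECRET_BYTES
    errors << "iam_service.jwt_secret must be at least #{MIN_JWT_SECRET_BYTES} bytes"
  end

  errors
end

# Constructed sample matching the local-setup snippet from the MR description.
SAMPLE_LOCAL_CONFIG = {
  'enabled' => true,
  'url' => 'http://localhost:8084',
  'issuer' => 'http://localhost:8084',
  'audience' => 'gitlab'
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "valid local config: #{validate_iam_service(SAMPLE_LOCAL_CONFIG).inspect}"
  puts "blank issuer:       #{validate_iam_service(SAMPLE_LOCAL_CONFIG.merge('issuer' => '')).inspect}"
end
```

Running the file prints an empty error list for the sample configuration and a single "must be set" error once `issuer` is blanked, which mirrors the manual check in the validation steps above.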
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Daniele Bracciani