Add rotate endpoint for runner controller token

What does this MR do and why?

This code adds a new endpoint that allows administrators to rotate runner controller tokens.

The main changes include:

  • A new service that handles the token rotation process by revoking the old token and creating a new one with the same settings
  • A new API endpoint that lets administrators request token rotation for a specific runner controller
  • Proper security checks to ensure only administrators can perform this action
  • Error handling for cases like already-revoked tokens or failed operations
  • Comprehensive tests to verify the feature works correctly and handles various scenarios

The rotation process is done safely using database transactions, so if anything goes wrong during the process, all changes are rolled back to maintain data consistency. This feature enhances security by allowing administrators to refresh authentication tokens when needed without losing the associated configuration.

References

Part of Runner controller management API (Part 4) Rotat... (#578798 - closed).

How to set up and validate locally

  • Set up GDK and prepare an instance admin's personal access token.
  • Verify the endpoints using curl.

export PAT="your-personal-access-token"

Prerequisites - create runner controller & token

Create runner controller if not exists:

curl --request POST \
  --header "Content-Type: application/json" \
  --header "PRIVATE-TOKEN: $PAT" \
  "https://gdk.test:3443/api/v4/runner_controllers"

Create new token:

curl --request POST \
  --header "Content-Type: application/json" \
  --header "PRIVATE-TOKEN: $PAT" \
  --data '{
    "description": "Validates runner security settings before registration"
  }' \
  "https://gdk.test:3443/api/v4/runner_controllers/1/tokens"

curl --request GET \
  --header "Content-Type: application/json" \
  --header "PRIVATE-TOKEN: $PAT" \
  "https://gdk.test:3443/api/v4/runner_controllers/1/tokens"

curl --request POST \
  --header "Content-Type: application/json" \
  --header "PRIVATE-TOKEN: $PAT" \
  "https://gdk.test:3443/api/v4/runner_controllers/1/tokens/1/rotate"

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Taka Nishida
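
The rotation behaviour described above (revoke the old token, create a new one with the same settings, roll everything back on failure) can be sketched as follows. This is an added example, not code from this MR or from GitLab: the SQLite table, the function names, and storing only a SHA-256 digest of the token are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3

# Hypothetical schema; the real runner controller token table is not shown on this page.
SCHEMA = """CREATE TABLE tokens (
    id INTEGER PRIMARY KEY, controller_id INTEGER NOT NULL, description TEXT,
    digest TEXT NOT NULL UNIQUE, revoked INTEGER NOT NULL DEFAULT 0)"""

class RotationError(Exception):
    """Raised when a token cannot be rotated (unknown or already revoked)."""

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def _digest(plaintext):
    return hashlib.sha256(plaintext.encode()).hexdigest()

def create_token(conn, controller_id, description, generate=secrets.token_urlsafe):
    # The plaintext is returned once to the caller; only its digest is stored.
    plaintext = generate()
    cur = conn.execute(
        "INSERT INTO tokens (controller_id, description, digest) VALUES (?, ?, ?)",
        (controller_id, description, _digest(plaintext)))
    return cur.lastrowid, plaintext

def rotate_token(conn, controller_id, token_id, generate=secrets.token_urlsafe):
    with conn:  # one transaction: commit on success, roll back on any exception
        row = conn.execute(
            "SELECT description, revoked FROM tokens WHERE id = ? AND controller_id = ?",
            (token_id, controller_id)).fetchone()
        if row is None:
            raise RotationError("token not found for this controller")
        description, revoked = row
        if revoked:
            raise RotationError("token already revoked")
        conn.execute("UPDATE tokens SET revoked = 1 WHERE id = ?", (token_id,))
        # If creation fails here, the revocation above is undone as well.
        return create_token(conn, controller_id, description, generate)

def is_valid(conn, plaintext):
    row = conn.execute(
        "SELECT revoked FROM tokens WHERE digest = ?", (_digest(plaintext),)).fetchone()
    return row is not None and row[0] == 0
```

Scoping the lookup by `controller_id` as well as `token_id` keeps a token ID that belongs to another controller from being rotated through the wrong path.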
