Resolve "Keyless signing with Keystore missing ci_config_ref_uri on specific configurations"
What does this MR do and why?
This change is related to OpenID Connect (OIDC) Authentication Using ID Tokens. We're looking to change the default behavior. More background is in the issue, specifically the background on the crash and the background on the fix.
Current behavior
Current behavior for unimplemented project_config types is to return an empty hash, which causes Fulcio to crash.
Behavior after this fix
We will return reasonable defaults, specifically Project.ci_config_file_or_default. More info on why this fix is reasonable in issue, along with feedback from previous people who worked on this issue.
The MR which originally added this claim, Add ci_config_ref_uri claim to Ci::JwtV2 for repository source, also states this is desirable:
The ci_config_ref_uri claim is only populated if the CI config is located in the repository. In a future iteration we will populate it for other config sources as well.
The original issue ticket also states that it defaults to .gitlab-ci.yml. Add claims to ID token to support Fulcio integration (#404722) · Issue · gitlab-org/gitlab
Fully qualified reference to the pipeline definition, defaults to .gitlab-ci.yml
Release behind FF
Will be released behind FF for safety: default_jwt_ci_config_ref_uri -- Derisk default JWT field ci_config_ref_url value change (#588392) · Issue · gitlab-org/gitlab.
I will roll out according to plan D specified in Use ChatOps to enable and disable feature flags, to be extra conservative.
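To make the "current behavior" / "behavior after this fix" contrast concrete, and to show how the feature flag gates it, here is an added Ruby illustration. It is example code written for this description, not code from this MR or from GitLab. It assumes the claim shape documented for ci_config_ref_uri (host/project_path//config_path@ref), stand-in Struct objects for the project and pipeline, a hash standing in for the feature-flag lookup (flag name taken from this MR), and a ci_config_file_or_default method that mirrors only the idea named above: the configured path if one is set, otherwise the default file.

```ruby
# Added illustration, not GitLab's own code: how a ci_config_ref_uri claim can
# be derived from a pipeline's config source, with the pre-fix behaviour (empty
# hash for unimplemented sources) next to the defaulted behaviour behind the flag.
# Assumptions: the claim format "host/project_path//config_path@ref", the Struct
# stand-ins below, and a hash in place of the real feature-flag lookup.

DEFAULT_CI_CONFIG_PATH = '.gitlab-ci.yml'.freeze

# Constructed stand-in for the project. ci_config_file_or_default mirrors the
# idea named in the MR: the configured path if any, otherwise the default file.
Project = Struct.new(:full_path, :ci_config_path, keyword_init: true) do
  def ci_config_file_or_default
    path = ci_config_path.to_s.strip
    path.empty? ? DEFAULT_CI_CONFIG_PATH : path
  end
end

# Constructed stand-in for the pipeline; ref_path is the full ref (refs/heads/...).
Pipeline = Struct.new(:project, :config_source, :ref_path, keyword_init: true)

# Only this source had the claim populated before the fix.
IMPLEMENTED_SOURCES = %i[repository_source].freeze

# Builds the hash merged into the ID token. `flags` stands in for the
# feature-flag lookup; the flag name comes from this MR.
def ci_config_ref_uri_claim(pipeline, host:, flags: {})
  implemented = IMPLEMENTED_SOURCES.include?(pipeline.config_source)
  defaulting  = flags.fetch(:default_jwt_ci_config_ref_uri, false)

  # Pre-fix behaviour for unimplemented sources: no claim at all.
  return {} unless implemented || defaulting

  path = pipeline.project.ci_config_file_or_default
  { ci_config_ref_uri: "#{host}/#{pipeline.project.full_path}//#{path}@#{pipeline.ref_path}" }
end

# What a consumer that requires the claim (the Fulcio case in the MR) should
# check before trusting the token for keyless signing: present, non-empty, and
# of the expected "<host>/<path>//<config>@<ref>" shape.
def claim_usable?(claims)
  uri = claims[:ci_config_ref_uri]
  return false if uri.nil? || uri.empty?

  uri.include?('//') && uri.include?('@')
end

if __FILE__ == $PROGRAM_NAME
  project  = Project.new(full_path: 'my-group/my-project', ci_config_path: nil)
  pipeline = Pipeline.new(project: project, config_source: :auto_devops_source,
                          ref_path: 'refs/heads/main')

  before = ci_config_ref_uri_claim(pipeline, host: 'gitlab.example.com')
  after  = ci_config_ref_uri_claim(pipeline, host: 'gitlab.example.com',
                                   flags: { default_jwt_ci_config_ref_uri: true })

  puts "before fix: #{before.inspect} usable=#{claim_usable?(before)}"
  puts "after fix:  #{after.inspect} usable=#{claim_usable?(after)}"
end
```

With the flag off, a non-repository config source still yields an empty hash, which is the condition a strict consumer rejects; with the flag on, the claim is populated from the default file, so the rollout can be observed per source type before the default is changed for everyone.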
References
- Keyless signing with Keystore missing ci_config_ref_uri on specific configurations (#579211) · Issue · gitlab-org/gitlab
- Add claims to ID token to support Fulcio integration (#404722) · Issue · gitlab-org/gitlab
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #579211