Introduce OpenBao JWT audience

Dmytro Biryukovrequested to merge
dbiryukov_jwt_aud_bao_geo_mr-571099 into master

What does this MR do and why?

This MR implements JWT audience configuration for OpenBao in Geo environments, addressing the issue where secondary Geo sites with different OpenBao URLs cannot authenticate properly due to JWT audience mismatches.

Problem: In GitLab Geo deployments with OpenBao integration, secondary sites may have different URLs for accessing the secrets manager compared to the primary site. The JWT audience field must match OpenBao's configured bound_audiences, but the current implementation assumes a single static audience value across all Geo sites.

Solution: Introduces a new jwt_audience configuration option in gitlab.yml under the openbao section that can be set independently from the external OpenBao URL. This allows:

  • Flexible audience validation in multi-site Geo deployments
  • Secondary sites to use different URLs while maintaining consistent JWT authentication
  • Backward compatibility by defaulting to the existing OpenBao URL when not specified

Changes Made

  1. Configuration (config/gitlab.yml.example):

    • Added jwt_audience parameter documentation with examples for Geo deployments

  2. Core Implementation (ee/app/models/secrets_management/base_secrets_manager.rb):

    • Added jwt_audience class method that returns configured audience or defaults to server_url
    • Updated JWT audience claim (aud) to use the new method

  3. Service Updates:

    • Updated GroupSecretsManager and ProjectSecretsManager provision services to use jwt_audience for bound audience configuration

  4. JWT Generation (ee/lib/secrets_management/):

    • Updated all JWT classes to use jwt_audience instead of server_url for the audience claim

  5. Documentation (doc/administration/secrets_manager/_index.md):

    • Added Geo configuration section explaining how to use jwt_audience for multi-site deployments

  6. Tests (ee/spec/):

    • Added comprehensive test coverage for the new jwt_audience method
    • Updated existing tests to verify bound audiences use the new configuration

References

Closes #571099 (closed)

How to set up and validate locally

  1. Configure OpenBao with a bound audience value (e.g., https://openbao.shared.example.com:8200)
  2. In gitlab.yml, set: 
    openbao:
  url: https://openbao.site-specific.example.com:8200
  jwt_audience: https://openbao.shared.example.com:8200
  3. Verify that JWTs generated for OpenBao authentication contain the configured audience
  4. Test authentication from both primary and secondary Geo sites

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

  • Code follows GitLab style guidelines
  • Tests added/updated for new functionality
  • Documentation updated
  • Backward compatible (defaults to existing behavior)
  • No breaking changes
Edited by Dmytro Biryukov

Merge request reports