
Toggle JWT access from CI/CD settings

Mireya Andres requested to merge toggle-opt-in-jwt into master

What does this MR do and why?

For #360657 (closed). Requires !109194 (merged) to be merged first.

This allows the user to limit JWT access from pipeline jobs such that the token must be manually declared in each job that needs it. The toggle is available in the CI/CD settings and is disabled by default.

Screenshots or screen recordings

Screenshots: "Toggle Enabled" and "Toggle Disabled" (two images of the CI/CD settings toggle)

How to set up and validate locally

Verifying through Rails Console

  1. Pull the changes from !109194 (merged).
  2. Go to Settings > CI/CD > Token Access > Limit JSON Web Token (JWT) access.
  3. Enable/Disable the toggle.
  4. In the rails console, check the value of Project.find(<project_id>).ci_cd_settings.opt_in_jwt. It should have the same value as the toggle in the UI.

Verifying the JWT limit

The following should work when the toggle is enabled.

  1. Set up your GDK to use Hashicorp Vault (Docs). Your GDK must have a Premium license and must be set up to use HTTPS.

  2. Add the following to your .gitlab-ci.yml file, prefilling the values with the ones provided in Step 1.

    test_secrets:
      variables:
        VAULT_AUTH_PATH: gitlab
        VAULT_AUTH_ROLE: gitlab-test-role
        VAULT_SERVER_URL: http://127.0.0.1:8200
      id_tokens:
        TEST_ID_TOKEN:
          aud: http://gdk.test:3000
      secrets:
        DATABASE_PASSWORD:
          vault: gitlab-test/db/password
      script:
        - echo $DATABASE_PASSWORD
        - cat $DATABASE_PASSWORD
  3. Save your .gitlab-ci.yml file and run a pipeline. The job should print the value of $DATABASE_PASSWORD.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Mireya Andres
