Generate JWT for authentication and provide it to CI jobs
Problem to solve
We want to support existing Vault users with a lightweight integration using JWT. This will address the needs of those customers that already have Vault installed and want to use it to provide secrets to GitLab CI. It will work for both self-managed and GitLab.com.
Intended users
Further details
- Original proposal - #199737 (comment 282657457)
- PoC - !25331 (closed)
Proposal
Generate a JWT and provide it to CI jobs so that they can use it to authenticate to third-party services that support a JWT auth method (e.g. https://www.vaultproject.io/docs/auth/jwt/).
The JWT should contain any relevant information that may be used by the other party to verify the authentication.
Example payload:
{
  "jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558", # Unique identifier for this token
  "iss": "gitlab.example.com", # Issuer, the domain of your GitLab instance
  "iat": 1585710286, # Issued at
  "nbf": 1585798372, # Not valid before
  "exp": 1585713886, # Expire at
  "sub": "22", # Subject (project id)
  "namespace_id": "1",
  "namespace_path": "mygroup",
  "project_id": "22",
  "project_path": "mygroup/myproject",
  "user_id": "42",
  "user_login": "myuser",
  "user_email": "myuser@example.com",
  "pipeline_id": "1212",
  "job_id": "1212",
  "ref": "auto-deploy-2020-04-01", # Git ref for this job
  "ref_type": "branch", # Git ref type, branch or tag
  "ref_protected": "true" # true if this git ref is protected, false otherwise
}
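As an added example (not GitLab's or Vault's code), this shows what the receiving side has to check before trusting a payload like the one above: signature, issuer, the `nbf`/`exp` window, and a set of bound claims such as `project_path` and `ref_protected`, in the spirit of a Vault JWT role's `bound_claims`. It assumes HS256 with a constructed shared secret for illustration only (GitLab signs with its instance RSA key), and `sign_jwt`, `verify_ci_jwt` and `SAMPLE_CLAIMS` are hypothetical names.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed; a real instance uses an RSA key (RS256)

# Constructed claims mirroring the proposal's payload, with a consistent time window.
SAMPLE_CLAIMS = {
    "jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558", "iss": "gitlab.example.com",
    "iat": 1585710286, "nbf": 1585710286, "exp": 1585713886, "sub": "22",
    "namespace_id": "1", "namespace_path": "mygroup", "project_id": "22",
    "project_path": "mygroup/myproject", "user_id": "42", "user_login": "myuser",
    "user_email": "myuser@example.com", "pipeline_id": "1212", "job_id": "1212",
    "ref": "auto-deploy-2020-04-01", "ref_type": "branch", "ref_protected": "true",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Issuer side: build an HS256 JWT (header.payload.signature) from the claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_ci_jwt(token: str, issuer: str, bound_claims: dict,
                  key: bytes = SECRET, now=None) -> dict:
    """Consumer side: verify signature, time window, issuer and bound claims.
    Returns the claims on success and raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    # Pin the algorithm on the verifier; never let the token choose it.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))  # only parsed after the signature holds
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    for name, wanted in bound_claims.items():  # e.g. only protected refs of one project
        if claims.get(name) != wanted:
            raise ValueError(f"claim {name}={claims.get(name)!r} != {wanted!r}")
    return claims
```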
Documentation
What does success look like, and how can we measure that?
- Users are able to use their own Vault with GitLab
What is the type of buyer?
- Community Edition
Links / references
Please use this anchor for documentation: https://docs.gitlab.com/ee/#hashicorp-vault-jwt-authentication
Edited by Krasimir Angelov