Add deployment tier to CI_JOB_JWT
Problem
Currently, CI_JOB_JWT has environment (environment name) and environment_protected (whether the environment is protected), but it doesn't have the deployment tier of environments. In order to fetch secrets from a value per deployment tier, we should add the tier in the payload.
Proposal
Add deployment_tier field to the JWT.
diff --git a/lib/gitlab/ci/jwt.rb b/lib/gitlab/ci/jwt.rb
index 97774bc5e13..25cabc17c70 100644
--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -58,10 +58,13 @@ def custom_claims
job_id: build.id.to_s,
ref: source_ref,
ref_type: ref_type,
- ref_protected: build.protected.to_s
+ ref_protected: build.protected.to_s,
+ deployment_tier: build.environment_deployment_tier
}
if environment.present?
+ fields[:deployment_tier] ||= environment.tier
+
fields.merge!(
environment: environment.name,
environment_protected: environment_protected?.to_s
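Review bot: In the `if environment.present?` branch, `fields[:deployment_tier] ||= environment.tier` only takes effect when `build.environment_deployment_tier` is nil, so the build-supplied value wins over the persisted environment's tier. If that build value can be set from job configuration, a job could present a tier that differs from the environment it actually deploys to, and any secrets backend that binds on this claim would trust it. Please confirm where the build value comes from, and consider preferring `environment.tier` whenever an environment record exists. Separately, `deployment_tier` is placed in the base hash unconditionally, so a job with no environment emits the claim as nil, while `environment` and `environment_protected` are omitted in that case. Moving it into the `fields.merge!(...)` block would keep the three environment claims consistent. The neighbouring claims are also stringified with `.to_s`, so it is worth deciding explicitly whether this one should be a string or may be null.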
Edited by Chris Balane