Put groups_direct field in CI JWT tokens behind feature flag
What does this MR do and why?
In GitLab 16.11, !146881 (merged) introduced the `groups_direct` field for CI JWT tokens used in the Vault integration. However, since JWT tokens are often sent in the `Authorization` HTTP header, the addition of the `groups_direct` field can cause the header to exceed the maximum allowed header size of web/proxy servers.

To avoid this issue, put this `groups_direct` field behind a `ci_jwt_groups_direct` feature flag while we figure out the best way to handle this.
Relates to #467253 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally

- Define a CI job (https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html) with the `id_tokens` keyword. JWT segments are base64url-encoded without `=` padding, so the padding is restored before `base64 -d` instead of silencing its error:

```yaml
job_with_id_tokens:
  image: ubuntu:20.04
  id_tokens:
    FIRST_ID_TOKEN:
      aud: https://first.service.com
  script:
    - |
      apt update && apt install -y jq
      # Decode one JWT segment: map the base64url alphabet to standard base64 and re-add padding.
      decode_segment() {
        echo "$1" | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d
      }
      export HEADER=$(decode_segment "$(echo "$FIRST_ID_TOKEN" | cut -d "." -f1)" | jq .)
      export PAYLOAD=$(decode_segment "$(echo "$FIRST_ID_TOKEN" | cut -d "." -f2)" | jq .)
      echo "Header: $HEADER"
      echo "Payload: $PAYLOAD"
```

- Run the pipeline and check the decoded payload: ensure `groups_direct` isn't available.
- Enable the `ci_jwt_groups_direct` feature flag (for example, `Feature.enable(:ci_jwt_groups_direct)` in a Rails console) and rerun the pipeline.
- Verify `groups_direct` is present in the payload.
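As an added worked example (not part of this MR or of GitLab's code), the following Python script does offline what the validation steps above do in a CI job: it decodes an ID token's payload for inspection, checks whether `groups_direct` is present, and estimates the size of the resulting `Authorization: Bearer` header against an assumed 8190-byte limit, which is Apache's default `LimitRequestFieldSize` and close to nginx's default 8k header buffer. The token, its claims, the group paths and the HS256 signing key are all constructed for the example; real GitLab ID tokens are RS256-signed and must be verified against the instance's JWKS before any claim is trusted, which this inspection-only decoder does not do.

```python
"""Inspect a CI ID token for the groups_direct claim and estimate the size of
the Authorization header it produces.

Added example, not GitLab or Vault code. The token is constructed here and
signed with a throwaway HS256 key purely so the JWT structure is realistic;
GitLab signs ID tokens with RS256 against its JWKS, and a relying party must
verify that signature. This script decodes without verification, for
inspection only."""
import base64
import hashlib
import hmac
import json

# Assumed header-size ceiling (bytes). Apache's LimitRequestFieldSize defaults
# to 8190; nginx's large_client_header_buffers defaults to 8k per header line.
HEADER_LIMIT_BYTES = 8190

# Constructed claims modelled on the documented CI ID token claim names.
BASE_CLAIMS = {
    "namespace_id": "1",
    "namespace_path": "parent-group",
    "project_id": "20",
    "project_path": "parent-group/demo-project",
    "user_id": "42",
    "user_login": "ci-user",
    "pipeline_id": "1001",
    "job_id": "5005",
    "ref": "main",
    "ref_type": "branch",
    "ref_protected": "true",
    "iss": "https://gitlab.example.com",
    "sub": "project_path:parent-group/demo-project:ref_type:branch:ref:main",
    "aud": "https://first.service.com",
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments use the base64url alphabet and drop '=' padding, which is
    # why a plain `base64 -d` needs the padding restored first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def make_sample_token(claims: dict, key: bytes = b"throwaway-demo-key") -> str:
    """Build a structurally valid HS256 JWT from `claims` (constructed test data)."""
    header = b64url_encode(_compact({"alg": "HS256", "typ": "JWT"}))
    signing_input = f"{header}.{b64url_encode(_compact(claims))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """Return the payload claims WITHOUT checking the signature (inspection only)."""
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def has_groups_direct(token: str) -> bool:
    return "groups_direct" in decode_unverified(token)


def authorization_header_size(token: str) -> int:
    """Bytes the `Authorization: Bearer <token>` header line occupies on the wire."""
    return len(f"Authorization: Bearer {token}\r\n".encode())


def exceeds_limit(token: str, limit: int = HEADER_LIMIT_BYTES) -> bool:
    return authorization_header_size(token) > limit


def token_without_groups_direct() -> str:
    """Claims as issued with the ci_jwt_groups_direct flag disabled."""
    return make_sample_token(BASE_CLAIMS)


def token_with_groups_direct(n_groups: int) -> str:
    """Claims with `n_groups` constructed direct-membership group paths added."""
    claims = dict(BASE_CLAIMS)
    claims["groups_direct"] = [f"parent-group/team-{i:03d}" for i in range(n_groups)]
    return make_sample_token(claims)


if __name__ == "__main__":
    for label, tok in (
        ("flag off", token_without_groups_direct()),
        ("flag on, 5 groups", token_with_groups_direct(5)),
        ("flag on, 300 groups", token_with_groups_direct(300)),
    ):
        size = authorization_header_size(tok)
        print(f"{label:22} groups_direct={has_groups_direct(tok)!s:5} "
              f"header={size:6d} bytes  over_limit={exceeds_limit(tok)}")
```

The point of the size check is that the claim grows with the number of direct group memberships and the base64 encoding adds a further third, so a user in a few hundred groups pushes the header past the default proxy limits while a user in a handful does not; that is exactly the difference that makes the feature flag necessary until the claim's size is bounded.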