Skip to content

CI Runners: Add authentication token expiration

Kyle Edwards requested to merge KyleFromKitware/gitlab:authentication-token-expiry into master

What does this MR do and why?

This MR adds the option to make the authentication token for runners expire after a set amount of time.

Issue: #30942 (closed)

This depends on !73402 (merged) and !73686 (merged).

This has been broken up into the following MRs:

!77884 (merged)
!77899 (merged)
!78557 (merged)
!78939 (merged)
!78941 (merged)
!79135 (merged)
!75760 (merged)

Screenshots or screen recordings

Settings added

auth_tokens

Expiration interval for a group

Set Not set
image image

Expiration interval for a project

Set Not set
image image

How to set up and validate locally

Shared runners

  1. Go to Menu > Admin

  2. Go to Runners

  3. Set the desired expiration time

  4. Copy the registration token and register with:

    $ curl --form 'token=abc123' http://gitlab.example.com/api/v4/runners
{"id":3,"token":"cB2JjWHVUb7smVHzp3Dq","token_expires_at":"2021-11-05T19:05:29.259Z"}

  5. Refresh the Runners page

  6. See that the listed runner has a "Token expires at"

Group runners

  1. Go to group

  2. Go to Settings > CI/CD

  3. Expand the Runners group

  4. Set the desired expiration time

  5. Copy the registration token and register with:

    $ curl --form 'token=abc123' http://gitlab.example.com/api/v4/runners
{"id":3,"token":"cB2JjWHVUb7smVHzp3Dq","token_expires_at":"2021-11-05T19:05:29.259Z"}

  6. Refresh the CI/CD page

  7. See that the listed runner has a "Token expires at"

  8. (Optional) Repeat steps with the shared runner or parent group runner expiration interval set to a lower value than the group expiration interval. Observe the warning about the enforced interval. See that this interval is enforced when you register the token.

Project runners

  1. Go to project

  2. Go to Settings > CI/CD

  3. Expand the Runners group

  4. Set the desired expiration time

  5. Copy the registration token and register with:

    $ curl --form 'token=abc123' http://gitlab.example.com/api/v4/runners
{"id":3,"token":"cB2JjWHVUb7smVHzp3Dq","token_expires_at":"2021-11-05T19:05:29.259Z"}

  6. Refresh the CI/CD page

  7. See that the listed runner has a "Token expires at"

  8. (Optional) Repeat steps with the shared runner or parent group runner expiration interval set to a lower value than the project expiration interval. Observe the warning about the enforced interval. See that this interval is enforced when you register the token.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Kyle Edwards

Merge request reports