Toggle JWT access from CI/CD settings
What does this MR do and why?
For #360657 (closed). Requires !109194 (merged) to be merged first.
This allows the user to limit JWT access from pipeline jobs such that the token must be manually declared in each job that needs it. The toggle is available in the CI/CD settings and is disabled by default.
Screenshots or screen recordings
Screenshots (images not included here): Toggle Enabled, Toggle Disabled.
How to set up and validate locally
Verifying through Rails Console
- Pull the changes from !109194 (merged).
- Go to Settings > CI/CD > Token Access > Limit JSON Web Token (JWT) access.
- Enable/Disable the toggle.
- In the Rails console, check the value of `Project.find(<project_id>).ci_cd_settings.opt_in_jwt`. It should have the same value as the toggle in the UI.
Verifying the JWT limit
The following should work when the toggle is enabled.
- Set up your GDK to use Hashicorp Vault (Docs). Your GDK must have a Premium license and must be set up to use HTTPS.
- Add the following to your `.gitlab-ci.yml` file, prefilling the values with the ones provided in Step 1:

  ```yaml
  test_secrets:
    variables:
      VAULT_AUTH_PATH: gitlab
      VAULT_AUTH_ROLE: gitlab-test-role
      VAULT_SERVER_URL: http://127.0.0.1:8200
    id_tokens:
      TEST_ID_TOKEN:
        aud: http://gdk.test:3000
    secrets:
      DATABASE_PASSWORD:
        vault: gitlab-test/db/password
    script:
      - echo $DATABASE_PASSWORD
      - cat $DATABASE_PASSWORD
  ```

- Save your `.gitlab-ci.yml` file and run a pipeline. The job should print the value of `$DATABASE_PASSWORD` (the secret is written to a file by default, so `echo` prints the file path and `cat` prints the secret itself).
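To confirm from inside the job which tokens it actually received when the toggle is enabled, the following helpers can be sourced from the job's `script`. This is an added example, not code from the MR or from GitLab; it assumes a POSIX `sh` with `cut`, `tr`, `sed` and a `base64` that accepts `-d`, and the sample token at the bottom is constructed for offline use.

```sh
#!/bin/sh
# Added example, not part of the MR or of GitLab: helpers for the test_secrets
# job's script that show which JWTs the job received.
# Assumes POSIX sh with cut, tr, sed and a base64 that accepts -d.

# Print the decoded payload (second segment) of a JWT.
# This only inspects claims for the job log; it does not verify the signature,
# so never treat the output as authenticated.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2)
  # base64url alphabet -> standard base64, then restore the stripped padding
  seg=$(printf '%s' "$seg" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the aud claim of a JWT (string-valued aud only, which is what a
# single `aud:` under id_tokens produces).
jwt_aud() {
  jwt_payload "$1" | sed -n 's/.*"aud":"\([^"]*\)".*/\1/p'
}

# Succeed only if none of the legacy CI_JOB_JWT* variables is set, i.e. the job
# holds just the tokens it declared under id_tokens.
legacy_jwt_absent() {
  [ -z "${CI_JOB_JWT:-}" ] && [ -z "${CI_JOB_JWT_V1:-}" ] && [ -z "${CI_JOB_JWT_V2:-}" ]
}

# Constructed sample token for offline use (header.payload.signature).
# Payload is {"aud":"http://gdk.test:3000"}; the signature segment is a dummy.
SAMPLE_JWT='eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwOi8vZ2RrLnRlc3Q6MzAwMCJ9.c2ln'

# Example use inside the job script (TEST_ID_TOKEN is the id_tokens entry
# declared in .gitlab-ci.yml):
#   jwt_aud "$TEST_ID_TOKEN"
#   legacy_jwt_absent && echo "no legacy CI_JOB_JWT injected"
```

`jwt_aud "$TEST_ID_TOKEN"` should print the `aud` configured in the job (`http://gdk.test:3000` in the file above), which is the audience Vault's JWT auth role is expected to check; `legacy_jwt_absent` is the quick check that a job only gets the token it declared.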
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.