Commit 441b0564 authored by Krasimir Angelov's avatar Krasimir Angelov Committed by Thong Kuah

Use dedicated signing key for CI_JOB_JWT by default

This updates the `ci_jwt_signing_key` feature flag to be enabled by
default.

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/258546.
parent 78977b06
---
title: Use dedicated signing key for CI_JOB_JWT by default
merge_request: 47336
author:
type: changed
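Review bot: the changelog entry names the behaviour change but not the feature flag behind it; since the change is a default flip of `ci_jwt_signing_key` rather than a removal, the entry (or the linked MR description) should say that admins can still disable the flag to fall back to the previous OpenID Connect signing key, so operators reading the changelog know the rollback path.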
...@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/258546 ...@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/258546
milestone: '13.6' milestone: '13.6'
type: development type: development
group: group::release management group: group::release management
default_enabled: false default_enabled: true
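Review bot: flipping `default_enabled` to `true` here only takes effect if every `Feature.enabled?(:ci_jwt_signing_key, ...)` call site passes `default_enabled: true` as well; the hunk in `lib/gitlab/ci/jwt.rb` below does, but it is worth grepping for any other caller of this flag (specs included) so none of them silently keeps the old default.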
...@@ -56,7 +56,7 @@ The JWT's payload looks like this: ...@@ -56,7 +56,7 @@ The JWT's payload looks like this:
} }
``` ```
The JWT is encoded by using RS256 and signed with your GitLab instance's OpenID Connect private key. The expire time for the token will be set to job's timeout, if specified, or 5 minutes if it is not. The key used to sign this token may change without any notice. In such case retrying the job will generate new JWT using the current signing key. The JWT is encoded by using RS256 and signed with a dedicated private key. The expire time for the token will be set to job's timeout, if specified, or 5 minutes if it is not. The key used to sign this token may change without any notice. In such case retrying the job will generate new JWT using the current signing key.
You can use this JWT and your instance's JWKS endpoint (`https://gitlab.example.com/-/jwks`) to authenticate with a Vault server that is configured to allow the JWT Authentication method for authentication. You can use this JWT and your instance's JWKS endpoint (`https://gitlab.example.com/-/jwks`) to authenticate with a Vault server that is configured to allow the JWT Authentication method for authentication.
......
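Review bot: the updated sentence says the JWT is "signed with a dedicated private key", but the code still falls back to the OpenID Connect signing key when the `ci_jwt_signing_key` flag is disabled on a project or instance; consider adding a short note that the dedicated key is behind a default-enabled feature flag and that the published JWKS endpoint (`/-/jwks`) is what verifiers such as Vault should trust in either case, so readers are not surprised when an instance with the flag off still signs with the OIDC key. The existing wording "will generate new JWT" also reads better as "will generate a new JWT".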
...@@ -63,7 +63,7 @@ module Gitlab ...@@ -63,7 +63,7 @@ module Gitlab
def key def key
@key ||= begin @key ||= begin
key_data = if Feature.enabled?(:ci_jwt_signing_key, build.project) key_data = if Feature.enabled?(:ci_jwt_signing_key, build.project, default_enabled: true)
Gitlab::CurrentSettings.ci_jwt_signing_key Gitlab::CurrentSettings.ci_jwt_signing_key
else else
Rails.application.secrets.openid_connect_signing_key Rails.application.secrets.openid_connect_signing_key
......
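Review bot: with the flag now on by default, `Gitlab::CurrentSettings.ci_jwt_signing_key` is the value that will be used on every instance, and the hunk shows no handling for it being absent; please confirm that the setting is guaranteed to be populated (generated on boot or on first use) before this flips, or add an explicit guard, because a `nil` `key_data` here would fail at key construction inside the memoized `@key ||= begin` block and break every job that requests `CI_JOB_JWT`. The `default_enabled: true` argument itself correctly matches the flag definition change.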