Use dedicated signing key for CI_JOB_JWT by default

This updates the `ci_jwt_signing_key` feature flag to be enabled by default. Related to https://gitlab.com/gitlab-org/gitlab/-/issues/258546.

Use dedicated signing key for CI_JOB_JWT by default
This updates the `ci_jwt_signing_key` feature flag to be enabled by default. Related to https://gitlab.com/gitlab-org/gitlab/-/issues/258546.
441b0564 · Krasimir Angelov · Thong Kuah · 78977b06 · 441b0564 · 441b0564
Commit 441b0564 authored Nov 12, 2020 by Krasimir Angelov Committed by Thong Kuah Nov 12, 2020
4 changed files
--- a/changelogs/unreleased/ci-jwt-signing-key-enable-by-default.yml
+++ b/changelogs/unreleased/ci-jwt-signing-key-enable-by-default.yml
+---
+title: Use dedicated signing key for CI_JOB_JWT by default
+merge_request: 47336
+author:
+type: changed
--- a/config/feature_flags/development/ci_jwt_signing_key.yml
+++ b/config/feature_flags/development/ci_jwt_signing_key.yml
@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/258546
 milestone: '13.6'
 type: development
 group: group::release management
-default_enabled: false
+default_enabled: true
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -56,7 +56,7 @@ The JWT's payload looks like this:
 }
 ```

-The JWT is encoded by using RS256 and signed with your GitLab instance's OpenID Connect private key. The expire time for the token will be set to job's timeout, if specified, or 5 minutes if it is not. The key used to sign this token may change without any notice. In such case retrying the job will generate new JWT using the current signing key.
+The JWT is encoded by using RS256 and signed with a dedicated private key. The expire time for the token will be set to job's timeout, if specified, or 5 minutes if it is not. The key used to sign this token may change without any notice. In such case retrying the job will generate new JWT using the current signing key.

 You can use this JWT and your instance's JWKS endpoint (`https://gitlab.example.com/-/jwks`) to authenticate with a Vault server that is configured to allow the JWT Authentication method for authentication.


--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -63,7 +63,7 @@ module Gitlab

      def key
        @key ||= begin
-                   key_data = if Feature.enabled?(:ci_jwt_signing_key, build.project)
+                   key_data = if Feature.enabled?(:ci_jwt_signing_key, build.project, default_enabled: true)
                                Gitlab::CurrentSettings.ci_jwt_signing_key
                              else
                                Rails.application.secrets.openid_connect_signing_key