Commit 93dc9760 authored by Thong Kuah

Merge branch 'ci-jwt-signing-key-enable-by-default' into 'master'

Update `ci_jwt_signing_key` feature flag to be enabled by default

See merge request gitlab-org/gitlab!47336
parents d9535c98 441b0564
---
title: Use dedicated signing key for CI_JOB_JWT by default
merge_request: 47336
author:
type: changed
...@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/258546 ...@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/258546
milestone: '13.6' milestone: '13.6'
type: development type: development
group: group::release management group: group::release management
default_enabled: false default_enabled: true
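Review bot: Flipping `default_enabled` to `true` on the last line of this hunk moves every instance that has not set the `ci_jwt_signing_key` flag explicitly onto the dedicated key at upgrade time, so please confirm in the merge request that the `ci_jwt_signing_key` application setting is already populated on existing installations. The Ruby change in this commit passes that setting straight into `key_data`, and nothing visible here handles an empty value. A link to the migration that generates the key, or a guard at the call site, would settle this.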
...@@ -56,7 +56,7 @@ The JWT's payload looks like this: ...@@ -56,7 +56,7 @@ The JWT's payload looks like this:
} }
``` ```
The JWT is encoded by using RS256 and signed with your GitLab instance's OpenID Connect private key. The expire time for the token will be set to job's timeout, if specified, or 5 minutes if it is not. The key used to sign this token may change without any notice. In such case retrying the job will generate new JWT using the current signing key. The JWT is encoded by using RS256 and signed with a dedicated private key. The expire time for the token will be set to job's timeout, if specified, or 5 minutes if it is not. The key used to sign this token may change without any notice. In such case retrying the job will generate new JWT using the current signing key.
You can use this JWT and your instance's JWKS endpoint (`https://gitlab.example.com/-/jwks`) to authenticate with a Vault server that is configured to allow the JWT Authentication method for authentication. You can use this JWT and your instance's JWKS endpoint (`https://gitlab.example.com/-/jwks`) to authenticate with a Vault server that is configured to allow the JWT Authentication method for authentication.
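Review bot: The reworded sentence "signed with a dedicated private key" reads as unconditional, but the `else` branch kept in the `key` method in this commit still signs with `openid_connect_signing_key` when the `ci_jwt_signing_key` flag is disabled. Suggest stating which key is used when the flag is off, and saying in the following paragraph whether the `/-/jwks` endpoint publishes the dedicated public key, so operators whose Vault configuration pins the OpenID Connect key know whether they need to change their verification setup before upgrading.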
......
...@@ -63,7 +63,7 @@ module Gitlab ...@@ -63,7 +63,7 @@ module Gitlab
def key def key
@key ||= begin @key ||= begin
key_data = if Feature.enabled?(:ci_jwt_signing_key, build.project) key_data = if Feature.enabled?(:ci_jwt_signing_key, build.project, default_enabled: true)
Gitlab::CurrentSettings.ci_jwt_signing_key Gitlab::CurrentSettings.ci_jwt_signing_key
else else
Rails.application.secrets.openid_connect_signing_key Rails.application.secrets.openid_connect_signing_key
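Review bot: `default_enabled: true` in the `Feature.enabled?` call now duplicates the value in the flag's YAML definition changed in this same commit, so the two can drift apart. A follow-up issue to remove the flag and the `else` branch once rollout is complete would avoid that. No spec change is visible in this diff, so please make sure both branches of `key` are covered, including the disabled path via `stub_feature_flags(ci_jwt_signing_key: false)`, since the fallback to `openid_connect_signing_key` is now the non-default case and is the one most likely to go untested.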
......