Merge branch 'ci-jwt-signing-key-enable-by-default' into 'master'

Update `ci_jwt_signing_key` feature flag to be enabled by default See merge request gitlab-org/gitlab!47336

Merge branch 'ci-jwt-signing-key-enable-by-default' into 'master'
Update `ci_jwt_signing_key` feature flag to be enabled by default See merge request gitlab-org/gitlab!47336
93dc9760 · Thong Kuah · d9535c98 · 441b0564 · 93dc9760 · 93dc9760
Commit 93dc9760 authored Nov 12, 2020 by Thong Kuah
4 changed files
--- a/changelogs/unreleased/ci-jwt-signing-key-enable-by-default.yml
+++ b/changelogs/unreleased/ci-jwt-signing-key-enable-by-default.yml
+---
+title: Use dedicated signing key for CI_JOB_JWT by default
+merge_request: 47336
+author:
+type: changed
--- a/config/feature_flags/development/ci_jwt_signing_key.yml
+++ b/config/feature_flags/development/ci_jwt_signing_key.yml
@@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/258546
 milestone: '13.6'
 type: development
 group: group::release management
-default_enabled: false
+default_enabled: true
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -56,7 +56,7 @@ The JWT's payload looks like this:
 }
 ```

-The JWT is encoded by using RS256 and signed with your GitLab instance's OpenID Connect private key. The expire time for the token will be set to job's timeout, if specified, or 5 minutes if it is not. The key used to sign this token may change without any notice. In such case retrying the job will generate new JWT using the current signing key.
+The JWT is encoded by using RS256 and signed with a dedicated private key. The expire time for the token will be set to job's timeout, if specified, or 5 minutes if it is not. The key used to sign this token may change without any notice. In such case retrying the job will generate new JWT using the current signing key.

 You can use this JWT and your instance's JWKS endpoint (`https://gitlab.example.com/-/jwks`) to authenticate with a Vault server that is configured to allow the JWT Authentication method for authentication.


--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -63,7 +63,7 @@ module Gitlab

      def key
        @key ||= begin
-                   key_data = if Feature.enabled?(:ci_jwt_signing_key, build.project)
+                   key_data = if Feature.enabled?(:ci_jwt_signing_key, build.project, default_enabled: true)
                                Gitlab::CurrentSettings.ci_jwt_signing_key
                              else
                                Rails.application.secrets.openid_connect_signing_key