gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Machine ID: Support delegated joining on GitLab #17059

Closed strideynet closed 1 year ago

strideynet commented 2 years ago

Reference GitHub implementation at https://github.com/gravitational/teleport/pull/16938

https://docs.gitlab.com/ee/ci/cloud_services/

https://docs.gitlab.com/ee/ci/variables/index.html#pass-an-environment-variable-to-another-job

Reference

Information available in GitLab tokens

CI_JOB_JWT:

{
  "alg": "RS256",
  "kid": "4i3sFE7sxqNPOT7FdvcGA1ZVGGI_r-tsDXnEuYT4ZqE",
  "typ": "JWT"
},
{
  "namespace_id": "1008548",
  "namespace_path": "strideynet",
  "project_id": "39980849",
  "project_path": "strideynet/test-gitlab-jwt",
  "user_id": "842508",
  "user_login": "strideynet",
  "user_email": "redacted",
  "pipeline_id": "659183071",
  "pipeline_source": "push",
  "job_id": "3131574536",
  "ref": "main",
  "ref_type": "branch",
  "ref_protected": "true",
  "jti": "03362687-b43c-404a-b3bd-0a57e2f7b512",
  "iss": "gitlab.com",
  "iat": 1664985077,
  "nbf": 1664985072,
  "exp": 1664988677,
  "sub": "job_3131574536"
}

CI_JOB_JWT_V2:

{
  "alg": "RS256",
  "kid": "4i3sFE7sxqNPOT7FdvcGA1ZVGGI_r-tsDXnEuYT4ZqE",
  "typ": "JWT"
},
{
  "namespace_id": "1008548",
  "namespace_path": "strideynet",
  "project_id": "39980849",
  "project_path": "strideynet/test-gitlab-jwt",
  "user_id": "842508",
  "user_login": "strideynet",
  "user_email": "redacted",
  "pipeline_id": "659183071",
  "pipeline_source": "push",
  "job_id": "3131574536",
  "ref": "main",
  "ref_type": "branch",
  "ref_protected": "true",
  "jti": "f5e60e65-c5c8-4a27-a4d9-e689d580d084",
  "iss": "https://gitlab.com",
  "iat": 1664985077,
  "nbf": 1664985072,
  "exp": 1664988677,
  "sub": "project_path:strideynet/test-gitlab-jwt:ref_type:branch:ref:main",
  "aud": "https://gitlab.com"
}
mdaniel commented 2 years ago

Even if the full-blown CEL implementation doesn't make it in, please allow either substring matches, globbing, or regex, because within GitLab the hierarchy is a lot more complex than GitHub, and thus just trusting repository_owner: or one-by-one repository: items will be painful in most GL setups

strideynet commented 2 years ago

Even if the full-blown CEL implementation doesn't make it in, please allow either substring matches, globbing, or regex, because within GitLab the hierarchy is a lot more complex than GitHub, and thus just trusting repository_owner: or one-by-one repository: items will be painful in most GL setups

Indeed, it looks as if really we need to let users glob/regex on sub since GitLab doesn't seem to offer more broken down claims like GitHub do. Thanks for the feedback on this.

rosskusler commented 1 year ago

I too would love a way for Gitlab-ci jobs running in containerized/ephemeral environments (with no access to a long-running tbot daemon) to be able to leverage machine-id. If Teleport could be configured to trust the Gitlab signed JWT that would be really useful, I think.

strideynet commented 1 year ago

GitLab 15.7 introduced a new id_tokens config to replace CI_JOB_JWT_V2. It looks like in 16.0 the old style will be removed.

This new config enables the configuration of the aud claim:

https://gitlab.com/gitlab-org/gitlab/-/issues/356986 https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html

job_needing_oidc_auth:
  id_tokens:
    OIDC_TOKEN:
      aud: https://my.teleport.cluster
  script:
    - echo $OIDC_TOKEN

It should reference the name of the Teleport cluster. It produces a token in the V2 format:

{
  "namespace_id": "1008548",
  "namespace_path": "strideynet",
  "project_id": "44082717",
  "project_path": "strideynet/gitlab-sandbox",
  "user_id": "842508",
  "user_login": "strideynet",
  "user_email": "redacted",
  "pipeline_id": "797448961",
  "pipeline_source": "push",
  "job_id": "3881800392",
  "ref": "main",
  "ref_type": "branch",
  "ref_protected": "true",
  "jti": "7df5bf03-31a6-4689-95f9-be9170853595",
  "iss": "https://gitlab.com",
  "iat": 1678115324,
  "nbf": 1678115319,
  "exp": 1678118924,
  "sub": "project_path:strideynet/gitlab-sandbox:ref_type:branch:ref:main",
  "aud": "https://my.teleport.cluster"
}

Do we force users to use TBOT_GITLAB_JWT as the token name or similar? Do we allow this to be customised?

imo: we should aim to target this new style only, and forget about CI_JOB_JWT_V2 and CI_JOB_JWT as these are likely to be removed.
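The check the thread is converging on, as an added example in Go that is not Teleport's code and not GitLab's: accept only an RS256 token whose signature verifies against a key known by kid, whose iss is the https://gitlab.com form seen in the V2 and id_tokens dumps, whose aud equals the cluster name configured in the job's id_tokens block, whose nbf/exp window contains now and whose ref_protected is "true", and then require sub to match one of a list of globs, which is the matching mdaniel and strideynet discuss above because GitLab packs project path, ref type and ref into a single sub string instead of separate claims. Everything below is assumed for illustration: newTestKeys replaces GitLab's JWKS with a locally generated key, signRS256 stands in for GitLab minting the token, sampleClaims is constructed test data copied from the id_tokens payload above, and the "list of sub globs" rule shape is a placeholder, not Teleport's join-token schema.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
	"time"
)

type Claims struct { // the part of the GitLab ID token payload that the join decision uses
	RefProtected string `json:"ref_protected"` // GitLab emits the string "true"/"false"
	Sub          string `json:"sub"`
	Iss          string `json:"iss"`
	Aud          string `json:"aud"`
	Nbf          int64  `json:"nbf"`
	Exp          int64  `json:"exp"`
}

const gitlabIssuer = "https://gitlab.com" // iss of CI_JOB_JWT_V2 and id_tokens tokens (CI_JOB_JWT used bare "gitlab.com")
var enc = base64.RawURLEncoding

// newTestKeys stands in for GitLab's JWKS endpoint: one RSA key published under a kid (assumed test helper).
func newTestKeys() (*rsa.PrivateKey, map[string]*rsa.PublicKey, string) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key, map[string]*rsa.PublicKey{"test-kid": &key.PublicKey}, "test-kid"
}

// signRS256 mints a compact JWS (header.payload.signature) the way GitLab does; test helper only.
func signRS256(key *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig)
}

// globToRegexp turns "a/*:x" into ^a/.*:x$; "*" deliberately spans "/" so that
// one rule can cover a GitLab group together with all of its subgroups.
func globToRegexp(glob string) (*regexp.Regexp, error) {
	return regexp.Compile("^" + strings.ReplaceAll(regexp.QuoteMeta(glob), `\*`, ".*") + "$")
}

// verifyGitLabToken: alg, kid and signature first, then iss/aud, nbf/exp and ref_protected, then one sub glob must match.
func verifyGitLabToken(token string, keys map[string]*rsa.PublicKey, clusterName string, now time.Time, subGlobs []string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	rawHdr, err1 := enc.DecodeString(parts[0])
	rawBody, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "RS256" || keys[hdr.Kid] == nil {
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", hdr.Alg, hdr.Kid) // the token never picks the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(keys[hdr.Kid], crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(rawBody, &c); err != nil || c.Iss != gitlabIssuer || c.Aud != clusterName {
		return nil, fmt.Errorf("iss %q / aud %q were not issued for this cluster", c.Iss, c.Aud)
	}
	if t := now.Unix(); t < c.Nbf || t >= c.Exp || c.RefProtected != "true" {
		return nil, fmt.Errorf("outside nbf/exp window, or ref is not protected (ref_protected=%q)", c.RefProtected)
	}
	for _, g := range subGlobs {
		if re, err := globToRegexp(g); err != nil {
			return nil, err
		} else if re.MatchString(c.Sub) {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("no sub glob matched %q", c.Sub)
}

// sampleClaims is constructed test data mirroring the id_tokens payload dumped in the thread.
func sampleClaims(aud, projectPath string, now time.Time) Claims {
	return Claims{RefProtected: "true", Sub: "project_path:" + projectPath + ":ref_type:branch:ref:main",
		Iss: gitlabIssuer, Aud: aud, Nbf: now.Unix() - 5, Exp: now.Unix() + 3600}
}

func main() {
	key, keys, kid := newTestKeys()
	tok := signRS256(key, kid, sampleClaims("https://my.teleport.cluster", "strideynet/gitlab-sandbox", time.Now()))
	_, err := verifyGitLabToken(tok, keys, "https://my.teleport.cluster", time.Now(), []string{"project_path:strideynet/*:ref_type:branch:ref:main"})
	fmt.Println("accepted:", err == nil, err)
}
```

Two points the code makes that the YAML alone does not. First, the aud check is what makes the id_tokens style safe to trust: a CI_JOB_JWT_V2 from the same job carries aud=https://gitlab.com and is refused with the same signing key, so a token meant for GitLab cannot be replayed at the cluster, and a token minted for another cluster's aud is refused the same way. Second, the glob's "*" spans "/" on purpose so "project_path:strideynet/*:ref_type:branch:ref:main" also admits subgroup projects such as strideynet/infra/deploy; because "*" equally spans ":", a glob should always pin ref_type and ref rather than end in "*", or a feature branch in the same group would match.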

strideynet commented 1 year ago

Note: we should ensure the minimum requirement of GitLab 15.7 is communicated.

strideynet commented 1 year ago

Released in 12.2