Closed strideynet closed 1 year ago
Even if the full-blown CEL implementation doesn't make it in, please allow either substring matches, globbing, or regex, because within GitLab the hierarchy is a lot more complex than GitHub, and thus just trusting `repository_owner:` or one-by-one `repository:` items will be painful in most GL setups.
Indeed, it looks as if really we need to let users glob/regex on `sub`, since GitLab doesn't seem to offer more broken down claims like GitHub does. Thanks for the feedback on this.
I too would love a way for Gitlab-ci jobs running in containerized/ephemeral environments (with no access to a long-running tbot daemon) to be able to leverage machine-id. If Teleport could be configured to trust the Gitlab signed JWT that would be really useful, I think.
GitLab 15.7 introduced new `id_tokens` config to replace `CI_JOB_JWT_V2`. It looks like in 16.0, the old style will be removed.

This new config enables the configuration of the `aud` claim:

- https://gitlab.com/gitlab-org/gitlab/-/issues/356986
- https://docs.gitlab.com/ee/ci/yaml/index.html#id_tokens
- https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html
```yaml
job_needing_oidc_auth:
  id_tokens:
    OIDC_TOKEN:
      aud: https://my.teleport.cluster
  script:
    - echo $OIDC_TOKEN
```
It should reference the name of the Teleport cluster. It produces a token in the V2 format:
```json
{
  "namespace_id": "1008548",
  "namespace_path": "strideynet",
  "project_id": "44082717",
  "project_path": "strideynet/gitlab-sandbox",
  "user_id": "842508",
  "user_login": "strideynet",
  "user_email": "redacted",
  "pipeline_id": "797448961",
  "pipeline_source": "push",
  "job_id": "3881800392",
  "ref": "main",
  "ref_type": "branch",
  "ref_protected": "true",
  "jti": "7df5bf03-31a6-4689-95f9-be9170853595",
  "iss": "https://gitlab.com",
  "iat": 1678115324,
  "nbf": 1678115319,
  "exp": 1678118924,
  "sub": "project_path:strideynet/gitlab-sandbox:ref_type:branch:ref:main",
  "aud": "https://my.teleport.cluster"
}
```
Do we force users to use `TBOT_GITLAB_JWT` as the token name or similar? Do we allow this to be customised?
imo: we should aim to target this new style only, and forget about `CI_JOB_JWT_V2` and `CI_JOB_JWT` as these are likely to be removed.
Note: we should ensure the minimum requirement of GitLab 15.7 is communicated.
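The two points raised above, checking the `aud` claim of the new `id_tokens`-style token against the cluster and glob-matching on `sub` because GitLab offers no finer-grained claims, as an added example that is not Teleport's code. It assumes the JWT signature has already been verified against GitLab's signing keys and only shows the claim rules; the rule fields (`sub`, `project_path`, `ref_protected`) are hypothetical, and the sample claims are copied from the token shown above.

```python
"""Claim checks a join rule might apply to a GitLab ID token (added example).
Assumes signature verification already happened; only claim logic is shown."""
import time
from fnmatch import fnmatchcase

# Constructed input: the relevant claims from the sample token above.
SAMPLE_CLAIMS = {
    "project_path": "strideynet/gitlab-sandbox",
    "ref": "main",
    "ref_type": "branch",
    "ref_protected": "true",  # GitLab emits this as a string, not a JSON bool
    "iss": "https://gitlab.com",
    "iat": 1678115324,
    "nbf": 1678115319,
    "exp": 1678118924,
    "sub": "project_path:strideynet/gitlab-sandbox:ref_type:branch:ref:main",
    "aud": "https://my.teleport.cluster",
}


def check_claims(claims, cluster_name, rules, now=None, issuer="https://gitlab.com"):
    """Return (accepted, reason).

    rules: list of hypothetical rule dicts holding glob patterns for 'sub' and
    optionally 'project_path', 'ref', 'ref_type', plus a 'ref_protected' bool.
    The token is accepted if any rule matches."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "unexpected issuer"
    # aud must name this cluster: a token minted for another audience is rejected
    aud = claims.get("aud")
    if aud != cluster_name and not (isinstance(aud, list) and cluster_name in aud):
        return False, "audience mismatch"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return False, "token not within nbf/exp window"
    for rule in rules:
        glob_keys = [k for k in ("sub", "project_path", "ref", "ref_type") if k in rule]
        if not all(fnmatchcase(str(claims.get(k, "")), rule[k]) for k in glob_keys):
            continue
        # ref_protected arrives as "true"/"false"; compare the string form
        if rule.get("ref_protected") and claims.get("ref_protected") != "true":
            continue
        return True, "matched rule"
    return False, "no rule matched"
```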
Released in 12.2
Reference GitHub implementation at https://github.com/gravitational/teleport/pull/16938
https://docs.gitlab.com/ee/ci/cloud_services/
https://docs.gitlab.com/ee/ci/variables/index.html#pass-an-environment-variable-to-another-job
Reference

- Information available in GitLab tokens
  - `CI_JOB_JWT`:
  - `CI_JOB_JWT_V2`