
Replace deprecated `CI_JOB_JWT` CI variable in Kokkuri
Closed, Resolved (Public)

Description

The variable is deprecated and scheduled for removal in GitLab 16. Replaced by the id_tokens mechanism.

Our GitLab instance's version is currently 15.9.8. Kokkuri will need to be updated before we can upgrade to 16.0.1 or later. The GitLab page I referenced above was recently updated. It now mentions 16.5 as the version where the variable will be removed. Full details.

Details

| Reference | Source Branch | Dest Branch | Author | Title |
|---|---|---|---|---|
| repos/releng/buildkit!54 | wmf/v0.12-I365eddd13a865584afb54c1d2cc08f2f29abf3e0 | wmf/v0.12 | dancy | Use new Gitlab JWT mechanism |
| repos/releng/jwt-authorizer!16 | update-readme | main | jnuche | README: reflect change to allow multiple JWT issuers |
| repos/releng/jwt-authorizer!14 | mutliple-issuers | main | jnuche | JWT issuer: allow for multiple values |
| repos/releng/kokkuri!86 | update-used-image-version | main | jnuche | use latest version for the base Kokkuri image |
| repos/releng/kokkuri!85 | jwt-deprecated-part-deux | main | jnuche | jwt: replace deprecated `CI_JOB_JWT` variable with an ID token |
| repos/releng/kokkuri!84 | revert | main | jnuche | Revert "jwt: replace deprecated `CI_JOB_JWT` variable with an ID token" |
| repos/releng/jwt-authorizer!13 | fix-deb-target | main | jnuche | blubber: add missing Go toolchain package to `build-deb` variant |
| repos/releng/jwt-authorizer!11 | multiple-issuers | main | jnuche | JWT issuer: hardcode transitory check for `https://gitlab.wikimedia.org` |
| repos/releng/kokkuri!83 | support-multiple-jwt-types | main | jnuche | jwt: support both `CI_JOB_JWT` and id tokens |
| repos/releng/reggie!74 | support-multiple-jwt-issuers | main | jnuche | add support for multiple JWT issuers |
| repos/releng/jwt-authorizer!10 | jwt-audience | main | jnuche | check additional audience claim in tokens |
| repos/releng/kokkuri!73 | jwt-deprecated | main | jnuche | jwt: replace deprecated `CI_JOB_JWT` variable with an ID token |

Event Timeline

jnuche changed the task status from Open to In Progress. May 26 2023, 9:50 AM

@brennen I updated the description. It seems this won't prevent us from upgrading to GitLab 16 after all.

jnuche opened https://gitlab.wikimedia.org/repos/releng/jwt-authorizer/-/merge_requests/11

JWT issuer: hardcode transitory check for https://gitlab.wikimedia.org

jnuche merged https://gitlab.wikimedia.org/repos/releng/jwt-authorizer/-/merge_requests/11

JWT issuer: hardcode transitory check for https://gitlab.wikimedia.org

Mentioned in SAL (#wikimedia-operations) [2023-08-16T14:51:41Z] <jelto> registry* - upgrade jwt-authorizer package on all 4 hosts to version 1.1.1-1 - T337474

jnuche opened https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/84

Revert "jwt: replace deprecated CI_JOB_JWT variable with an ID token"

jnuche merged https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/84

Revert "jwt: replace deprecated CI_JOB_JWT variable with an ID token"

Mentioned in SAL (#wikimedia-operations) [2023-08-17T12:04:39Z] <jelto> restart jwt-authorizer service (docker-registry-ha-jwt.service) on registry nodes - T337474

Change 951484 had a related patch set uploaded (by Jaime Nuche; author: Jaime Nuche):

[operations/puppet@production] jwt_authorizer: reflect changes to accept multiple issuers

https://gerrit.wikimedia.org/r/951484

Mentioned in SAL (#wikimedia-operations) [2023-08-23T12:48:39Z] <jelto> update jwt-authorizer package to v1.2.0 - T337474

Mentioned in SAL (#wikimedia-operations) [2023-08-23T12:56:35Z] <jelto> registry* - upgrade jwt-authorizer package on all 4 hosts to version 1.2.0-1 - T337474

Change 951484 merged by Jelto:

[operations/puppet@production] jwt_authorizer: reflect changes to accept multiple issuers

https://gerrit.wikimedia.org/r/951484

The new id tokens changed the value in the issuer (iss) field which made the transition more complicated than expected. I updated both reggie and jwt-authorizer to support multiple issuers in case we need to handle a similar situation in the future.

Kokkuri has stopped using the CI_JOB_JWT variable and it's using id tokens instead.
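
An added example, not code from jwt-authorizer, reggie or Kokkuri: a claim check that accepts an allowlist of issuers and requires an audience, the two checks this task's merge requests describe. The bare-hostname issuer form, the audience value `registry.example` and the function name `CheckClaims` are assumptions, and the token's signature and expiry are assumed to be verified before this runs.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Audience accepts both "aud" forms allowed by RFC 7519: a string or an array.
type Audience []string

func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*a = Audience{one}
		return nil
	}
	var many []string
	err := json.Unmarshal(b, &many) // anything else (number, object) is rejected
	*a = many
	return err
}

// CheckClaims enforces an exact-match issuer allowlist and a required audience
// on the claim set of a token whose signature and expiry were already verified.
func CheckClaims(payload []byte, issuers map[string]bool, wantAud string) error {
	var c struct {
		Issuer   string   `json:"iss"`
		Audience Audience `json:"aud"`
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("bad claim set: %w", err)
	}
	if c.Issuer == "" || !issuers[c.Issuer] {
		return fmt.Errorf("issuer %q not in allowlist", c.Issuer)
	}
	for _, aud := range c.Audience {
		if wantAud != "" && aud == wantAud {
			return nil
		}
	}
	return fmt.Errorf("required audience %q missing", wantAud)
}

func main() {
	// Constructed sample values; the issuer forms and audience are assumptions.
	issuers := map[string]bool{"gitlab.wikimedia.org": true, "https://gitlab.wikimedia.org": true}
	ok := []byte(`{"iss":"https://gitlab.wikimedia.org","aud":["registry.example"]}`)
	fmt.Println(CheckClaims(ok, issuers, "registry.example")) // <nil>
}
```

Exact string matching on `iss` matters here: a prefix or substring match would accept a lookalike issuer, and dropping the old issuer from the allowlist once no client sends it closes the transition.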