Replace deprecated `CI_JOB_JWT` CI variable in Kokkuri
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	jnuche
	May 25 2023, 12:40 PM

Description

The variable is deprecated and scheduled for removal in GitLab 16. Replaced by the id_tokens mechanism.

Our GitLab instance's version is currently 15.9.8. ~~Kokkuri will need to be updated before we can upgrade to 16.0.1 or later.~~ GitLab page I referenced above was recently updated. It now mentions 16.5 as the version where the variable will be removed. Full details.

Details

	Subject	Repo	Branch	Lines +/-
	jwt_authorizer: reflect changes to accept multiple issuers	operations/puppet	production	+5 -5

Customize query in gerrit

Title	Reference	Author	Source Branch	Dest Branch
Use new Gitlab JWT mechanism	repos/releng/buildkit!54	dancy	wmf/v0.12-I365eddd13a865584afb54c1d2cc08f2f29abf3e0	wmf/v0.12
README: reflect change to allow multiple JWT issuers	repos/releng/jwt-authorizer!16	jnuche	update-readme	main
JWT issuer: allow for multiple values	repos/releng/jwt-authorizer!14	jnuche	mutliple-issuers	main
use latest version for the base Kokkuri image	repos/releng/kokkuri!86	jnuche	update-used-image-version	main
jwt: replace deprecated `CI_JOB_JWT` variable with an ID token	repos/releng/kokkuri!85	jnuche	jwt-deprecated-part-deux	main
Revert "jwt: replace deprecated `CI_JOB_JWT` variable with an ID token"	repos/releng/kokkuri!84	jnuche	revert	main
blubber: add missing Go toolchain package to `build-deb` variant	repos/releng/jwt-authorizer!13	jnuche	fix-deb-target	main
JWT issuer: hardcode transitory check for `https://gitlab.wikimedia.org`	repos/releng/jwt-authorizer!11	jnuche	multiple-issuers	main
jwt: support both `CI_JOB_JWT` and id tokens	repos/releng/kokkuri!83	jnuche	support-multiple-jwt-types	main
add support for multiple JWT issuers	repos/releng/reggie!74	jnuche	support-multiple-jwt-issuers	main
check additional audience claim in tokens	repos/releng/jwt-authorizer!10	jnuche	jwt-audience	main
jwt: replace deprecated `CI_JOB_JWT` variable with an ID token	repos/releng/kokkuri!73	jnuche	jwt-deprecated	main

Related Objects

Mentioned In: T365675: Upgrade GitLab to major version 17

Event Timeline

jnuche created this task.May 25 2023, 12:40 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 25 2023, 12:40 PM

jnuche claimed this task.May 25 2023, 12:41 PM

jnuche added a project: Release-Engineering-Team (They Live 🕶️🧟).

jnuche updated the task description. (Show Details)May 25 2023, 2:33 PM

dancy subscribed.May 25 2023, 3:32 PM

jnuche changed the task status from Open to In Progress.May 26 2023, 9:50 AM

jnuche moved this task from Backlog to In progress on the Release-Engineering-Team (They Live 🕶️🧟) board.

@brennen I updated the description. It seems this won't prevent us from upgrading to GitLab 16 after all.

jnuche opened https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/73

jwt: replace deprecated CI_JOB_JWT variable with an ID token

CodeReviewBot added a project: Patch-For-Review.May 30 2023, 12:12 PM

jnuche opened https://gitlab.wikimedia.org/repos/releng/jwt-authorizer/-/merge_requests/10

check additional audience claim in tokens

jeena moved this task from In progress to Waiting for review on the Release-Engineering-Team (They Live 🕶️🧟) board.Jun 12 2023, 9:02 PM

thcipriani edited projects, added Release-Engineering-Team (Escape Goats🐐); removed Release-Engineering-Team (They Live 🕶️🧟).Jul 26 2023, 2:52 PM

thcipriani moved this task from Backlog to Waiting for review on the Release-Engineering-Team (Escape Goats🐐) board.Jul 26 2023, 3:21 PM

jnuche moved this task from Waiting for review to In progress on the Release-Engineering-Team (Escape Goats🐐) board.Jul 31 2023, 11:21 AM

jnuche opened https://gitlab.wikimedia.org/repos/releng/reggie/-/merge_requests/74

add support for multiple JWT issuers

jnuche merged https://gitlab.wikimedia.org/repos/releng/reggie/-/merge_requests/74

add support for multiple JWT issuers

jnuche merged https://gitlab.wikimedia.org/repos/releng/gitlab-cloud-runner/-/merge_requests/242

Support multiple jwt issuers

jnuche opened https://gitlab.wikimedia.org/repos/releng/gitlab-cloud-runner/-/merge_requests/248

enable JWT debug temporarily for troubleshooting

jnuche opened https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/83

jwt: support both CI_JOB_JWT and id tokens

jnuche merged https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/83

jwt: support both CI_JOB_JWT and id tokens

jnuche closed https://gitlab.wikimedia.org/repos/releng/jwt-authorizer/-/merge_requests/10

check additional audience claim in tokens

jnuche opened https://gitlab.wikimedia.org/repos/releng/jwt-authorizer/-/merge_requests/11

JWT issuer: hardcode transitory check for https://gitlab.wikimedia.org

jnuche merged https://gitlab.wikimedia.org/repos/releng/jwt-authorizer/-/merge_requests/11

JWT issuer: hardcode transitory check for https://gitlab.wikimedia.org

jnuche opened https://gitlab.wikimedia.org/repos/releng/jwt-authorizer/-/merge_requests/13

blubber: add missing Go toolchain package to build-deb variant

jnuche merged https://gitlab.wikimedia.org/repos/releng/jwt-authorizer/-/merge_requests/13

blubber: add missing Go toolchain package to build-deb variant

Mentioned in SAL (#wikimedia-operations) [2023-08-16T14:51:41Z] <jelto> registry* - upgrade jwt-authorizer package on all 4 hosts to version 1.1.1-1 - T337474

jnuche merged https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/73

jwt: replace deprecated CI_JOB_JWT variable with an ID token

jnuche opened https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/84

Revert "jwt: replace deprecated CI_JOB_JWT variable with an ID token"

jnuche merged https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/84

Revert "jwt: replace deprecated CI_JOB_JWT variable with an ID token"

Mentioned in SAL (#wikimedia-operations) [2023-08-17T12:04:39Z] <jelto> restart jwt-authorizer service (docker-registry-ha-jwt.service) on registry nodes - T337474

jnuche opened https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/85

jwt: replace deprecated CI_JOB_JWT variable with an ID token

jnuche merged https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/85

jwt: replace deprecated CI_JOB_JWT variable with an ID token

jnuche opened https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/86

use latest version for the base Kokkuri image

jnuche merged https://gitlab.wikimedia.org/repos/releng/kokkuri/-/merge_requests/86

use latest version for the base Kokkuri image

jnuche opened https://gitlab.wikimedia.org/repos/releng/jwt-authorizer/-/merge_requests/14

JWT issuer: allow for multiple values

Change 951484 had a related patch set uploaded (by Jaime Nuche; author: Jaime Nuche):

[operations/puppet@production] jwt_authorizer: reflect changes to accept multiple issuers

https://gerrit.wikimedia.org/r/951484

jnuche merged https://gitlab.wikimedia.org/repos/releng/jwt-authorizer/-/merge_requests/14

JWT issuer: allow for multiple values

Mentioned in SAL (#wikimedia-operations) [2023-08-23T12:48:39Z] <jelto> update jwt-authorizer package to v1.2.0 - T337474

Mentioned in SAL (#wikimedia-operations) [2023-08-23T12:56:35Z] <jelto> registry* - upgrade jwt-authorizer package on all 4 hosts to version 1.2.0-1 - T337474

Change 951484 merged by Jelto:

[operations/puppet@production] jwt_authorizer: reflect changes to accept multiple issuers

https://gerrit.wikimedia.org/r/951484

jnuche opened https://gitlab.wikimedia.org/repos/releng/jwt-authorizer/-/merge_requests/16

README: reflect change to allow multiple JWT issuers

jnuche merged https://gitlab.wikimedia.org/repos/releng/jwt-authorizer/-/merge_requests/16

README: reflect change to allow multiple JWT issuers

The new id tokens changed the value in the issuer (iss) field which made the transition more complicated than expected. I updated both reggie and jwt-authorizer to support multiple issuers in case we need to handle a similar situation in the future.

Kokkuri has stopped using the CI_JOB_JWT variable and it's using id tokens instead.

Jelto added a project: collaboration-services.Aug 23 2023, 1:26 PM

Great work @jnuche !

dancy opened https://gitlab.wikimedia.org/repos/releng/buildkit/-/merge_requests/54

Use new Gitlab JWT mechanism

dancy merged https://gitlab.wikimedia.org/repos/releng/buildkit/-/merge_requests/54

Use new Gitlab JWT mechanism

Jelto mentioned this in T365675: Upgrade GitLab to major version 17.Wed, May 29, 10:32 AM