How to set up Workload Identity Federation for an on-prem Gitlab?

Question

We have an on-prem GitLab instance, which is not accessible publicly (only through a VPN).

The GCP documentation says that the IdP's OIDC metadata and JWKS endpoints need to be publicly accessible. How can we set up Workload Identity Federation in this case?

Also, the GitLab instance is v14.0, so the CI_JOB_JWT_V2 variable is unavailable. I suppose we will have to upgrade the version because there is no other way to get a correct JWT token.

Answer 1

Score: 3


You can use workload identity federation with other identity providers (IdPs) that support either the OpenID Connect (OIDC) or SAML authentication protocol. To perform this task, your external IdP should support OpenID Connect, with OIDC metadata and JWKS endpoints that are publicly accessible over the internet, as mentioned in the Cloud documentation.

Google Cloud uses these endpoints to download your IdP's key set and uses this key set to validate tokens.

You are using GitLab 14.0, in which the JWT is deprecated, since CI_JOB_JWT_V2 was deprecated in GitLab 15.9 and is scheduled to be removed in GitLab 16.5. Use ID tokens instead.

Use id_tokens to create JSON Web Tokens (JWTs) to authenticate with third-party services. All JWTs created this way support OIDC authentication. The required aud sub-keyword is used to configure the aud claim for the JWT, as mentioned in the GitLab docs.

Possible inputs:

  • Token names with their aud claims. aud can be a single string or an array of strings.

Example of id_tokens:

job_with_id_tokens:
  id_tokens:
    ID_TOKEN_1:
      aud: https://gitlab.com
    ID_TOKEN_2:
      aud:
        - https://gcp.com
        - https://aws.com
  script:
    - command_to_authenticate_with_gitlab $ID_TOKEN_1
    - command_to_authenticate_with_aws $ID_TOKEN_2

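The answer states that Google downloads the IdP's key set from the JWKS endpoint and validates the ID token with it. The following Go program is an added example, not code from the answer, from GitLab or from Google: it plays both sides of that exchange offline. MintSampleToken stands in for the GitLab instance (generates an RSA signing key, publishes it as a JWKS document of the kind GitLab serves at /oauth/discovery/keys, and mints an RS256 ID token with constructed job claims), and VerifyIDToken performs the checks the token consumer (Google's STS, in the WIF case) has to perform: key lookup by kid in the JWKS, signature verification, then iss, aud and exp. The issuer URL, the project number, pool and provider names inside the audience, the kid, the extra vault.example.internal audience (there only to exercise GitLab's array form of aud) and all claim values are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Constructed sample values; the audience is the form a Google WIF pool provider accepts by default (IDs assumed).
const SampleIssuer = "https://gitlab.example.internal"
const SampleAudience = "https://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/gitlab-pool/providers/gitlab-oidc"

var b64 = base64.RawURLEncoding

// decodeSegment base64url-decodes one JWT segment and parses the JSON into v.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// MintIDToken signs claims as an RS256 JWT with a kid header, the shape of a GitLab ID token.
func MintIDToken(kid string, priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + b64.EncodeToString(sig), err
}

// VerifyIDToken runs the checks the consumer (Google STS, for WIF) performs: select the key by kid from
// the JWKS, verify the RS256 signature, then check iss, aud and exp. No reachable JWKS, no key to verify with.
func VerifyIDToken(token string, jwksDoc []byte, wantIss, wantAud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	var keys struct{ Keys []struct{ Kid, Kty, N, E string } }
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil || hdr.Alg != "RS256" || json.Unmarshal(jwksDoc, &keys) != nil {
		return nil, errors.New("malformed token, unsupported alg or malformed JWKS")
	}
	var pub *rsa.PublicKey // the key comes only from the JWKS, never from anything inside the token
	for _, k := range keys.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); pub == nil || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("no JWKS key with matching kid, or signature verification failed")
	}
	var claims map[string]any
	if decodeSegment(parts[1], &claims) != nil || claims["iss"] != wantIss || !audContains(claims["aud"], wantAud) {
		return nil, errors.New("malformed claims, or issuer/audience mismatch")
	}
	if exp, _ := claims["exp"].(float64); now.Unix() >= int64(exp) {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}

// audContains accepts aud as a single string or, as GitLab's id_tokens allow, an array of strings.
func audContains(aud any, want string) bool {
	list, _ := aud.([]any)
	if s, ok := aud.(string); ok {
		list = []any{s}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// MintSampleToken plays the GitLab side: generate a key, publish its JWKS, mint a token with constructed job claims.
func MintSampleToken() (token string, jwksDoc []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	token, err = MintIDToken("gitlab-key-1", priv, map[string]any{
		"iss": SampleIssuer, "aud": []string{SampleAudience, "https://vault.example.internal"},
		"sub": "project_path:platform/deployer:ref_type:branch:ref:main", "exp": time.Now().Add(5 * time.Minute).Unix(),
	})
	jwksDoc, _ = json.Marshal(map[string]any{"keys": []map[string]string{{"kid": "gitlab-key-1", "kty": "RSA",
		"n": b64.EncodeToString(priv.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	return token, jwksDoc, err
}
```

Call MintSampleToken and then VerifyIDToken with SampleIssuer and SampleAudience from a main or a test. Note what the verifier needs: only the token and the JWKS document. The private key stays on the IdP, and everything Google has to fetch is that public JWKS (plus the OIDC discovery document that points to it), which is exactly the part that a VPN-only GitLab does not expose. Swapping in an empty JWKS, a different issuer or audience, or a later clock makes the same token fail, which is the behaviour an attribute-mapped workload identity pool provider relies on.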
huangapple
  • Posted by huangapple on 2023-05-29 17:16:22
  • Please keep this link when reposting: https://go.coder-hub.com/76356071.html