Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handling of the New Auto Token Rotation Feature #1196

Open
MrGiga opened this issue Oct 15, 2024 · 2 comments
Open

Handling of the New Auto Token Rotation Feature #1196

MrGiga opened this issue Oct 15, 2024 · 2 comments

Comments

@MrGiga
Copy link
Contributor

MrGiga commented Oct 15, 2024
edited
Loading

Describe the solution you'd like

The new runner authentication method includes an auto-rotation feature (disabled by default). For this feature to function, the expiration interval must be configured within GitLab. Once the interval is set and the time is reached, the Gitlab runner automatically initiate a process to reset the token, with the new token stored in the configuration file. The SSM 'token counter' method will be removed in the upcoming version 8.0.0 of this module (As noted
here ). I am proposing that that implementation is not removed and instead is re-used to handle the new auto-rotation feature. Otherwise this module will not be compatible with Gitlab instances that have the auto-rotation feature enabled.

Describe alternatives you've considered

None

Suggest a solution

There are two possible solutions:

First Solution (easiest):
Mark the handling of token rotation as out of scope and add a disclaimer in the documentation.

Second Solution:
Do not remove the "usage counter" SSM parameter and use that along with the reset-token command. The process would be as follows:

  1. SED config.toml for token_expires_at if it exists move to step 2 otherwise skip.
  2. Check the usage counter, if it is 0 then continue to step 2
  3. Run the reset-token command - https://docs.gitlab.com/runner/commands/#gitlab-runner-reset-token
  4. SED config.toml for Token value
  5. Update token value in SSM Parameter

Additional context

The token rotation handling event should most likely occur during the termination of the runners. In my use case I rotate out the runners every week which results in the latest AMI version being used but that would not be suitable for everyone. Handling a race condition properly is hard.
@MrGiga MrGiga changed the title Handling of the Auto Token Rotation Handling of the New Auto Token Rotation Feature Oct 15, 2024
@kayman-mk
Copy link
Collaborator

kayman-mk commented Oct 15, 2024
edited
Loading

The first solution is not an option as rotating the tokens adds security.

Solution two sounds feasible.

We have to make sure that older versions of the Runner are still working. Not sure when the reset-token command was added.

@MrGiga
Copy link
Contributor Author

MrGiga commented Oct 15, 2024

The first solution is not an option as rotating the tokens adds security.

Solution two sounds feasible.

We have to make sure that older versions of the Runner are still working. Not sure when the reset-token command was added.

Looks like it first appeared in v15.10.0

Sources:
MR: https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/3209
Commit: https://gitlab.com/gitlab-org/gitlab-runner/-/commit/5e8770d2cb1606f7db37d2ae706c8ad099e57295

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@MrGiga @kayman-mk