Handling of the New Auto Token Rotation Feature #1196
Comments
MrGiga
changed the title
|
The first solution is not an option as rotating the tokens adds security. Solution two sounds feasible. We have to make sure that older versions of the Runner are still working. Not sure when the |
Looks like it first appeared in v15.10.0 Sources: |
|
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days. |
|
Post to keep alive |
Describe the solution you'd like
The new runner authentication method includes an auto-rotation feature (disabled by default). For this feature to function, the expiration interval must be configured within GitLab. Once the interval is set and the time is reached, the Gitlab runner automatically initiate a process to reset the token, with the new token stored in the configuration file. The SSM 'token counter' method will be removed in the upcoming version 8.0.0 of this module (As noted
here ). I am proposing that that implementation is not removed and instead is re-used to handle the new auto-rotation feature. Otherwise this module will not be compatible with Gitlab instances that have the auto-rotation feature enabled.
Describe alternatives you've considered
None
Suggest a solution
There are two possible solutions:
First Solution (easiest):
Mark the handling of token rotation as out of scope and add a disclaimer in the documentation.
Second Solution:
Do not remove the "usage counter" SSM parameter and use that along with the
reset-tokencommand. The process would be as follows:token_expires_atif it exists move to step 2 otherwise skip.reset-tokencommand - https://docs.gitlab.com/runner/commands/#gitlab-runner-reset-tokenAdditional context
The token rotation handling event should most likely occur during the termination of the runners. In my use case I rotate out the runners every week which results in the latest AMI version being used but that would not be suitable for everyone. Handling a race condition properly is hard.
The text was updated successfully, but these errors were encountered: