Handling of the New Auto Token Rotation Feature #1196

Open
MrGiga opened this issue Oct 15, 2024 · 4 comments
Labels
work-in-progress Issue/PR is worked, should not become stale

Comments

@MrGiga
Contributor

MrGiga commented Oct 15, 2024

Describe the solution you'd like

The new runner authentication method includes an auto-rotation feature (disabled by default). For this feature to function, the expiration interval must be configured within GitLab. Once the interval is set and the time is reached, the GitLab runner automatically initiates a process to reset the token, with the new token stored in the configuration file. The SSM 'token counter' method will be removed in the upcoming version 8.0.0 of this module (as noted here). I am proposing that that implementation is not removed and instead is re-used to handle the new auto-rotation feature. Otherwise this module will not be compatible with GitLab instances that have the auto-rotation feature enabled.

Describe alternatives you've considered

None

Suggest a solution

There are two possible solutions:

First Solution (easiest):
Mark the handling of token rotation as out of scope and add a disclaimer in the documentation.

Second Solution:
Do not remove the "usage counter" SSM parameter and use that along with the reset-token command. The process would be as follows:

  1. SED config.toml for token_expires_at; if it exists, move to step 2, otherwise skip.
  2. Check the usage counter; if it is 0, then continue to step 2
  3. Run the reset-token command - https://docs.gitlab.com/runner/commands/#gitlab-runner-reset-token
  4. SED config.toml for Token value
  5. Update token value in SSM Parameter

Additional context

The token rotation handling event should most likely occur during the termination of the runners. In my use case I rotate out the runners every week which results in the latest AMI version being used but that would not be suitable for everyone. Handling a race condition properly is hard.
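The steps of the second solution, as an added sketch that is not part of the original post or of the module's code. `RUNNER_BIN`, `AWS_BIN`, the SSM parameter names and the sample config are assumptions made here, as is `reset-token` accepting `--config` and `--all-runners`.

```bash
#!/usr/bin/env bash
# Added sketch, not the module's code. RUNNER_BIN/AWS_BIN, the SSM parameter
# names and the sample config below are assumptions made for this example.
: "${RUNNER_BIN:=gitlab-runner}" "${AWS_BIN:=aws}"

# Print the value of <key> from the first matching line of config.toml.
toml_value() {  # toml_value <file> <key>
  sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Steps 1-2: reset only if an expiry is set and the usage counter is 0.
rotation_needed() {  # rotation_needed <file> <usage_counter>
  local expires
  expires=$(toml_value "$1" token_expires_at)
  # 0001-01-01T00:00:00Z is the zero time written when the token never expires.
  [ -n "$expires" ] && [ "$expires" != "0001-01-01T00:00:00Z" ] && [ "$2" = "0" ]
}

# Steps 1-5. Returns 0 = rotated, 1 = nothing to do, 2 = error.
rotate_token() {  # rotate_token <file> <counter_param> <token_param>
  local counter old new
  counter=$($AWS_BIN ssm get-parameter --name "$2" --query Parameter.Value --output text) || return 2
  rotation_needed "$1" "$counter" || return 1
  old=$(toml_value "$1" token)
  $RUNNER_BIN reset-token --config "$1" --all-runners >/dev/null 2>&1 || return 2
  new=$(toml_value "$1" token)
  # Never publish an empty or unchanged token to the shared parameter.
  [ -n "$new" ] && [ "$new" != "$old" ] || return 2
  # Stored as SecureString; note --value is briefly visible in the process list.
  $AWS_BIN ssm put-parameter --name "$3" --type SecureString --overwrite --value "$new" >/dev/null || return 2
}

# Constructed sample config, used for an offline dry run of the decision only.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
[[runners]]
  name = "demo-runner"
  token = "glrt-CONSTRUCTED-OLD"
  token_obtained_at = 2024-10-01T00:00:00Z
  token_expires_at = 2024-11-01T00:00:00Z
EOF
if rotation_needed "$demo_cfg" 0; then echo "would reset token"; else echo "skip"; fi
```

The check-then-reset sequence is not atomic across instances, so the race condition raised in the issue is left unsolved here.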

@MrGiga MrGiga changed the title Handling of the Auto Token Rotation Handling of the New Auto Token Rotation Feature Oct 15, 2024
@kayman-mk
Collaborator

kayman-mk commented Oct 15, 2024

The first solution is not an option as rotating the tokens adds security.

Solution two sounds feasible.

We have to make sure that older versions of the Runner are still working. Not sure when the reset-token command was added.

@MrGiga
Contributor Author

MrGiga commented Oct 15, 2024

> The first solution is not an option as rotating the tokens adds security.
>
> Solution two sounds feasible.
>
> We have to make sure that older versions of the Runner are still working. Not sure when the reset-token command was added.

Looks like it first appeared in v15.10.0

Sources:
MR: https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/3209
Commit: https://gitlab.com/gitlab-org/gitlab-runner/-/commit/5e8770d2cb1606f7db37d2ae706c8ad099e57295

@github-actions github-actions bot added stale Issue/PR is stale and closed automatically and removed stale Issue/PR is stale and closed automatically labels Dec 15, 2024
@kayman-mk kayman-mk added the work-in-progress Issue/PR is worked, should not become stale label Jan 16, 2025
@cattle-ops cattle-ops deleted a comment from MrGiga Jan 16, 2025
@cattle-ops cattle-ops deleted a comment from github-actions bot Jan 16, 2025
@kayman-mk
Collaborator

@MrGiga Any chance to get a PR from you? This feature looks valuable.

@MrGiga
Contributor Author

MrGiga commented Feb 10, 2025

> @MrGiga Any chance to get a PR from you? This feature looks valuable.

I can take a look. Solving the race condition is pretty intimidating.
