Automatic merge of gitlab-org/gitlab master

c9ccd9d4 · GitLab Bot · 49f74420 · 684ef443 · c9ccd9d4 · c9ccd9d4
Commit c9ccd9d4 authored Jan 11, 2022 by GitLab Bot
Showing with 27 additions and 0 deletions

doc/ci/examples/authenticating-with-hashicorp-vault/index.md doc/ci/examples/authenticating-with-hashicorp-vault/index.md +22 -0

doc/development/cicd/index.md doc/development/cicd/index.md +5 -0

No files found.
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -189,6 +189,28 @@ Combined with [protected branches](../../../user/project/protected_branches.md),

 [`bound_claims_type`](https://www.vaultproject.io/api-docs/auth/jwt#bound_claims_type) configures the interpretation of the `bound_claims` values. If set to `glob`, the values are interpreted as globs, with `*` matching any number of characters.

+The claim fields listed in [the table above](#how-it-works) can also be accessed for [Vault's policy path templating](https://learn.hashicorp.com/tutorials/vault/policy-templating?in=vault/policies) purposes by using the accessor name of the JWT auth within Vault. The [mount accessor name](https://learn.hashicorp.com/tutorials/vault/identity#step-1-create-an-entity-with-alias) (`ACCESSOR_NAME` in the example below) can be retrieved by running `vault auth list`.
+
+Policy template example making use of a named metadata field named `project_path`:
+
+```plaintext
+path "secret/data/{{identity.entity.aliases.ACCESSOR_NAME.metadata.project_path}}/staging/*" {
+  capabilities = [ "read" ]
+}
+```
+
+Role example to support the templated policy above, mapping the claim field `project_path` as a metadata field through use of [`claim_mappings`](https://www.vaultproject.io/api-docs/auth/jwt#claim_mappings) configuration:
+
+```plaintext
+{
+  "role_type": "jwt",
+  ...
+  "claim_mappings": {
+    "project_path": "project_path"
+  }
+}
+```
+
 For the full list of options, see Vault's [Create Role documentation](https://www.vaultproject.io/api/auth/jwt#create-role).

 WARNING:

--- a/doc/development/cicd/index.md
+++ b/doc/development/cicd/index.md
@@ -109,6 +109,11 @@ After the server receives the request it selects a `pending` job based on the [`

 Once all jobs are completed for the current stage, the server "unlocks" all the jobs from the next stage by changing their state to `pending`. These can now be picked by the scheduling algorithm when the runner requests new jobs, and continues like this until all stages are completed.

+If a job is not picked up by a runner in 24 hours it is automatically removed from
+the processing queue after that time. If a pending job is stuck, when there is no
+runner available that can process it, it is removed from the queue after 1 hour.
+In both cases the job's status is changed to `failed` with an appropriate failure reason.
+
 ### Communication between runner and GitLab server

 After the runner is [registered](https://docs.gitlab.com/runner/register/) using the registration token, the server knows what type of jobs it can execute. This depends on: