Handle RSA key issues when generating CI_JOB_JWT

Some instances may have invalid (or missing) OpenID Connect signing key,
which will break generating CI_JOB_JWT and as result break CI too - no
jobs can be requested by and assigned to runners.

Instead of exploding, catch and track exceptions and set the CI variable
only when the JWT was generated successfully.

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/215902.

app/models/ci/build.rb

@@ -990,6 +990,8 @@ module Ci
 
         jwt = Gitlab::Ci::Jwt.for_build(self)
         variables.append(key: 'CI_JOB_JWT', value: jwt, public: false, masked: true)
+      rescue OpenSSL::PKey::RSAError => e
+        Gitlab::ErrorTracking.track_exception(e)
       end
     end
   end

changelogs/unreleased/215902-ci-job-jwt-handle-signing-key-issues.yml

+---
+title: Handle possible RSA key exceptions when generating CI_JOB_JWT
+merge_request: 30702
+author:
+type: changed

spec/models/ci/build_spec.rb

@@ -2350,6 +2350,16 @@ describe Ci::Build do
         end
       end
 
+      context 'when CI_JOB_JWT generation fails' do
+        it 'CI_JOB_JWT is not included' do
+          expect(Gitlab::Ci::Jwt).to receive(:for_build).and_raise(OpenSSL::PKey::RSAError, 'Neither PUB key nor PRIV key: not enough data')
+          expect(Gitlab::ErrorTracking).to receive(:track_exception)
+
+          expect { subject }.not_to raise_error
+          expect(subject.pluck(:key)).not_to include('CI_JOB_JWT')
+        end
+      end
+
       describe 'variables ordering' do
         context 'when variables hierarchy is stubbed' do
           let(:build_pre_var) { { key: 'build', value: 'value', public: true, masked: false } }