GitLab: ci_config_ref_uri can be empty

[haydentherapper]

Description

Version

I've noticed errors in our server logs: template: :1:11: executing "" at <.ci_config_ref_uri>: map has no entry for key "ci_config_ref_uri". This is coming from the ciprovider issuer where the mapping between certificate extensions and token claims is specified in a template. ci_config_ref_uri is a token claim for GitLab that's used for the subject alternative name and build signer URI.

From the GitLab docs on ci_config_ref_uri, "If the pipeline definition is not located in the same project, or if the pipeline is a merge request pipeline from a forked project running in the target project, the claim is null".

If this value can be null, we ideally should pick a different value as the SAN. We fail gracefully with an Invalid Argument error, though we could provide a more precise error to users.

[haydentherapper]

Likely related: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/208180

[haydentherapper]

Ref: https://gitlab.com/gitlab-org/gitlab/-/issues/579211

[jku]

We fail gracefully with an Invalid Argument error, though we could provide a more precise error to users.

We could also start logging at least these specific failures at a lower level than ERROR