Deprecate shared SaaS testing namespaces
Problem Statement
What is the problem?
As discussed in RFC #5230 (closed), the SaaS test namespaces gitlab-bronze
, gitlab-gold
and gitlab-silver
have a few issues:
- Previously they were public
- There's no DRI for maintaining them
- There's no oversight into who is added: former employees may invite test accounts and retain those test accounts and get "forever" subscriptions
- Running out of CI minutes or storage brings things down for everyone
Why is this a problem?
- No security boundaries in place
- Offboarding isn't clean
- Leaky permissions
- Likelihood of leaked credentials
Proposal
- Deprecate the use of
gitlab-gold
,gitlab-silver
andgitlab-bronze
in favor of personal, private, licensed namespaces. - Add these namespaces to baseline entitlements: https://gitlab.com/gitlab-com/team-member-epics/access-requests/-/merge_requests/1412
- Create namespaces for each individual support engineer: https://gitlab.com/gitlab-com/support/support-ops/support-ops-project/-/issues/930
- Add notes on keeping SaaS test enviornments for Support Engineers and keeping SaaS testing environments secure.: gitlab-com/www-gitlab-com!126332
DRI
@lyle will act as the DRI for this issue.
Required Resources
- Scripting to create top-level namespaces and provision appropriate subscription levels (see roadblocks)
- Setting a date to sunset current namespaces for Support
- Coordination with CS and other internal users for them to either move in lockstep with support, or do something different.
- Need a list of non-support folks to make sure they're alerted.
✅ SaaS Test Group Users (GitLab Internal Only)
- Need a list of non-support folks to make sure they're alerted.
Potential Roadblocks/Things to consider
- Top level namespace creation is disabled on GitLab.com through a feature flag: gitlab-org/gitlab!56360 (merged) => This will affect our ability to mass provision namespaces. We can either: coordinate to turn off the FF to run a script -or- do this through the console (FF preferred).
- Closing
gitlab-gold
, etc. may lag behind Support migration to personal namespaces.
SaaS Test Group Users (GitLab Internal Only) Breakdown:
Desired Outcome
What does success look like?
A full transition away from shared, public resources for test environments.
Future success would be having on-demand provisioning through Sandbox Cloud.
How do we measure success?
gitlab-gold
, etc. are no longer used by support (or anyone).
Where would future feedback go?
This issue is a great place for current feedback.
Related Issues/MRs/Epics/Tickets
Edited by Lyle Kozloff