Provide separate namespaces for each project environment
Problem to solve
Our Kubernetes integration currently deploys into the same namespaces regardless of the project environment. This presents the following issues:
- Operators cannot reuse the same cluster for different environments (ie run dev/stage on same cluster)
- Operators cannot configure permissions by environment (bob can deploy to dev but not to prod)
Further details
(Include use cases, benefits, and/or goals)
Proposal
In order to run multiple environments in the same cluster and manage permissions/security in a more granular way a namespace should be provided per environment.
- Because environments are dynamic and can be created as part of a CI job, we will create matching namespaces as CI creates environments (we can will use JIT resource creation https://gitlab.com/gitlab-org/gitlab-ce/issues/57115).
- Namespace naming nomenclature will follow
<project_slug>-<project_id>-<env_name>
pattern. Users who have already specified a custom namespace name (currently 40% of users as of Mar-2019) will continue to use the same namespace for all environments. This makes the feature backwards compatible. Users who specify a custom namespace and choose GitLab-managed going forward will have a namespace per environment based on their custom namespace:<custom-namespace>-<env_name>
. We will not create namespaces if the user chooses to self-manage their cluster. We will simply use the namespace provided by user if the user sets a namespace AND chooses to self-manage - As each review app creates a unique environment, we will create a namespace for those as well, ie
<project_slug>-<project_id>-<ci_environment_slug>
- In order to be backward compatible and not break existing integrations, we will add a setting to "create namespace per environment" to the BE; it will be disabled for existing integration and enabled by default for new integrations. It will not be displayed in FE
Follow-ups:
- To provide further flexibility, we will follow-up with an issue for the ability to provide a custom namespace per environment https://gitlab.com/gitlab-org/gitlab-ce/issues/59638
- Cleanup namespaces as environments are destroyed https://gitlab.com/gitlab-org/gitlab-ce/issues/59368
What does success look like, and how can we measure that?
(If no way to measure success, link to an issue that will implement a way to measure this)
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.