Provide separate namespaces for each project environment
Problem to solve
Our Kubernetes integration currently deploys into the same namespaces regardless of the project environment. This presents the following issues:
- Operators cannot reuse the same cluster for different environments (i.e., run dev/stage on the same cluster)
- Operators cannot configure permissions by environment (e.g., Bob can deploy to dev but not to prod)
In order to run multiple environments in the same cluster and manage permissions/security in a more granular way, a namespace should be provided per environment.
- Because environments are dynamic and can be created as part of a CI job, we will create matching namespaces as CI creates environments (we will use JIT resource creation https://gitlab.com/gitlab-org/gitlab-ce/issues/57115).
- Namespace naming nomenclature will follow the <project_slug>-<project_id>-<env_name> pattern. Users who have already specified a custom namespace name (currently 40% of users as of Mar-2019) will continue to use the same namespace for all environments. This makes the feature backwards compatible. Users who specify a custom namespace and choose GitLab-managed going forward will have a namespace per environment based on their custom namespace: <custom-namespace>-<env_name>. We will not create namespaces if the user chooses to self-manage their cluster. We will simply use the namespace provided by the user if the user sets a namespace AND chooses to self-manage.
- As each review app creates a unique environment, we will create a namespace for those as well, ie
- In order to be backward compatible and not break existing integrations, we will add a "create namespace per environment" setting to the BE; it will be disabled for existing integrations and enabled by default for new integrations. It will not be displayed in the FE.
- To provide further flexibility, we will follow up with an issue for the ability to provide a custom namespace per environment https://gitlab.com/gitlab-org/gitlab-ce/issues/59638
- Clean up namespaces as environments are destroyed https://gitlab.com/gitlab-org/gitlab-ce/issues/59368
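
The naming rules in the list above, worked through as an added Ruby example (not GitLab's own code). The function names, the `per_env` flag standing in for the "create namespace per environment" setting, the shared `<project_slug>-<project_id>` default, and the digest suffix for names over Kubernetes' 63-character namespace limit are assumptions.

```ruby
require 'digest'

# Hypothetical helpers illustrating the proposal; not GitLab's implementation.
MAX_LEN = 63 # Kubernetes namespace names are DNS-1123 labels (max 63 chars)

# Lowercase, map every run outside [a-z0-9] to '-', trim stray dashes.
# Environment names such as "review/Fix_Login" are not valid labels as-is.
def dns_label(text)
  text.to_s.downcase.gsub(/[^a-z0-9]+/, '-').gsub(/\A-+|-+\z/, '')
end

# Plain truncation could map two environments onto one namespace and
# defeat per-environment permissions, so an over-long name keeps a short
# digest of the full name as its suffix (assumed scheme).
def fit(name)
  return name if name.length <= MAX_LEN
  digest = Digest::SHA256.hexdigest(name)[0, 8]
  "#{name[0, MAX_LEN - 9].sub(/-+\z/, '')}-#{digest}"
end

# Returns [namespace, gitlab_creates_it].
# custom:  namespace typed in by the user (assumed to be valid already)
# managed: true for GitLab-managed clusters, false for self-managed ones
# per_env: assumed name for the "create namespace per environment" setting
def resolve_namespace(slug:, id:, env:, custom: nil, managed: true, per_env: true)
  base = custom || "#{dns_label(slug)}-#{id}" # assumed shared default
  return [base, false] unless managed  # self-managed: use as given, never create
  return [base, true] unless per_env   # existing integration: one namespace
  [fit("#{base}-#{dns_label(env)}"), true]
end
```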
What does success look like, and how can we measure that?
(If no way to measure success, link to an issue that will implement a way to measure this)