Group-level UI for Protected Environment settings
Release notes
Previously, group-level configuration for protected environments was only available through the API. With this release, you can now view and edit configuration settings for protected environments at the group level in the UI.
Problem
Group-level protected environments are a useful feature for organizations that want to enforce additional authorization on deployments in all subsequent projects at once. However, they currently must use the public API to configure it, which is an unintuitive UX. We should add UI support to let them easily audit and configure the settings.
Proposal
Introduce a UI to configure group-level protected environments, which can be used as an alternative to the public API.
The group-level setting will be similar to the project-level setting. In this iteration, we specifically target the following spec:
- We support the group-based access setting (e.g. Members in the @operator-group can deploy to production environments in the XYZ org). This is the most practical usage of this feature, because it allows a specific group to authorize all deployment jobs.
- We do not support the role-based access setting (e.g. Project members with the Maintainer role can deploy to production environments in the XYZ org). This is less practical because it technically delegates the deployment authorization to the project maintainers.
- We do not support the specific user access setting (e.g. @john can deploy to production environments in the XYZ org). This causes a scalability issue because a single person in the organization blocks the deployments in the entire organization.
- Unlike project-level protected environments, the assignable groups must be a subgroup of the configuration group. (No invitation needed)
For more details, you can see the PoC.
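The access rules in the spec above can be modelled as a small validator. This is an added example, not code from the proposal, the PoC or GitLab itself: `DeployRule`, `subgroup_of?` and `rule_errors` are hypothetical names, groups are identified by an already normalized full path, and the configuring group itself is assumed not to count as its own subgroup.

```ruby
# Added illustration; every name here is hypothetical, not a GitLab model.
# Groups are identified by full path, e.g. "xyz-org/operator-group".
DeployRule = Struct.new(:group_path, :role, :user, keyword_init: true)

# True only when candidate sits strictly below config_group in the hierarchy.
# Matching on the "/" boundary keeps "xyz-org-evil/ops" from passing as a
# subgroup of "xyz-org", which a bare prefix comparison would allow.
def subgroup_of?(candidate, config_group)
  parent = config_group.to_s.chomp("/")
  child = candidate.to_s
  return false if parent.empty?

  child.start_with?("#{parent}/") && child.length > parent.length + 1
end

# Returns the reasons a rule is rejected; an empty list means it is accepted.
def rule_errors(rule, config_group)
  set = rule.to_h.reject { |_, v| v.nil? || v.to_s.empty? }.keys
  errors = []
  errors << "role-based access is not supported" if set.include?(:role)
  errors << "specific user access is not supported" if set.include?(:user)
  if !set.include?(:group_path)
    errors << "a group must be specified"
  elsif !subgroup_of?(rule.group_path, config_group)
    errors << "#{rule.group_path} is not a subgroup of #{config_group}"
  end
  errors
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample rules for a configuring group "xyz-org".
  samples = [
    DeployRule.new(group_path: "xyz-org/operator-group"),
    DeployRule.new(group_path: "xyz-org-evil/ops"),
    DeployRule.new(group_path: "other-org/operators"),
    DeployRule.new(role: "Maintainer"),
    DeployRule.new(user: "@john", group_path: "xyz-org/platform/sre")
  ]
  samples.each do |rule|
    errors = rule_errors(rule, "xyz-org")
    verdict = errors.empty? ? "accepted" : "rejected: #{errors.join('; ')}"
    puts "#{rule.to_h.compact} -> #{verdict}"
  end
end
```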
Implementation plan
- Add Protected Environment instance variables to Groups::Settings::CiCdController (similar to https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/controllers/ee/projects/settings/ci_cd_controller.rb#L27)
- Create Groups::ProtectedEnvironmentsController (similar to https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/controllers/projects/protected_environments_controller.rb)
  - Frontend code can mostly be copy-pasted from the project-level settings
- Add form for protecting environments at the group level under Group > CI/CD > Protected Environments
  - UI text: Only specified users can execute deployments in the protected environments of the group. How do protected environments work?
  - Add help text with a link to the documentation on protected environments
- Add form for editing currently protected environments.