KAS CI/CD Tunnel ci_access does not work for projects/groups outside of the group with the agent config project
Summary
Kubernetes Agent CI/CD Tunnel CI Access, as documented at https://docs.gitlab.com/ee/user/clusters/agent/repository.html#authorize-projects-and-groups-to-use-an-agent, only works for projects within the group that contains the agent configuration project.
Despite defining the ci_access groups/projects, the KUBECONFIG
variable is not injected for any groups projects other than the group containing the agent config.
I initially discovered this on a self-managed installation deployed using the GitLab Helm chart and have reproduced the issue on GitLab.com
This issue is currently blocking an Ultimate licensed customer with whom we are working.
Proposal
GitLab Hosted
On gitlab.com support the following CI/CD tunnel sharing:
gitlab.com/top-namespace/
|- infra-group/infra-project
| |- my-agent
|- dev-group/app-project
my-agent
can be shared with the dev-group
and all its project.
Original bug report
Steps to reproduce
Create the following structure:
- Group: Infrastructure (everything in here will get the KUBECONFIG variable)
- Project: Agent Config (add KAS config.yaml here, allowing access to the "Infrastructure" and "Another Group" groups)
- Group: Another Group (nothing in here will get the KUBECONFIG variable)
- Project: Another Project (this won't get the KUBECONFIG variable)
Example Project
See the following group for an example: https://gitlab.com/ottra-gold/kas-ci-access-issue
Agent config project: https://gitlab.com/ottra-gold/kas-ci-access-issue/infrastructure/kubernetes
All other projects contain the same .gitlab-ci.yml file.
What is the current bug behavior?
ci_access only works for groups/projects within ottra-gold/kas-ci-access-issue/infrastructure
What is the expected correct behavior?
ci_access should work for ottra-gold/kas-ci-access-issue/a-project
and ottra-gold/kas-ci-access-issue/another-group
too.
Relevant logs and/or screenshots
Working: https://gitlab.com/ottra-gold/kas-ci-access-issue/infrastructure/a-working-project/-/jobs/1818621002 Not Working: https://gitlab.com/ottra-gold/kas-ci-access-issue/another-group/another-project/-/jobs/1818626156