Docs: Kubernetes contexts from agent not injected into pipeline of projects authorized to use the agent
Summary
I have issues with access to the Kubernetes agent from different projects. The variables and contexts that should be available in the pipeline don't appear. I'm running the GitLab 14.5 CE Omnibus Docker image.
I set up two pipelines to test this:
- Pipeline in the Kubernetes agent config repository.
- Pipeline in a separate project that is listed in authorized projects. I used this as an example. I tried both group and project authorization.
Excerpt from the documentation:
Authorize projects to use an Agent
To grant projects access to the Agent through the CI/CD Tunnel:
- Go to your Agent’s configuration project.
- Edit the Agent’s configuration file (config.yaml).
- Add the projects attribute into ci_access.
- Identify the project through its path:
ci_access:
  projects:
    - id: path/to/project
The first pipeline works: I can use kubectl from the pipeline and the contexts are visible. By setting the context from my agent, I can apply manifests to the cluster.
The second one doesn't work. The documentation says that appropriate variables should be injected into my pipeline but it doesn't seem to be the case.
When you authorize a project to use an agent through the CI/CD Tunnel, the selected Kubernetes context is automatically injected into CI/CD jobs, allowing you to run Kubernetes commands from your authorized projects’ scripts. When you authorize a group, all the projects that belong to that group can access the selected agent.
Is there some additional setup required? Relevant forum thread: https://forum.gitlab.com/t/kubernetes-contexts-from-agent-not-injected-into-pipeline-of-projects-authorized-to-use-the-agent/61855/2
Scope of this issue
Clarify the docs at https://docs.gitlab.com/ee/user/clusters/agent/repository.html#authorize-projects-and-groups-to-use-an-agent. Today it says:
An Agent can only authorize projects or groups in the same group hierarchy as the Agent’s configuration project.
The issue will be addressed in #346566 (closed)
Original bug report
Steps to reproduce
- Create a new Kubernetes agent config repository and connect your agent to the repository.
- Check that Kubernetes variables are properly injected into the pipeline when the pipeline runs in the agent repository.
- Add a new project or group to ci_access: in agent configuration.
What is the current bug behavior?
The Kubernetes agent variables and contexts are not injected into the pipeline of the authorized project.
What is the expected correct behavior?
The Kubernetes agent variables and contexts are injected into the pipeline of the authorized project and allow for deployment to the cluster.
Relevant logs and/or screenshots
Output from the pipeline of an authorized project:
$ kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
$ kubectl config view
apiVersion: v1
clusters: null
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
$ kubectl config use-context project/devops:project-dev
error: no context exists with the name: "project/devops:project-dev"
Output from the pipeline of the agent configuration project:
$ kubectl config use-context project/devops:project-dev
Switched to context "project/devops:project-dev".
$ kubectl config set-context $(kubectl config current-context) --namespace project-dev
Context "project/devops:project-dev" modified.
Output of checks
Results of GitLab environment info
System information
System:
Current User: git
Using RVM: no
Ruby Version: 2.7.4p191
Gem Version: 3.1.4
Bundler Version:2.1.4
Rake Version: 13.0.6
Redis Version: 6.0.16
Git Version: 2.33.1.
Sidekiq Version:6.2.2
Go Version: unknown

GitLab information
Version: 14.5.0
Revision: f8796c0836e
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 12.7
URL: https://gitlab.redacted.io
HTTP Clone URL: https://gitlab.redacted.io/some-group/some-project.git
SSH Clone URL: git@gitlab.redacted.io:some-group/some-project.git
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version: 13.22.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.22.0 ? ... OK (13.22.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
INFO[0000] SSL_CERT_DIR is configured ssl_cert_dir=/opt/gitlab/embedded/ssl/certs/
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain
not verifying SSL hostname of LDAPS server 'ldap-proxy.lan.redacted.io:8636'
LDAP authentication... Failed. Check bind_dn and password configuration values
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 100 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.4)
Git version >= 2.33.0 ? ... yes (2.33.1)
Git user has default SSH configuration? ... yes
Active users: ... 78
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
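The restriction quoted under "Scope of this issue" can be checked before a pipeline runs. The following is an added example, not part of the original report or GitLab's code: it reads the ci_access block of an agent config.yaml and flags entries outside the agent configuration project's hierarchy. It assumes "same group hierarchy" means sharing the top-level group and that contexts are named agent-project-path:agent-name, as in the kubectl output above; the sample paths and function names are constructed.

```python
import re

# Constructed sample config.yaml for an agent whose configuration project is
# "project/devops" (path taken from the context name shown in the report).
SAMPLE_CONFIG = """\
ci_access:
  projects:
    - id: project/apps/web
    - id: other-group/tools
  groups:
    - id: project/apps
"""

def ci_access_ids(config_text):
    """Collect the ids listed under ci_access.projects and ci_access.groups.

    Minimal line-based reader for the layout in the docs excerpt; it is not
    a general YAML parser.
    """
    found = {"projects": [], "groups": []}
    in_block, kind = False, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not line.startswith((" ", "\t", "-")):   # a new top-level key
            in_block, kind = line.strip() == "ci_access:", None
            continue
        if not in_block:
            continue
        key = line.strip()
        if key in ("projects:", "groups:"):
            kind = key[:-1]
        else:
            m = re.match(r"-\s*id:\s*(\S+)", key)
            if m and kind:
                found[kind].append(m.group(1).strip("'\""))
    return found

def check_authorizations(agent_project, agent_name, config_text):
    """Return the expected context name and (kind, path, in_hierarchy) rows."""
    # Assumption: "same hierarchy" == same top-level group as the agent project.
    root = agent_project.split("/", 1)[0]
    report = [(kind, path, path.split("/", 1)[0] == root)
              for kind, ids in ci_access_ids(config_text).items()
              for path in ids]
    return f"{agent_project}:{agent_name}", report

if __name__ == "__main__":
    context, rows = check_authorizations("project/devops", "project-dev", SAMPLE_CONFIG)
    print("expected context in authorized jobs:", context)
    for kind, path, ok in rows:
        print(f"{kind:8} {path:20} {'ok' if ok else 'outside agent hierarchy'}")
```

An entry reported as outside the hierarchy is a candidate explanation for an empty `kubectl config get-contexts` in that project's jobs.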