Agent: Create a group level authorisation system that can be used to authorise multiple projects
Problem to solve
As a Platform Engineer, I want to set up an agent to be accessible for deployments of specific projects/groups inside my company namespace, so that I won't block developers from deploying new projects.
Intended users
User experience goal
The Platform Engineer and the Application Operator should be able to use a single agent connection that is managed by the Platform Engineer and customised in a restricted way by the Application Operator.
Proposal
To support the use case where the agent needs to be able to deploy several projects, all grouped in the same GitLab group, we should create an authorisation model that can be used to authenticate against all the projects of a given group.
- Enable the agent token to have access to any group that authorized the given agent
Q: How could we define this authorization in code?
- A group might enable multiple agents.
Q: How can the location of the manifest files be configured?
- Configuring every manifest project one by one in the configuration project seems like bad UX, as it requires modifications at least in the group and in the agent configuration project.
Edited by Viktor Nagy (GitLab)