Protected Environment-level variables


Problem

Currently, GitLab has two key features for helping organizations to manage deployments:

  • Group-level protected environments ... Organizations define a deployment authorization policy. Only members on the allowlist can execute a critical deployment job, e.g. deploying to the production environment.
  • Group-level CI/CD variables ... Organizations define deployment secrets/credentials, which are populated into the pipeline jobs of the group's projects. To prevent arbitrary jobs from reading sensitive secrets, users can optionally set environment scopes, such as exposing a variable only to production deployment jobs.

Given that the deployment workflow runs "Authorization" => "Execution", these features should be tightly coupled. However, the two settings are currently sparse and diverged, which causes problems.

  • Sparse ... It's hard to understand which variables are injected into which protected environments. In addition, it's hard to keep each setting synchronized manually.
  • Diverged ... Group-level protected environments take an environment tier as a parameter, whereas group-level CI/CD variables take an environment name. These settings are therefore incompatible with each other, which causes issues like this.

To illustrate the problem, here is how the settings can look today:

Group CI/CD Config
  - Variables
    - `SECRET_VARIABLE_1: 123` - `tier: production` `name: *`
    - `SECRET_VARIABLE_2: 456` - `tier: production` `name: aws-*`
    - `SECRET_VARIABLE_1: 789` - `tier: staging` `name: *`
    - `SECRET_VARIABLE_2: 012` - `tier: staging` `name: aws-*`
  - Protected environments
    - `tier: production` `name: *` ... Allowed to deploy: group-X
    - `tier: staging` `name: *` ... Allowed to deploy: group-Y

Proposal

We introduce a new feature to set CI/CD variables on a specific protected environment. Here is how variable management would look:

Group CI/CD Config
  - Protected environments
    - `tier: production` `name: *` ... Allowed to deploy: group-X
      Variables:
      - `SECRET_VARIABLE_1: 123`
      - `SECRET_VARIABLE_2: 456` - `name: aws-*`
    - `tier: staging` `name: *` ... Allowed to deploy: group-Y
      Variables:
      - `SECRET_VARIABLE_1: 789`
      - `SECRET_VARIABLE_2: 012` - `name: aws`
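The following is an added example, not GitLab's code: it models the proposed coupling so that a variable attached to a protected environment is only released to a job whose deployer passes that environment's allowlist. Glob matching of environment names via `fnmatchcase`, the `ScopedVariable`/`ProtectedEnvironment` types, and the `resolve_deployment` function are assumptions for illustration; the config values are constructed from the proposal above.

```python
# Added example (not GitLab code): authorization and secret injection
# resolved from one protected-environment config instead of two settings.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class ScopedVariable:
    key: str
    value: str
    name_pattern: str = "*"  # optional environment-name glob (assumed semantics)


@dataclass
class ProtectedEnvironment:
    tier: str
    name_pattern: str
    allowed_groups: set
    variables: list = field(default_factory=list)


def resolve_deployment(envs, env_tier, env_name, deployer_groups):
    """Return (authorized, {key: value}) for a job deploying to env_name/env_tier.

    Secrets are released only from protected environments that match the
    job's tier and name AND whose allowlist contains the deployer. Environments
    matched by no protected-environment rule are out of scope here.
    """
    released = {}
    authorized = False
    for pe in envs:
        if pe.tier != env_tier or not fnmatchcase(env_name, pe.name_pattern):
            continue
        if not (pe.allowed_groups & set(deployer_groups)):
            continue  # policy failed: no secrets for this deployer
        authorized = True
        for var in pe.variables:
            if fnmatchcase(env_name, var.name_pattern):
                released[var.key] = var.value
    return authorized, released


# Constructed config mirroring the proposal (values are placeholders).
CONFIG = [
    ProtectedEnvironment("production", "*", {"group-X"}, [
        ScopedVariable("SECRET_VARIABLE_1", "123"),
        ScopedVariable("SECRET_VARIABLE_2", "456", "aws-*"),
    ]),
    ProtectedEnvironment("staging", "*", {"group-Y"}, [
        ScopedVariable("SECRET_VARIABLE_1", "789"),
        ScopedVariable("SECRET_VARIABLE_2", "012", "aws-*"),
    ]),
]
```

A group-X job deploying to `aws-prod` receives both production variables, a `gcp-prod` deployment receives only `SECRET_VARIABLE_1`, and a group-Y job targeting production is refused and receives nothing.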
