Issue #389393
Issue created Jan 26, 2023 by Viktor Nagy (GitLab)@nagyv-gitlab🕊Developer

Flux to GitLab access management

Release notes

Problem to solve

As an Application Operator, I want a very simple API- and/or UI-driven approach to authorize access of a given Flux installation to my GitLab repo to retrieve manifests from it.

As an Application Operator, I want a very simple API- and/or UI-driven approach to authorize access of a given Flux installation and Kubernetes cluster to my GitLab container registry to retrieve containers from it.

As an Application Operator, I want a very simple API- and/or UI-driven approach to restrict access to my manifests and containers only to the namespaces and service accounts I own.

As a Platform Engineer, once I have authorized a team to deploy, potentially using a set of restrictions (a service account), I want to ensure that the application team can easily deploy their workflows without much overhead.

As a Platform Engineer, I want any keys accessing GitLab to be regularly and automatically rotated.

Proposal

Intended users

  • Priyanka (Platform Engineer)
  • Allison (Application Ops)

Feature Usage Metrics

Educational Resources

  • https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/modules.md#extending-gitlab-kas-or-agentk-with-new-functionality About extending kas and agentk

  • https://docs.gitlab.com/ee/user/project/deploy_keys/ We talk a lot about Deploy Keys and Deploy Tokens

  • https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/kas_request_routing.md More interesting agentk/kas architecture

  • https://kubernetes.io/docs/concepts/security/multi-tenancy/ This is an incredibly good read and clears up a lot of the terminology around multi-tenancy (e.g. multi-team tenancy, multi-customer tenancy).

  • https://github.com/fluxcd/flux2-multi-tenancy This shows some examples as well as some Flux specific flows for onboarding new tenants

Prior art / Related issues

  • Manifest projects outside of the Agent configur... (&7704)

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited Feb 14, 2023 by Hunter Stewart