Show shared agents in deployment projects
Problem
Typically, agents are owned by a single project and shared with multiple deployment projects. Project members in the agent owner project can see the list of agents on the "Infrastructure > Kubernetes clusters" page. However, project members in deployment projects might not have access to the owner project and thus have no idea what agents are available in the project.
Similarly, we recently added a feature to allow users to access an agent via the user_access keyword. This authentication requires the Agent ID; however, project members in the deployment projects might not have access to the owner project and thus can't fetch the Agent ID for the authentication. This effectively limits the feature usage to inside the owner project only.
Proposal
Show shared agents in deployment projects on the "Infrastructure > Kubernetes clusters" page. On this page, users see:
- Shared agent names, IDs and their connection status.
- Shared by - The agent owner project that allowed the access to the agent(s).
- Which keyword is used for sharing, either ci_access, user_access or both.
- Permissions in the cluster with the given impersonation, i.e. ClusterRoleBinding or RoleBinding details of the impersonated service account.
- Future iteration: View resources in the cluster via Kubernetes Dashboard. (user_access only)
- Future iteration: Connect to the Agent via Web Terminal. (user_access only)
Example design at the group level here: #353468 [Agent_Group_Installed_agents.png]
Permissions
Follow "View clusters" and "Manage clusters" from https://docs.gitlab.com/ee/user/permissions.html#project-members-permissions
Technical details
- One of the main purposes of this iteration is to let deployment projects see shared agents. To do so, we need to properly fix Agent permissions on the GitLab side.
- We will likely use Clusters::Agents::ProjectAuthorization and Clusters::Agents::GroupAuthorization for fetching the list of available agents.
- Introduce the read_cluster_agent permission. Stop reusing read_cluster, as it technically implies the deprecated certificate-based cluster integration.
Design
Reference
- How to share agents via ci_access => doc.
- How to share agents via user_access => doc.
- We show shared Deploy Keys in projects. See "Settings > Repository > Deploy Key" for the reference.