Add support to the Agent for environment-specific impersonation with a static identity
Proposal
The GitLab Agent currently supports restricting project and group access by using impersonation, where for each project the access_as
attribute can be used to specify a static identity (for example a Kubernetes service account) that is used to access the cluster.
It also supports restricting project and group access to specific environments.
What isn't supported at present is the ability to specify a separate access_as
attribute for each environment within a project, so that each environment maps to its own cluster identity. That is the functionality requested by this issue.
You can at present specify an agent configuration with multiple blocks for the same project, such as:
"ci_access":
  "projects":
    - "id": "group1/subgroup1/project1"
      "access_as":
        "impersonate":
          "username": "system:serviceaccount:staging:staging"
      "environments":
        - "staging"
    - "id": "group1/subgroup1/project1"
      "access_as":
        "impersonate":
          "username": "system:serviceaccount:staging-uat:staging-uat"
      "environments":
        - "staging/job0"
but only one is actually applied, and the others are ignored.
What is requested here is to add support for a configuration that combines environments and impersonation, in one of the following two forms. The map form is preferred, as it makes clear that there is exactly one service account entry per environment per project:
"ci_access":
  "projects":
    "group1/subgroup1/project1":
      "environments":
        "staging":
          "access_as":
            "impersonate":
              "username": "system:serviceaccount:staging:staging"
        "staging/uat":
          "access_as":
            "impersonate":
              "username": "system:serviceaccount:staging-uat:staging-uat"
or this form, using lists:
"ci_access":
  "projects":
    - "id": "group1/subgroup1/project1"
      "environments":
        - "name": "staging"
          "access_as":
            "impersonate":
              "username": "system:serviceaccount:staging:staging"
        - "name": "staging/uat"
          "access_as":
            "impersonate":
              "username": "system:serviceaccount:staging-uat:staging-uat"
Alongside the new syntax, precedence rules need to be established: which identity wins when an environment is matched both by a specific entry and by a grouped environment entry, and how a project-wide impersonation setting interacts with the per-environment ones.
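As an added example (not GitLab Agent code, and not part of this issue's proposal), the following Python resolver shows one way the map form above could be evaluated, together with one candidate precedence rule of the kind the last paragraph asks for. The config it uses is constructed; the project-wide "access_as" fallback and the "group/*" entries that cover a whole environment group are assumed extensions beyond the two forms shown above, and the precedence (exact environment entry, then longest matching "group/*" entry, then project-wide setting, and denial when environments are listed but none match) is an assumption, not an agreed rule.

```python
"""Resolve which identity a CI job would impersonate under the proposed
map-form ci_access config.  Added example, not GitLab Agent code: the
config is constructed and the precedence rule is one candidate only."""
from __future__ import annotations

from typing import Any

# Constructed config in the proposed map form.  Assumed extensions beyond
# the proposal text: a project-wide "access_as" that environment entries
# fall back to, and "group/*" entries covering a whole environment group
# (the "/*" suffix is assumed to match like a wildcard environment name).
CONFIG: dict[str, Any] = {
    "ci_access": {
        "projects": {
            "group1/subgroup1/project1": {
                "access_as": {"impersonate": {"username": "system:serviceaccount:ci:project-default"}},
                "environments": {
                    "staging": {"access_as": {"impersonate": {"username": "system:serviceaccount:staging:staging"}}},
                    "staging/*": {"access_as": {"impersonate": {"username": "system:serviceaccount:staging:staging-group"}}},
                    "staging/uat": {"access_as": {"impersonate": {"username": "system:serviceaccount:staging-uat:staging-uat"}}},
                    "review/*": {},  # allowed, but no identity of its own: inherits the project-wide one
                },
            },
            # No environment restriction and no access_as: allowed from any
            # environment as the agent's own identity (GitLab's default when
            # access_as is omitted).
            "group1/subgroup1/project2": {},
        }
    }
}


def _username(access_as: dict[str, Any] | None) -> str | None:
    """Extract the impersonated username, or None if no impersonation is set."""
    if not access_as:
        return None
    return access_as.get("impersonate", {}).get("username")


def env_matches(pattern: str, environment: str) -> bool:
    """An exact name matches itself; "grp/*" matches "grp" and everything under "grp/"."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return environment == prefix or environment.startswith(prefix + "/")
    return pattern == environment


def resolve_identity(config: dict[str, Any], project: str, environment: str) -> tuple[bool, str | None]:
    """Return (allowed, username).  allowed=True with username None means the
    job runs as the agent's own identity.

    Assumed precedence: exact environment entry > longest matching "grp/*"
    entry > project-wide access_as.  If the project lists environments and
    none match, access is denied, mirroring the existing environments
    restriction.
    """
    projects = config.get("ci_access", {}).get("projects", {})
    if project not in projects:
        return False, None  # project is not granted access at all
    entry = projects[project] or {}
    envs = entry.get("environments") or {}
    project_wide = _username(entry.get("access_as"))

    if not envs:
        return True, project_wide  # no environment restriction configured

    if environment in envs:
        matched = envs[environment]  # exact name always wins
    else:
        wildcards = [p for p in envs if p.endswith("/*") and env_matches(p, environment)]
        if not wildcards:
            return False, None  # environments are restricted and none match
        matched = envs[max(wildcards, key=len)]  # most specific group wins

    return True, _username((matched or {}).get("access_as")) or project_wide


if __name__ == "__main__":
    for env in ("staging", "staging/uat", "staging/job0", "review/mr-12", "production"):
        print(env, "->", resolve_identity(CONFIG, "group1/subgroup1/project1", env))
```

The deny-on-no-match branch is the security-relevant choice: if a project lists environments, a job from an unlisted environment must not silently fall through to the project-wide identity, otherwise the per-environment scoping this issue asks for would be bypassable by running the job under an unconfigured environment name.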