Apply PEP policy job variables with highest precedence

What does this MR do and why?

This change marks the jobs coming from the Pipeline Execution Policies using build metadata and re-applies the yaml_variables from these jobs with the highest precedence.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable the feature flag
    Feature.enable(:pipeline_execution_policy_type)
  2. Create a group
  3. In the group, create a Compliance project
  4. In the Compliance project, create a file variables.yml:
    variables:
      OTHER_POLICY_VAR: 'should not leak into project pipeline'
      TEST_TOKEN: 'policy token'
    project_policy::policy test job:
      variables:
        POLICY_JOB_VAR: 'policy job variable'
      stage: test
      script:
        - echo "OTHER_POLICY_VAR = $OTHER_POLICY_VAR"
        - echo "TEST_TOKEN = $TEST_TOKEN"
        - echo "POLICY_JOB_VAR = $POLICY_JOB_VAR"
  5. In the group, create a project Variables precedence
  6. In the project Variables precedence, create .gitlab-ci.yml:
    variables:
      TEST_TOKEN: 'global token'
      CI_DEBUG_TRACE: "true"
    build:
      stage: build
      script:
        - echo "TEST_TOKEN = $TEST_TOKEN, OTHER_POLICY_VAR = $OTHER_POLICY_VAR"
    rspec:
      stage: test
      variables:
        TEST_TOKEN: "rspec token"
      script:
        - echo "Running RSpec..."
        - echo "TEST_TOKEN = $TEST_TOKEN, OTHER_POLICY_VAR = $OTHER_POLICY_VAR, POLICY_JOB_VAR = $POLICY_JOB_VAR"
  7. In the project, go to Secure -> Policies -> New policy -> Pipeline execution policy. Go to .yaml mode and use the following:
    type: pipeline_execution_policy
    name: PEP with variables
    description: ''
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: gitlab-org/pipeline-execution-policies/compliance-project
          file: variables.yml
          ref: main
  8. Configure with merge request and merge
  9. Go back to the Variables precedence project, run a pipeline and observe the variables printed by each job. Verify that the variables from the policy jobs are applied only in the policy jobs, and that in those jobs the values defined in the project's CI YAML are overwritten.
  10. Go to the project's Settings -> CI/CD and create two new variables: TEST_TOKEN = overwritten from project settings and POLICY_JOB_VAR = overwritten from project settings
  11. Run a new pipeline and verify that the new values are applied only to the non-policy jobs. The policy jobs should keep their previous values.
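The outcome that steps 9 and 11 check, as an added illustration (not GitLab code): a deliberately simplified Ruby model of the precedence this MR introduces, fed with the constructed YAML from the steps above. The ordering in `resolve_variables` is an assumption made for this sketch, not the real `Ci::Build` implementation.

```ruby
require 'yaml'

# Constructed from the .gitlab-ci.yml in step 6 (script keys omitted).
PROJECT_CI = YAML.safe_load(<<~YML)
  variables:
    TEST_TOKEN: 'global token'
  build:
    stage: build
  rspec:
    stage: test
    variables:
      TEST_TOKEN: 'rspec token'
YML

# Constructed from the policy's variables.yml in step 4.
POLICY_CI = YAML.safe_load(<<~YML)
  variables:
    OTHER_POLICY_VAR: 'should not leak into project pipeline'
    TEST_TOKEN: 'policy token'
  'project_policy::policy test job':
    stage: test
    variables:
      POLICY_JOB_VAR: 'policy job variable'
YML

# Assumed precedence, lowest to highest:
#   file-level YAML variables < job-level YAML variables < project settings (UI)
#   < YAML variables of a policy job, re-applied last (the change this MR makes).
# A job is a policy job when it is defined by the policy file; only then do the
# policy file's variables reach it, so OTHER_POLICY_VAR never leaks elsewhere.
def resolve_variables(job_name, project_ci:, policy_ci:, project_settings: {})
  policy_job = policy_ci.key?(job_name)
  yaml = policy_job ? policy_ci : project_ci
  yaml_vars = yaml.fetch('variables', {}).merge(yaml.fetch(job_name).fetch('variables', {}))

  vars = yaml_vars.merge(project_settings)   # UI settings override YAML
  vars.merge!(yaml_vars) if policy_job       # policy jobs keep their YAML values
  vars
end

if __FILE__ == $PROGRAM_NAME
  settings = { 'TEST_TOKEN' => 'overwritten from project settings',
               'POLICY_JOB_VAR' => 'overwritten from project settings' }
  %w[build rspec project_policy::policy\ test\ job].each do |job|
    puts "#{job}: #{resolve_variables(job, project_ci: PROJECT_CI, policy_ci: POLICY_CI, project_settings: settings)}"
  end
end
```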

Related to #455312 (closed)

Edited by Martin Čavoj