Allow configuring image for Duo Workflow remote execution

Dylan Griffithrequested to merge
549763-allow-configuring-image-for-duo-workflow into master

Related to #549763 (closed)

What does this MR do and why?

You can read more about Duo Workflow at https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/duo_workflow/ . The "Remote Execution" feature allows you to trigger a workflow to run inside a CI job. Previously this feature just used a hardcoded docker image as the base image to run the CI job in. That is not particularly useful as it might not have the right development tooling configured in it.

Note that this features is only partially implemented and only available via the API for now. It's not available to external users but it can still be tested internally but it doesn't do much.

This MR introduces the ability to pass the image query parameter when creating a workflow via the API. This image is persisted with the workflow and is then used when constructing the CI job which runs the workflow for Remote Execution.

How to test

You can test remote execution locally using the instructions in !176742 (merged) and in particular you can test this new image with:

  1. Build an image with and without Ruby. I used the following Dockerfile 
    FROM ubuntu

RUN apt-get update && apt-get install -y wget git ruby # Remove ruby for the image without ruby
  2. Create a simple ruby project with a failing rspec test
  3. docker build -t ubuntu-without-ruby .
  4. Run a workflow without ruby (change project_id to match your GDK project) 
    curl -H 'Content-Type: application/json' -H "Private-Token: $(op item get 'GDK root API Token' --fields label=credential)" -d '{"start_workflow":true,"allow_agent_to_request_user":false,"agent_privileges":[1,2,3,4],"pre_approved_agent_privileges":[1,2,3,4],"goal":"Run `rspec` and fix any failing specs"}' -XPOST 'http://gdk.test:3000/api/v4/ai/duo_workflows/workflows?project_id=23&image=ubuntu-without-ruby'
  5. Observe the logs for errors relating to not having ruby available. And also see the image pulled at the start of the job
  6. docker build -t ubuntu-with-ruby .
  7. Run a workflow with ruby (change project_id to match your GDK project) 
    curl -H 'Content-Type: application/json' -H "Private-Token: $(op item get 'GDK root API Token' --fields label=credential)" -d '{"start_workflow":true,"allow_agent_to_request_user":false,"agent_privileges":[1,2,3,4],"pre_approved_agent_privileges":[1,2,3,4],"goal":"Run `rspec` and fix any failing specs"}' -XPOST 'http://gdk.test:3000/api/v4/ai/duo_workflows/workflows?project_id=23&image=ubuntu-with-ruby'
  8. Observe no more logs for errors relating to not having ruby available. And also see the image pulled at the start of the job

References

Related to #549763 (closed)

Screenshots or screen recordings

Before After

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #549763 (closed)

Edited by Sebastian Rehm

Merge request reports