PoC: Deployment Approvals
What's changed in this PoC
[NOT FOR MERGE] THIS IS POC/PROTOTYPE
This MR provides a prototype of Deployment Approval feature, that is based on this backend proposal and the UX/UI proposal.
Specifically, this MR introduces the following changes:
- Add
Deployments::Approvalactive record model (deployment_approvalstable). This model represents the approval history of deployments. - Add
Deployments::ApprovalServiceas a SSOT facility to approve/reject a deployment and trigger a subsequent process. - Add a new status
blockedto the deployment model. This represents that the a deployment is waiting for approvals. - Add
required_approval_countcolumn toprotected_environmentstable, that represents how many approvals are needed to deploy to a protected environment. - Add a new failure reason
deployment_rejectedto pipeline jobs, that represents a deployment job failed by rejection.
Related #344233 (closed) #343864 (closed) #343864 (closed)
How to use this feature
Configure required_approval_count on protected environments
Protect an environment (with 1 additional approval)
curl --header 'Content-Type: application/json' --request POST \
--data '{"name": "production", "required_approval_count": 1, "deploy_access_levels": [{"access_level": 40}]}' \
--header "PRIVATE-TOKEN: A3K6cFWthsQrQLaM8Fj1" \
http://local.gitlab.test:8181/api/v4/projects/219/protected_environments
> {"name":"production","deploy_access_levels":[{"access_level":40,"access_level_description":"Maintainers","user_id":null,"group_id":null}],"required_approval_count":1}Other utilities:
# Get a single Protected Environment
curl -H 'Private-Token: A3K6cFWthsQrQLaM8Fj1' http://local.gitlab.test:8181/api/v4/projects/219/protected_environments/production
> {"name":"production","deploy_access_levels":[{"access_level":40,"access_level_description":"Maintainers","user_id":null,"group_id":null}],"required_approval_count":0}
# List of Protected Environments
curl -H 'Private-Token: A3K6cFWthsQrQLaM8Fj1' http://local.gitlab.test:8181/api/v4/projects/219/protected_environments
> [{"name":"production","deploy_access_levels":[{"access_level":40,"access_level_description":"Maintainers","user_id":null,"group_id":null}],"required_approval_count":0}]
# Unprotect an environment
curl -X DELETE -H 'Private-Token: A3K6cFWthsQrQLaM8Fj1' http://local.gitlab.test:8181/api/v4/projects/219/protected_environments/productionRun a pipeline in a project
Here is an example:
deploy:
script: echo
environment: productionand confirm that a deployment job is blocked.
Approve a deployment to a protected environment
Get the latest deployment and its approval status
curl -H 'Private-Token: A3K6cFWthsQrQLaM8Fj1' "http://local.gitlab.test:8181/api/v4/projects/219/deployments?environment=production&sort=desc" | jq '.[0] | { id: .id, iid: .iid, status: .status, required_approval_count: .required_approval_count, approvals: .approvals }'
{
"id": 1085,
"iid": 17,
"status": "blocked",
"required_approval_count": 1,
"approvals": []
}Approve the deployemnt as a different user
curl -d 'status=approved' -H 'Private-Token: -B_sqZgkw_ptEf_ytyZP' "http://local.gitlab.test:8181/api/v4/projects/219/deployments/1085/approval"
{"user":{"id":1,"name":"Administrator","username":"root","state":"active","avatar_url":"https://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=80\u0026d=identicon","web_url":"http://local.gitlab.test:8181/root"},"status":"approved"}2nd time: Get the latest deployment and its approval status
{
"id": 1085,
"iid": 17,
"status": "success",
"required_approval_count": 0,
"approvals": [
{
"user": {
"id": 1,
"name": "Administrator",
"username": "root",
"state": "active",
"avatar_url": "https://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=80&d=identicon",
"web_url": "http://local.gitlab.test:8181/root"
},
"status": "approved"
}
]
}(Note: A runner is needed to actually run the deployment job and transition the deployment status from blocked to running => success)
Confirm pipeline succeeded
Edited by Shinya Maeda