
Group Deploy Keys

Problem to solve

You need to add a deploy key to every project manually in order to use GitLab CI with the same deploy keys across projects. This is so the runner will get permission to clone/fetch other repositories that are internal or private.

This is not very effective, especially if you need to update your key or add a new one.

Intended users

Everyone working with GitLab CI and using the repo tool:

User experience goal

  • The user should be able to configure deploy keys on the group level so they will be accessible in any child project.
  • Users should find it easy to locate the group deploy keys in a group.
  • Ideally, users should be knowledgeable about group deploy keys when in a project context.

Proposal

  • Add a menu option Repository under the group sidebar Settings menu
  • Add a section Deploy keys
  • Group Deploy keys allow read-only or read-write (if enabled) access to your project repositories within the group.
  • Deploy keys can be used for access to environments. You can create a group deploy key or add an existing one.
    • Note: Group deploy keys do not support protected environments unless #223748 is implemented.
  • Project deploy keys are unique within the same instance. This means they can't both be added in User settings > SSH keys and in a group's or project's deploy keys section.
  • Group deploy keys inherit the same read/write access given to the key to the entire group.
  • Group deploy keys are shown the same way as instance level deploy keys within a project's deploy keys context.

UI layout of Deploy keys section:

Similar to the project settings section at /settings/repository to begin with. This should ideally be moved to a similar creation flow as variables with a modal containing the creation flow.

#### Deploy Keys

Deploy keys allow read-only or read-write (if enabled) access to your group's repositories. Deploy keys can be used for CI, staging, or production servers. You can create a deploy key or add an existing one.

Create a new deploy key for this group.

Title

[FIELD]

Key

[FIELD]

Paste a machine public key here. Read more about how to generate it [here](https://gitlab.com/help/ssh/README).

* [ ] Write access allowed
      Allow this key to push to __all of this group's repositories__ as well? (Default only allows pull access.)

Deploy keys table:

[TAB][Enabled deploy keys][NUM] [TAB][Privately accessible deploy keys][NUM] [TAB][Publicly accessible deploy keys][NUM]

[HEADER][Deploy key]       [HEADER][Project usage]                                      [HEADER][Created]

[ROW]{Title}{Fingerprint}  [BADGE per Project]{Project reference}{Access level icon}    [Date]{icon:calendar}{time ago}         [ACTIONS]{Enable}{Disable}{Remove}{Edit}

Further details

Permissions and Security

Everyone who has access to Group > Settings > CI / CD should be able to add Group Deploy Keys/Tokens.

  • Add expected impact to Maintainer (40) members
  • Add expected impact to Owner (50) members

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Core or Starter

Is this a cross-stage feature?

Links / references


Edited by 🤖 GitLab Bot 🤖
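
An added example, not part of the original issue or GitLab's code: with per-project deploy keys, rotating a shared key means first finding every project that carries it. The code below groups constructed per-project key listings by SSH SHA256 fingerprint and flags shared keys that have write access; the listing shape (`title`, `key`, `can_push`), the project paths and all function names are assumptions.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def ssh_fingerprint(public_key):
    """SHA256 fingerprint of an OpenSSH public key line, in `ssh-keygen -lf` form."""
    blob = base64.b64decode(public_key.split()[1])  # ignore key type and comment
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_usage(listings):
    """Map fingerprint -> sorted [(project, can_push)] across all projects."""
    usage = defaultdict(list)
    for project, keys in listings.items():
        for k in keys:
            usage[ssh_fingerprint(k["key"])].append((project, bool(k.get("can_push"))))
    return {fp: sorted(rows) for fp, rows in usage.items()}

def rotation_targets(listings, public_key):
    """Projects where this key is enabled; each one needs updating on rotation."""
    return [p for p, _ in key_usage(listings).get(ssh_fingerprint(public_key), [])]

def write_enabled(listings):
    """(fingerprint, project) pairs where a key shared by 2+ projects can push."""
    return sorted((fp, p) for fp, rows in key_usage(listings).items()
                  if len(rows) > 1 for p, push in rows if push)

def constructed_key(seed, comment):
    # Constructed sample key: ssh-ed25519 wire format with made-up key bytes.
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

CI_KEY = constructed_key(b"ci", "ci-runner")
CI_KEY_RELABELLED = constructed_key(b"ci", "runner@build-host")  # same key, new comment
OTHER_KEY = constructed_key(b"other", "staging")
# Constructed listings: project path -> deploy keys enabled on that project.
SAMPLE = {
    "group/app": [{"title": "CI", "key": CI_KEY, "can_push": False}],
    "group/lib": [{"title": "ci key", "key": CI_KEY_RELABELLED, "can_push": True}],
    "group/docs": [{"title": "staging", "key": OTHER_KEY, "can_push": True}],
}

if __name__ == "__main__":
    print(rotation_targets(SAMPLE, CI_KEY))
    print(write_enabled(SAMPLE))
```

Matching on the fingerprint rather than the title or comment catches the same key registered under different labels in different projects.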