CI/CD tunnel
<!-- The first section "Release notes" is required if you want to have your release post blog MR auto generated. Currently in BETA, details on the **release post item generator** can be found in the handbook: https://about.gitlab.com/handbook/marketing/blog/release-posts/#release-post-item-generator and this video: https://www.youtube.com/watch?v=rfn9ebgTwKg. The next four sections: "Problem to solve", "Intended users", "User experience goal", and "Proposal", are strongly recommended in your first draft, while the rest of the sections can be filled out during the problem validation or breakdown phase. However, keep in mind that providing complete and relevant information early helps our product team validate the problem and start working on a solution. -->

**Engineering DRI:** @ash2k

## Release notes

<!-- What is the problem and solution you're proposing? This content sets the overall vision for the feature and serves as the release notes that will populate in various places, including the [release post blog](https://about.gitlab.com/releases/categories/releases/) and [Gitlab project releases](https://gitlab.com/gitlab-org/gitlab/-/releases). -->

## Problem to solve

As an Application Operator, I would like to use the GitLab Kubernetes Agent for deployments as part of my CI job, so that I don't have to open up my cluster to connect it to GitLab.

## Intended users

* [Allison (Application Ops)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#allison-application-ops)
* [Priyanka (Platform Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#priyanka-platform-engineer)

## User experience goal

The user can configure their CI to send Kubernetes manifests to one or more agents for deployment. We want to support a single pipeline that deploys to multiple clusters, that is, one that deploys using multiple Agents. This is often required in production environments, where the production environment is composed of multiple clusters in different regions/availability zones. [This would be possible using matrix builds](https://gitlab.com/gitlab-org/gitlab/-/issues/280563#note_458445901).

## Proposal

Enable the Runner job to talk directly through kas to a cluster on a private network, so that commands such as `kubectl` can be run directly against the cluster.

Initially, we can provide the `KUBECONTEXT` with the agent's access rights, so we would get an experience similar to the non-GitLab-managed apps today: the CI job would be allowed to do anything that the agent has rights to do. We might change this once https://gitlab.com/gitlab-org/gitlab/-/issues/243740 is implemented.

### Iteration 1 - MVP

**In the first version**, we are aiming for single-project setups. That is, the CI job can access the agent(s) registered in the same project. Moreover, this behavior is enabled by default and is available to any CI job. This is the equivalent of the current project-level cluster integrations, except for managing namespaces.

Initial metric: increment a metric +1 per agent when a request hits kas.gitlab.example.com and report it in usage ping.

How do we make sure that the deployment token is still alive? The `CI_JOB_TOKEN` becomes invalid once the job is over.

- [x] [Docs] Technical design https://gitlab.com/gitlab-org/gitlab/-/issues/323145
- Other tasks in the epic: https://gitlab.com/groups/gitlab-org/-/epics/5781

### Iteration 2 - CI user impersonation

Support CI user impersonation when accessing the Kubernetes API. https://gitlab.com/groups/gitlab-org/-/epics/5782

### Iteration 3 - CI job impersonation

Support CI job impersonation when accessing the Kubernetes API. https://gitlab.com/groups/gitlab-org/-/epics/5783

### Iteration 4 - group support

Allow agents to grant access to groups. Any project within that group can access Kubernetes via the given Agent. https://gitlab.com/groups/gitlab-org/-/epics/5784

### Questions

- How do we select which agent to use for the deployment when the project has multiple agents configured?
  - It's up to the user. Using a matrix pipeline, it might use multiple agents too.
- Can the CI job use an agent outside of the given project?
  - Not in the first iteration.
- How can the CI job use a group-level agent?
  - Not in the first iteration.
- How are CI projects authorized to use an agent as a tunnel?
  - In the first iteration we start with a single-project setup where the project must contain the agent.
- Shall we use the `environment` keyword to specify the agent or introduce a new one?
- [How can we measure usage?](https://gitlab.com/gitlab-org/gitlab/-/issues/280563#note_463612784)

## Further details

## Documentation

<!-- See the Feature Change Documentation Workflow https://docs.gitlab.com/ee/development/documentation/workflow.html#for-a-product-change
* Add all known Documentation Requirements in this section. See https://docs.gitlab.com/ee/development/documentation/feature-change-workflow.html#documentation-requirements
* If this feature requires changing permissions, update the permissions document. See https://docs.gitlab.com/ee/user/permissions.html -->

## Availability & Testing

<!-- This section needs to be retained and filled in during the workflow planning breakdown phase of this feature proposal, if not earlier. What risks does this change pose to our availability? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing? Please list the test areas (unit, integration and end-to-end) that need to be added or updated to ensure that this feature will work as intended. Please use the list below as guidance.
* Unit test changes
* Integration test changes
* End-to-end test change
See the test engineering planning process and reach out to your counterpart Software Engineer in Test for assistance: https://about.gitlab.com/handbook/engineering/quality/test-engineering/#test-planning -->

## What does success look like, and how can we measure that?

We expect this feature to increase the number of Agents being installed. [The related metrics are still being discussed](https://gitlab.com/gitlab-org/gitlab/-/issues/280563#note_463612784).

## What is the type of buyer?

<!-- What is the buyer persona for this feature? See https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/buyer-persona/ In which enterprise tier should this feature go? See https://about.gitlab.com/handbook/product/pricing/#four-tiers -->

Pick one for the tier:

- [ ] gitlab~13116818 - https://gitlab.com/gitlab-com/Product/-/issues/1398#note_423651212
- [x] gitlab~2278657

## Is this a cross-stage feature?

<!-- Communicate if this change will affect multiple Stage Groups or product areas. We recommend always starting with the assumption that a feature request will have an impact on another Group. Loop in the most relevant PM and Product Designer from that Group to provide strategic support to help align the Group's broader plan and vision, as well as to avoid UX and technical debt. https://about.gitlab.com/handbook/product/#cross-stage-features -->

## Links / references

<!-- Label reminders - you should have one of each of the following labels. Read the descriptions on https://gitlab.com/gitlab-org/gitlab/-/labels to find the correct ones -->
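As an added illustration of the matrix-build idea in the proposal (this is not configuration from the issue or from the GitLab project itself), the `.gitlab-ci.yml` below fans one `deploy` job out over two agents in the same project, each selected through a kubectl context carrying that agent's access rights. The context names `prod-eu`/`prod-us`, the `manifests/` directory, the `app` namespace, the `web` deployment and the `bitnami/kubectl` image are all assumptions.

```yaml
# Added example: one pipeline deploying the same manifests through two agents.
# Assumptions: both agents are registered in this project and are exposed to the
# job as kubectl contexts named "prod-eu" and "prod-us"; manifests live in ./manifests.
stages:
  - deploy

deploy:
  stage: deploy
  image: bitnami/kubectl:latest   # assumption: any image that ships kubectl will do
  parallel:
    matrix:
      # One job per agent; each job receives AGENT_CONTEXT and REGION as variables.
      - AGENT_CONTEXT: prod-eu
        REGION: eu-west
      - AGENT_CONTEXT: prod-us
        REGION: us-east
  environment:
    name: production/$REGION       # one environment per cluster for deployment tracking
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    # Select the agent tunnel. In iteration 1 the job can only do what the agent
    # is allowed to do, and its credentials stop working when the job ends, so
    # nothing long-lived is left behind on the runner.
    - kubectl config use-context "$AGENT_CONTEXT"
    - kubectl apply -n app -f manifests/
    # Fail the job if the rollout does not converge, so a broken cluster shows up
    # in the pipeline instead of silently drifting from the other region.
    - kubectl rollout status -n app deployment/web --timeout=120s
```

Because each matrix entry is its own job, a failure in one region does not block the deployment to the other, and the per-region `environment` keeps the two deployments distinguishable in the GitLab UI.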