search

gocd / gocd

GoCD - Continuous Delivery server main repository
https://www.gocd.org
Apache License 2.0
7.1k stars 970 forks source link

Prevent elastic agent profile selection in Pipeline as code #10864

Open worapojc opened 1 year ago

worapojc commented 1 year ago
Issue Type
Summary

My use case is that I've one cluster profile and many agent profile for each squad team.

Squad Elastic Agent Profile
Squad-A Squad-A-Build-Agent
Squad-B Squad-B-Build-Agent
Squad-C Squad-C-Build-Agent

I'm also using YAML plugin to allow squad can write their own pipeline as code.

The problem is that the config repo allow to set the permission only Environment, Pipeline and Pipeline Group.

In the config repo of Squad B, it can select Squad-A-Build-Agent profile or Squad-B-Build-Agent profile with elastic_profile_id property.

It cannot prevent elastic agent profile selection as code.

In the UI, it's OK because it allows to list and view but you cannot use the agent profile which is not configured in Role. https://docs.gocd.org/current/configuration/policy_in_gocd.html#elastic-agent-configuration

Basic environment details
Expected Results

The elastic cluster profile and elastic agent profile in Config Repo

chadlwilson commented 1 year ago

Relates to https://github.com/gocd/gocd/issues/7605 where the initial set of rules were implemented.

worapojc commented 1 year ago

Hello @chadlwilson, May I ask this feature has planned to implement yet?

chadlwilson commented 1 year ago

It should be reasonably straightforward to add I think (and makes sense to me), but I didn't get a chance to look at it for 22.3.0 (just released) and think about the right approach here.

worapojc commented 1 year ago

Thank you for this follow up.

worapojc commented 1 year ago

Sorry to bother you @chadlwilson, I saw this request was removed from Release 23.1.0.

When it be release on which version? By the way, do we have a workaround to prevent this use case?

chadlwilson commented 1 year ago

I removed it because I hadn't had time/motivation to work on it and I wanted to release other changes in 23.1.0 soon. I can't commit to any specific release unfortunately. https://www.gocd.org/2023/02/13/gocd-project-status/

The only workaround I can think of might be to implement some kind of pull request process outside GoCD on your config repo changes using some automation that validates the elastic_profile_ids are appropriate for each team/squad's config repo, using rules that you control.

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had activity in the last 90 days. If you can still reproduce this error on the master branch using local development environment or on the latest GoCD Release, please reply with all of the information you have about it in order to keep the issue open. Thank you for all your contributions.