diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-11-02 15:11:46 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-11-02 15:11:46 +0300 |
commit | d8c4c08d4999959ca9b5a87a32153013791e96e0 (patch) | |
tree | 5772e13f80e3e85334f8b059c103a4065de8d682 /doc/architecture | |
parent | aa84824d04b32ce9cd3abeac90a6bf78fb2be34c (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/architecture')
-rw-r--r-- | doc/architecture/blueprints/gcp_integration/decisions/001_no_credentials.md | 19 | ||||
-rw-r--r-- | doc/architecture/blueprints/gcp_integration/index.md | 95 |
2 files changed, 0 insertions, 114 deletions
diff --git a/doc/architecture/blueprints/gcp_integration/decisions/001_no_credentials.md b/doc/architecture/blueprints/gcp_integration/decisions/001_no_credentials.md deleted file mode 100644 index 70e696def96..00000000000 --- a/doc/architecture/blueprints/gcp_integration/decisions/001_no_credentials.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -description: 'GCP Integration ADR 001: Do not store GCP credentials in GitLab' ---- - -# GCP Integration ADR 001: Do not store GCP credentials in GitLab - -## Context - -Users need to be able to perform certain actions within GCP based on their -GitLab project membership and permissions. For example, users of the -integration need a mechanism to push packages to the Google Artifact Registry -and to provision Runners within their GCP projects. - -## Decision - -Rely primarily on [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) -to manage authorization across the platform. This enables a GitLab user or a -group / project owner to authenticate within GCP via OAuth and have the ability -to assume / configure IAM roles in GCP based on their GitLab user attributes. diff --git a/doc/architecture/blueprints/gcp_integration/index.md b/doc/architecture/blueprints/gcp_integration/index.md deleted file mode 100644 index ec5412442e6..00000000000 --- a/doc/architecture/blueprints/gcp_integration/index.md +++ /dev/null @@ -1,95 +0,0 @@ ---- -status: proposed -creation-date: "2023-10-26" -authors: [ "@sgoldstein" ] -coach: "@jessieay" -approvers: [] -owning-stage: "~devops::verify" -participating-stages: ["~devops::verify", "~devops::package", "~devops::govern"] ---- - -<!-- Blueprints often contain forward-looking statements --> -<!-- vale gitlab.FutureTense = NO --> - -# GCP Integration - -## Summary - -GitLab and Google Cloud Platform (GCP) provide complementary tooling which we are integrating via our [partnership](https://about.gitlab.com/blog/2023/08/29/gitlab-google-partnership-s3c/). - -As phase 1 of this integration, we plan to: - -1. Authentication/Authorization Integration. Onboarding, account-linking and permission management between GitLab and GCP Identities. -1. Continuous Integration. Provision Runners into linked GCP projects. -1. Artifact Management. Package Registry integration with Google Artifact Registry. - -This design doc intends to capture the architecture for this initial integration phase. It should answer the following: - -1. How users, permissions, and service accounts managed between GitLab and GCP identities -1. How to automatically provision GitLab Runners on Google Cloud Compute (GCE) in GCP customer project via Terraform, with or without VPC configured -1. How to automatically push containers from GitLab CI to Google Artifact Registry, view those containers in GitLab, and trace to builds. - -NOTE: -GitLab package team has begun work on architecture design in [Google Artifact Registry Integration](../google_artifact_registry_integration/index.md) - -## Decisions - -- [ADR-001: Do not store GCP credentials in GitLab](decisions/001_no_credentials.md) - -## Proposal - -### Authentication/Authorization - -Rely primarily on [Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation) to manage authorization across the platform. This enables a GitLab user to authenticate within GCP via OAuth and have the ability to assume IAM roles in GCP based on their GitLab user attributes. - -#### Workload Identity Pool Provider creation in GCP - -As a GCP and GitLab customer (GitLab Group Owner), I would like to create a Workload Identity Pool and Provider to allow GitLab users to authenticate with GCP when executing CI workloads that utilize GCP services. - -Steps: - - 1. Customer navigates to GitLab → Operate → Google Cloud - 1. Customer authenticates with GCP through an OAuth flow, if the customer is not already authenticated. - 1. Creates a GCP Workload Identity Pool and Provider with OpenID Connect configuration in customers GCP Project, by providing the GCP project number at creation time. - 1. There is an [API to go from projectNum->projectID and back](https://cloud.google.com/resource-manager/reference/rest/v3/projects/get). - -#### GCP resource policy creation in GitLab for Workload Identity Provider - -As a GCP customer, I would like to authorize GitLab’s use of my GCP resources for the purpose of the GitLab - GCP Integration: - -Steps: - -1. Customer navigates to GitLab → Operate → Google Cloud -1. Customer authenticates with GCP through an OAuth flow, if the customer is not already authenticated. -1. Customer selects previously created Workload Identity Provider and adds applicable resource policies by specifying the: - 1. GCP project number - 1. One or more GitLab OpenID claims and associated values to use for authenticating a workload - 1. One or more GCP resources IAM roles the authenticated workload will be authorized to use -1. Customer is presented with a prompt asking them to confirm that they wish to proceed in creating this GCP resource policy - 1. If a customer confirms, a policy for the Workload Identity Provider is created in the specified GCP project. -1. If additional GCP resource policies are required, the customer can repeat steps 2 and 3. - -NOTE: -The user should also be able to edit (claims, values and IAM roles) and delete GCP resources policies. - -#### User to User authentication linkage - -As an existing GitLab user, I can use OAuth to link my existing GCP account so that I can seamlessly exchange data between the two - -This will be used for the following use cases: - - 1. In Artifact Registry where the individual user can see artifacts in GCP - 1. Creation of workload identity federation pools - 1. List, pull and push images to Artifact Registry from GitLab - -Also applies in the reverse direction. Existing GCP users can OAuth into GitLab and link their accounts. - -#### Runner Provisioning - -TBA - -#### GitLab CI to Google Artifact Registry Authn/Authz - -TBA - -## Design and implementation details |