7 files changed, 66 insertions, 9 deletions

diff --git a/app/models/clusters/agent.rb b/app/models/clusters/agent.rb
index 9fb8cd024c5..cf6d95fc6df 100644
--- a/app/models/clusters/agent.rb
+++ b/app/models/clusters/agent.rb
@@ -10,6 +10,12 @@ module Clusters
     has_many :agent_tokens, class_name: 'Clusters::AgentToken'
     has_many :last_used_agent_tokens, -> { order_last_used_at_desc }, class_name: 'Clusters::AgentToken', inverse_of: :agent
 
+    has_many :group_authorizations, class_name: 'Clusters::Agents::GroupAuthorization'
+    has_many :authorized_groups, class_name: '::Group', through: :group_authorizations, source: :group
+
+    has_many :project_authorizations, class_name: 'Clusters::Agents::ProjectAuthorization'
+    has_many :authorized_projects, class_name: '::Project', through: :project_authorizations, source: :project
+
     scope :ordered_by_name, -> { order(:name) }
     scope :with_name, -> (name) { where(name: name) }
 
diff --git a/app/models/clusters/agents/group_authorization.rb b/app/models/clusters/agents/group_authorization.rb
new file mode 100644
index 00000000000..74c0cec3b7e
--- /dev/null
+++ b/app/models/clusters/agents/group_authorization.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Clusters
+  module Agents
+    class GroupAuthorization < ApplicationRecord
+      self.table_name = 'agent_group_authorizations'
+
+      belongs_to :agent, class_name: 'Clusters::Agent', optional: false
+      belongs_to :group, class_name: '::Group', optional: false
+
+      validates :config, json_schema: { filename: 'cluster_agent_authorization_configuration' }
+
+      delegate :project, to: :agent
+    end
+  end
+end
diff --git a/app/models/clusters/agents/implicit_authorization.rb b/app/models/clusters/agents/implicit_authorization.rb
new file mode 100644
index 00000000000..967cc686045
--- /dev/null
+++ b/app/models/clusters/agents/implicit_authorization.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Clusters
+  module Agents
+    class ImplicitAuthorization
+      attr_reader :agent
+
+      delegate :id, to: :agent, prefix: true
+      delegate :project, to: :agent
+
+      def initialize(agent:)
+        @agent = agent
+      end
+
+      def config
+        nil
+      end
+    end
+  end
+end
diff --git a/app/models/clusters/agents/project_authorization.rb b/app/models/clusters/agents/project_authorization.rb
new file mode 100644
index 00000000000..1c71a0a432a
--- /dev/null
+++ b/app/models/clusters/agents/project_authorization.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Clusters
+  module Agents
+    class ProjectAuthorization < ApplicationRecord
+      self.table_name = 'agent_project_authorizations'
+
+      belongs_to :agent, class_name: 'Clusters::Agent', optional: false
+      belongs_to :project, class_name: '::Project', optional: false
+
+      validates :config, json_schema: { filename: 'cluster_agent_authorization_configuration' }
+    end
+  end
+end
diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb
index 2fff0a69a26..feac7bbc363 100644
--- a/app/models/clusters/cluster.rb
+++ b/app/models/clusters/cluster.rb
@@ -148,6 +148,7 @@ module Clusters
     scope :with_management_project, -> { where.not(management_project: nil) }
 
     scope :for_project_namespace, -> (namespace_id) { joins(:projects).where(projects: { namespace_id: namespace_id }) }
+    scope :with_name, -> (name) { where(name: name) }
 
     # with_application_prometheus scope is deprecated, and scheduled for removal
     # in %14.0. See https://gitlab.com/groups/gitlab-org/-/epics/4280
diff --git a/app/models/clusters/clusters_hierarchy.rb b/app/models/clusters/clusters_hierarchy.rb
index 162a1a3290d..9435d258d67 100644
--- a/app/models/clusters/clusters_hierarchy.rb
+++ b/app/models/clusters/clusters_hierarchy.rb
@@ -83,7 +83,7 @@ module Clusters
         project_id: clusterable.id
       }
 
-      model.sanitize_sql_array([Arel.sql(order), values])
+      Arel.sql(model.sanitize_sql_array([Arel.sql(order), values]))
     end
 
     def group_clusters_base_query
diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb
index 7f5f87e3e36..7ec614b048c 100644
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -137,6 +137,14 @@ module Clusters
         kubeclient.patch_ingress(ingress.name, data, namespace)
       end
 
+      def kubeconfig(namespace)
+        to_kubeconfig(
+          url: api_url,
+          namespace: namespace,
+          token: token,
+          ca_pem: ca_pem)
+      end
+
       private
 
       def default_namespace(project, environment_name:)
@@ -154,14 +162,6 @@ module Clusters
         ).execute
       end
 
-      def kubeconfig(namespace)
-        to_kubeconfig(
-          url: api_url,
-          namespace: namespace,
-          token: token,
-          ca_pem: ca_pem)
-      end
-
       def read_pods(namespace)
         kubeclient.get_pods(namespace: namespace).as_json
       rescue Kubeclient::ResourceNotFoundError