Group Deploy Keys
Problem to solve
You need to add a deploy key to every project manually in order to use GitLab CI with the same deploy keys across projects. This is so the runner will get permission to clone/fetch other repositories that are internal or private.
This is not very effective, especially if you need to update your key or add a new one.
Intended users
Everyone working with GitLab CI and using the repo tool:
User experience goal
- The user should be able to configure deploy keys on the group level so they will be accessible in any child project.
- Users should find it easy to locate the group deploy keys in a group.
- Ideally, users should be aware of group deploy keys when working in a project context.
Proposal
- Add a menu option Repository under the group sidebar Settings menu
- Add a section Deploy keys
- Group Deploy keys allow read-only or read-write (if enabled) access to your project repositories within the group.
- Note: Group deploy keys do not support protected branches unless #30769 (comment 337230547) is implemented.
- Deploy keys can be used for access to environments. You can create a group deploy key or add an existing one.
- Note: Group deploy keys do not support protected environments unless #223748 is implemented.
- Project deploy keys are unique within the same instance. This means they can't both be added in User settings > SSH keys and in a group's or project's deploy keys section.
- This is shown with an error message similar to the one for project deploy keys (depicted at #14729 (comment 387842401)).
- The read/write access given to a group deploy key applies to the entire group.
- Group deploy keys are shown the same way as instance level deploy keys within a project's deploy keys context.
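A sketch of the access rule the list above describes (inheritance to child projects, optional write access, no protected-branch support), added here as an illustration and not GitLab's implementation. The class names, group paths and fingerprints are assumptions constructed for the example.

```ruby
# Added illustration; GroupDeployKey and GroupKeyAccess are hypothetical names.
GroupDeployKey = Struct.new(:fingerprint, :group_path, :can_push)

class GroupKeyAccess
  # protected_branches maps a project path to its protected branch names.
  def initialize(keys, protected_branches = {})
    @keys = keys
    @protected_branches = protected_branches
  end

  # Group keys that reach a project: the key's group must be the project's
  # parent or an ancestor. The trailing "/" stops "acme" matching "acme-labs".
  def keys_for(project_path)
    @keys.select { |k| project_path.start_with?("#{k.group_path}/") }
  end

  # action is :pull or :push; branch is only consulted for :push.
  def allowed?(fingerprint, project_path, action, branch = nil)
    matching = keys_for(project_path).select { |k| k.fingerprint == fingerprint }
    return false if matching.empty?   # key is not on any ancestor group
    return true if action == :pull    # every group deploy key can read
    return false unless action == :push && matching.any?(&:can_push)
    # Group deploy keys do not support protected branches in this proposal.
    !@protected_branches.fetch(project_path, []).include?(branch)
  end
end

# Constructed sample data: a read-only key on the top-level group and a
# read-write key on a subgroup, with one protected branch in one project.
SAMPLE_ACCESS = GroupKeyAccess.new(
  [
    GroupDeployKey.new("SHA256:constructed-ro", "acme", false),
    GroupDeployKey.new("SHA256:constructed-rw", "acme/platform", true)
  ],
  { "acme/platform/api" => ["main"] }
)
```

The write-enabled key on `acme/platform` can push to unprotected branches of projects under that subgroup only; a key on the top-level group reaches every descendant project, which is the blast radius to weigh before ticking "Write access allowed".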
UI layout of Deploy keys section:
Similar to the project settings section at /settings/repository to begin with. This should ideally be moved to a creation flow similar to the one for variables, with a modal containing the creation flow.
#### Deploy Keys
Deploy keys allow read-only or read-write (if enabled) access to your group's repositories. Deploy keys can be used for CI, staging, or production servers. You can create a deploy key or add an existing one.
Create a new deploy key for this group.
Title
[FIELD]
Key
[FIELD]
Paste a machine public key here. Read more about how to generate it [here](https://gitlab.com/help/ssh/README).
* [ ] Write access allowed
Allow this key to push to __all of this group's repositories__ as well? (Default only allows pull access.)
Deploy keys table:
[TAB][Enabled deploy keys][NUM] [TAB][Privately accessible deploy keys][NUM] [TAB][Publicly accessible deploy keys][NUM]
[HEADER][Deploy key] [HEADER][Project usage] [HEADER][Created]
[ROW]{Title}{Fingerprint} [BADGE per Project]{Project reference}{Access level icon} [Date]{icon:calendar}{time ago} [ACTIONS]{Enable}{Disable}{Remove}{Edit}
Further details
Permissions and Security
Everyone who has access to Group > Settings > CI / CD should be able to add Group Deploy Keys/Tokens.
- Add expected impact to Maintainer (40) members
- Add expected impact to Owner (50) members
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Core or Starter
Is this a cross-stage feature?
Links / references