Move the CI Tunnel with agent identity to Core
namespace
below means a GitLab group or project.
Authorization to use EE features of CI tunnel depends on who is trying to access it, see https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/issues/136#note_621564649 (confidential), not the license of the agent owner/creator/namespace.
-
For CI jobs under a licensed namespace, allow access to all CI tunnel features.
-
For CI jobs under a non-licensed namespace, return an empty list from
/api/v4/job/allowed_agents
rails endpoint.i.e. this API returns a list of allowed agents to be accessed by this CI job token. It's a an empty list if nothing is allowed. We don't want to return a 403 to avoid confusing kas as to whether the token is invalid vs something else. Kas can return a more meaningful response to the user if it understands the difference.
Don't forget to update documentation.