Investigate: Pull NuGet packages at the Instance level
Context
The GitLab NuGet Repository allows developers to build, publish and share .NET packages, alongside their source code and CI Pipelines. Packages are published to a specific GitLab project or group and can be installed from the project or group.
You can view the permissions required to push/download packages here: https://docs.gitlab.com/ee/user/packages/package_registry/#package-registry-visibility-permissions.
Problem to solve
The problem is that some GitLab customers have complex organizational structures with many groups, sub-groups, and projects. In addition, they may have to manage permissions carefully between teams. For example, see the customer use case below:
Customer problem
GitLab's NuGet registry can be queried on project and group levels. Therefore, our Dotnet applications need a build configuration with multiple GitLab NuGet registry endpoints (as the endpoint on the top-level group level can't be used due to the "Minimum Access" permissions). NuGet's "restore" operation will always query ALL configured endpoints for EVERY package, causing a massive request spike which triggers our rate limiter. This results in pipeline failures and potential developer lock-out from GitLab.
(See issue - https://gitlab.com/gitlab-com/gl-infra/reliability/-/issues/16300)
Proposal
The proposal to address this problem is to add an instance-level NuGet endpoint for pulling NuGet packages.
This issue is an investigation into that proposal as we expect to encounter a few challenges during implementation.
Further details
Challenges
- When adding an instance-level endpoint, we need to be extra careful with testing the performance and scalability of the feature.
- We'll need to determine a naming convention that makes sense. This is important because it will not be easy to change in the future.
- We'll need to roll this out with a feature flag.
- We'll need to decide if this feature is enabled for GitLab.com.
Permissions and Security
For the instance-level endpoint, do we require Reporter+ to pull packages, or Guest or higher?
Documentation
- https://docs.gitlab.com/ee/user/packages/package_registry/#package-registry-visibility-permissions
- https://docs.gitlab.com/ee/user/packages/nuget_repository/
Links / references
- Feature specific permissions for the Package R... (#329253 - closed) will be released in 15.7 and includes a way to control the repository visibility separately from the package registry. This could be a useful workaround for sharing registries across projects/groups.
- Another workaround would be to use a top-level group for packages and use group deploy tokens for installing packages.