How to set up a deployment in Gitlab CI so that the developer does not get access to the host?
I want to set up build, test and deploy via GitLab.
The conditional scheme of the pipeline looks something like this:
The deploy_staging task is launched automatically.
The deploy_prod task can only be run by certain users.
Hashicorp Vault is used to store and transfer secrets/settings to the pipeline and to the server.
And I can't figure out how to protect the host from being accessed by any developer who might be committing to one of the branches.
The only way that came to mind is to manually pass some special key into the environment every time the pipeline is started, a key that only a person with rights to access the production server knows. And I'm not sure that this key cannot be peeked at in the logs.
In systems where the deployment config is hidden from the developer, you can set conditions that allow deployment to production only in certain cases (branch name, name of the deployment initiator). In GitLab, all parameters end up in environment variables; they can be printed in the logs, and anyone can view and copy all the tokens and certificates for themselves.
Yes, I remember puzzling over this somehow, but in the end it turned out that there is always some way for the developer to get access to the production server.
I solved it then by having the main project access only staging, while for production there was a fork of this project with its own runner.
But after that, Gitlab added a few features, so maybe now there is another option.
Today I think it's possible to:
- have 2 runners: one for staging, one for production
- the production runner is configured to run jobs only on `master`
- the developer does not have privileges to push to or merge into `master`.
This implies that staging and production are different servers.
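The arrangement from the answer above, written out as an added `.gitlab-ci.yml` (this is an illustrative example, not code from the original thread). It assumes two runners tagged `staging` and `production`, that the `production` runner is marked "Protected" in the project's runner settings so it only picks up jobs on protected refs, that `master` is a protected branch developers cannot push to or merge into, and that production credentials are stored as protected and masked CI/CD variables; the branch names, script names and the variable name `PROD_DEPLOY_TOKEN` are placeholders:

```yaml
# Added example: two-runner split for staging vs production.
# Assumed setup (configured in the GitLab UI, not in this file):
#   - runner tagged "staging": ordinary runner
#   - runner tagged "production": marked "Protected", so it only runs jobs
#     on protected branches/tags
#   - "master" is a protected branch; developers are not allowed to push or merge
#   - PROD_DEPLOY_TOKEN (placeholder name) is a protected + masked CI/CD variable,
#     so it is never injected into pipelines on unprotected developer branches
stages:
  - build
  - test
  - deploy

build:
  stage: build
  script:
    - make build

test:
  stage: test
  script:
    - make test

deploy_staging:
  stage: deploy
  tags:
    - staging                  # only the staging runner takes this job
  environment:
    name: staging
  script:
    - ./deploy.sh staging      # placeholder deploy script
  rules:
    - if: $CI_COMMIT_BRANCH == "develop"

deploy_prod:
  stage: deploy
  tags:
    - production               # only the protected production runner takes this job
  environment:
    name: production
  resource_group: production   # serialise concurrent production deploys
  script:
    - ./deploy.sh production   # PROD_DEPLOY_TOKEN is available here only on protected refs
  rules:
    - if: $CI_COMMIT_BRANCH == "master"
      when: manual             # a manual job on a protected branch can only be
                               # started by a user allowed to merge into that branch
    - when: never              # no production deploy from any other ref
```

With this layout a developer's feature-branch pipeline can never be scheduled on the production runner, and because the production secrets are protected variables they are simply absent from that pipeline's environment, so there is nothing for `env` or a debug trace to print. Masking only hides a variable's value in the job log and is best-effort, so the protected flag (never handing the value to unprotected refs) is the control that actually matters.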