Moving agents between environments


Daan Potter

Jun 10, 2020, 10:57:29 AM
to go-cd

Setup:

Environments: prod and non-prod
Agents: prod and non-prod, attached to the respective environment

I have defined a role with the following rights:

allow  view        *            *
allow  administer  environment  non-prod


When I check my environment from the engineer role I see the following:

Pipelines: Perfect, I can't move production pipelines to the non-prod environment and vice versa.
Agents: Not so perfect, I have administer rights on the non-prod environment so I am able to move production agents to the non-prod environment through agent association and use those in my non-prod setup.

How can I set up a hard split between agents so I can only deploy with a specific set? It seems that using environments is not the correct way.

Helge Walter

Jun 11, 2020, 3:52:55 AM
to go-cd
Hello Daan

I came across the same problem and opened the feature request 7769 for GoCD.
My current workaround is the following:
1. Do not give "pipeline users" admin rights to environments.
2. Do a logical association of pipeline group to environment (which is not a technical constraint of GoCD because it is not possible to define there)
3. Run a cron job every 5 minutes to assign newly created pipelines to an environment as defined by the pipeline group.
The only thing I have not managed to get right is the definition of environment variables on environments.

Maybe you can push my feature request ;)

Regards,
Helge

Daan Potter

Jun 11, 2020, 7:44:56 AM
to go-cd
Hi Helge,

Thank you for your input. I have also found something myself that could help me, and maybe also you:
It goes towards what you are doing a bit.

Pipelines outside of environments will only be assigned to agents in the default pool (not associated with any environment).

As we only manage two environments, prod and nonprod, I should be able just to remove the nonprod environment as a whole.
So everything that shouldn't be touched is included in an environment, everything that can be touched stays outside of an environment.

I think that solves my problem. Haven't tested if it works yet though.
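
Added example, not part of any post in this thread and not GoCD code: a periodic audit that flags agents whose environment association has drifted from a pinned policy, which is the condition described in the first post. The hostnames, the `PROD_AGENTS` set and the simplified inventory shape (hostname plus environment names) are assumptions constructed for illustration, not the GoCD API response format.

```python
"""Audit agent-to-environment associations against a pinned policy."""

# Assumed policy: these hostnames (constructed) are production agents and
# may only ever be associated with the "prod" environment.
PROD_AGENTS = {"prod-agent-01", "prod-agent-02", "prod-agent-03"}
PROD_ENV = "prod"

# Constructed sample inventory; in practice this would be exported from
# the server on a schedule and reshaped into this form.
SAMPLE = [
    {"hostname": "prod-agent-01", "environments": ["prod"]},
    {"hostname": "prod-agent-02", "environments": ["prod", "non-prod"]},
    {"hostname": "prod-agent-03", "environments": []},
    {"hostname": "build-agent-07", "environments": []},
    {"hostname": "build-agent-08", "environments": ["prod"]},
]


def audit(agents):
    """Return sorted (hostname, finding) tuples for every policy violation."""
    findings = []
    for agent in agents:
        host = agent["hostname"]
        envs = set(agent.get("environments", []))
        if host in PROD_AGENTS:
            extra = envs - {PROD_ENV}
            if extra:
                # A prod agent was also associated with another environment.
                findings.append(
                    (host, "prod agent also in: " + ",".join(sorted(extra)))
                )
            if PROD_ENV not in envs:
                # An agent outside every environment sits in the default
                # pool and serves pipelines that are outside environments.
                findings.append((host, "prod agent missing from prod"))
        elif PROD_ENV in envs:
            # An agent that is not on the prod list was attached to prod.
            findings.append((host, "non-prod agent associated with prod"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in audit(SAMPLE):
        print(f"{host}: {finding}")
```
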