Add worker architecture for scheduled PEP

What does this MR do and why?

Adds model and Sidekiq worker architecture for pipeline execution policy schedules.

The idea is that for each project that is in scope for a policy, we create a record in the new security_pipeline_execution_schedules table. The Security::PipelineExecutionPolicies::ScheduleWorker worker that runs every 15 minutes then only has to query the security_pipeline_execution_schedules table, without loading the actual policy configuration, to enqueue individual workers for each project and policy.
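To make the division of labour concrete, here is a small Ruby model of that flow, added as an illustration and not code from this MR: schedule rows carry only the project, policy and cron cadence, the 15-minute worker selects the due rows and enqueues one per-project job each, and no policy YAML is read in the process. The struct fields, the minimal cron matcher and the job name RunScheduleWorker are assumptions for the example.

```ruby
require 'time'

# Constructed stand-in for one row of security_pipeline_execution_schedules.
# The column names are assumptions for this example, not the MR's schema.
ProjectSchedule = Struct.new(:id, :project_id, :policy_id, :cadence, :next_run_at)

# Minimal cron field matcher: supports '*', a single number, or a comma list.
def cron_field_match?(field, value)
  field == '*' || field.split(',').map(&:to_i).include?(value)
end

# True when time t (UTC) satisfies the five-field cadence, e.g. "0 * * * *".
def cron_match?(cadence, t)
  min, hour, dom, mon, dow = cadence.split
  cron_field_match?(min, t.min) && cron_field_match?(hour, t.hour) &&
    cron_field_match?(dom, t.day) && cron_field_match?(mon, t.month) &&
    cron_field_match?(dow, t.wday)
end

# Next whole minute strictly after `from` that matches the cadence.
# Scans minute by minute for at most a year; returns nil if nothing matches.
def next_run(cadence, from)
  t = Time.utc(from.year, from.month, from.day, from.hour, from.min) + 60
  (366 * 24 * 60).times do
    return t if cron_match?(cadence, t)
    t += 60
  end
  nil
end

# Models the periodic ScheduleWorker: it reads only the schedule rows,
# never the policy configuration, enqueues one job per due (project, policy)
# pair and advances next_run_at. Returns the enqueued jobs as hashes.
def schedule_worker_perform(schedules, now)
  due = schedules.select { |s| s.next_run_at <= now }
  due.map do |s|
    s.next_run_at = next_run(s.cadence, now)
    { worker: 'RunScheduleWorker', project_id: s.project_id, policy_id: s.policy_id }
  end
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2024, 1, 1, 12, 0)
  rows = [ProjectSchedule.new(1, 10, 'test', '0 * * * *', now),
          ProjectSchedule.new(2, 11, 'test', '0 * * * *', now + 3600)]
  p schedule_worker_perform(rows, now) # only project 10 is due at 12:00
end
```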

Feature availability

This MR is part of a new feature addition (&14147). It does not contain a feature flag because there is no UI for the feature yet that we could hide.

How to set up and validate locally

There is no user-visible change in this MR, which makes it hard to test manually.

  1. Check the count of project schedules in the Rails console with Security::PipelineExecutionProjectSchedule.count. It should be 0.
  2. Create a group with a project in it
  3. Create another project in the group
  4. In the new project, add a policy-ci.yml file:
    pipeline execution policy job:
      stage: .pipeline-policy-pre
      script:
        - echo "Enforce your policy here"
  5. Create a policy configuration file .gitlab/security-policies/policy.yml in the project and replace the project field with the path to your project:
    ---
    pipeline_execution_schedule_policy:
    - name: test
      description: ''
      enabled: true
      content:
        include:
        - project: path/to-your/project
          file: policy-ci.yml
      schedule:
        cadence: 0 * * * *
    approval_policy: []
  6. Go back to the group page and select Security & Compliance and Policies on the left sidebar.
  7. Select Edit policy project.
  8. Select the project you created and select Save.
  9. Check the count of schedules again with Security::PipelineExecutionProjectSchedule.count. It should now be 2, one for each project in the group.

Related to #504088 (closed)

Edited by Andy Schoenen