Executor/GitLab Runner: Allow users to configure the list of trusted users
Currently, gateway runners are only usable by trusted users or trusted namespaces. This list is sourced from gateway.yml
and cannot be modified by farm owners... which prevents them from using their own CI gateway as a runner for testing CI-tron (self-hosting) while also giving the current trusted developers too much access to farms that they shouldn't have access to.
Just like we did with SSH (!692 (merged)), we should source the list of trusted users/namespaces from /config/
. Doing so would however partially break CI in gfx-ci/ci-tron
since it would not be possible to know ahead of time which CI-tron-based gateway allows a user to run or not. Potential solutions:
- Always allow
gfx-ci/ci-tron
to run pipelines: Not ideal because it takes away control from users - Allow users to set additional tags to their gateway runners, use an agreed-upon tag that allow using the runner for
gfx-ci/ci-tron
(CI-tron-runner
?), allow users to override the default runner variables (!722 (merged)), then using this feature to useCI-tron-runner
ingfx-ci/ci-tron
.
Related: #214