Allow user env vars for GitLab subgroups

[geropl]

Description

This PR allows to specify environment variable patterns for subgroups in GitLab. This is a long-standing issue that we always avoided to fix, but is now requested/assumed to be working by multiple customers.

We had multiple discussions in the past about deprecating this feature in the first place. However never did so, because it's a very convenient feature, that even if we had better secret support, adds value for users.

For examples of what's possible see the tests here and here.

The docs don't need to be changed, but could use a bit more explanation (see here).

Related Issue(s)

Fixes WEB-353

How to test

Resolution

• add these user-level env vars to your user config: link
• open two workspaces:
  • project 1
  • project 2
• note that you only see the expected env vars only ✔️

Permissions 1

• in one of the workspacex run gp env -u USER_GROUP_TEST, and see the "cannot delete" error ✔️

Permissions 2

• in one of the workspaces, run:

gp env TEST_NEW=abc
gp env
gp env -u TEST_NEW
gp env

and see that it does what you'd expect without errors ✔️

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.

• 🏷️ Name - gpl-env-var-1
• 🔗 URL - gpl-env-var-1.preview.gitpod-dev.com/workspaces.
• 📚 Documentation - See our internal documentation for information on how to interact with your preview environment.

Build Options

Build

• /werft with-werft
  Run the build with werft instead of GHA
• leeway-no-cache
• /werft no-test
  Run Leeway with --dont-test

Publish

• /werft publish-to-npm
• /werft publish-to-jb-marketplace

Installer

• analytics=segment
• with-dedicated-emulation
• with-ws-manager-mk2
• workspace-feature-flags
  Add desired feature flags to the end of the line above, space separated

Preview Environment

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-gce-vm
  If enabled this will create the environment on GCE infra
• with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh

/hold

[svenefftinge]

Where does this come from?

[svenefftinge]

there is a mention below https://github.dev/gitpod-io/gitpod/blob/2c1d74d479c10c68081d62c5a5f566ad1acd4e6d/components/gitpod-protocol/src/protocol.ts#L497-L498 not sure if this is still used and how/why a user would pass such a pattern through URL

[geropl]

It's from here: https://github.com/gitpod-io/gitpod/pull/17831/files#diff-957d9dd15b947e3969539ebd0dabcb8b40ce8b5564e5820cd9bb27d88be1dbc7L501

Could not find a mention in docs or tests anywhere. 🤷
I*'m inclined to remove it, but want to do that in a separate PR.

[svenefftinge]

In that case I'd say let's remove and see who complains 😅

[geropl]

Will do, after this has landed 👍

[svenefftinge]

It seems a bit surprising that a single * would match any number of segments. I believe it would be better to allow users being explicit about that using a globstar **. Did you consider that?
We could even just use a glob library which would also make it easier to explain users how the pattern match. I believe it is compatible with the limited matching we have currently.

Edit: going with a lib might be a bit too much, but the supporting and requiring ** to match multiple segments would be good. translating the pattern to a regexp seems most straight forward.

[geropl]

We could even just use a glob library which would also make it easier to explain users how the pattern match.

Yes, considered that...

Edit: going with a lib might be a bit too much,

...but also felt it's a tad too much as well. 🙃

but the supporting and requiring ** to match multiple segments would be good.

Hm, so far I only thought about */* (required) vs * (does not work).
I like the idea, and will see how it pans out after lunch.

[geropl]

@svenefftinge I added the ** special case in 996620b and would love your feedback on the complexity.
Good news: it helped uncover a bug due to the additional tests 🙃

[svenefftinge]

I believe translating the pattern to a regexp (i.e. '**' becomes '.*' and '*' becomes '[^/]*') would be simpler.

[geropl]

@svenefftinge I did the regex version in 61f84cb but it a) does not remove that much code, and b) has other problems (escaping the pattern for other regex control characters .+, etc.).
As we have the other version here already and it's tested, I would like to go with that. Ok?

[svenefftinge]

asked chatGPT for replacing control patterns:

s.replace(/[-\/\\^$+?.()|[\]{}]/g, '\\$&')

didn't try 🤷

[svenefftinge]

the segments need to be joined using an escaped slash (\/)
Maybe there is less value in having a join function when gong with the regexp approach.
i.e. maybe just inlining .join('\/')?

[svenefftinge]

new RegExp('^' + regexStr + '$')

[svenefftinge]

Cool! I find the code much simpler tbh as we no longer have the iteration over two arrays logic

[geropl]

/unhold