Updated OpsLevel GitLab App Permissions as Part of Service Creation
On August 18, 2022, OpsLevel will begin providing Early Access to one of our most anticipated new features - Service Creation. With Service Creation, you can create and manage a gallery of service templates that developers can use to easily spin up new services. When creating new services, OpsLevel will automatically register them in your catalog and publish them to your GitLab organization. This will allow you to kick off service creation workflows directly in OpsLevel.
How Do I Get Started with Service Creation?
If you want Early Access to Service Creation, please notify your Customer Success Manager on or after August 18, 2022 to turn the feature on for you.
For Service Creation to integrate with GitLab, OpsLevel needs additional permissions from GitLab to create repos. You will be required to update your existing GitLab OpsLevel App in order to grant us these permissions. We have a step-by-step guide on how to update your permissions in our documentation.
What Should I Know About these New GitLab Permissions?
In order for you to make use of Service Creation, OpsLevel will need to perform the following actions within your GitLab repository:
- Create a new repository and populate it with new service code
- Create pull/merge requests against existing repositories
We will not be taking any actions other than the ones listed above. We will update you should we ever need to expand these actions for future features.
Even though we only need to perform a limited set of actions, the GitLab permissions model is not granular enough to restrict us to only these required actions.
Specifically, we are requesting the following additional permissions in your GitLab organization:
- Read and write on “administration”: We need this to create new repos.
- Read and write on “contents”: We need this to populate newly created repos with the templated repo content.
- Read and write on “pull requests”: We need this to create new pull requests, which we’ll use to help update templates.
- Read and write on “checks”: We need this to create GitHub checks per pull request. This is for a future feature to see OpsLevel checks, including new checks around templates, directly in GitHub.
NOTE: Several of the APIs in this list require further permissions to be able to use them (e.g., the secrets, checks, and workflows endpoints). We have no plans at this time to use any of the APIs we haven’t explicitly mentioned as part of Service Creation. We will notify you if we ever change these plans.
How will OpsLevel ensure these permissions are used securely and responsibly?
We appreciate that the GitLab app permissions we’re requesting are broad in scope. These permissions are broader than we’d like, but they are the minimum necessary for us to provide Service Creation.
On the security front, we have taken measures to ensure that the access you grant us to your GitLab organization cannot be accessed by malicious actors or inadvertently leaked.
- All access tokens, including GitLab, are encrypted at rest and in transit. Our security page has more details on ciphers and versions.
- As part of our SOC2 compliance, all access to our production systems is logged.
- The background workers running the service creation logic are running exclusively within our secured infrastructure.
- From a product perspective, again, we currently plan to use these permissions only for the use cases around service creation:
  - Creating new repositories
  - Creating pull / merge requests against existing repositories
We take seriously the trust you have in us to properly protect this data. Customer security is at the forefront of our product development process. We will not introduce any new action without it being thoroughly reviewed by our Product and Engineering teams.
We are also always available to listen to feedback and concerns that you may have.
Use Branch Protection for additional protection
We understand that, even though we take all steps necessary to minimize the risks of granting us these new permissions, some customers may still be hesitant or want additional protections in place.
One such protection is enabling branch protection on all of your services’ repositories. We always recommend enabling this. Branch protection ensures that your default branches are protected and that no one, including OpsLevel, can perform actions against them such as delete, force push, etc.
OpsLevel has a branch protection check that can assist in giving visibility into which service repos already have this in place.
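To audit the branch protection recommendation above independently, the following added example (not OpsLevel's branch protection check and not code from this announcement) flags repositories whose default branch is unprotected or still allows force pushes. It assumes each record merges a subset of GitLab's `GET /projects/:id` response with that project's `GET /projects/:id/protected_branches` list; the repository names and the merged `protected_branches` key are constructed for illustration.

```python
import re

# Constructed sample data. Each entry merges a subset of GET /projects/:id
# with that project's GET /projects/:id/protected_branches list (assumed shape).
SAMPLE_PROJECTS = [
    {"path_with_namespace": "acme/payments", "default_branch": "main",
     "protected_branches": [{"name": "main", "allow_force_push": False}]},
    {"path_with_namespace": "acme/search", "default_branch": "main",
     "protected_branches": [{"name": "release-*", "allow_force_push": False}]},
    {"path_with_namespace": "acme/billing", "default_branch": "master",
     "protected_branches": [{"name": "master", "allow_force_push": True}]},
    {"path_with_namespace": "acme/empty", "default_branch": None,
     "protected_branches": []},
]

def rule_covers(rule_name, branch):
    """True if a protection rule name (exact, or with '*' wildcards) covers branch."""
    pattern = ".*".join(re.escape(part) for part in rule_name.split("*"))
    return re.fullmatch(pattern, branch) is not None

def audit_project(project):
    """Classify one project: ok, unprotected, force-push-allowed, no-default-branch."""
    branch = project.get("default_branch")
    if not branch:
        return "no-default-branch"  # empty repository, nothing to protect yet
    rules = [r for r in project.get("protected_branches", [])
             if rule_covers(r["name"], branch)]
    if not rules:
        return "unprotected"
    # Conservative choice: flag the repo if any matching rule allows force push.
    if any(r.get("allow_force_push", False) for r in rules):
        return "force-push-allowed"
    return "ok"

def audit(projects):
    """Map each finding to the repositories that have it, skipping 'ok'."""
    findings = {}
    for project in projects:
        status = audit_project(project)
        if status != "ok":
            findings.setdefault(status, []).append(project["path_with_namespace"])
    return findings

if __name__ == "__main__":
    for status, repos in audit(SAMPLE_PROJECTS).items():
        print(f"{status}: {', '.join(repos)}")
```

Running the audit before and after granting the new permissions shows which repositories rely on the integration's good behaviour alone rather than on an enforced branch rule.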
What Are the Next Steps?
On August 18, 2022, we will update the existing GitLab App to enable these changes. You will be notified by OpsLevel when the updated GitLab App is available. We encourage our customers to update to the new app in order to take full advantage of Service Creation. However, if you do not want to update, there will be no changes to your existing OpsLevel functionality outside of not being able to use the Service Creation feature.
We aim to have all of our customers updated to the new permissions by September 16, 2022. If you have any hesitations or concerns, please reach out to your Customer Success Manager and we will be more than happy to schedule time and work through any issues.