GitOps: manage teams with a user that has team permissions

Open noahtalerman opened this issue 8 months ago • 3 comments

Goal

User story
As an IT admin,
I want to run fleetctl gitops -f ./teams/team-a.yml -f ./teams/team-b.yml with a team-level user with the GitOps role, build a custom GitHub action that applies changes to a single team in Fleet, and manage global settings in the UI
so that I can manage my teams in GitOps without a GitOps user with global admin permissions.

Key result

None.

Original requests

  • #24002

Context

  • Product designer: @rachaelshaw

Changes

Product

  • [x] UI changes: No changes

  • [x] CLI (fleetctl) usage changes:

    • Remove requirement that first file passed into fleetctl gitops -f must be the global config. (Rely on contents of the file to determine if it's global or team config.)
    • If >1 global config file is provided, error: Only one global config file may be provided to fleetctl gitops
    • Allow passing files in any order
    • Remove the text highlighted here: [image]
  • [x] YAML changes: No changes

  • [x] REST API changes: No changes

  • [x] Fleet's agent (fleetd) changes: No changes

  • [x] GitOps mode changes: No changes

  • [x] Activity changes: No changes

  • [x] Permissions changes: PR

  • [x] Changes to paid features or tiers: No changes

  • [x] Transparency changes: No changes

  • [x] First draft of test plan added

  • [x] Other reference documentation changes: PR

  • [ ] Once shipped, requester has been notified

  • [ ] Once shipped, dogfooding issue has been filed

Engineering

  • [x] Test plan is finalized
  • [ ] Feature guide changes: Need to update the usage. Could be part of Fleetctl help menu or a guide if we have an existing one.
  • [x] Database schema migrations: No need
  • [x] Load testing: No need

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

  • [ ] QA engineer signed-off on the test-plan below. ( @xpkoala )

Risk assessment

  • Requires load testing: No
  • Risk level: Low

Test plan

  1. Run fleetctl gitops --help. Ensure text highlighted in screenshot above is not present.
  2. Create an API-only user with the GitOps role for a team
  3. Run fleetctl gitops -f <team-yaml-file.yml>, passing in a single file - Should be successful
  4. Change the team name
    • Should fail (403 forbidden)
  5. Run fleetctl gitops -f <default.yml> -f <team-yaml-file-2.yml>, passing in a default.yml file with org settings.
    • Should fail (403 forbidden)
  6. Create an API-only user with the GitOps role for two teams: Team A and Team B. Run fleetctl gitops -f <team-a-yaml-file.yml> -f <team-b-yaml-file.yml>, passing in two team YAML files
    • Should be successful
  7. Now test expected behavior when user does not have access to a team. Remove the user's access to team B. Make a change to Team A's YAML file. Run fleetctl gitops -f <team-a-yaml-file.yml> -f <team-b-yaml-file.yml> again
    • Should fail (403 forbidden), but the changes to Team A will have been applied.
    • Make another small change to Team A's YAML file, then apply the files in the opposite order: fleetctl gitops -f <team-b-yaml-file.yml> -f <team-a-yaml-file.yml>.
    • Should fail (403 forbidden) without the changes to Team A being applied.

Testing notes

Confirmation

  1. [ ] Engineer: Added comment to user story confirming successful completion of test plan.
  2. [x] QA: Added comment to user story confirming successful completion of test plan.

noahtalerman, Feb 07 '25 15:02
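
Added example (not part of the issue and not Fleet's code): a pre-flight guard for a CI job that runs fleetctl gitops with a team-level GitOps user. It classifies each file by its contents and refuses the run if any file is not a team config, so the case in test plan step 5 is caught locally before any file is applied. The function names, the sample files, and the rule that a top-level org_settings key marks a global config and a top-level name key marks a team config are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight guard for a team-scoped fleetctl gitops job.
# Function names are hypothetical.

# Classify a file by its contents, not by its position on the command line.
# Assumption: a global config has a top-level "org_settings:" key and a
# team config has a top-level "name:" key.
classify_gitops_file() {
    if grep -q '^org_settings:' "$1"; then
        echo global
    elif grep -q '^name:' "$1"; then
        echo team
    else
        echo unknown
    fi
}

# Return 0 only if every file is a team config. All files are checked before
# anything is applied, so argument order does not change the outcome.
preflight_team_scope() {
    rc=0
    for f in "$@"; do
        kind=$(classify_gitops_file "$f")
        if [ "$kind" != team ]; then
            echo "refusing $f: $kind config in a team-scoped job" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files (not taken from a real deployment).
write_samples() {
    printf 'org_settings:\n  org_info:\n    org_name: Example\n' > "$1/default.yml"
    printf 'name: Team A\nteam_settings: {}\n' > "$1/team-a.yml"
    printf 'name: Team B\nteam_settings: {}\n' > "$1/team-b.yml"
}

demo=$(mktemp -d)
write_samples "$demo"
if preflight_team_scope "$demo/team-b.yml" "$demo/team-a.yml"; then
    echo "ok: would run fleetctl gitops -f team-b.yml -f team-a.yml"
fi
preflight_team_scope "$demo/team-a.yml" "$demo/default.yml" \
    || echo "blocked before any file was applied"
rm -rf "$demo"
```

The guard only sees what is in the files; whether the user still has access to each team (step 7) is decided by the server.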