From 5af09cb47b30a258633bdb4c4d2268df3c9e456d Mon Sep 17 00:00:00 2001 From: zamaz <71521611+zachariahmiller@users.noreply.github.com> Date: Fri, 19 Apr 2024 11:47:07 -0400 Subject: [PATCH] feat!: allow [templating of network policies](./docs/networking.md) in the UDS Package (#110) ## Description Adds templating for internal vs external services in the netpol section of the uds package CR ## Related Issue Fixes # [78](https://github.com/defenseunicorns/uds-package-gitlab/issues/78) ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-gitlab/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Wayne Starr --- README.md | 18 +- charts/config/Chart.yaml | 2 +- charts/config/templates/uds-package.yaml | 218 +++++++++++++++++++---- charts/config/values.yaml | 42 +++++ common/zarf.yaml | 2 +- docs/networking.md | 78 ++++++++ 6 files changed, 319 insertions(+), 41 deletions(-) create mode 100644 docs/networking.md diff --git a/README.md b/README.md index 2526891d..a51f2a6a 100644 --- a/README.md +++ b/README.md 
@@ -10,7 +10,13 @@ This package is designed for use as part of a [UDS Software Factory](https://git The GitLab Package expects to be deployed on top of [UDS Core](https://github.com/defenseunicorns/uds-core) with the dependencies listed below being configured prior to deployment. -> :warning: **NOTE**: Some GitLab features (such as GitLab pages) will also require a [GitLab runner](https://github.com/defenseunicorns/uds-package-gitlab-runner) along with additional configuration such as an additional certificate SAN for `*.pages.`. +> [!IMPORTANT] +> **NOTE**: Some GitLab features (such as GitLab pages) will also require a [GitLab runner](https://github.com/defenseunicorns/uds-package-gitlab-runner) along with additional configuration such as an additional certificate SAN for `*.pages.`. + +GitLab is configured by default to assume the internal dependencies that are used for testing (see minio, redis and postgres in the [bundle](bundle/uds-bundle.yaml)). + +> [!IMPORTANT] +> If you are using different internal services, cloud services or a mix you will have to configure values in the config chart accordingly via bundle overrides. See the networking [docs](docs/networking.md) for details #### Database @@ -41,6 +47,7 @@ Object Storage works a bit differently as there are many kinds of file stores Gi - `backups` - This key refers to the configuration for the gitlab-toolbox backup tool. It relies on a program called `s3cmd`. The documentation for what goes in this key is located [here](https://s3tools.org/kb/item14.htm) - Below are the list of buckets that need to be created before starting GitLab: + ```yaml - uds-gitlab-pages - uds-gitlab-registry 
@@ -55,8 +62,11 @@ Object Storage works a bit differently as there are many kinds of file stores Gi - uds-gitlab-backups - uds-gitlab-tmp ``` + - These buckets can have a suffix applied via the `BUCKET_SUFFIX` Zarf variable (e.g. `-some-deployment-name` plus `uds-gitlab-backups` would be `uds-gitlab-backups-some-deployment-name`) + + ## Flavors | Flavor | Description | Example Creation | @@ -64,7 +74,8 @@ Object Storage works a bit differently as there are many kinds of file stores Gi | upstream | Uses upstream images within the package. | `zarf package create . -f upstream` | | registry1 | Uses images from registry1.dso.mil within the package. | `zarf package create . -f registry1` | -> :warning: **Note:** To create the registry1 flavor you will need to be logged into Iron Bank - you can find instructions on how to do this in the [Big Bang Zarf Tutorial](https://docs.zarf.dev/docs/zarf-tutorials/big-bang#setup). +> [!IMPORTANT] +> **NOTE:** To create the registry1 flavor you will need to be logged into Iron Bank - you can find instructions on how to do this in the [Big Bang Zarf Tutorial](https://docs.zarf.dev/tutorials/6-big-bang/#setup). ## Releases @@ -74,7 +85,8 @@ The released packages can be found in [ghcr](https://github.com/defenseunicorns/ *For local dev, this requires you install [uds-cli](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install) -> :white_check_mark: **Tip:** To get a list of tasks to run you can use `uds run --list`! +> [!TIP] +> To get a list of tasks to run you can use `uds run --list`! ## Contributing diff --git a/charts/config/Chart.yaml b/charts/config/Chart.yaml index 65c6ba1b..f76bc16e 100644 --- a/charts/config/Chart.yaml +++ b/charts/config/Chart.yaml 
@@ -15,4 +15,4 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.0 +version: 0.2.0 diff --git a/charts/config/templates/uds-package.yaml b/charts/config/templates/uds-package.yaml index 55f441c0..e8f594d7 100644 --- a/charts/config/templates/uds-package.yaml +++ b/charts/config/templates/uds-package.yaml @@ -14,19 +14,19 @@ spec: network: expose: - service: gitlab-webservice-default - podLabels: + selector: app: webservice host: gitlab gateway: tenant port: 8181 - service: gitlab-gitlab-pages - podLabels: + selector: app: gitlab-pages host: "*.pages" gateway: tenant port: 8090 - service: gitlab-registry - podLabels: + selector: app: registry host: registry gateway: tenant 
@@ -35,90 +35,236 @@ spec: - direction: Ingress remoteGenerated: IntraNamespace + # ingress from runner only if runner lives in cluster. Otherwise, it goes through the gateway + {{- if .Values.runner.internal }} - direction: Ingress - # todo: this should be scoped when we know where the runner is - podLabels: + selector: app: webservice + remoteNamespace: {{ .Values.runner.namespace | quote }} + remoteSelector: + {{ .Values.runner.selector | toYaml | nindent 10 }} port: 8181 description: "Runner Ingress Workhorse" + {{- end }} - direction: Ingress remoteNamespace: monitoring - remotePodLabels: + remoteSelector: app: prometheus - podLabels: + selector: app: gitlab-exporter port: 9168 description: "Monitoring Exporter" - - direction: Ingress - podLabels: - app: runner - remoteNamespace: monitoring - remotePodLabels: - app: prometheus - - port: 9252 - description: "Monitoring Runner" - - direction: Egress - podLabels: + selector: app: registry + {{- if .Values.storage.internal }} + remoteNamespace: {{ .Values.storage.namespace | quote }} + remoteSelector: + {{ .Values.storage.selector | toYaml | nindent 10 }} + port: {{ .Values.storage.port }} + {{- else }} remoteGenerated: Anywhere + {{- end }} description: "Registry Storage" + # Sidekiq Netpols - direction: Egress - podLabels: + selector: app: sidekiq + {{- if .Values.storage.internal }} + remoteNamespace: {{ .Values.storage.namespace | quote }} + remoteSelector: + {{ .Values.storage.selector | toYaml | nindent 10 }} + port: {{ .Values.storage.port }} + {{- else }} remoteGenerated: Anywhere + {{- end }} description: "Sidekiq Storage" - direction: Egress - podLabels: + selector: + app: sidekiq + {{- if .Values.redis.internal }} + remoteNamespace: {{ .Values.redis.namespace | quote }} + remoteSelector: + {{ .Values.redis.selector | toYaml | nindent 10 }} + port: {{ .Values.redis.port }} + {{- else }} + remoteGenerated: Anywhere + {{- end }} + description: "Sidekiq Redis" + + - direction: Egress + selector: + app: 
sidekiq + {{- if .Values.postgres.internal }} + remoteNamespace: {{ .Values.postgres.namespace | quote }} + remoteSelector: + {{ .Values.postgres.selector | toYaml | nindent 10 }} + port: {{ .Values.postgres.port }} + {{- else }} + remoteGenerated: Anywhere + {{- end }} + description: "Sidekiq Postgres" + + # Migrations Netpols + - direction: Egress + selector: app: migrations + {{- if .Values.postgres.internal }} + remoteNamespace: {{ .Values.postgres.namespace | quote }} + remoteSelector: + {{ .Values.postgres.selector | toYaml | nindent 10 }} + port: {{ .Values.postgres.port }} + {{- else }} remoteGenerated: Anywhere - description: "Migrations Storage" - + {{- end }} + description: "Migrations Postgres" + - direction: Egress - podLabels: + selector: + app: migrations + {{- if .Values.redis.internal }} + remoteNamespace: {{ .Values.redis.namespace | quote }} + remoteSelector: + {{ .Values.redis.selector | toYaml | nindent 10 }} + port: {{ .Values.redis.port }} + {{- else }} + remoteGenerated: Anywhere + {{- end }} + description: "Migrations Redis" + + # Toolbox Netpols + - direction: Egress + selector: app: toolbox + {{- if .Values.storage.internal }} + remoteNamespace: {{ .Values.storage.namespace | quote }} + remoteSelector: + {{ .Values.storage.selector | toYaml | nindent 10 }} + port: {{ .Values.storage.port }} + {{- else }} remoteGenerated: Anywhere - description: "Toolbox egress to database, redis and storage" + {{- end }} + description: "Toolbox Storage" + - direction: Egress + selector: + app: toolbox + {{- if .Values.postgres.internal }} + remoteNamespace: {{ .Values.postgres.namespace | quote }} + remoteSelector: + {{ .Values.postgres.selector | toYaml | nindent 10 }} + port: {{ .Values.postgres.port }} + {{- else }} + remoteGenerated: Anywhere + {{- end }} + description: "Toolbox Postgres" + + - direction: Egress + selector: + app: toolbox + {{- if .Values.redis.internal }} + remoteNamespace: {{ .Values.redis.namespace | quote }} + remoteSelector: + {{ 
.Values.redis.selector | toYaml | nindent 10 }} + port: {{ .Values.redis.port }} + {{- else }} + remoteGenerated: Anywhere + {{- end }} + description: "Toolbox Redis" + + # Gitlab Netpols - direction: Egress remoteGenerated: IntraNamespace - direction: Egress - # todo: this is over permissive, need to scope it down + selector: + app: gitlab remoteGenerated: KubeAPI - - direction: Egress - remoteNamespace: tempo - remotePodLabels: - app.kubernetes.io/name: tempo - port: 9411 - description: "Tempo" + # Webservice Netpols - direction: Egress - podLabels: + selector: app: webservice port: 443 description: "SSO" - direction: Egress - podLabels: + selector: app: webservice + {{- if .Values.storage.internal }} + remoteNamespace: {{ .Values.storage.namespace | quote }} + remoteSelector: + {{ .Values.storage.selector | toYaml | nindent 10 }} + port: {{ .Values.storage.port }} + {{- else }} remoteGenerated: Anywhere + {{- end }} description: "Webservice Storage" + - direction: Egress + selector: + app: webservice + {{- if .Values.redis.internal }} + remoteNamespace: {{ .Values.redis.namespace | quote }} + remoteSelector: + {{ .Values.redis.selector | toYaml | nindent 10 }} + port: {{ .Values.redis.port }} + {{- else }} + remoteGenerated: Anywhere + {{- end }} + description: "Webservice Redis" + + - direction: Egress + selector: + app: webservice + {{- if .Values.postgres.internal }} + remoteNamespace: {{ .Values.postgres.namespace | quote }} + remoteSelector: + {{ .Values.postgres.selector | toYaml | nindent 10 }} + port: {{ .Values.postgres.port }} + {{- else }} + remoteGenerated: Anywhere + {{- end }} + description: "Webservice Postgres" + + + # Gitlab Pages - direction: Ingress - podLabels: + selector: app: gitlab-pages port: 8090 description: GitLab Pages Ingress - direction: Egress - podLabels: + selector: app: gitlab-pages + {{- if .Values.storage.internal }} + remoteNamespace: {{ .Values.storage.namespace | quote }} + remoteSelector: + {{ .Values.storage.selector | 
toYaml | nindent 10 }} + port: {{ .Values.storage.port }} + {{- else }} remoteGenerated: Anywhere - description: "GitLab Pages Storage" + {{- end }} + description: "Gitlab Pages Storage" + + # Custom rules for unanticipated scenarios + {{- range .Values.custom }} + - direction: {{ .direction }} + selector: + {{ .selector | toYaml | nindent 10 }} + {{- if not .remoteGenerated }} + remoteNamespace: {{ .remoteNamespace }} + remoteSelector: + {{ .remoteSelector | toYaml | nindent 10 }} + port: {{ .port }} + {{- else }} + remoteGenerated: {{ .remoteGenerated }} + {{- end }} + description: {{ .description }} + {{- end }} diff --git a/charts/config/values.yaml b/charts/config/values.yaml index 9c2f3c1a..1fb42f80 100644 --- a/charts/config/values.yaml +++ b/charts/config/values.yaml @@ -1,2 +1,44 @@ domain: "###ZARF_VAR_DOMAIN###" sso: true +storage: + # Set to false to use external storage + internal: true + selector: + app: minio + namespace: dev-minio + port: 9000 +redis: + # Set to false to use external redis + internal: true + selector: + app.kubernetes.io/name: redis + namespace: dev-redis + port: 6379 +postgres: + # Set to false to use external postgres + internal: true + selector: + cluster-name: pg-cluster + namespace: postgres + port: 5432 +runner: + internal: true + selector: + app: gitlab-runner + namespace: gitlab-runner +# custom: +# # Notice no `remoteGenerated` field here on custom internal rule +# - direction: Ingress +# selector: +# app: jenkins +# remoteNamespace: jenkins +# remoteSelector: +# app: jenkins +# port: 8180 +# description: "Ingress to Jenkins" +# # No `remoteNamespace`, `remoteSelector`, or `port` fields on rule to `remoteGenerated` +# - direction: Egress +# selector: +# app: webservice +# remoteGenerated: Anywhere +# description: "Egress from Webservice" diff --git a/common/zarf.yaml b/common/zarf.yaml index 93574e61..727b4a61 100644 --- a/common/zarf.yaml +++ b/common/zarf.yaml 
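Review bot: In the `custom` range at the end of the hunk, `remoteNamespace: {{ .remoteNamespace }}`, `description: {{ .description }}`, `direction: {{ .direction }}` and `remoteGenerated: {{ .remoteGenerated }}` are rendered unquoted, while every generated rule above passes its namespace through `quote`; a description containing `: ` or ` #`, or a namespace that looks like a number or boolean, will be re-typed or break the rendered YAML. Use `remoteNamespace: {{ .remoteNamespace | quote }}` and `description: {{ .description | quote }}` (and the same for `direction` and `remoteGenerated`) so the custom rules behave like the built-in ones. The KubeAPI egress rule is now restricted to `selector: app: gitlab`; confirm that a GitLab workload actually carries that label, since the workloads named elsewhere in this file use `app: webservice`, `app: sidekiq`, `app: toolbox`, `app: migrations` and `app: registry`, and a selector that matches no pod silently grants nothing. The `internal: false` branches emit `remoteGenerated: Anywhere` with no `port`, so egress to external storage, Redis and Postgres is unbounded; if the external endpoint ports are known, carrying a port into that branch would keep those rules scoped, which would need a separate port value since the existing `port` keys describe the in-cluster service.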
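Review bot: The new `runner:` block at the end of the hunk is the only one of the four service blocks without a `# Set to false to use ...` comment, and nothing in values.yaml says what `internal: false` does for the runner — per the template, the runner ingress rule is then omitted entirely and runner traffic is expected to arrive through the gateway. Add `# Set to false if the runner runs outside the cluster; the runner ingress rule is then not rendered and traffic arrives via the gateway` above `internal: true`. The `port` keys for storage, redis and postgres are only consumed in the template's `internal` branch, which deserves a one-line comment such as `# port of the in-cluster service; unused when internal is false`. The third example in the new docs/networking.md, `redis: internal: false internal: true selector: app: gitlab-runner namespace: my-other-gitlab-runner`, is missing the `runner:` key, so as written it is a duplicate `internal` under `redis` (last value wins) rather than a runner override.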
@@ -10,7 +10,7 @@ components: charts: - name: uds-gitlab-config namespace: gitlab - version: 0.1.0 + version: 0.2.0 localPath: ../charts/config - name: uds-gitlab-sso namespace: gitlab diff --git a/docs/networking.md b/docs/networking.md new file mode 100644 index 00000000..c02f498f --- /dev/null +++ b/docs/networking.md 
@@ -0,0 +1,78 @@ +# Networking + +GitLab is configured by default to assume the internal dependencies that are used for testing (see minio, redis and postgres in the [bundle](bundle/uds-bundle.yaml)). Intentionally, permissive network policies are not created as a default. For example, there is not a default setup of egress anywhere for pods that may need to connect to external storage. + +> [!IMPORTANT] +> If you are using different internal services, cloud services or a mix you will have to configure values in the config chart accordingly via bundle overrides. A couple of example are provided below: + +Configure GitLab for all external services: + +```yaml +# charts/config/values.yaml +storage: + internal: false +redis: + internal: false +postgres: + internal: false +``` + +Configure GitLab for external postgres and s3, but in-cluster redis that is not the dev-redis currently used for testing: + +```yaml +# charts/config/values.yaml +storage: + internal: false +postgres: + internal: false +redis: + internal: true + selector: + app.kubernetes.io/name: redis + namespace: redis + port: 6379 +``` + +Configure GitLab for all external services and a non-default GitLab runner: + +```yaml +# charts/config/values.yaml +storage: + internal: false +postgres: + internal: false +redis: + internal: false + internal: true + selector: + app: gitlab-runner + namespace: my-other-gitlab-runner +``` + +> [!TIP] +> There may be a need to integrate with other in-cluster services that are not a part of the standard connectivity needed by GitLab (for example a Jira integration). As such, there is the ability to add custom rules to allow additional internal network connectivity. 
+ +Add custom rule: + +```yaml +# charts/config/values.yaml +custom: + # Notice no `remoteGenerated` field here on custom internal rule + - direction: Ingress + selector: + app: webservice + remoteNamespace: jira + remoteSelector: + app: jira + port: 8180 + description: "Ingress from Jira" + # No `remoteNamespace`, `remoteSelector`, or `port` fields on rule to `remoteGenerated` + - direction: Egress + selector: + app: webservice + remoteGenerated: Anywhere + description: "Egress from Webservice" +``` + +> [!NOTE] +> The above is just an example of what can be done with the custom key and not representative what any specific integration would need to look like.