diff --git a/.gitignore b/.gitignore index 27d57b3..0099811 100644 --- a/.gitignore +++ b/.gitignore @@ -1,11 +1,24 @@ +**/*.tfstate +**/*.tfstate.backup +*.tar.gz +*.tar.zst +~/ +.DS_Store +defense-unicorns-distro/preflight.sh +.terraform +tmp +zarf-sbom + .cache/ .idea/ -.vscode/ build/ .DS_Store *.tar.zst test/tf/public-ec2-instance/.tool-versions zarf-sbom +tmp/ +values-*.yaml +overlay-values-* # Terraform test/tf/public-ec2-instance/.test-data @@ -13,6 +26,3 @@ test/tf/public-ec2-instance/.terraform terraform.tfstate terraform.tfstate.backup .terraform.lock.hcl - -# SOPS stuff that should never be committed to the repo -secret-sops-gpg.yaml diff --git a/Makefile b/Makefile index bb8ffc9..459e855 100755 --- a/Makefile +++ b/Makefile @@ -137,7 +137,7 @@ cluster/destroy: ## Destroy the k3d cluster # Build Section ######################################################################## -build/all: build build/zarf build/zarf-init.sha256 build/dubbd-pull-k3d.sha256 build/uds-capability-gitlab ## +build/all: build build/zarf build/zarf-init.sha256 build/dubbd-pull-k3d.sha256 build/test-pkg-deps build/uds-capability-gitlab ## build: ## Create build directory mkdir -p build 
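Review bot: The second hunk removes `secret-sops-gpg.yaml` from .gitignore, so a locally generated SOPS GPG key file is no longer excluded from commits, and none of the patterns added in the first hunk (`values-*.yaml`, `overlay-values-*`, `**/*.tfstate`) covers it. Unless that file is known to be gone from the workflow, keep the line, or widen it to `secret-sops-*` so it survives a rename. The first hunk also adds `~/`, which gitignore does not expand and which only matches a directory literally named `~`; it looks like a leftover, and `tmp` next to `tmp/` plus the now-duplicated `.DS_Store`, `*.tar.zst` and `zarf-sbom` entries could be collapsed in the same pass.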
@@ -167,6 +167,12 @@ build/dubbd-pull-k3d.sha256: | build ## Download dubbd k3d oci package echo "Creating shasum of the dubbd-k3d package" shasum -a 256 build/zarf-package-dubbd-k3d-amd64-$(DUBBD_K3D_VERSION).tar.zst | awk '{print $$1}' > build/dubbd-pull-k3d.sha256 +build/test-pkg-deps: | build ## Build package dependencies for testing + build/zarf package create utils/pkg-deps/namespaces/ --skip-sbom --confirm --output-directory build + build/zarf package create utils/pkg-deps/gitlab/postgres/ --skip-sbom --confirm --output-directory build + build/zarf package create utils/pkg-deps/gitlab/redis/ --skip-sbom --confirm --output-directory build + build/zarf package create utils/pkg-deps/gitlab/minio/ --skip-sbom --confirm --output-directory build + build/uds-capability-gitlab: | build ## Build the gitlab capability build/zarf package create . --skip-sbom --confirm --output-directory build @@ -174,7 +180,7 @@ build/uds-capability-gitlab: | build ## Build the gitlab capability # Deploy Section ######################################################################## -deploy/all: deploy/init deploy/dubbd-k3d deploy/uds-capability-gitlab ## +deploy/all: deploy/init deploy/dubbd-k3d deploy/test-pkg-deps deploy/uds-capability-gitlab ## deploy/init: ## Deploy the zarf init package ./build/zarf init --confirm --components=git-server 
@@ -182,5 +188,11 @@ deploy/init: ## Deploy the zarf init package deploy/dubbd-k3d: ## Deploy the k3d flavor of DUBBD cd ./build && ./zarf package deploy zarf-package-dubbd-k3d-amd64-$(DUBBD_K3D_VERSION).tar.zst --confirm +deploy/test-pkg-deps: ## Deploy the package dependencies needed for testing the gitlab capability + cd ./build && ./zarf package deploy zarf-package-gitlab-namespaces-* --confirm + cd ./build && ./zarf package deploy zarf-package-gitlab-postgres-* --confirm + cd ./build && ./zarf package deploy zarf-package-gitlab-redis-* --confirm + cd ./build && ./zarf package deploy zarf-package-gitlab-minio-* --confirm + deploy/uds-capability-gitlab: ## Deploy the gilab capability - cd ./build && ./zarf package deploy zarf-package-gitlab-*.tar.zst --confirm --components=gitlab-values + cd ./build && ./zarf package deploy zarf-package-gitlab-amd*.tar.zst --confirm diff --git a/README.md b/README.md index 35e4a5c..921df1e 100644 --- a/README.md +++ b/README.md 
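Review bot: The new `deploy/test-pkg-deps` recipe and the rewritten `deploy/uds-capability-gitlab` line select packages with shell globs (`zarf-package-gitlab-postgres-*`, `zarf-package-gitlab-amd*.tar.zst`), so a `build/` directory that still holds a previous build passes two archives to `zarf package deploy` as positional arguments. The `deploy/dubbd-k3d` line just above avoids this by naming the exact file with `$(DUBBD_K3D_VERSION)`; a version variable per dependency package, or at least a `-amd64-*.tar.zst` suffix on the four new globs, would make the targets deterministic. The `gitlab-amd*` prefix only separates the capability from its dependencies because every dependency package name begins with `gitlab-<dep>`; a one-line comment stating that coupling would keep a future package name from silently matching.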
@@ -1,11 +1,79 @@ # uds-capability-gitlab -Platform One Gitlab deployed via flux -## Pre-req -- Minimum compute requirements for single node deployment are at LEAST 64 GB RAM and 32 virtual CPU threads (aws `m6i.8xlarge` instance type should do) -- k3d installed on machine +Bigbang [Gitlab](https://repo1.dso.mil/big-bang/product/packages/gitlab) deployed via flux by zarf -## Deploy +## Deployment Prerequisites + +### GitLab Capability + +The Gitlab Capability expects the pieces listed below to exist in the cluster before being deployed. + +#### General + +- Create `gitlab` namespace +- Label `gitlab` namespace with `istio-injection: enabled` + +#### Database + +- A Postgres database is running on port `5432` and accessible to the cluster +- This database can be logged into via the username `gitlab` +- This database instance has a psql database created matching what is defined in the deploy time variable `GITLAB_DB`. Default is `gitlabdb` +- The `gitlab` user has read/write access to the above mentioned database +- Create `gitlab-postgres` service in `gitlab` namespace that points to the psql database +- Create `gitlab-postgres` secret in `gitlab` namespace with the key `password` that contains the password to the `gitlab` user for the psql database + +#### Redis / Redis Equivalent + +- An instance of Redis or Redis equivalent (elasticache, etc.) is running on port `6379` and accessible to the cluster +- The redis instance accepts anonymous auth (password only) +- Create `gitlab-redis` service in `gitlab` namespace that points to the redis instance +- Create `gitlab-redis` secret in `gitlab` namespace with the key `password` that contains the password to the redis instance + +#### Object Storage + +Object Storage works a bit differently as there are many kinds of file stores gitlab can be configured to use. 
+ +- Create the secret `gitlab-object-store` in the `gitlab` namespace with the following keys: + - An example for in-cluster Minio can be found in this repository at the path `utils/pkg-deps/gitlab/minio/secret.yaml` + - `connection` + - This key refers to the configuration for the main gitlab service. The documentation for what goes in this key is located [here](https://docs.gitlab.com/16.0/ee/administration/object_storage.html#configure-the-connection-settings) + - `registry` + - This key refers to the configuration for the gitlab registry. The documentation for what goes in this key is located [here](https://docs.docker.com/registry/configuration/#storage) + - `backups` + - This key refers to the configuration for the gitlab-toolbox backup tool. It relies on a program called `s3cmd`. The documentation for what goes in this key is located [here](https://s3tools.org/kb/item14.htm) +- Below are the list of buckets that need to be created before starting GitLab: + - uds-gitlab-pages + - uds-gitlab-registry + - uds-gitlab-lfs + - uds-gitlab-artifacts + - uds-gitlab-uploads + - uds-gitlab-packages + - uds-gitlab-mr-diffs + - uds-gitlab-terraform-state + - uds-gitlab-ci-secure-files + - uds-gitlab-dependency-proxy + - uds-gitlab-backups + - uds-gitlab-tmp +- These buckets can have a suffix applied via the `BUCKET_SUFFIX` zarf variable (e.x. `-some-deployment-name` plus `uds-gitlab-backups` would be `uds-gitlab-backups-some-deployment-name`) + +## Deploying + +### Deploy Everything + +#### Via Makefile and local package + +```bash +# This will destroy and create a compatible k3d cluster then it will run make build/all and make deploy/all. Follow the breadcrumbs in the Makefile to see what and how its doing it. +make cluster/full +``` + +### From GHCR OCI Via Zarf + +```bash +zarf package deploy ghcr.io/defenseunicorns/uds-capability/gitlab:0.0.6-amd64 +``` + +## Building ### Use zarf to login to the needed registries i.e. registry1.dso.mil and ghcr.io 
@@ -21,7 +89,7 @@ export REGISTRY1_USERNAME="YOUR-USERNAME-HERE" export REGISTRY1_TOKEN="YOUR-TOKEN-HERE" echo $REGISTRY1_TOKEN | build/zarf tools registry login registry1.dso.mil --username $REGISTRY1_USERNAME --password-stdin -# ghcr.io (To access oci packages needed) +# ghcr.io (If you need to push to GHCR) export GH_USERNAME="YOUR-USERNAME-HERE" export GH_TOKEN="YOUR-TOKEN-HERE" echo $GH_TOKEN | build/zarf tools registry login ghcr.io --username $GH_USERNAME --password-stdin @@ -29,26 +97,8 @@ echo $GH_TOKEN | build/zarf tools registry login ghcr.io --username $GH_USERNAME set -o history ``` -### Deploy Everything +### Creating the Package ```bash -# This will destroy and create a compatible k3d cluster then it will run make build/all and make deploy/all. Follow the breadcrumbs in the Makefile to see what and how its doing it. -make cluster/full +make build/uds-capability-gitlab ``` - -## Import Zarf Skeleton -Below is an example of how to import this projects zarf skeleton into your zarf.yaml. The [uds-package-sofware-factory](https://github.com/defenseunicorns/uds-package-software-factory.git) does this with a subset of the uds-capability projects. - -```yaml -components: - - name: values - required: true - files: - - source: - target: values-gitlab.yaml - - name: gitlab - required: true - import: - name: gitlab - url: oci://ghcr.io/defenseunicorns/uds-capability/gitlab:0.0.4-skeleton -``` \ No newline at end of file diff --git a/gitlab-flux-values.yaml b/gitlab-flux-values.yaml index 53a4408..f95e10b 100644 --- a/gitlab-flux-values.yaml +++ b/gitlab-flux-values.yaml 
@@ -7,7 +7,192 @@ application: ref: # renovate: datasource=gitlab-tags depName=big-bang/product/packages/gitlab versioning=loose registryUrl=https://repo1.dso.mil tag: 7.1.2-bb.0 - values: | - ###ZARF_VAR_GITLAB_VALUES### dependsOn: ###ZARF_VAR_GITLAB_DEPENDS_ON### + baseValues: + hostname: ###ZARF_VAR_DOMAIN### + domain: ###ZARF_VAR_DOMAIN### + + global: + psql: + host: gitlab-postgres + port: 5432 + database: gitlabdb + username: gitlab + password: + useSecret: true + secret: gitlab-postgres + key: password + redis: + host: gitlab-redis + port: 6379 + auth: + enabled: true + secret: gitlab-redis + key: password + minio: + enabled: false + # added to help with Gitlab sub-chart configuration + image: + pullPolicy: IfNotPresent + istio: + enabled: true + injection: enabled + hosts: + domain: ###ZARF_VAR_DOMAIN### + + gitlab: + name: gitlab.###ZARF_VAR_DOMAIN### + + registry: + name: registry.###ZARF_VAR_DOMAIN### + registry: + relativeurls: true + pages: + objectStore: + bucket: uds-gitlab-pages###ZARF_VAR_BUCKET_SUFFIX### + appConfig: + registry: + bucket: uds-gitlab-registry###ZARF_VAR_BUCKET_SUFFIX### + lfs: + bucket: uds-gitlab-lfs###ZARF_VAR_BUCKET_SUFFIX### + artifacts: + bucket: uds-gitlab-artifacts###ZARF_VAR_BUCKET_SUFFIX### + uploads: + bucket: uds-gitlab-uploads###ZARF_VAR_BUCKET_SUFFIX### + packages: + bucket: uds-gitlab-packages###ZARF_VAR_BUCKET_SUFFIX### + externalDiffs: + bucket: uds-gitlab-mr-diffs###ZARF_VAR_BUCKET_SUFFIX### + terraformState: + bucket: uds-gitlab-terraform-state###ZARF_VAR_BUCKET_SUFFIX### + ciSecureFiles: + bucket: uds-gitlab-ci-secure-files###ZARF_VAR_BUCKET_SUFFIX### + dependencyProxy: + bucket: uds-gitlab-dependency-proxy###ZARF_VAR_BUCKET_SUFFIX### + backups: + bucket: uds-gitlab-backups###ZARF_VAR_BUCKET_SUFFIX### + tmpBucket: uds-gitlab-tmp###ZARF_VAR_BUCKET_SUFFIX### + object_store: + enabled: true + proxy_download: true + connection: + secret: gitlab-object-store + key: connection + + postgresql: + install: false + redis: 
+ install: false + + registry: + annotations: + bigbang.dev/istioVersion: ###ZARF_VAR_ISTIO_VERSION### + storage: + secret: gitlab-object-store + key: registry + metrics: + serviceMonitor: + endpointConfig: + scheme: https + tlsConfig: + caFile: /etc/prom-certs/root-cert.pem + certFile: /etc/prom-certs/cert-chain.pem + keyFile: /etc/prom-certs/key.pem + insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate + + gitlab: + toolbox: + annotations: + bigbang.dev/istioVersion: ###ZARF_VAR_ISTIO_VERSION### + backups: + objectStorage: + config: + secret: gitlab-object-store + key: backups + gitlab-exporter: + enabled: true + metrics: + annotations: + bigbang.dev/istioVersion: ###ZARF_VAR_ISTIO_VERSION### + serviceMonitor: + endpointConfig: + scheme: https + tlsConfig: + caFile: /etc/prom-certs/root-cert.pem + certFile: /etc/prom-certs/cert-chain.pem + keyFile: /etc/prom-certs/key.pem + insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate + webservice: + annotations: + bigbang.dev/istioVersion: ###ZARF_VAR_ISTIO_VERSION### + metrics: + serviceMonitor: + endpointConfig: + scheme: https + tlsConfig: + caFile: /etc/prom-certs/root-cert.pem + certFile: /etc/prom-certs/cert-chain.pem + keyFile: /etc/prom-certs/key.pem + insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate + workhorse: + metrics: + serviceMonitor: + endpointConfig: + scheme: https + tlsConfig: + caFile: /etc/prom-certs/root-cert.pem + certFile: /etc/prom-certs/cert-chain.pem + keyFile: /etc/prom-certs/key.pem + insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate + sidekiq: + annotations: + bigbang.dev/istioVersion: ###ZARF_VAR_ISTIO_VERSION### + migrations: + annotations: + bigbang.dev/istioVersion: ###ZARF_VAR_ISTIO_VERSION### + gitaly: + 
annotations: + bigbang.dev/istioVersion: ###ZARF_VAR_ISTIO_VERSION### + metrics: + serviceMonitor: + endpointConfig: + scheme: https + tlsConfig: + caFile: /etc/prom-certs/root-cert.pem + certFile: /etc/prom-certs/cert-chain.pem + keyFile: /etc/prom-certs/key.pem + insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate + gitlab-shell: + annotations: + bigbang.dev/istioVersion: ###ZARF_VAR_ISTIO_VERSION### + metrics: + serviceMonitor: + endpointConfig: + scheme: https + tlsConfig: + caFile: /etc/prom-certs/root-cert.pem + certFile: /etc/prom-certs/cert-chain.pem + keyFile: /etc/prom-certs/key.pem + insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate + + openshift: false + + istio: + enabled: true + injection: enabled + gitlab: + gateways: + - istio-system/tenant + registry: + gateways: + - istio-system/tenant + + monitoring: + enabled: true + + networkPolicies: + enabled: true + ingressLabels: + app: tenant-ingressgateway + controlPlaneCidr: 0.0.0.0/0 diff --git a/utils/pkg-deps/gitlab/minio/policy-exceptions/registry.yaml b/utils/pkg-deps/gitlab/minio/policy-exceptions/registry.yaml new file mode 100644 index 0000000..76d8388 --- /dev/null +++ b/utils/pkg-deps/gitlab/minio/policy-exceptions/registry.yaml @@ -0,0 +1,27 @@ +apiVersion: kyverno.io/v2alpha1 +kind: PolicyException +metadata: + name: gitlab-minio-registry-exception + namespace: gitlab-minio +spec: + exceptions: + - policyName: restrict-image-registries + ruleNames: + - validate-registries + - autogen-validate-registries + match: + any: + - resources: + kinds: + - Deployment + namespaces: + - gitlab-minio + names: + - minio + - resources: + kinds: + - Job + namespaces: + - gitlab-minio + names: + - minio-post-job diff --git a/utils/pkg-deps/gitlab/minio/secret.yaml b/utils/pkg-deps/gitlab/minio/secret.yaml new file mode 100644 index 0000000..0eb4b65 --- /dev/null 
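Review bot: `networkPolicies.controlPlaneCidr: 0.0.0.0/0`, the last line of the new `baseValues` block, keeps the control-plane egress policy open to every destination; it is carried over from the deleted values-gitlab.yaml rather than narrowed. Since this commit already turns the domain and Istio version into Zarf variables, the CIDR is a natural third one, e.g. a new `CONTROL_PLANE_CIDR` variable with today's value as its default, so a deployment can restrict it to the API-server range without repackaging. The templated scalars are unquoted (`hostname: ###ZARF_VAR_DOMAIN###`, `bigbang.dev/istioVersion: ###ZARF_VAR_ISTIO_VERSION###`); an empty substitution parses as null and a two-part version such as 1.17 as a float, which Kubernetes rejects for an annotation value, so `"###ZARF_VAR_ISTIO_VERSION###"` is the safer form. The `insecureSkipVerify: true` entries already carry an inline reason and need no further comment.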
+++ b/utils/pkg-deps/gitlab/minio/secret.yaml @@ -0,0 +1,34 @@ +# Source: bigbang/templates/gitlab/secret-objectstore.yaml +apiVersion: v1 +kind: Secret +metadata: + name: gitlab-object-store + namespace: gitlab +type: kubernetes.io/opaque +stringData: + connection: |- + provider: AWS + region: minio + aws_access_key_id: ###ZARF_VAR_ACCESS_KEY### + aws_secret_access_key: ###ZARF_VAR_SECRET_KEY### + endpoint: "http://minio.gitlab-minio.svc.cluster.local:9000" + aws_signature_version: 4 + path_style: true + registry: |- + s3: + bucket: gitlab-registry + accesskey: ###ZARF_VAR_ACCESS_KEY### + secretkey: ###ZARF_VAR_SECRET_KEY### + regionendpoint: "http://minio.gitlab-minio.svc.cluster.local:9000" + region: minio + aws_signature_version: 4 + path_style: true + backups: |- + [default] + access_key = ###ZARF_VAR_ACCESS_KEY### + secret_key = ###ZARF_VAR_SECRET_KEY### + host_base = http://minio.gitlab-minio.svc.cluster.local:9000 + host_bucket = http://minio.gitlab-minio.svc.cluster.local:9000 + bucket_location = minio + multipart_chunk_size_mb = 128 + use_https = False diff --git a/utils/pkg-deps/gitlab/minio/service.yaml b/utils/pkg-deps/gitlab/minio/service.yaml new file mode 100644 index 0000000..c8d1845 --- /dev/null +++ b/utils/pkg-deps/gitlab/minio/service.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Service +metadata: + name: gitlab-minio + namespace: gitlab +spec: + type: ExternalName + externalName: minio.gitlab-minio.svc.cluster.local diff --git a/utils/pkg-deps/gitlab/minio/values.yaml b/utils/pkg-deps/gitlab/minio/values.yaml new file mode 100644 index 0000000..8cb4a3a --- /dev/null +++ b/utils/pkg-deps/gitlab/minio/values.yaml 
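Review bot: The `registry` block in the new secret points the container registry at `bucket: gitlab-registry`, but the bucket created by the accompanying utils/pkg-deps/gitlab/minio/values.yaml is `uds-gitlab-registry`, and gitlab-flux-values.yaml wires `registry.storage` to this very key, so registry pushes would target a bucket that does not exist in the test Minio. Change the line to `bucket: uds-gitlab-registry` (this package's values do not apply `BUCKET_SUFFIX` either, so it only lines up with the default `""`). All three connection blocks also use plain `http://` endpoints with `use_https = False`, which appears to rely on the `istio-injection: enabled` label both namespaces receive from the namespaces package for mTLS; a comment saying so would stop someone reusing the file outside the mesh.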
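Review bot: utils/pkg-deps/gitlab/minio/service.yaml is not referenced by any component in the new utils/pkg-deps/gitlab/minio/zarf.yaml (only policy-exceptions/registry.yaml, the chart and secret.yaml are), so the `gitlab-minio` ExternalName Service is never deployed; secret.yaml also addresses Minio directly as `minio.gitlab-minio.svc.cluster.local`, so the file is either dead or the package is missing a service component. If it is meant to be deployed, mirror the postgres and redis packages: add a `policy-exceptions/externalName.yaml` granting `restrict-external-names` for `gitlab-minio` and a `minio-service` manifests component; otherwise delete the file so the next reader does not assume the service exists.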
@@ -0,0 +1,20 @@ +replicas: 1 +mode: standalone + +buckets: + - name: uds-gitlab-artifacts + - name: uds-gitlab-backups + - name: uds-gitlab-ci-secure-files + - name: uds-gitlab-dependency-proxy + - name: uds-gitlab-lfs + - name: uds-gitlab-mr-diffs + - name: uds-gitlab-packages + - name: uds-gitlab-pages + - name: uds-gitlab-terraform-state + - name: uds-gitlab-uploads + - name: uds-gitlab-registry + - name: uds-gitlab-tmp + +postJob: + podAnnotations: + sidecar.istio.io/inject: "false" diff --git a/utils/pkg-deps/gitlab/minio/zarf.yaml b/utils/pkg-deps/gitlab/minio/zarf.yaml new file mode 100644 index 0000000..5d08f71 --- /dev/null +++ b/utils/pkg-deps/gitlab/minio/zarf.yaml @@ -0,0 +1,47 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: gitlab-minio + version: "0.0.1" + architecture: amd64 + +components: + - name: minio-kyverno-exceptions + required: true + manifests: + - name: kyverno-exceptions + files: + - policy-exceptions/registry.yaml + - name: minio + required: true + charts: + - name: minio + version: 5.0.13 + namespace: gitlab-minio + url: https://charts.min.io/ + valuesFiles: + - "values.yaml" + images: + - quay.io/minio/mc:RELEASE.2023-06-28T21-54-17Z + - quay.io/minio/minio:RELEASE.2023-07-07T07-13-57Z + - name: minio-secret + required: true + actions: + onDeploy: + before: + - cmd: kubectl get secret -n gitlab-minio minio --template='{{ index .data "rootPassword" }}' | base64 -d + mute: true + setVariables: + - name: SECRET_KEY + sensitive: true + - cmd: kubectl get secret -n gitlab-minio minio --template='{{ index .data "rootUser" }}' | base64 -d + mute: true + setVariables: + - name: ACCESS_KEY + sensitive: true + - name: gitlab-secret + required: true + manifests: + - name: gitlab-secret + files: + - "secret.yaml" 
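Review bot: The `buckets` list hard-codes the twelve names without the `###ZARF_VAR_BUCKET_SUFFIX###` that gitlab-flux-values.yaml appends, so this dependency package only matches the capability while `BUCKET_SUFFIX` keeps its default of `""`. A comment above the list, e.g. `# names must match gitlab-flux-values.yaml with BUCKET_SUFFIX left empty`, saves a confusing debugging session later. `sidecar.istio.io/inject: "false"` on the post job means the bucket-creation traffic bypasses mesh mTLS inside gitlab-minio; acceptable for a test fixture, but worth stating in the same comment.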
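Review bot: The `minio-secret` component hands GitLab the Minio root credentials: it reads `rootUser` and `rootPassword` from the chart's `minio` secret into `ACCESS_KEY`/`SECRET_KEY`, which secret.yaml then embeds in every connection block, so the GitLab application, the registry and the backup tool all act as the storage administrator. For a test fixture a comment saying so is enough; for anything further, a dedicated user limited to the `uds-gitlab-*` buckets (the chart's values appear to support user and policy definitions — verify for chart version 5.0.13) should be created and its credentials used instead. Unlike the postgres and redis packages, this one has no `wait` action after the chart, so `gitlab-secret` and the capability can proceed before `minio-post-job` (presumably the bucket creator) has finished; a wait on that job would close the race.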
diff --git a/utils/pkg-deps/gitlab/postgres/policy-exceptions/externalName.yaml b/utils/pkg-deps/gitlab/postgres/policy-exceptions/externalName.yaml new file mode 100644 index 0000000..00135a6 --- /dev/null +++ b/utils/pkg-deps/gitlab/postgres/policy-exceptions/externalName.yaml @@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v2alpha1 +kind: PolicyException +metadata: + name: gitlab-postgres-external-names-exception + namespace: gitlab +spec: + exceptions: + - policyName: restrict-external-names + ruleNames: + - external-names + match: + any: + - resources: + kinds: + - Service + namespaces: + - gitlab + names: + - gitlab-postgres diff --git a/utils/pkg-deps/gitlab/postgres/policy-exceptions/registry.yaml b/utils/pkg-deps/gitlab/postgres/policy-exceptions/registry.yaml new file mode 100644 index 0000000..fe8b35f --- /dev/null +++ b/utils/pkg-deps/gitlab/postgres/policy-exceptions/registry.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v2alpha1 +kind: PolicyException +metadata: + name: gitlab-postgres-registry-exception + namespace: gitlab-db +spec: + exceptions: + - policyName: restrict-image-registries + ruleNames: + - validate-registries + - autogen-validate-registries + match: + any: + - resources: + kinds: + - StatefulSet + namespaces: + - gitlab-db + names: + - postgresql diff --git a/utils/pkg-deps/gitlab/postgres/service.yaml b/utils/pkg-deps/gitlab/postgres/service.yaml new file mode 100644 index 0000000..417c753 --- /dev/null +++ b/utils/pkg-deps/gitlab/postgres/service.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Service +metadata: + name: gitlab-postgres + namespace: gitlab +spec: + type: ExternalName + externalName: postgresql.gitlab-db.svc.cluster.local diff --git a/utils/pkg-deps/gitlab/postgres/values.yaml b/utils/pkg-deps/gitlab/postgres/values.yaml new file mode 100644 index 0000000..7b75942 --- /dev/null +++ b/utils/pkg-deps/gitlab/postgres/values.yaml @@ -0,0 +1,3 @@ +auth: + username: gitlab + database: gitlabdb 
diff --git a/utils/pkg-deps/gitlab/postgres/zarf.yaml b/utils/pkg-deps/gitlab/postgres/zarf.yaml new file mode 100644 index 0000000..a080a56 --- /dev/null +++ b/utils/pkg-deps/gitlab/postgres/zarf.yaml @@ -0,0 +1,53 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: gitlab-postgres + version: "0.0.1" + architecture: amd64 + +components: + - name: postgres-kyverno-exceptions + required: true + manifests: + - name: kyverno-exceptions + files: + - policy-exceptions/externalName.yaml + - policy-exceptions/registry.yaml + - name: postgres + required: true + charts: + - name: postgresql + version: 12.6.6 + namespace: gitlab-db + url: https://charts.bitnami.com/bitnami + valuesFiles: + - "values.yaml" + images: + - docker.io/bitnami/postgresql:15.3.0-debian-11-r24 + actions: + onDeploy: + after: + - wait: + cluster: + kind: Pod + name: postgresql-0 + condition: Ready + namespace: gitlab-db + - name: postgres-secret + required: true + actions: + onDeploy: + before: + - cmd: kubectl get secret -n gitlab-db postgresql --template={{.data.password}} | base64 -d + mute: true + setVariables: + - name: DB_PASSWORD + sensitive: true + after: + - cmd: kubectl create secret generic gitlab-postgres -n gitlab --from-literal=password=${ZARF_VAR_DB_PASSWORD} + - name: postgres-service + required: true + manifests: + - name: service for gitlab + files: + - service.yaml diff --git a/utils/pkg-deps/gitlab/redis/policy-exceptions/externalName.yaml b/utils/pkg-deps/gitlab/redis/policy-exceptions/externalName.yaml new file mode 100644 index 0000000..67473a8 --- /dev/null +++ b/utils/pkg-deps/gitlab/redis/policy-exceptions/externalName.yaml 
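Review bot: The `after` action of `postgres-secret`, `kubectl create secret generic gitlab-postgres -n gitlab --from-literal=password=${ZARF_VAR_DB_PASSWORD}`, puts the database password on a process command line, and unlike the `get secret` step before it the action is not `mute: true`, so the expanded command can surface in Zarf output (whether Zarf masks `sensitive` variables there is not visible in this diff). `kubectl create` also fails on a redeploy because the secret already exists, which makes the package non-idempotent. The minio package in this same diff shows the cleaner shape: a `manifests` component with a Secret file using `###ZARF_VAR_DB_PASSWORD###` in `stringData`, which Zarf applies idempotently and never passes through a shell; `redis-secret` in utils/pkg-deps/gitlab/redis/zarf.yaml has the identical pattern with `REDIS_PASSWORD` and should change with it.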
@@ -0,0 +1,19 @@ +apiVersion: kyverno.io/v2alpha1 +kind: PolicyException +metadata: + name: gitlab-redis-external-names-exception + namespace: gitlab +spec: + exceptions: + - policyName: restrict-external-names + ruleNames: + - external-names + match: + any: + - resources: + kinds: + - Service + namespaces: + - gitlab + names: + - gitlab-redis diff --git a/utils/pkg-deps/gitlab/redis/policy-exceptions/registry.yaml b/utils/pkg-deps/gitlab/redis/policy-exceptions/registry.yaml new file mode 100644 index 0000000..cd4294d --- /dev/null +++ b/utils/pkg-deps/gitlab/redis/policy-exceptions/registry.yaml @@ -0,0 +1,20 @@ +apiVersion: kyverno.io/v2alpha1 +kind: PolicyException +metadata: + name: gitlab-redis-registry-exception + namespace: gitlab-redis +spec: + exceptions: + - policyName: restrict-image-registries + ruleNames: + - validate-registries + - autogen-validate-registries + match: + any: + - resources: + kinds: + - StatefulSet + namespaces: + - gitlab-redis + names: + - redis-master diff --git a/utils/pkg-deps/gitlab/redis/service.yaml b/utils/pkg-deps/gitlab/redis/service.yaml new file mode 100644 index 0000000..5436c0d --- /dev/null +++ b/utils/pkg-deps/gitlab/redis/service.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Service +metadata: + name: gitlab-redis + namespace: gitlab +spec: + type: ExternalName + externalName: redis-master.gitlab-redis.svc.cluster.local diff --git a/utils/pkg-deps/gitlab/redis/values.yaml b/utils/pkg-deps/gitlab/redis/values.yaml new file mode 100644 index 0000000..dfef688 --- /dev/null +++ b/utils/pkg-deps/gitlab/redis/values.yaml @@ -0,0 +1 @@ +architecture: standalone diff --git a/utils/pkg-deps/gitlab/redis/zarf.yaml b/utils/pkg-deps/gitlab/redis/zarf.yaml new file mode 100644 index 0000000..8eda71a --- /dev/null +++ b/utils/pkg-deps/gitlab/redis/zarf.yaml 
@@ -0,0 +1,53 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: gitlab-redis + version: "0.0.1" + architecture: amd64 + +components: + - name: redis-kyverno-exceptions + required: true + manifests: + - name: kyverno-exceptions + files: + - policy-exceptions/externalName.yaml + - policy-exceptions/registry.yaml + - name: redis + required: true + charts: + - name: redis + version: 17.13.2 + namespace: gitlab-redis + url: https://charts.bitnami.com/bitnami + valuesFiles: + - "values.yaml" + images: + - docker.io/bitnami/redis:7.0.12-debian-11-r2 + actions: + onDeploy: + after: + - wait: + cluster: + kind: Pod + name: redis-master-0 + condition: Ready + namespace: gitlab-redis + - name: redis-secret + required: true + actions: + onDeploy: + before: + - cmd: kubectl get secret -n gitlab-redis redis --template='{{ index .data "redis-password" }}' | base64 -d + mute: true + setVariables: + - name: REDIS_PASSWORD + sensitive: true + after: + - cmd: kubectl create secret generic gitlab-redis -n gitlab --from-literal=password=${ZARF_VAR_REDIS_PASSWORD} + - name: redis-service + required: true + manifests: + - name: service for gitlab + files: + - service.yaml diff --git a/utils/pkg-deps/namespaces/values.yaml b/utils/pkg-deps/namespaces/values.yaml new file mode 100644 index 0000000..dbb0ce8 --- /dev/null +++ b/utils/pkg-deps/namespaces/values.yaml @@ -0,0 +1,13 @@ +namespaces: + - name: gitlab + labels: + istio-injection: enabled + - name: gitlab-db + labels: + istio-injection: enabled + - name: gitlab-redis + labels: + istio-injection: enabled + - name: gitlab-minio + labels: + istio-injection: enabled diff --git a/utils/pkg-deps/namespaces/zarf.yaml b/utils/pkg-deps/namespaces/zarf.yaml new file mode 100644 index 0000000..110c667 --- /dev/null +++ b/utils/pkg-deps/namespaces/zarf.yaml 
@@ -0,0 +1,18 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: gitlab-namespaces + description: "package used to deploy needed namespaces" + version: "0.0.1" + architecture: amd64 + +components: + - name: namespaces + required: true + charts: + - name: namespaces + version: 1.0.0 + namespace: default + url: https://defenseunicorns.github.io/uds-support-charts/ + valuesFiles: + - values.yaml diff --git a/values-gitlab.yaml b/values-gitlab.yaml deleted file mode 100644 index 857a617..0000000 --- a/values-gitlab.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ -# hostname is deprecated and replaced with domain. But if hostname exists then use it. -hostname: bigbang.dev -domain: bigbang.dev - -# Define variables to help with conditionals later - -openshift: false - -istio: - enabled: true - injection: enabled - gitlab: - gateways: - - istio-system/tenant - registry: - gateways: - - istio-system/tenant - -monitoring: - enabled: true - -networkPolicies: - enabled: true - ingressLabels: - app: tenant-ingressgateway - istio: null - controlPlaneCidr: 0.0.0.0/0 -redis: - metrics: - serviceMonitor: - enabled: true - namespace: gitlab - master: - podAnnotations: - bigbang.dev/istioVersion: 1.17.3 - slave: - podAnnotations: - bigbang.dev/istioVersion: 1.17.3 -postgresql: - master: - podAnnotations: - bigbang.dev/istioVersion: 1.17.3 - slave: - podAnnotations: - bigbang.dev/istioVersion: 1.17.3 -registry: - annotations: - bigbang.dev/istioVersion: 1.17.3 - metrics: - serviceMonitor: - endpointConfig: - scheme: https - tlsConfig: - caFile: /etc/prom-certs/root-cert.pem - certFile: /etc/prom-certs/cert-chain.pem - keyFile: /etc/prom-certs/key.pem - insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate - -gitlab: - toolbox: - annotations: - bigbang.dev/istioVersion: 1.17.3 - gitlab-exporter: - enabled: true - metrics: - annotations: - bigbang.dev/istioVersion: 1.17.3 - serviceMonitor: - endpointConfig: - scheme: https - tlsConfig: - caFile: /etc/prom-certs/root-cert.pem - certFile: /etc/prom-certs/cert-chain.pem - keyFile: /etc/prom-certs/key.pem - insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate - webservice: - metrics: - serviceMonitor: - endpointConfig: - scheme: https - tlsConfig: - caFile: /etc/prom-certs/root-cert.pem - certFile: /etc/prom-certs/cert-chain.pem - keyFile: /etc/prom-certs/key.pem - insecureSkipVerify: true # Prometheus does not support Istio security naming, 
thus skip verifying target pod certificate - workhorse: - metrics: - serviceMonitor: - endpointConfig: - scheme: https - tlsConfig: - caFile: /etc/prom-certs/root-cert.pem - certFile: /etc/prom-certs/cert-chain.pem - keyFile: /etc/prom-certs/key.pem - insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate - annotations: - bigbang.dev/istioVersion: 1.17.3 - sidekiq: - annotations: - bigbang.dev/istioVersion: 1.17.3 - migrations: - annotations: - bigbang.dev/istioVersion: 1.17.3 - gitaly: - annotations: - bigbang.dev/istioVersion: 1.17.3 - metrics: - serviceMonitor: - endpointConfig: - scheme: https - tlsConfig: - caFile: /etc/prom-certs/root-cert.pem - certFile: /etc/prom-certs/cert-chain.pem - keyFile: /etc/prom-certs/key.pem - insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate - gitlab-shell: - annotations: - bigbang.dev/istioVersion: 1.17.3 - metrics: - serviceMonitor: - endpointConfig: - scheme: https - tlsConfig: - caFile: /etc/prom-certs/root-cert.pem - certFile: /etc/prom-certs/cert-chain.pem - keyFile: /etc/prom-certs/key.pem - insecureSkipVerify: true # Prometheus does not support Istio security naming, thus skip verifying target pod certificate - - praefect: - annotations: - bigbang.dev/istioVersion: 1.17.3 - gitlab-grafana: - annotations: - bigbang.dev/istioVersion: 1.17.3 -shared-secrets: - annotations: - bigbang.dev/istioVersion: 1.17.3 -minio: - podAnnotations: - bigbang.dev/istioVersion: 1.17.3 - -global: - - # added to help with Gitlab sub-chart configuration - image: - pullPolicy: IfNotPresent - - istio: - enabled: true - injection: enabled - - hosts: - domain: bigbang.dev - - gitlab: - name: gitlab.bigbang.dev - - registry: - name: registry.bigbang.dev diff --git a/zarf.yaml b/zarf.yaml index 9935ffb..bd786e1 100644 --- a/zarf.yaml +++ b/zarf.yaml 
@@ -3,38 +3,37 @@ kind: ZarfPackageConfig metadata: name: gitlab description: "UDS GitLab capability deployed via flux" - version: "0.0.5" + version: "0.0.6" architecture: amd64 variables: - name: GITLAB_DEPENDS_ON default: "[]" - name: GITLAB_CREATE_NAMESPACE - default: "true" + default: "false" + - name: DOMAIN + default: "bigbang.dev" + - name: BUCKET_SUFFIX + default: "" + - name: ISTIO_VERSION + default: "unset" components: - - name: gitlab-values - files: - - source: values-gitlab.yaml - target: values-gitlab.yaml - - name: gitlab + - name: istio-version required: true - description: "Deploy gitlab via flux" actions: onDeploy: before: - - cmd: cat values-gitlab.yaml - description: Read gitlab values into variable. - mute: true - setVariables: - - name: GITLAB_VALUES - autoIndent: true - sensitive: true + - cmd: kubectl get deployment -n monitoring monitoring-monitoring-kube-operator -o=jsonpath='{.spec.template.metadata.annotations.bigbang\.dev/istioVersion}' + setVariable: ISTIO_VERSION + - name: gitlab + required: true + description: "Deploy gitlab via flux" charts: # renovate: datasource=helm - name: flux-app url: https://defenseunicorns.github.io/uds-support-charts/ - version: 1.0.5 + version: 1.0.7 namespace: gitlab valuesFiles: - gitlab-flux-values.yaml
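Review bot: The new required `istio-version` component's `before` action pipes `kubectl get deployment -n monitoring monitoring-monitoring-kube-operator -o=jsonpath=...` into `ISTIO_VERSION`, so on a cluster without that deployment the command exits non-zero and the whole capability deploy aborts, while a deployment lacking the annotation yields an empty string; in neither case does the `"unset"` default declared above reach gitlab-flux-values.yaml. Appending ` 2>/dev/null || echo unset` to the `cmd` keeps the fallback path alive (confirm how Zarf treats empty output for `setVariable`). The action uses `setVariable:` whereas every dependency package in this diff uses the `setVariables:` list form; aligning on the list form avoids relying on the older spelling. Changing `GITLAB_CREATE_NAMESPACE` to `"false"` is a behaviour change for existing consumers of the OCI package; the README covers the new prerequisite, but the package `description` or a changelog entry should say so too.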