feat!: allow configurability of SSH and harden application settings (#…

…196) ## Description This PR disables SSH more fully by default but adds an option to reconfigure it later - it also adds a way to harden specific settings in GitLab declaratively. > [!IMPORTANT] > ⚠️ BREAKING CHANGE - this is a breaking change as it will force hardened settings on the end user unless the settingsJob is disabled or reconfigured. ## Related Issue Fixes #189 Fixes #190 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [X] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [X] Test, docs, adr added or updated as needed - [X] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-gitlab/blob/main/CONTRIBUTING.md#developer-workflow) followed Release-As: v17.2.7-uds.1
defenseunicorns · Sep 24, 2024 · bcd34c6 · bcd34c6
1 parent 6ea19d2
commit bcd34c6
Show file tree

Hide file tree

Showing 38 changed files with 454 additions and 73 deletions.
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
@@ -12,4 +12,4 @@ on:
 jobs:
  validate:
  name: Validate
- uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@76287d41ec5f06ecbdd0a6453877a78675aceffe # v0.11.2
+ uses: defenseunicorns/uds-common/.github/workflows/commitlint.yaml@e3008473beab00b12a94f9fcc7340124338d5c08 # v0.13.1
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -20,7 +20,7 @@ jobs:
  fetch-depth: 0
 
  - name: Environment setup
- uses: defenseunicorns/uds-common/.github/actions/setup@76287d41ec5f06ecbdd0a6453877a78675aceffe # v0.11.2
+ uses: defenseunicorns/uds-common/.github/actions/setup@e3008473beab00b12a94f9fcc7340124338d5c08 # v0.13.1
  with:
  registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
  registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}

diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml
@@ -42,7 +42,7 @@ jobs:
  - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
  - name: Environment setup
- uses: defenseunicorns/uds-common/.github/actions/setup@76287d41ec5f06ecbdd0a6453877a78675aceffe # v0.11.2
+ uses: defenseunicorns/uds-common/.github/actions/setup@e3008473beab00b12a94f9fcc7340124338d5c08 # v0.13.1
  with:
  registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
  registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
@@ -67,10 +67,10 @@ jobs:
 
  - name: Debug Output
  if: ${{ always() }}
- uses: defenseunicorns/uds-common/.github/actions/debug-output@76287d41ec5f06ecbdd0a6453877a78675aceffe # v0.11.2
+ uses: defenseunicorns/uds-common/.github/actions/debug-output@e3008473beab00b12a94f9fcc7340124338d5c08 # v0.13.1
 
  - name: Save logs
  if: always()
- uses: defenseunicorns/uds-common/.github/actions/save-logs@76287d41ec5f06ecbdd0a6453877a78675aceffe # v0.11.2
+ uses: defenseunicorns/uds-common/.github/actions/save-logs@e3008473beab00b12a94f9fcc7340124338d5c08 # v0.13.1
  with:
  suffix: '${{ matrix.flavor }}-${{ matrix.architecture }}-${{ github.run_id }}-${{ github.run_attempt }}'
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -46,25 +46,25 @@ jobs:
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
  - name: Environment setup
- uses: defenseunicorns/uds-common/.github/actions/setup@76287d41ec5f06ecbdd0a6453877a78675aceffe # v0.11.2
+ uses: defenseunicorns/uds-common/.github/actions/setup@e3008473beab00b12a94f9fcc7340124338d5c08 # v0.13.1
  with:
  registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
  registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
  ghToken: ${{ secrets.GITHUB_TOKEN }}
 
  - name: Test
- uses: defenseunicorns/uds-common/.github/actions/test@76287d41ec5f06ecbdd0a6453877a78675aceffe # v0.11.2
+ uses: defenseunicorns/uds-common/.github/actions/test-deploy@e3008473beab00b12a94f9fcc7340124338d5c08 # v0.13.1
  with:
  flavor: ${{ matrix.flavor }}
  type: ${{ matrix.type }}
 
  - name: Debug Output
  if: ${{ always() }}
- uses: defenseunicorns/uds-common/.github/actions/debug-output@76287d41ec5f06ecbdd0a6453877a78675aceffe # v0.11.2
+ uses: defenseunicorns/uds-common/.github/actions/debug-output@e3008473beab00b12a94f9fcc7340124338d5c08 # v0.13.1
 
  - name: Save logs
  if: always()
- uses: defenseunicorns/uds-common/.github/actions/save-logs@76287d41ec5f06ecbdd0a6453877a78675aceffe # v0.11.2
+ uses: defenseunicorns/uds-common/.github/actions/save-logs@e3008473beab00b12a94f9fcc7340124338d5c08 # v0.13.1
  with:
  suffix: ${{ matrix.type }}-${{ matrix.flavor }}-${{ github.run_id }}-${{ github.run_attempt }}
 

diff --git a/.gitignore b/.gitignore
@@ -22,3 +22,6 @@ overlay-values-*
 # Tests
 node_modules/
 .playwright/
+tests/data/gitlab-test-ssh-key
+tests/data/gitlab-test-ssh-key.pub
+tests/data/uds-package-test-*
diff --git a/.yamllint b/.yamllint
@@ -3,7 +3,7 @@ yaml-files:
  - '.yamllint'
 
 ignore:
- - '**/chart/templates**'
+ - '**/charts/**/templates**'
 
 rules:
  anchors: enable

diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml
@@ -75,6 +75,11 @@ packages:
  overrides:
  gitlab:
  uds-gitlab-config:
+ values:
+ - path: ssh.enabled
+ value: true
+ - path: ssh.port
+ value: 2223
  variables:
  - name: GITLAB_SSO_ENABLED
  description: "Boolean to enable or disable sso things"
@@ -90,6 +95,10 @@ packages:
  path: "sso.requiredGroups"
  gitlab:
  values:
+ - path: gitlab.gitlab-shell.enabled
+ value: true
+ - path: global.shell.port
+ value: 2223
  - path: global.psql.host
  value: pg-cluster.postgres.svc.cluster.local
  - path: "global.psql.username"
@@ -132,3 +141,7 @@ packages:
  - name: SHELL_REPLICAS
  description: "Gitlab Shell Min Replicas"
  path: "gitlab.gitlab-shell.minReplicas"
+ uds-gitlab-settings:
+ values:
+ - path: settingsJob.application.enabled_git_access_protocol
+ value: all
diff --git a/chart/.helmignore → charts/config/.helmignore b/chart/.helmignore → charts/config/.helmignore
diff --git a/chart/Chart.yaml → charts/config/Chart.yaml b/chart/Chart.yaml → charts/config/Chart.yaml
diff --git a/chart/templates/gitlab-sso-secret.yaml → ...s/config/templates/gitlab-sso-secret.yaml b/chart/templates/gitlab-sso-secret.yaml → ...s/config/templates/gitlab-sso-secret.yaml
diff --git a/...emplates/postgres-peerauthentication.yaml → ...emplates/postgres-peerauthentication.yaml b/...emplates/postgres-peerauthentication.yaml → ...emplates/postgres-peerauthentication.yaml
diff --git a/chart/templates/postgres-secret.yaml → charts/config/templates/postgres-secret.yaml b/chart/templates/postgres-secret.yaml → charts/config/templates/postgres-secret.yaml
diff --git a/...t/templates/redis-peerauthentication.yaml → ...g/templates/redis-peerauthentication.yaml b/...t/templates/redis-peerauthentication.yaml → ...g/templates/redis-peerauthentication.yaml
diff --git a/chart/templates/redis-secret.yaml → charts/config/templates/redis-secret.yaml b/chart/templates/redis-secret.yaml → charts/config/templates/redis-secret.yaml
diff --git a/chart/templates/sidekiq-pod-monitor.yaml → ...config/templates/sidekiq-pod-monitor.yaml b/chart/templates/sidekiq-pod-monitor.yaml → ...config/templates/sidekiq-pod-monitor.yaml
diff --git a/charts/config/templates/ssh-gateway.yaml b/charts/config/templates/ssh-gateway.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.ssh.enabled }}
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: gitlab-ssh-gateway
+ namespace: istio-tenant-gateway
+spec:
+ selector:
+ app: tenant-ingressgateway
+ servers:
+ - hosts:
+ - gitlab.{{ .Values.domain }}
+ port:
+ name: tcp-ssh
+ number: {{ .Values.ssh.port }}
+ protocol: TCP
+{{- end }}
diff --git a/charts/config/templates/ssh-virtual-service.yaml b/charts/config/templates/ssh-virtual-service.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.ssh.enabled }}
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: gitlab-ssh
+ namespace: {{ .Release.Namespace }}
+spec:
+ gateways:
+ - istio-tenant-gateway/gitlab-ssh-gateway
+ hosts:
+ - gitlab.{{ .Values.domain }}
+ tcp:
+ - match:
+ - port: {{ .Values.ssh.port }}
+ route:
+ - destination:
+ host: gitlab-gitlab-shell.gitlab.svc.cluster.local
+ port:
+ number: {{ .Values.ssh.port }}
+{{- end }}
diff --git a/chart/templates/uds-package.yaml → charts/config/templates/uds-package.yaml b/chart/templates/uds-package.yaml → charts/config/templates/uds-package.yaml
@@ -103,6 +103,17 @@ spec:
  - direction: Ingress
  remoteGenerated: IntraNamespace
 
+ {{- if .Values.ssh.enabled }}
+ - direction: Ingress
+ selector:
+ app: gitlab-shell
+ remoteNamespace: istio-tenant-gateway
+ remoteSelector:
+ app: tenant-ingressgateway
+ port: 2222
+ description: "SSH Ingress"
+ {{- end }}
+
  # ingress from runner only if runner lives in cluster. Otherwise, it goes through the gateway
  {{- if .Values.runner.internal }}
  - direction: Ingress

diff --git a/chart/values.yaml → charts/config/values.yaml b/chart/values.yaml → charts/config/values.yaml
@@ -1,4 +1,9 @@
 domain: "###ZARF_VAR_DOMAIN###"
+
+ssh:
+ enabled: false
+ port: 2222
+
 sso:
  enabled: true
  protocol: saml

diff --git a/charts/settings/.helmignore b/charts/settings/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/settings/Chart.yaml b/charts/settings/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: uds-gitlab-settings
+description: uds-gitlab-settings
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
diff --git a/charts/settings/templates/_settings-pod.tpl b/charts/settings/templates/_settings-pod.tpl
@@ -0,0 +1,43 @@
+# Reusable Pod spec for settings jobs
+{{- define "uds-gitlab-settings.settings-pod" }}
+metadata:
+ labels:
+ app: gitlab
+spec:
+ serviceAccountName: gitlab-settings-sa
+ containers:
+ - name: gitlab-settings
+ image: "{{ .Values.global.kubectl.image.repository }}:{{ .Values.global.kubectl.image.tag }}"
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ # Read the JSON file from the mounted application settings secret
+ SETTINGS=$(cat /etc/gitlab-settings/application.json)
+
+ # Dynamically parse each key-value pair in the JSON using yq and construct query parameters
+ QUERY_PARAMS=$(echo $SETTINGS | yq e 'to_entries | map("\(.key)=\(.value)") | join("&")' -)
+
+ # Generate and capture a GitLab token from the GitLab Toolbox Rails Console
+ TOKEN=$(kubectl exec -n gitlab deployment/gitlab-toolbox -- \
+ gitlab-rails runner -e production \
+ "random_token = SecureRandom.hex(32); token = User.find_by_username('root').personal_access_tokens.create(scopes: ['api', 'admin_mode'], name: 'Application Settings Token', expires_at: 1.days.from_now); token.set_token(random_token); token.save!; puts random_token" | tail -n 1)
+
+ # Use the generated token to set GitLab settings
+ kubectl exec -n gitlab deployment/gitlab-toolbox -- \
+ curl --request PUT --header "PRIVATE-TOKEN: $TOKEN" \
+ "http://gitlab-webservice-default.gitlab.svc.cluster.local:8181/api/v4/application/settings?$QUERY_PARAMS"
+
+ # Revoke the token after use
+ kubectl exec -n gitlab deployment/gitlab-toolbox -- \
+ gitlab-rails runner -e production \
+ "token = PersonalAccessToken.find_by_token('$TOKEN'); token.revoke!"
+ volumeMounts:
+ - name: gitlab-settings-volume
+ mountPath: /etc/gitlab-settings
+ readOnly: true
+ restartPolicy: OnFailure
+ volumes:
+ - name: gitlab-settings-volume
+ secret:
+ secretName: gitlab-settings-secret
+{{- end }}
diff --git a/charts/settings/templates/service-account-role.yaml b/charts/settings/templates/service-account-role.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.settingsJob.enabled }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gitlab-settings-sa
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: gitlab-settings-role
+ namespace: {{ .Release.Namespace }}
+rules:
+ # Only allow exec into the toolbox pod
+ - apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["create"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["list"]
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get"]
+ resourceNames:
+ - gitlab-toolbox
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: gitlab-settings-rolebinding
+ namespace: {{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: gitlab-settings-sa
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: gitlab-settings-role
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/settings/templates/settings-cron-job.yaml b/charts/settings/templates/settings-cron-job.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.settingsJob.enabled }}
+# CronJob to reapply settings on schedule
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: gitlab-settings-cronjob
+ namespace: {{ .Release.Namespace }}
+spec:
+ schedule: "{{ .Values.settingsJob.schedule }}"
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ spec:
+ ttlSecondsAfterFinished: 30
+ template:
+ {{ include "uds-gitlab-settings.settings-pod" . | indent 8 }}
+{{- end }}
diff --git a/charts/settings/templates/settings-job.yaml b/charts/settings/templates/settings-job.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.settingsJob.enabled }}
+# Job to apply settings immediately on deployment
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: gitlab-settings-job
+ namespace: {{ .Release.Namespace }}
+spec:
+ ttlSecondsAfterFinished: 30
+ template:
+ {{ include "uds-gitlab-settings.settings-pod" . | indent 4 }}
+{{- end }}
diff --git a/charts/settings/templates/settings-secret.yaml b/charts/settings/templates/settings-secret.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.settingsJob.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitlab-settings-secret
+ namespace: gitlab
+type: Opaque
+stringData:
+ application.json: {{ .Values.settingsJob.application | toJson | quote }}
+{{- end }}