From f246390dacc6804a43cc4fdbde2cdd1b83e9fa35 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Wed, 3 Jul 2024 16:51:53 -0600 Subject: [PATCH 01/11] feat: redis password secret creation and valkey testing --- .github/workflows/tag-and-release.yaml | 10 +++++----- bundle/uds-bundle.yaml | 24 +++++++++++++++++++++--- chart/templates/redis-secret.yaml | 10 ++++++++++ chart/values.yaml | 2 ++ src/dev-secrets/redis-secret.yaml | 8 -------- src/dev-secrets/zarf.yaml | 17 ----------------- 6 files changed, 38 insertions(+), 33 deletions(-) create mode 100644 chart/templates/redis-secret.yaml delete mode 100644 src/dev-secrets/redis-secret.yaml diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml index d3c4bbf8..43abfa25 100644 --- a/.github/workflows/tag-and-release.yaml +++ b/.github/workflows/tag-and-release.yaml 
@@ -52,21 +52,21 @@ jobs: uses: defenseunicorns/uds-common/.github/actions/playwright@0901c37366f37fea586768c79708e14e964e714e # v0.6.1 - name: Build Package - run: uds run -f tasks/publish.yaml build-package --set FLAVOR=${{ matrix.flavor }} + run: uds run -f tasks/publish.yaml build-package --set FLAVOR=${{ matrix.flavor }} --no-progress - name: Build Bundle - run: uds run -f tasks/publish.yaml build-test-bundle --set FLAVOR=${{ matrix.flavor }} + run: uds run -f tasks/publish.yaml build-test-bundle --set FLAVOR=${{ matrix.flavor }} --no-progress - name: Test Package if: ${{ runner.arch != 'ARM64' }} - run: uds run -f tasks/publish.yaml test-package --set FLAVOR=${{ matrix.flavor }} + run: uds run -f tasks/publish.yaml test-package --set FLAVOR=${{ matrix.flavor }} --no-progress - name: Publish Package - run: uds run -f tasks/publish.yaml publish-package --set FLAVOR=${{ matrix.flavor }} + run: uds run -f tasks/publish.yaml publish-package --set FLAVOR=${{ matrix.flavor }} --no-progress - name: Publish Bundle if: ${{ matrix.flavor == 'upstream' }} - run: uds run -f tasks/publish.yaml publish-test-bundle --set FLAVOR=${{ matrix.flavor }} + run: uds run -f tasks/publish.yaml publish-test-bundle --set FLAVOR=${{ matrix.flavor }} --no-progress - name: Debug Output if: ${{ always() }} diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 4855470a..fabaca86 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml 
@@ -26,9 +26,27 @@ packages: description: "Configure postgres using CRs via the uds-postgres-config chart" path: postgresql - - name: dev-redis - repository: ghcr.io/defenseunicorns/packages/uds/dev-redis - ref: 0.0.2 + - name: valkey + repository: ghcr.io/defenseunicorns/packages/uds/valkey + ref: 7.2.5-uds.1 + overrides: + valkey: + uds-valkey-config: + values: + - path: custom + value: + - direction: Ingress + selector: + app.kubernetes.io/name: valkey + remoteNamespace: gitlab + port: 6379 + description: "Ingress from GitLab" + - path: copyPassword + value: + enabled: true + namespace: gitlab + secretName: gitlab-redis + secretKey: password - name: dev-secrets path: ../ diff --git a/chart/templates/redis-secret.yaml b/chart/templates/redis-secret.yaml new file mode 100644 index 00000000..c41628ad --- /dev/null +++ b/chart/templates/redis-secret.yaml @@ -0,0 +1,10 @@ +{{- if ne .Values.redis.password "" }} +apiVersion: v1 +kind: Secret +metadata: + name: gitlab-redis + namespace: {{ .Release.Namespace }} +type: kubernetes.io/opaque +stringData: + password: {{ .Values.redis.password }} +{{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index f1cb57eb..cf25aa7a 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -12,6 +12,8 @@ storage: namespace: dev-minio port: 9000 redis: + password: "" + # Set to false to use external redis internal: true selector: diff --git a/src/dev-secrets/redis-secret.yaml b/src/dev-secrets/redis-secret.yaml deleted file mode 100644 index 551c4aaf..00000000 --- a/src/dev-secrets/redis-secret.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: gitlab-redis - namespace: gitlab -type: kubernetes.io/opaque -stringData: - password: "###ZARF_VAR_REDIS_PASSWORD###" diff --git a/src/dev-secrets/zarf.yaml b/src/dev-secrets/zarf.yaml index 2333ffbf..c8d97109 100644 --- a/src/dev-secrets/zarf.yaml +++ b/src/dev-secrets/zarf.yaml 
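Review bot: `password: {{ .Values.redis.password }}` in the new chart/templates/redis-secret.yaml renders the value as an unquoted plain scalar, so a password that starts with a YAML indicator (`*`, `&`, `[`, `{`, `#`, `|`, `>`), contains `: ` or ` #`, or happens to look like a number or boolean is mis-parsed or fails the render, and those are exactly the characters a generated password tends to contain. Use `password: {{ .Values.redis.password | quote }}` so the secret value is always a string. The `{{- if ne .Values.redis.password "" }}` guard also aborts the render with a Go-template type error if a user supplies a non-string value (an unquoted all-digit password in values), so `{{- if .Values.redis.password }}` is the more forgiving check. `type: kubernetes.io/opaque` is not the standard `Opaque` type name; the API accepts arbitrary type strings so this is not a failure, and the deleted dev-secrets manifest carried the same value, but tooling that keys on `Opaque` will not recognize it.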
@@ -27,20 +27,3 @@ components: - name: gitlab-minio files: - "minio-secret.yaml" - - name: redis-password - required: true - actions: - onDeploy: - before: - - cmd: ./zarf tools kubectl get secret -n dev-redis redis --template='{{ index .data "redis-password" }}' | base64 -d - mute: true - setVariables: - - name: REDIS_PASSWORD - sensitive: true - - name: gitlab-redis - required: true - manifests: - - name: gitlab-redis - namespace: gitlab - files: - - redis-secret.yaml From f803bd12dd745ca6adaab3f7a45bac0f82e6b9c7 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Mon, 8 Jul 2024 13:50:07 -0600 Subject: [PATCH 02/11] add docs and update config --- bundle/uds-bundle.yaml | 24 ++++++++++++++++++++---- bundle/uds-config.yaml | 16 ---------------- docs/configuration.md | 36 ++++++++++++++++++++++++++++++++---- zarf.yaml | 2 +- 4 files changed, 53 insertions(+), 25 deletions(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index fabaca86..653ab1c8 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -21,10 +21,21 @@ packages: overrides: postgres-operator: uds-postgres-config: - variables: - - name: POSTGRESQL - description: "Configure postgres using CRs via the uds-postgres-config chart" - path: postgresql + values: + - path: postgresql + value: + enabled: true # Set to false to not create the PostgreSQL resource + teamId: "uds" + volume: + size: "10Gi" + numberOfInstances: 2 + users: + gitlab.gitlab: [] # database owner + databases: + gitlabdb: gitlab.gitlab + version: "13" + ingress: + remoteGenerated: Anywhere - name: valkey repository: ghcr.io/defenseunicorns/packages/uds/valkey 
@@ -71,6 +82,11 @@ packages: description: "Array of group names that grant admin role gitlab when saml protocol is active." path: "sso.adminGroups" gitlab: + values: + - path: global.psql.host + value: pg-cluster.postgres.svc.cluster.local + - path: global.redis.host + value: valkey-master.valkey.svc.cluster.local variables: - name: GITLAB_SSO_ENABLED description: "Boolean to enable or disable sso things" diff --git a/bundle/uds-config.yaml b/bundle/uds-config.yaml index 4e681b26..e3cd8e0f 100644 --- a/bundle/uds-config.yaml +++ b/bundle/uds-config.yaml @@ -13,23 +13,7 @@ variables: - name: uds-gitlab-uploads - name: uds-gitlab-registry - name: uds-gitlab-tmp - postgres-operator: - postgresql: - enabled: true # Set to false to not create the PostgreSQL resource - teamId: "uds" - volume: - size: "10Gi" - numberOfInstances: 2 - users: - gitlab.gitlab: [] # database owner - databases: - gitlabdb: gitlab.gitlab - version: "13" - ingress: - remoteGenerated: Anywhere gitlab: - gitlab_redis_endpoint: "redis-master.dev-redis.svc.cluster.local" - gitlab_db_endpoint: "pg-cluster.postgres.svc.cluster.local" DISABLE_REGISTRY_REDIRECT: "true" GITLAB_PAGES_ENABLED: true GITLAB_ADMIN_GROUPS: ["/GitLab Admin", "/UDS Core/Admin"] diff --git a/docs/configuration.md b/docs/configuration.md index 329bcd96..547423d1 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
@@ -17,12 +17,12 @@ GitLab uses Postgres as its backing database service and supports the [common da ### Manual Database Connection -If you are using the UDS Postgres Operator or another external database that uses usernames/passwords you can use the following Helm overrides to configure it: +If you are using the [UDS Postgres Operator](https://github.com/defenseunicorns/uds-package-postgres-operator/) or another external database that uses usernames/passwords you can use the following Helm overrides to configure it: #### `uds-gitlab-config` chart: > [!IMPORTANT] -> The `postgres.password` setting is not applicable when using the UDS Postgres Operator package or when supplying a secret manually. +> The `postgres.password` setting is not applicable when using the UDS Postgres Operator package or when supplying a secret manually! - `postgres.password` - provides a password to generate a secret to pass to GitLab 
@@ -30,14 +30,42 @@ If you are using the UDS Postgres Operator or another external database that use #### `gitlab` chart: > [!IMPORTANT] -> The `global.psql.password.secret` setting is not applicable when providing a password to the `uds-gitlab-config` chart manually. +> The `global.psql.password.secret` and `global.psql.password.key` settings are not applicable when providing a password to the `uds-gitlab-config` chart manually. - `global.psql.username` - provides the username to use when connecting to the database (i.e. `gitlab.gitlab`) -- `global.psql.password.secret` - provides the secret that contains the database password (i.e. `gitlab.gitlab.pg-cluster.credentials.postgresql.acid.zalan.do`) +- `global.psql.password.secret` - provides the secret that contains the database password (defaults to `gitlab-postgres`) +- `global.psql.password.key` - provides the secret key that contains the database password (defaults to `password`) - `global.psql.host` - provides the endpoint to use to connect to the database (i.e. `pg-cluster.postgres.svc.cluster.local`) +- `global.psql.port` - provides the port to use to connect to the database (defaults to `5432`) ### IAM Roles for Service Accounts The Software Factory team has not yet tested IRSA with AWS RDS - there is an open issue linked below with further linked issues to test this that could act as a starting point to implement: https://github.com/defenseunicorns/uds-software-factory/issues/45 + +## Redis / Valkey + +GitLab uses Redis as a key value store for caching, job queueing and more and supports external providers (such as Elasticache) as well as the [UDS Valkey](https://github.com/defenseunicorns/uds-package-valkey/) package to provide the service. 
+ +### Manual Database Connection + +You can use the following Helm overrides to configure a connection to Redis / Valkey: + +#### `uds-gitlab-config` chart: + +> [!IMPORTANT] +> The `redis.password` setting is not applicable when using the UDS Valkey package or when supplying a secret manually! + +- `redis.password` - provides a password to generate a secret to pass to GitLab + +#### `gitlab` chart: + +> [!IMPORTANT] +> The `global.redis.auth.secret` and `global.redis.auth.key` settings are not applicable when providing a password to the `uds-gitlab-config` chart manually. + +- `global.redis.auth.secret` - provides the secret that contains the key value store password (defaults to `gitlab-redis`) +- `global.redis.auth.key` - provides the key within the secret that contains the key value store password (defaults to `password`) +- `global.redis.scheme` - provides the scheme to use to connect to the key value store (i.e. `redis` or `rediss`) +- `global.redis.host` - provides the endpoint to use to connect to the key value store (i.e. `pg-cluster.postgres.svc.cluster.local`) +- `global.redis.port` - provides the port to use to connect to the key value store (defaults to `6379`) diff --git a/zarf.yaml b/zarf.yaml index b18e111c..6c3fa9d8 100644 --- a/zarf.yaml +++ b/zarf.yaml @@ -15,7 +15,7 @@ variables: - name: BUCKET_SUFFIX default: "" - name: GITLAB_REDIS_ENDPOINT - default: "redis-master" + default: "" - name: GITLAB_REDIS_SCHEME default: "redis" - name: GITLAB_DB_NAME From f5b7676832a5177ee8148a19393e07799fe99e57 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Mon, 8 Jul 2024 14:55:09 -0600 Subject: [PATCH 03/11] upgrade to postgres 14 --- bundle/uds-bundle.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 653ab1c8..db3b0e85 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml 
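Review bot: `GITLAB_REDIS_ENDPOINT` now defaults to `""`, so a deployment that sets neither the variable nor the bundle's new `global.redis.host` override presumably renders an empty Redis host and fails only at GitLab start-up rather than at deploy time; a `description` stating that the value is required, or a `required` check in the chart where the variable is consumed (outside this hunk, so its exact use is inferred), would surface that earlier. Relatedly, the configuration.md hunk on this line gives `pg-cluster.postgres.svc.cluster.local` as the example for `global.redis.host`; that is the Postgres host and should read `valkey-master.valkey.svc.cluster.local`, matching the bundle override added in this patch.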
@@ -33,7 +33,7 @@ packages: gitlab.gitlab: [] # database owner databases: gitlabdb: gitlab.gitlab - version: "13" + version: "14" ingress: remoteGenerated: Anywhere From 909108cd243a5763048a3c00495004d24b9d3237 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Mon, 8 Jul 2024 15:17:36 -0600 Subject: [PATCH 04/11] add upstream flavor --- bundle/uds-bundle.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index db3b0e85..90e1fc65 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -39,7 +39,7 @@ packages: - name: valkey repository: ghcr.io/defenseunicorns/packages/uds/valkey - ref: 7.2.5-uds.1 + ref: 7.2.5-uds.1-upstream overrides: valkey: uds-valkey-config: From 97063d7efd25932f1cd026156bb3febc1d7ceec4 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Mon, 8 Jul 2024 15:52:11 -0600 Subject: [PATCH 05/11] fix valkey egress --- chart/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/chart/values.yaml b/chart/values.yaml index cf25aa7a..cb09bf3d 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -17,8 +17,8 @@ redis: # Set to false to use external redis internal: true selector: - app.kubernetes.io/name: redis - namespace: dev-redis + app.kubernetes.io/name: valkey + namespace: valkey port: 6379 postgres: password: "" From 8b01ade9f34194ae55728e471e418fb69ded5c58 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Mon, 8 Jul 2024 17:56:24 -0600 Subject: [PATCH 06/11] update ingress and peerauth exceptions --- bundle/uds-bundle.yaml | 4 ++-- .../templates/postgres-peerauthentication.yaml | 17 +++++++++++++++++ chart/templates/redis-peerauthentication.yaml | 17 +++++++++++++++++ 3 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 chart/templates/postgres-peerauthentication.yaml create mode 100644 chart/templates/redis-peerauthentication.yaml diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 90e1fc65..d08c031b 100644 
--- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -17,7 +17,7 @@ packages: - name: postgres-operator repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator - ref: 1.10.1-uds.4-upstream + ref: 1.12.2-uds.0-upstream overrides: postgres-operator: uds-postgres-config: @@ -35,7 +35,7 @@ packages: gitlabdb: gitlab.gitlab version: "14" ingress: - remoteGenerated: Anywhere + - remoteNamespace: gitlab - name: valkey repository: ghcr.io/defenseunicorns/packages/uds/valkey diff --git a/chart/templates/postgres-peerauthentication.yaml b/chart/templates/postgres-peerauthentication.yaml new file mode 100644 index 00000000..c9caa969 --- /dev/null +++ b/chart/templates/postgres-peerauthentication.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.postgres.internal (.Capabilities.APIVersions.Has "security.istio.io/v1beta1") }} +apiVersion: "security.istio.io/v1beta1" +kind: PeerAuthentication +metadata: + name: postgres-peerauthentication-exception + namespace: {{ .Release.Namespace }} +spec: + mtls: + mode: STRICT + selector: + matchLabels: + {{ .Values.postgres.selector }} + portLevelMtls: + # Postgres exception to support GitLab dependency init containers + {{ .Values.postgres.port }}: + mode: PERMISSIVE +{{- end }} diff --git a/chart/templates/redis-peerauthentication.yaml b/chart/templates/redis-peerauthentication.yaml new file mode 100644 index 00000000..fe8d2600 --- /dev/null +++ b/chart/templates/redis-peerauthentication.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.redis.internal (.Capabilities.APIVersions.Has "security.istio.io/v1beta1") }} +apiVersion: "security.istio.io/v1beta1" +kind: PeerAuthentication +metadata: + name: redis-peerauthentication-exception + namespace: {{ .Release.Namespace }} +spec: + mtls: + mode: STRICT + selector: + matchLabels: + {{ .Values.redis.selector }} + portLevelMtls: + # Redis/Valkey exception to support GitLab dependency init containers + {{ .Values.redis.port }}: + mode: PERMISSIVE +{{- end }} 
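Review bot: `portLevelMtls` with `mode: PERMISSIVE` on `{{ .Values.postgres.port }}` removes the mTLS requirement for the whole database port, not only for GitLab's dependency init containers: every client that the network policy admits can then speak to Postgres in plaintext, and Istio AuthorizationPolicies keyed on a source principal no longer see a client identity on that port. The comment should state that trade-off and name the compensating control, e.g. `# PERMISSIVE on the DB port accepts plaintext from any client the NetworkPolicy admits (init containers run before the sidecar); the postgres package's ingress rule (remoteNamespace: gitlab) is the effective boundary`. The same caveat applies to the redis-peerauthentication.yaml hunk on this line, where the Valkey password travels over the exempted port 6379.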
From bc1c6eaac249c86747f46d1a7e6763056c98513b Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Mon, 8 Jul 2024 18:56:44 -0600 Subject: [PATCH 07/11] peerauth helm template --- chart/templates/postgres-peerauthentication.yaml | 6 +++--- chart/templates/redis-peerauthentication.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/chart/templates/postgres-peerauthentication.yaml b/chart/templates/postgres-peerauthentication.yaml index c9caa969..47c61c18 100644 --- a/chart/templates/postgres-peerauthentication.yaml +++ b/chart/templates/postgres-peerauthentication.yaml @@ -2,14 +2,14 @@ apiVersion: "security.istio.io/v1beta1" kind: PeerAuthentication metadata: - name: postgres-peerauthentication-exception - namespace: {{ .Release.Namespace }} + name: gitlab-postgres-peerauthentication-exception + namespace: {{ .Values.postgres.namespace }} spec: mtls: mode: STRICT selector: matchLabels: - {{ .Values.postgres.selector }} + {{ .Values.postgres.selector | toYaml }} portLevelMtls: # Postgres exception to support GitLab dependency init containers {{ .Values.postgres.port }}: diff --git a/chart/templates/redis-peerauthentication.yaml b/chart/templates/redis-peerauthentication.yaml index fe8d2600..1cf18684 100644 --- a/chart/templates/redis-peerauthentication.yaml +++ b/chart/templates/redis-peerauthentication.yaml @@ -2,14 +2,14 @@ apiVersion: "security.istio.io/v1beta1" kind: PeerAuthentication metadata: - name: redis-peerauthentication-exception - namespace: {{ .Release.Namespace }} + name: gitlab-redis-peerauthentication-exception + namespace: {{ .Values.redis.namespace }} spec: mtls: mode: STRICT selector: matchLabels: - {{ .Values.redis.selector }} + {{ .Values.redis.selector | toYaml }} portLevelMtls: # Redis/Valkey exception to support GitLab dependency init containers {{ .Values.redis.port }}: From c3f107bedbe743efa7c386064a21adbd6a402f2a Mon Sep 17 00:00:00 2001 
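Review bot: `{{ .Values.postgres.selector | toYaml }}` is emitted inline after the six-space indent under `matchLabels`, so it only renders correctly when the selector map has exactly one key; any further key is written by `toYaml` at column 0 and the manifest either fails to parse or selects nothing, silently dropping the mTLS exception. Use `{{- .Values.postgres.selector | toYaml | nindent 6 }}` so every label lands under `matchLabels`, and apply the same to `.Values.redis.selector` in chart/templates/redis-peerauthentication.yaml on this line.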
From: Wayne Starr Date: Tue, 9 Jul 2024 12:10:29 -0600 Subject: [PATCH 08/11] update pgo --- bundle/uds-bundle.yaml | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index d08c031b..2c18e39e 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -17,7 +17,7 @@ packages: - name: postgres-operator repository: ghcr.io/defenseunicorns/packages/uds/postgres-operator - ref: 1.12.2-uds.0-upstream + ref: 1.12.2-uds.1-upstream overrides: postgres-operator: uds-postgres-config: @@ -85,6 +85,10 @@ packages: values: - path: global.psql.host value: pg-cluster.postgres.svc.cluster.local + - path: "global.psql.username" + value: "gitlab.gitlab" + - path: "global.psql.password.secret" + value: "gitlab.gitlab.pg-cluster.credentials.postgresql.acid.zalan.do" - path: global.redis.host value: valkey-master.valkey.svc.cluster.local variables: @@ -121,11 +125,3 @@ packages: - name: SHELL_REPLICAS description: "Gitlab Shell Min Replicas" path: "gitlab.gitlab-shell.minReplicas" - - name: POSTGRES_USERNAME - description: "Gitlab Postgres Username" - path: "global.psql.username" - default: "gitlab.gitlab" - - name: POSTGRES_SECRET_REF - description: "Gitlab Postgres Password Secret Ref" - path: "global.psql.password.secret" - default: "gitlab.gitlab.pg-cluster.credentials.postgresql.acid.zalan.do" From 8e49c58f8b1a423cd9b9b28b3708a825ed1c45ca Mon Sep 17 00:00:00 2001 
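Review bot: Pinning `global.psql.password.secret` to `gitlab.gitlab.pg-cluster.credentials.postgresql.acid.zalan.do` in the gitlab overrides ties the bundle to the operator-generated credential secret, which the Zalando operator creates in the postgresql CR's own namespace, not in `gitlab`; GitLab can only read it if the postgres package copies it across, which this series does not show (the valkey package has an explicit `copyPassword` for this, the postgres side is inferred). A short comment above the two `global.psql.*` entries saying where that secret is expected to come from, e.g. `# credential secret generated by the Zalando operator for the gitlab.gitlab role; must exist in the gitlab namespace`, would make the dependency visible. Removing the `POSTGRES_USERNAME` / `POSTGRES_SECRET_REF` variables also drops the deploy-time knob that docs/configuration.md describes for external databases, so a user now has to override the chart value at bundle level instead.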
From: Wayne Starr Date: Tue, 9 Jul 2024 15:10:26 -0600 Subject: [PATCH 09/11] add peerauth shim --- bundle/uds-bundle.yaml | 4 ++++ .../postgres-peerauthentication.yaml | 15 +++++++++++++++ src/peer-auth-shim/redis-peerauthentication.yaml | 15 +++++++++++++++ src/peer-auth-shim/zarf.yaml | 14 ++++++++++++++ tasks/dependencies.yaml | 1 + 5 files changed, 49 insertions(+) create mode 100644 src/peer-auth-shim/postgres-peerauthentication.yaml create mode 100644 src/peer-auth-shim/redis-peerauthentication.yaml create mode 100644 src/peer-auth-shim/zarf.yaml diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 2c18e39e..1452a054 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -63,6 +63,10 @@ packages: path: ../ ref: 0.1.0 + - name: dev-peer-auth-shim + path: ../ + ref: 0.1.0 + - name: gitlab path: ../ # x-release-please-start-version diff --git a/src/peer-auth-shim/postgres-peerauthentication.yaml b/src/peer-auth-shim/postgres-peerauthentication.yaml new file mode 100644 index 00000000..e63a8b5e --- /dev/null +++ b/src/peer-auth-shim/postgres-peerauthentication.yaml @@ -0,0 +1,15 @@ +apiVersion: "security.istio.io/v1beta1" +kind: PeerAuthentication +metadata: + name: gitlab-postgres-peerauthentication-shim-exception + namespace: postgres +spec: + mtls: + mode: STRICT + selector: + matchLabels: + cluster-name: pg-cluster + portLevelMtls: + # Postgres exception to support GitLab dependency init containers + 5432: + mode: PERMISSIVE diff --git a/src/peer-auth-shim/redis-peerauthentication.yaml b/src/peer-auth-shim/redis-peerauthentication.yaml new file mode 100644 index 00000000..754495be --- /dev/null +++ b/src/peer-auth-shim/redis-peerauthentication.yaml 
@@ -0,0 +1,15 @@ +apiVersion: "security.istio.io/v1beta1" +kind: PeerAuthentication +metadata: + name: gitlab-redis-peerauthentication-shim-exception + namespace: valkey +spec: + mtls: + mode: STRICT + selector: + matchLabels: + app.kubernetes.io/name: valkey + portLevelMtls: + # Redis/Valkey exception to support GitLab dependency init containers + 6379: + mode: PERMISSIVE diff --git a/src/peer-auth-shim/zarf.yaml b/src/peer-auth-shim/zarf.yaml new file mode 100644 index 00000000..4cca69ab --- /dev/null +++ b/src/peer-auth-shim/zarf.yaml @@ -0,0 +1,14 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +kind: ZarfPackageConfig +metadata: + name: dev-peer-auth-shim + version: "0.1.0" + +components: + - name: gitlab-peer-auth-shim + required: true + manifests: + - name: gitlab-peer-auth-shim + files: + - "postgres-peerauthentication.yaml" + - "redis-peerauthentication.yaml" diff --git a/tasks/dependencies.yaml b/tasks/dependencies.yaml index 8c8d8fbf..e74987c5 100644 --- a/tasks/dependencies.yaml +++ b/tasks/dependencies.yaml @@ -10,3 +10,4 @@ tasks: actions: - cmd: ./uds zarf package create src/dev-secrets/ --confirm --no-progress --architecture=${{ .inputs.architecture }} --skip-sbom ${{ .inputs.options }} - cmd: ./uds zarf package create src/namespace/ --confirm --no-progress --architecture=${{ .inputs.architecture }} --skip-sbom ${{ .inputs.options }} + - cmd: ./uds zarf package create src/peer-auth-shim/ --confirm --no-progress --architecture=${{ .inputs.architecture }} --skip-sbom ${{ .inputs.options }} From 3eba15c3a4fefb61f854da727728e5246a541aeb Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Tue, 9 Jul 2024 16:02:23 -0600 Subject: [PATCH 10/11] fix redis connection for old package --- bundle/uds-bundle.yaml | 6 ++++++ src/peer-auth-shim/zarf.yaml | 1 + 2 files changed, 7 insertions(+) diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 1452a054..00a0cdca 100644 
--- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -85,6 +85,12 @@ packages: - name: GITLAB_ADMIN_GROUPS description: "Array of group names that grant admin role gitlab when saml protocol is active." path: "sso.adminGroups" + # TODO: (@WSTARR) The below two overrides will no longer be needed after the next release + - path: redis.namespace + value: valkey + - path: redis.selector + value: + app.kubernetes.io/name: valkey gitlab: values: - path: global.psql.host diff --git a/src/peer-auth-shim/zarf.yaml b/src/peer-auth-shim/zarf.yaml index 4cca69ab..ebc845a3 100644 --- a/src/peer-auth-shim/zarf.yaml +++ b/src/peer-auth-shim/zarf.yaml @@ -1,4 +1,5 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json +# TODO: (@WSTARR) This will no longer be needed after the next release of GitLab kind: ZarfPackageConfig metadata: name: dev-peer-auth-shim From 66bacd1bea90c08ff22ab3e09f96d5cf4f985571 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Tue, 9 Jul 2024 16:20:08 -0600 Subject: [PATCH 11/11] update runners and values --- .github/workflows/tag-and-release.yaml | 2 +- .github/workflows/test.yaml | 2 +- bundle/uds-bundle.yaml | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml index 43abfa25..7bdaab64 100644 --- a/.github/workflows/tag-and-release.yaml +++ b/.github/workflows/tag-and-release.yaml @@ -23,7 +23,7 @@ jobs: needs: tag-new-version if: ${{ needs.tag-new-version.outputs.release_created == 'true' }} # TODO: (@WSTARR) since we don't run the tests on arm currently we don't need to use the 8 core - runs-on: ${{ matrix.architecture == 'arm64' && 'uds-ubuntu-arm64-4-core' || 'uds-ubuntu-big-boy-8-core' }} + runs-on: ${{ matrix.architecture == 'arm64' && 'uds-swf-ubuntu-arm64-4-core' || 'uds-swf-ubuntu-big-boy-8-core' }} name: Publish ${{ matrix.flavor }} ${{ matrix.architecture }} timeout-minutes: 40 strategy: 
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 42dc4e6f..43048835 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -34,7 +34,7 @@ permissions: jobs: run-test: name: ${{ matrix.type }} ${{ matrix.flavor }} - runs-on: uds-ubuntu-big-boy-8-core + runs-on: uds-swf-ubuntu-big-boy-8-core timeout-minutes: 25 strategy: matrix: diff --git a/bundle/uds-bundle.yaml b/bundle/uds-bundle.yaml index 00a0cdca..6daa8627 100644 --- a/bundle/uds-bundle.yaml +++ b/bundle/uds-bundle.yaml @@ -85,7 +85,8 @@ packages: - name: GITLAB_ADMIN_GROUPS description: "Array of group names that grant admin role gitlab when saml protocol is active." path: "sso.adminGroups" - # TODO: (@WSTARR) The below two overrides will no longer be needed after the next release + values: + # TODO: (@WSTARR) The below two overrides will no longer be needed after the next release - path: redis.namespace value: valkey - path: redis.selector