From c9b82fbdfebd7ba1d86822031add4097d91b278a Mon Sep 17 00:00:00 2001 From: DJ Mountney Date: Thu, 7 Dec 2017 16:18:22 -0800 Subject: [PATCH] Initial Commit for the Shell Chart Add what is necessary to integrate shell into the unicorn and omnibus containers Set better defaults for the shell secrets in unicorn Add default object for shell config in unicorn Default the omnibus internal api to an object Enable gitlab-shell in the tests Default the correct port in shell for unicorn Require the secret to be created ahead of time for now Point nginx at the shell port for ssh Point shell to the correct unicorn server Use a more recent unicorn version to try and fix some link issues Add the git group to filesystem security context Add some support for future host key persistence, add shell healthcheck Update shell container Use newest versions of the containers Add in changes from master --- .gitlab-ci.yml | 7 ++ .../gitlab-shell/templates/_helpers.tpl | 28 ++++++++ .../gitlab-shell/templates/configmap.yml | 50 ++++++++++++++ .../gitlab-shell/templates/deployment.yaml | 55 ++++++++++++++-- .../gitlab-shell/templates/service.yaml | 2 +- charts/gitlab/charts/gitlab-shell/values.yaml | 17 ++++- .../charts/omnibus/templates/_helpers.tpl | 16 ++++- .../charts/omnibus/templates/configmap.yaml | 13 ++++ .../charts/omnibus/templates/service.yaml | 6 ++ charts/gitlab/charts/omnibus/values.yaml | 5 +- charts/gitlab/charts/sidekiq/values.yaml | 2 +- .../charts/unicorn/templates/configmap.yml | 66 +++++++++++++++++++ .../charts/unicorn/templates/deployment.yaml | 10 +++ charts/gitlab/charts/unicorn/values.yaml | 5 +- doc/INSTALL.md | 13 +++- values.yaml | 7 +- 16 files changed, 283 insertions(+), 19 deletions(-) create mode 100644 charts/gitlab/charts/gitlab-shell/templates/configmap.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d64ec34b5e..f54e47583a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml
@@ -238,6 +238,8 @@ production:
 --set nginx.ingress.hosts[1].name="registry$DOMAIN" \
 --set nginx.ingress.hosts[1].serviceName="registry" \
 --set nginx.ingress.hosts[1].servicePort="registry" \
+ --set nginx.shell.name="gitlab-shell" \
+ --set nginx.shell.port="ssh" \
 --set nginx.ingress.tls[0].secretName=helm-charts-win-tls \
 --set nginx.ingress.tls[0].hosts[0]="gitlab$DOMAIN" \
 --set nginx.ingress.tls[0].hosts[1]="registry$DOMAIN" \
@@ -262,6 +264,11 @@ production:
 --set gitlab.unicorn.redis.password.key=redis-password \
 --set gitlab.unicorn.psql.serviceName=omnibus \
 --set gitlab.unicorn.psql.password="$ROOT_PASSWORD" \
+ --set gitlab.unicorn.shell.secret=gitlab-shell-secret \
+ --set gitlab.unicorn.shell.key=secret \
+ --set gitlab.gitlab-shell.enabled=true \
+ --set gitlab.gitlab-shell.secret_token.secret=gitlab-shell-secret \
+ --set gitlab.gitlab-shell.secret_token.key=secret \
 --set gitlab.omnibus.enabled=true \
 --set gitlab.omnibus.service.type=NodePort \
 --set gitlab.omnibus.external_url="https://gitlab$DOMAIN" \
diff --git a/charts/gitlab/charts/gitlab-shell/templates/_helpers.tpl b/charts/gitlab/charts/gitlab-shell/templates/_helpers.tpl
index f0d83d2edb..3ce63a2cc8 100644
--- a/charts/gitlab/charts/gitlab-shell/templates/_helpers.tpl
+++ b/charts/gitlab/charts/gitlab-shell/templates/_helpers.tpl
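Review bot: The new `--set gitlab.gitlab-shell.secret_token.secret=gitlab-shell-secret` and `--set gitlab.unicorn.shell.secret=gitlab-shell-secret` lines reference a Secret that nothing in this hunk creates, and the commit message says it must be created ahead of time; unless the pipeline creates it elsewhere (not visible here), the gitlab-shell and unicorn pods will hang in ContainerCreating on a missing-secret mount instead of failing loudly at helm time. Worth adding a guarded step before the upgrade, e.g. `kubectl get secret gitlab-shell-secret || kubectl create secret generic gitlab-shell-secret --from-literal=secret="$(openssl rand -hex 32)"`, or at least a comment next to these lines naming the prerequisite. Note also that both values merely repeat the chart defaults introduced by this commit (`gitlab-shell-secret` / `secret`), so they could be dropped. The `production:` job continues outside the hunk.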
@@ -14,3 +14,31 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Return the unicorn hostname
+If the unicorn host is provided, it will use that, otherwise it will fallback
+to the service name
+*/}}
+{{- define "shell.unicorn.host" -}}
+{{- if .Values.unicorn.host -}}
+{{- .Values.unicorn.host -}}
+{{- else -}}
+{{- $name := default "unicorn" .Values.unicorn.serviceName -}}
+{{- printf "%s-%s" .Release.Name $name -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the redis hostname
+If the postgresql host is provided, it will use that, otherwise it will fallback
+to the service name
+*/}}
+{{- define "shell.redis.host" -}}
+{{- if .Values.redis.host -}}
+{{- .Values.redis.host -}}
+{{- else -}}
+{{- $name := default "omnibus" .Values.redis.serviceName -}}
+{{- printf "%s-%s" .Release.Name $name -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/gitlab/charts/gitlab-shell/templates/configmap.yml b/charts/gitlab/charts/gitlab-shell/templates/configmap.yml
new file mode 100644
index 0000000000..4ddf5e8022
--- /dev/null
+++ b/charts/gitlab/charts/gitlab-shell/templates/configmap.yml
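Review bot: The comment on the new `shell.redis.host` helper says `If the postgresql host is provided`, which is copied from the workhorse helper and misdescribes what the template actually tests (`.Values.redis.host`); it should read `If the redis host is provided, it will use that, otherwise it will fallback`. It would also help to state in that comment that the fallback resolves to the omnibus release service (`{{ .Release.Name }}-omnibus`), since values.yaml only shows `serviceName` as a commented-out hint and a reader there cannot tell where Redis traffic goes by default.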
@@ -0,0 +1,50 @@
+{{- if .Values.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "fullname" . }}
+ labels:
+ app: {{ template "fullname" . }}
+data:
+ config.yml.erb: |
+ # GitLab user. git by default
+ user: git
+
+ # Url to gitlab instance. Used for api calls. Should end with a slash.
+ gitlab_url: "http://{{ template "shell.unicorn.host" . }}:{{ default 8080 .Values.unicorn.port }}/"
+
+ secret_file: /etc/gitlab-secrets/.gitlab_shell_secret
+
+ http_settings:
+ self_signed_cert: false
+
+ # File used as authorized_keys for gitlab user
+ auth_file: "/home/git/.ssh/authorized_keys"
+
+ # Redis settings used for pushing commit notices to gitlab
+ redis:
+ host: {{ template "shell.redis.host" . }}
+ port: {{ default 6379 .Values.redis.port }}
+ pass: "<%= File.read("/etc/gitlab-redis/password") %>"
+ database: nil
+ namespace: resque:gitlab
+
+ # Log file.
+ # Default is gitlab-shell.log in the root directory.
+ log_file: "/var/log/gitlab-shell/gitlab-shell.log"
+
+ # Log level. INFO by default
+ log_level: INFO
+
+ # Audit usernames.
+ # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
+ # incurs an extra API call on every gitlab-shell command.
+ audit_usernames: false
+
+ <% if ENV['CUSTOM_HOOKS_DIR'] %>
+ # Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d)
+ # Default is hooks in the gitlab-shell directory.
+ custom_hooks_dir: "<%= ENV['CUSTOM_HOOKS_DIR'] %>"
+ <% end %>
+# Leave this here - This line denotes end of block to the parser.
+{{- end }}
diff --git a/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml b/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml
index e0ac60df43..32926425d5 100644
--- a/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml
+++ b/charts/gitlab/charts/gitlab-shell/templates/deployment.yaml
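Review bot: `pass: "<%= File.read("/etc/gitlab-redis/password") %>"` splices the raw secret bytes into a double-quoted YAML scalar, so a password containing `"` or `\` yields an unparseable config.yml, and a trailing newline (which a Secret created with `--from-file` keeps) silently becomes part of the password. Stripping and single-quoting it needs no extra library and leaves only `'` to escape: `pass: '<%= File.read("/etc/gitlab-redis/password").strip.gsub("'", "''") %>'`. The unicorn chart's `Password = "<%= File.read(...) %>"` line later in this patch has the same shape and would benefit from the same treatment. Separately, `database: nil` is the three-letter string `nil` to a YAML parser, not null; if gitlab-shell expects a numeric index here (I can't confirm from the chart), `database: 0` would be the safer default.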
@@ -15,23 +15,64 @@ spec:
 labels:
 app: {{ template "name" . }}
 release: {{ .Release.Name }}
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/configmap.yml") . | sha256sum }}
 spec:
+ securityContext:
+ fsGroup: 1000
 containers:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 ports:
 - containerPort: {{ .Values.service.internalPort }}
+ env:
+ - name: CONFIG_TEMPLATE_DIRECTORY
+ value: '/etc/gitlab-shell'
+ - name: CONFIG_DIRECTORY
+ value: '/srv/gitlab-shell'
+ - name: KEYS_DIRECTORY
+ value: '/etc/ssh/keys'
+ volumeMounts:
+ - name: shell-config
+ mountPath: '/etc/gitlab-shell'
+ - name: shell-secret
+ mountPath: '/etc/gitlab-secrets'
+ readOnly: true
+ - name: shell-redis
+ mountPath: '/etc/gitlab-redis'
+ readOnly: true
 livenessProbe:
- httpGet:
- path: /
- port: {{ .Values.service.internalPort }}
- readinessProbe:
- httpGet:
- path: /
- port: {{ .Values.service.internalPort }}
+ exec:
+ command:
+ - /scripts/healthcheck
+ initialDelaySeconds: 10
+ timeoutSeconds: 3
+ periodSeconds: 10
+ # readinessProbe:
+ # httpGet:
+ # path: /
+ # port: {{ .Values.service.internalPort }}
 resources:
 {{ toYaml .Values.resources | indent 12 }}
+ volumes:
+ - name: shell-config
+ configMap:
+ name: {{ template "fullname" . }}
+ - name: shell-secret
+ secret:
+ secretName: {{ .Values.secret_token.secret }}
+ items:
+ - key: {{ .Values.secret_token.key }}
+ path: ".gitlab_shell_secret"
+ defaultMode: 0440
+ - name: shell-redis
+ secret:
+ secretName: {{ .Values.redis.password.secret }}
+ items:
+ - key: {{ .Values.redis.password.key }}
+ path: password
+ defaultMode: 0440
 {{- if .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
diff --git a/charts/gitlab/charts/gitlab-shell/templates/service.yaml b/charts/gitlab/charts/gitlab-shell/templates/service.yaml
index 3ff8772341..9c12c9260f 100644
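Review bot: `KEYS_DIRECTORY` points at `/etc/ssh/keys` but no volume is mounted there, so — assuming the image generates host keys into that directory when it is empty — every pod restart or rollout presents a fresh SSH host key, users get host-key-changed warnings, learn to accept them, and lose the ability to tell a redeploy from a MITM. Until the persistence this commit prepares for exists, the env entry deserves a comment such as `# TODO: mount a Secret or PVC at /etc/ssh/keys so host keys survive pod restarts`. Separately, the readiness probe is commented out rather than replaced, so the Service starts routing port 22 to a pod before sshd listens; a `readinessProbe:` with `tcpSocket:` / `port: {{ .Values.service.internalPort }}` closes that gap cheaply and does not need HTTP. The `fsGroup: 1000` + `defaultMode: 0440` pairing also assumes the image's git user is in gid 1000, which nothing in the chart enforces — worth a one-line comment.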
--- a/charts/gitlab/charts/gitlab-shell/templates/service.yaml
+++ b/charts/gitlab/charts/gitlab-shell/templates/service.yaml
@@ -14,7 +14,7 @@ spec:
 - port: {{ .Values.service.externalPort }}
 targetPort: {{ .Values.service.internalPort }}
 protocol: TCP
- name: {{ .Values.service.name }}
+ name: ssh
 selector:
 app: {{ template "name" . }}
 release: {{ .Release.Name }}
diff --git a/charts/gitlab/charts/gitlab-shell/values.yaml b/charts/gitlab/charts/gitlab-shell/values.yaml
index 345983764f..09c80d5056 100644
--- a/charts/gitlab/charts/gitlab-shell/values.yaml
+++ b/charts/gitlab/charts/gitlab-shell/values.yaml
@@ -3,8 +3,8 @@
 # Declare variables to be passed into your templates.
 replicaCount: 1
 image:
- repository: gitlab/gitlab-shell
- tag: stable
+ repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-shell
+ tag: b4db3ec0027b461b18ca386da323f1b57b4e014c
 pullPolicy: IfNotPresent
 service:
 name: gitlab-shell
@@ -12,6 +12,19 @@ service:
 externalPort: 22
 internalPort: 22
 enabled: false
+secret_token:
+ secret: gitlab-shell-secret
+ key: secret
+unicorn: {}
+ # host: '0.0.0.0'
+ # serviceName: 'unicorn'
+ # port: 8080
+redis:
+ # host: '0.0.0.0'
+ # serviceName: 'omnibus'
+ password:
+ secret: gitlab-redis
+ key: redis-password
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
diff --git a/charts/gitlab/charts/omnibus/templates/_helpers.tpl b/charts/gitlab/charts/omnibus/templates/_helpers.tpl
index 0e8c8b8888..426d7c9936 100644
--- a/charts/gitlab/charts/omnibus/templates/_helpers.tpl
+++ b/charts/gitlab/charts/omnibus/templates/_helpers.tpl
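Review bot: Hardcoding the port name as `ssh` leaves `service.name: gitlab-shell` in values.yaml with no remaining consumer, and it silently couples this chart to the nginx chart, which is told to target the port by name through `nginx.shell.port="ssh"` in the CI job. Either drop `service.name` from values.yaml or add a comment above the port entry, e.g. `# port name is referenced by nginx.shell.port; keep them in sync`, so the next rename does not quietly break SSH routing.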
@@ -17,7 +17,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{/*
 Return the workhorse auth backend
-If the postgresql host is provided, it will use that, otherwise it will fallback
+If the backend host is provided, it will use that, otherwise it will fallback
 to the service name
 */}}
 {{- define "workhorse.auth_backend" -}}
@@ -29,3 +29,17 @@ to the service name
 {{- printf "http://%s-%s:%s" .Release.Name $name $port -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return the unicorn internal_api host
+If host is specified in the values it will use that.
+Else the serviceName will be used
+*/}}
+{{- define "unicorn.internal_api_host" -}}
+{{- if .Values.unicorn.internal_api.host -}}
+{{- .Values.unicorn.internal_api.host -}}
+{{- else if .Values.unicorn.internal_api.serviceName -}}
+{{- $name := default "omnibus" .Values.unicorn.internal_api.serviceName -}}
+{{- printf "%s-%s" .Release.Name $name -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/gitlab/charts/omnibus/templates/configmap.yaml b/charts/gitlab/charts/omnibus/templates/configmap.yaml
index f21953a941..1632f99ca7 100644
--- a/charts/gitlab/charts/omnibus/templates/configmap.yaml
+++ b/charts/gitlab/charts/omnibus/templates/configmap.yaml
@@ -41,6 +41,11 @@ data:
 gitlab_rails['registry_api_url'] = "http://{{ .Release.Name }}-registry:5000"
 registry['internal_key'] = File.read("/etc/gitlab-registry/registry-certificate.crt")
 # gitlab_rails['registry_key_path'] = "/etc/gitlab-registry/registry-certificate.crt"
+ # Shell related
+ {{- $apiHost := include "unicorn.internal_api_host" . -}}
+ {{- if $apiHost }}
+ gitlab_rails['internal_api_url'] = "http://{{ $apiHost }}:{{ .Values.service.ports.unicorn }}"
+ {{- end }}
 ###################
 # nginx
 nginx['enable'] = {{ .Values.nginx.enabled }}
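Review bot: In `unicorn.internal_api_host` the `default "omnibus"` on `$name` can never apply, because that branch is only entered when `.Values.unicorn.internal_api.serviceName` is already set; the dead default reads as though an empty `internal_api: {}` would still point Rails at the omnibus service, which it does not (the configmap hunk emits no `internal_api_url` at all in that case). Either drop the `default`, or if a real default was intended make it the plain `else` branch; either way a comment like `{{/* returns "" when neither host nor serviceName is set, so internal_api_url is omitted */}}` would pin down the behaviour the configmap relies on.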
@@ -68,6 +73,14 @@ data:
 ###################
 # gitlab-shell
 ###################
+ # gitaly
+ gitaly['enable'] = {{ .Values.gitaly.enabled }}
+ gitaly['socket_path'] = nil
+ gitaly['listen_addr'] = '0.0.0.0:{{ .Values.service.ports.gitaly }}'
+ {{- if .Values.gitaly.auth_token }}
+ gitaly['auth_token'] = {{ .Values.gitaly.auth_token }}
+ {{- end }}
+ ###################
 # PostgresQL
 postgresql['enable'] = {{ .Values.psql.enabled }}
 postgresql['listen_address'] = '0.0.0.0'
diff --git a/charts/gitlab/charts/omnibus/templates/service.yaml b/charts/gitlab/charts/omnibus/templates/service.yaml
index 078876b90b..ba73d11501 100644
--- a/charts/gitlab/charts/omnibus/templates/service.yaml
+++ b/charts/gitlab/charts/omnibus/templates/service.yaml
@@ -47,6 +47,12 @@ spec:
 protocol: TCP
 name: og-workhorse
 {{- end }}
+ {{- if .Values.gitaly.enabled }}
+ - port: {{ .Values.service.ports.gitaly }}
+ targetPort: {{ .Values.service.ports.gitaly }}
+ protocol: TCP
+ name: og-gitaly
+ {{- end }}
 selector:
 app: {{ template "name" . }}
 release: {{ .Release.Name }}
diff --git a/charts/gitlab/charts/omnibus/values.yaml b/charts/gitlab/charts/omnibus/values.yaml
index 57b0ff9e58..a5e1554cb2 100644
--- a/charts/gitlab/charts/omnibus/values.yaml
+++ b/charts/gitlab/charts/omnibus/values.yaml
@@ -56,6 +56,9 @@ unicorn:
 worker:
 timeout: 60
 processes: 2
+ internal_api: {}
+ # host: "0.0.0.0"
+ # serviceName: "unicorn"
 workhorse:
 enabled: false
 # point to Unicorn
@@ -66,7 +69,7 @@ workhorse:
 gitaly:
 enabled: false
-
+ # auth_token: nil
 # registry
 registry:
 host: registry.example.local
diff --git a/charts/gitlab/charts/sidekiq/values.yaml b/charts/gitlab/charts/sidekiq/values.yaml
index bbdd5c4e07..7204bc73f4 100644
--- a/charts/gitlab/charts/sidekiq/values.yaml
+++ b/charts/gitlab/charts/sidekiq/values.yaml
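Review bot: `gitaly['auth_token'] = {{ .Values.gitaly.auth_token }}` renders the token as a bare Ruby expression, so any real value makes gitlab.rb fail to load with a NameError (or gets evaluated if it happens to be valid Ruby); it must be emitted as a string literal, `gitaly['auth_token'] = '{{ .Values.gitaly.auth_token }}'`, and ideally be read from a mounted Secret rather than interpolated into a ConfigMap that anyone with read access to the namespace can dump. More importantly the token is optional while `gitaly['listen_addr'] = '0.0.0.0:...'` plus the new `og-gitaly` Service port exposes Gitaly to the whole cluster network, and as far as I know Gitaly does not authenticate clients when no token is configured, so in that default state anything that can reach the port can read and write every repository. Consider making the token mandatory whenever `gitaly.enabled` is true, e.g. `{{ required "gitaly.auth_token is required when gitaly is enabled" .Values.gitaly.auth_token }}`, or at minimum document the exposure in values.yaml next to `# auth_token: nil`.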
@@ -3,7 +3,7 @@
 # Declare variables to be passed into your templates.
 image:
 repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-sidekiq
- tag: 75b0daa9b399327212a26065ad16f75844bb85df
+ tag: a07e8f7858ec848012384fad6a31a9565f8742b8
 pullPolicy: IfNotPresent
 enabled: false
 redis:
diff --git a/charts/gitlab/charts/unicorn/templates/configmap.yml b/charts/gitlab/charts/unicorn/templates/configmap.yml
index cace5e0fe0..e31eecabe0 100644
--- a/charts/gitlab/charts/unicorn/templates/configmap.yml
+++ b/charts/gitlab/charts/unicorn/templates/configmap.yml
@@ -28,5 +28,71 @@ data:
 [redis]
 URL = "tcp://{{ template "unicorn.redis.host" . }}:{{ default 6379 .Values.redis.port }}"
 Password = "<%= File.read("/etc/gitlab-redis/password") %>"
+ gitlab.yml.erb: |
+ production: &base
+ gitlab:
+ https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
+ trusted_proxies:
+ email_from: example@example.com
+ email_display_name: GitLab
+ email_reply_to: noreply@example.com
+ email_subject_suffix: ''
+ default_projects_features:
+ issues: true
+ merge_requests: true
+ wiki: true
+ snippets: true
+ builds: true
+ container_registry: true
+ incoming_email:
+ enabled: false
+ artifacts:
+ enabled: true
+ lfs:
+ enabled: true
+ object_store:
+ enabled: false
+ pages:
+ enabled: false
+ mattermost:
+ enabled: false
+ gravatar:
+ registry:
+ gitlab_ci:
+ ldap:
+ enabled: false
+ kerberos:
+ enabled: false
+ omniauth:
+ enabled: false
+ shared:
+ gitaly:
+ client_path: /home/git/gitaly/bin
+ token: gitalytokengitalytoken
+ repositories:
+ storages: # You must have at least a `default` storage path.
+ default:
+ path: /var/opt/gitlab/repo
+ gitaly_address: tcp://omnibus:8075 # TCP connections are supported too (e.g. tcp://host:port)
+ backup:
+ path: "tmp/backups" # Relative paths are relative to Rails.root (default: tmp/backups/)
+ gitlab_shell:
+ path: /home/git/gitlab-shell/
+ hooks_path: /home/git/gitlab-shell/hooks/
+ secret_file: /etc/gitlab-shell/.gitlab_shell_secret
+ upload_pack: true
+ receive_pack: true
+ workhorse:
+ git:
+ bin_path: /usr/bin/git
+ webpack:
+ monitoring:
+ ip_whitelist:
+ - 127.0.0.0/8
+ sidekiq_exporter:
+ extra:
+ rack_attack:
+ git_basic_auth:
+
 # Leave this here - This line denotes end of block to the parser.
 {{- end }}
diff --git a/charts/gitlab/charts/unicorn/templates/deployment.yaml b/charts/gitlab/charts/unicorn/templates/deployment.yaml
index dbbca71f5a..27e3dc181f 100644
--- a/charts/gitlab/charts/unicorn/templates/deployment.yaml
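Review bot: `token: gitalytokengitalytoken` is a hardcoded placeholder credential committed into a ConfigMap, and it has no counterpart on the omnibus side (`gitaly.auth_token` defaults to unset there), so it is either a shared secret in plain sight or a guaranteed mismatch once a real token is set; it should be rendered from a mounted Secret the same way the redis password a few lines up is, e.g. `token: "<%= File.read("/etc/gitlab-gitaly/token") %>"`, and listed with the other required secrets. `gitaly_address: tcp://omnibus:8075` is also the only backend host in these templates with neither the `{{ .Release.Name }}-` prefix nor a host/serviceName override, so it presumably only resolves when a Service literally named `omnibus` exists; it should follow the same helper pattern the redis and psql hosts use. Until both are fixed a `# FIXME: placeholder token and unprefixed host, see gitaly section of omnibus values` comment above `gitaly:` would at least stop this from being copied as a working example.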
+++ b/charts/gitlab/charts/unicorn/templates/deployment.yaml
@@ -37,6 +37,9 @@ spec:
 volumeMounts:
 - name: unicorn-config
 mountPath: '/var/opt/gitlab/templates'
+ - name: unicorn-shell
+ mountPath: '/etc/gitlab-shell'
+ readOnly: true
 - name: unicorn-redis
 mountPath: '/etc/gitlab-redis'
 readOnly: true
@@ -57,6 +60,13 @@ spec:
 - name: unicorn-config
 configMap:
 name: {{ template "fullname" . }}
+ - name: unicorn-shell
+ secret:
+ secretName: {{ .Values.shell.secret }}
+ items:
+ - key: {{ default "secret" .Values.shell.key }}
+ path: ".gitlab_shell_secret"
+ defaultMode: 0400
 - name: unicorn-redis
 secret:
 secretName: {{ .Values.redis.password.secret }}
diff --git a/charts/gitlab/charts/unicorn/values.yaml b/charts/gitlab/charts/unicorn/values.yaml
index c722316630..c25a8c691c 100644
--- a/charts/gitlab/charts/unicorn/values.yaml
+++ b/charts/gitlab/charts/unicorn/values.yaml
@@ -4,7 +4,7 @@
 replicaCount: 1
 image:
 repository: registry.gitlab.com/gitlab-org/build/cng/gitlab-unicorn
- tag: d858c6c3ced96c32cb2b7439edd79cd98e734f36
+ tag: afeaa02cd39c81bc997c26838d904609ce03b1b2
 pullPolicy: IfNotPresent
 service:
 name: unicorn
@@ -28,6 +28,9 @@ psql:
 # database: 'gitlabhq_production'
 # username: 'gitlab'
 # password: nil
+shell:
+ secret: gitlab-shell-secret
+ key: secret
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
diff --git a/doc/INSTALL.md b/doc/INSTALL.md
index 0f2f34b3df..2d79cee90f 100644
--- a/doc/INSTALL.md
+++ b/doc/INSTALL.md
@@ -60,8 +60,8 @@ See [helm][] documentation for installation & initialization.
 ## Create Secrets
-For a functional deployment, three secrets are needed: Certificates, Registry
-certificates, and Redis password.
+For a functional deployment, these secrets are needed: Certificates, Registry
+certificates, Redis password, and GitLab Shell Secret.
 ### Certificates
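Review bot: The new `unicorn-shell` volume uses `defaultMode: 0400` while the gitlab-shell chart mounts the very same Secret with `defaultMode: 0440` under `fsGroup: 1000`; Secret volume files are owned by root, so a 0400 file is readable only if the Rails process runs as root (the pod's securityContext is outside this hunk, so I cannot confirm either way), and otherwise `.gitlab_shell_secret` is unreadable and every gitlab-shell → Rails internal API call fails authentication. Aligning the mode with the sibling `unicorn-redis` volume (its `defaultMode` is also cut off by the hunk) or with the shell chart's `0440` + `fsGroup` pairing is the safe choice, and a comment `# must be readable by the user unicorn runs as; keep in sync with gitlab-shell's mount` would stop the two charts drifting again.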
@@ -110,6 +110,15 @@ $ kubectl create secret generic gitlab-redis --from-literal=redis-password= ./shell_secret +$ kubectl create secret generic gitlab-shell-secret --from-file=secret=shell_secret +``` + ## Configure TODO: add sanitized config yaml file to repo.
diff --git a/values.yaml b/values.yaml
index 539c03b5b3..52c8c8335b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -15,9 +15,10 @@ nginx:
 registry:
 enabled: false
-unicorn:
- enabled: false
-
 gitlab:
 omnibus:
 enabled: false
+ unicorn:
+ enabled: false
+ gitlab-shell:
+ enabled: false
-- GitLab
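Review bot: Moving `unicorn.enabled` under `gitlab:` means an existing override of the old top-level `unicorn.enabled=true` is now silently ignored (Helm does not reject unknown keys), so the unicorn deployment quietly disappears on the next upgrade for anyone still using the old path. A comment at the old location such as `# unicorn and gitlab-shell now live under gitlab:` in values.yaml, or a `{{ if .Values.unicorn }}{{ fail "unicorn has moved to gitlab.unicorn" }}{{ end }}` guard in a template, would make the rename fail loudly instead.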