Merge branch '833-gitlab-object-storage-use_iam_role' into 'master'

833-gitlab-object-storage-use_iam_role Closes #833 See merge request platform-one/big-bang/bigbang!1028

Merge branch '833-gitlab-object-storage-use_iam_role' into 'master'
5f4ebf8a · Ryan Garcia · 6b4a6ece · 1d3fe499 · 5f4ebf8a · 5f4ebf8a
Commit 5f4ebf8a authored 3 years ago by Ryan Garcia
--- a/chart/templates/gitlab/secret-objectstore.yaml
+++ b/chart/templates/gitlab/secret-objectstore.yaml
 {{- if or .Values.addons.gitlab.enabled .Values.addons.gitlabRunner.enabled }}
 {{- if .Values.addons.gitlab.objectStorage.endpoint }}
+{{- if and (ne .Values.addons.gitlab.objectStorage.iamProfile "") (ne .Values.addons.gitlab.objectStorage.accessKey "") }}{{- fail "Must choose to use an IAM profile OR an AWS accessKey/accessSecret at .Values.addons.gitlab.objectStorage" }}{{- end }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -10,8 +11,12 @@ stringData:
    rails: |-
      provider: AWS
      region: {{ .Values.addons.gitlab.objectStorage.region }}
+      {{- if ne .Values.addons.gitlab.objectStorage.iamProfile "" }}
+      use_iam_profile: true
+      {{- else if eq .Values.addons.gitlab.objectStorage.iamProfile "" }}
      aws_access_key_id: {{ .Values.addons.gitlab.objectStorage.accessKey }}
      aws_secret_access_key: {{ .Values.addons.gitlab.objectStorage.accessSecret }}
+      {{- end }}
      {{- if eq .Values.addons.gitlab.objectStorage.type "minio" }}
      aws_signature_version: 4
      host: {{ regexReplaceAll "http(s{0,1})://(.*):(\\d+)" .Values.addons.gitlab.objectStorage.endpoint "${2}" }}
@@ -29,8 +34,10 @@ stringData:
        {{- else }}
        bucket: gitlab-registry
        {{- end }}
+        {{- if eq .Values.addons.gitlab.objectStorage.iamProfile "" }}
        accesskey: {{ .Values.addons.gitlab.objectStorage.accessKey }}
        secretkey: {{ .Values.addons.gitlab.objectStorage.accessSecret }}
+        {{- end }}
        region: {{ .Values.addons.gitlab.objectStorage.region }}
        {{- if eq .Values.addons.gitlab.objectStorage.type "s3" }}
        v4auth: true
@@ -43,8 +50,10 @@ stringData:
        {{- end }}
    backups: |-
      [default]
+      {{- if eq .Values.addons.gitlab.objectStorage.iamProfile "" }} 
      access_key = {{ .Values.addons.gitlab.objectStorage.accessKey }}
      secret_key = {{ .Values.addons.gitlab.objectStorage.accessSecret }}
+      {{- end }}
      bucket_location = {{ .Values.addons.gitlab.objectStorage.region }}
      host_bucket = %(bucket)s.{{ regexReplaceAll "http(s*)://" .Values.addons.gitlab.objectStorage.endpoint "" }}
      multipart_chunk_size_mb = 128

--- a/chart/templates/gitlab/values.yaml
+++ b/chart/templates/gitlab/values.yaml
 {{- if .Values.addons.gitlab.enabled }}
 {{- include "values-secret" (dict "root" $ "package" .Values.addons.gitlab "name" "gitlab" "defaults" (include "bigbang.defaults.gitlab" .)) }}
 {{- end }}
-
+{{- if and (ne .Values.addons.gitlab.objectStorage.iamProfile "") (ne .Values.addons.gitlab.objectStorage.accessKey "") }}{{- fail "Must choose to use an IAM profile OR an AWS accessKey/accessSecret at .Values.addons.gitlab.objectStorage" }}{{- end }}
 {{- define "bigbang.defaults.gitlab" -}}
 # hostname is deprecated and replaced with domain. But if hostname exists then use it.
 {{- $domainName := default .Values.domain .Values.hostname }}
@@ -40,6 +40,10 @@ registry:
  storage:
    secret: gitlab-object-storage
    key: registry
+  {{- if ne .Values.addons.gitlab.objectStorage.iamProfile "" }}
+  annotations: 
+    iam.amazonaws.com/role: {{ .Values.addons.gitlab.objectStorage.iamProfile }}
+  {{- end }}
 {{- end }}

 {{- if .Values.istio.enabled }}
@@ -56,9 +60,22 @@ gitlab:
        config:
          secret: gitlab-object-storage
          key: backups
+    {{- if ne .Values.addons.gitlab.objectStorage.iamProfile "" }}
+    annotations: 
+      iam.amazonaws.com/role: {{ .Values.addons.gitlab.objectStorage.iamProfile }}
+    {{- end }}
  {{- end }}
  gitlab-exporter:
    enabled: {{ .Values.monitoring.enabled }}
+  {{- if ne .Values.addons.gitlab.objectStorage.iamProfile "" }}
+  webservice:
+    annotations: 
+      iam.amazonaws.com/role: {{ .Values.addons.gitlab.objectStorage.iamProfile }}
+  sidekiq:
+    annotations: 
+      iam.amazonaws.com/role: {{ .Values.addons.gitlab.objectStorage.iamProfile }}
+  {{- end }}
+
  {{- if .Values.istio.enabled }}
  migrations:
    annotations:
@@ -227,4 +244,8 @@ global:
    {{- end }}
  {{- end }}

+{{- if ne .Values.addons.gitlab.objectStorage.iamProfile "" }}
+use_iam_profile: true
+{{- end }}
+
 {{- end -}}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -602,7 +602,7 @@ addons:
    git:
      repo: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
      path: "./chart"
-      tag: "5.3.1-bb.3"
+      tag: "5.3.1-bb.4"

    # -- Flux reconciliation overrides specifically for the Gitlab Package
    flux: {}
@@ -655,6 +655,7 @@ addons:
      region: ""

      # -- Access key for connecting to object storage endpoint.
+      # -- If using accessKey and accessSecret, the iamProfile must be left as an empty string: ""
      accessKey: ""

      # -- Secret key for connecting to object storage endpoint.
@@ -665,6 +666,11 @@ addons:
      # Example: "prod" will produce "prod-gitlab-bucket"
      bucketPrefix: ""

+      # -- NOTE: Current bug with AWS IAM Profiles and Object Storage where only artifacts are stored. Fixed in Gitlab 14.5
+      # -- Name of AWS IAM profile to use.
+      # -- If using an AWS IAM profile, the accessKey and accessSecret values must be left as empty strings eg: ""
+      iamProfile: ""
+
    # -- Values to passthrough to the gitlab chart: https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab.git
    values: {}