UNCLASSIFIED - NO CUI

gitlab update to 9.7.0-bb.1

Package Merge Request

Package Changes

https://repo1.dso.mil/big-bang/product/packages/gitlab/-/blob/9.7.0-bb.1/CHANGELOG.md

Package MR

big-bang/product/packages/gitlab!433 (merged)

For Issue

Closes big-bang/product/packages/gitlab#378 (closed)

Upgrade Notices

The gitlab package has been migrated to bb-common. While steps have been taken to maintain backwards compatibility with existing configurations by translating the old configuration into bb-common's more explicit syntax, Big Bang consumers are encouraged to migrate their values directly as soon as possible. Some appropriate configuration changes when consumers migrate are outlined below.

Database and Storage (S3) Egress

Previously, a wide-open (0.0.0.0/0) egress policy was created for the migrations, sidekiq, webservice, and registry pods when upstream.postgresql.install or global.minio.enabled was set to false, indicating that an external database or external object storage was in use. These policies were not in line with Big Bang's wider security posture and have been removed. In their place, consumers who use an external database or external object storage are encouraged to define and use bb-common definitions for their database subnets and storage subnets:

networkPolicies:
  egress:
    definitions:
      # You probably only want to override the storage-subnets definition 
      # if you're using privatelink or VPC endpoints for your S3 access
      storage-subnets:
        to:
        - ipBlock: 
            cidr: <private-s3-endpoint-cidr>
        ports:
        - port: 443
          protocol: TCP
      database-subnets:
        to:
        - ipBlock: 
            cidr: <db-subnet> # repeat for each subnet
        ports:
        - port: 5432 # change this port to match your database port
          protocol: TCP
    from:
      migrations: # repeat for registry, webservice, and sidekiq as needed
        to:
          definition:
            database-subnets: true
            storage-subnets: true

Default database-subnets and storage-subnets definitions are set globally in Big Bang and passed down to the gitlab package. You're encouraged to override the CIDRs defined there to match your infrastructure; any changes made at that global level propagate down into the gitlab package.

Metadata Endpoint Egress

Previously, a package top-level toggle called use_iam_profile created an egress policy allowing the webservice, sidekiq, toolbox, and registry pods to reach the IMDS endpoint on the instance where those pods were scheduled, letting them assume the instance's role to perform privileged actions in AWS. This is not a best practice and is not aligned with the principle of least privilege: other pods scheduled on the same node, but in a namespace that does not enforce network policies, would have the same access. Users should instead use pod identities, IRSA, or another workload identity-based authorization mechanism so that workloads access cloud resources with short-lived, workload-scoped credentials.

If gitlab package users insist on using instance profiles, they must explicitly allow the necessary IMDS access:

networkPolicies:
  egress:
    from:
      registry: # repeat for sidekiq, toolbox, and webservice as needed
        to:
          cidr: 
            169.254.169.254/32: true
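As an added check that is not part of the gitlab package or this merge request, the following Python script audits a bb-common-style egress values fragment for the two patterns the notices above remove or require to be explicit: wide-open (/0) CIDRs in egress definitions, and allowances for the instance metadata endpoint. It also flags an unfilled placeholder such as <db-subnet> left in a values file. The values fragment is constructed here to mirror the two shapes shown above (definitions[*].to[*].ipBlock.cidr and from[*].to.cidr); the traversal assumes only those shapes, not bb-common's full schema, and a real values file would first be loaded with a YAML parser.

```python
import ipaddress
from typing import Any, Dict, Iterator, List, Tuple

# Constructed values fragment mirroring the bb-common egress shapes from the
# upgrade notice. Not taken from any real deployment.
SAMPLE_VALUES: Dict[str, Any] = {
    "networkPolicies": {
        "egress": {
            "definitions": {
                "storage-subnets": {
                    "to": [{"ipBlock": {"cidr": "10.20.0.0/16"}}],
                    "ports": [{"port": 443, "protocol": "TCP"}],
                },
                "database-subnets": {
                    # The wide-open pattern the upgrade notice removed.
                    "to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
                    "ports": [{"port": 5432, "protocol": "TCP"}],
                },
            },
            "from": {
                "migrations": {
                    "to": {"definition": {"database-subnets": True, "storage-subnets": True}}
                },
                # Explicit IMDS allowance, as shown in the notice.
                "registry": {"to": {"cidr": {"169.254.169.254/32": True}}},
            },
        }
    }
}

IMDS = ipaddress.ip_network("169.254.169.254/32")


def iter_egress_cidrs(values: Dict[str, Any]) -> Iterator[Tuple[str, str]]:
    """Yield (location, cidr) for every CIDR the egress config can reach.

    Assumes the two shapes shown in the upgrade notice: reusable definitions
    with ipBlock entries, and per-pod 'from' entries with a cidr map.
    """
    egress = values.get("networkPolicies", {}).get("egress", {})
    for name, definition in egress.get("definitions", {}).items():
        for rule in definition.get("to", []):
            cidr = rule.get("ipBlock", {}).get("cidr")
            if cidr:
                yield f"definitions.{name}", str(cidr)
    for pod, spec in egress.get("from", {}).items():
        for cidr, enabled in spec.get("to", {}).get("cidr", {}).items():
            if enabled:
                yield f"from.{pod}", str(cidr)


def audit_egress(values: Dict[str, Any]) -> List[str]:
    """Return one finding per CIDR that is wide open, reaches IMDS, or is not a CIDR."""
    findings: List[str] = []
    for location, cidr in iter_egress_cidrs(values):
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            # A template placeholder like <db-subnet> left in the values file.
            findings.append(f"{location}: unparseable CIDR {cidr!r} (placeholder not replaced?)")
            continue
        if net.prefixlen == 0:
            findings.append(f"{location}: wide-open egress {cidr}")
        elif net.overlaps(IMDS):
            findings.append(f"{location}: allows instance metadata endpoint via {cidr}")
    return findings


if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_VALUES):
        print(finding)
```

Run against a real deployment by replacing SAMPLE_VALUES with the output of yaml.safe_load on your values file; an empty result means no /0 egress, no metadata-endpoint allowance, and no leftover placeholders in the two checked locations.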

Ingress Config

bb-common creates a consistent ingress configuration syntax across all Big Bang packages with its routes functionality. Take a look at the routes documentation to understand how to use it to expose various gitlab services.

Edited by Zach Callahan
