Merge branch '439-network-policy' into 'main'

network policy update

See merge request platform-one/big-bang/apps/developer-tools/gitlab-runner!17

CHANGELOG.md

@@ -20,6 +20,14 @@
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.26.0-bb.2] - 2021-06-01
+- added network policy docs
+- added helm tests for CI pipeline
+- added pod labels on gitlab jobs by default
+
+## [0.26.0-bb.1] - 2021-05-26
+- bug fix: Permission denied when using cache in gitlab-ci.yml"
+- added documentation
 
 ## [0.26.0-bb.0] - 2021-03-11
 - upgrade to app version 13.9.0 chart version 0.26.0

chart/templates/tests/test-gitlab-runners-allow-egress.yaml

+{{- $bbtests := .Values.bbtests | default dict -}}
+{{- $enabled := (hasKey $bbtests "enabled") -}}
+{{- if $enabled }}
+{{- if and .Values.networkPolicies.enabled .Values.bbtests.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: test-gitlab-runners-allow-egress
+  namespace: {{ .Release.Namespace }}
+spec:
+  policyTypes:
+  - Egress
+  podSelector:
+    matchLabels:
+      app: gitlab-runner-gitlab-runner
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+{{- end }}
+{{- end }}
\ No newline at end of file

chart/values.yaml

@@ -150,7 +150,7 @@ runners:
       [runners.kubernetes.pod_labels]
         "job_id" = "${CI_JOB_ID}"
         "job_name" = "${CI_JOB_NAME}"
-        "pipeline_id" = "${CI_PIPELINE_IID}"
+        "pipeline_id" = "${CI_PIPELINE_ID}"
 
   ## Which executor should be used
   ##

docs/README.md

@@ -17,6 +17,7 @@
         - [Configuration Items](#configuration-items-1)
       - [Global Shared Gitlab Runner](#global-shared-gitlab-runner)
       - [Useful Queries](#useful-queries)
+      - [Network Policies](#network-policies)
       - [Troubleshooting Tips](#troubleshooting-tips)
 
 ### Application Overview
@@ -91,6 +92,33 @@ gitlab-runner-gitlab-runner-858b5c6796-s694b  1/1     Running   0          156m
 - `kubernetes.container_name : "gitlab-runner-gitlab-runner"` to get logs from a specific container
 - `kubernetes.labels.release : "gitlab-runner"` to get logs from all gitlab runners
 
+#### Network Policies
+
+By default, Gitlab Runner will inherit the [network policies](https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/tree/main/chart/templates/bigbang/networkpolicies) from the Gitlab namespace. Until a long-term solution is implemented that works for all Platform One teams, Gitlab Runner users may manually create their own network policies for the Gitlab Runner pods. For example:
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: runner-allow-egress
+  namespace: gitlab
+spec:
+  policyTypes:
+  - Egress
+  podSelector:
+    matchLabels:
+      app: gitlab-runner-gitlab-runner
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+```
+
+**Note:** By default, the Big Bang Gitlab Runner package is configured to pull kubernetes executor images from registry1.dso.mil. Also, the gitlab-runner pod will require egress to the kube-apiserver in order to create pods for CI jobs.
+
 #### Troubleshooting Tips
 
 The gitlab-runner is configured to clone the repository from the gitlab webservice via the "clone_url" setting so the runner clones from the same endpoint it uses to register with the gitlab webservice API which is the gitlab-webservice kubernetes service in the gitlab namespace.

tests/test-values.yml

@@ -5,8 +5,12 @@ imagePullSecrets:
 runners:
   protected: false
 
+networkPolicies:
+  enabled: true
+  
 # Cypress testing values
 bbtests:
+  enabled: true
   cypress:
     artifacts: true
     secretEnvs: