Istio injection required on the Gitlab migrations job when using Istio hardened

Bug

Description

The AuthorizationPolicy allow-intranamespace uses the workload identity mTLS certificate to determine the namespace a request is coming from. Since the Gitlab migration job has the sidecar.istio.io/inject=false annotation, the migration job does not have a sidecar (or mTLS workload identity). This prevents the gitlab migrations job from communicating with Gitlab redis. It then fails the wait-for-deps script check and logs errors where it cannot communicate with redis.

The ideal solution would be to re-enable the Istio sidecar injection for the gitlab migrations job, thus giving it a mTLS certificate for the AuthorizationPolicy to check against. Another (workaround) solution would be to create a new AuthorizationPolicy which fully opens the redis port at the TCP level without checking the mTLS workload identity of the Gitlab migrations job (since there isn't any). This would push the enforcement down to the NetworkPolicy level.

Example policy:

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-any-redis-ingress
  namespace: gitlab
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        ports:
        - "6379"
  selector:
    matchLabels:
      app.kubernetes.io/name: redis

BigBang Version

2.27.0 with gitlab.values.istio.hardened.enabled=true

CC @andrewshoell

added teamDevelopment & Ops label

added community-contribution label

added triage-kind label

added triage-priority label

so this can't be turned on until we can enable native sidecars by default. We are limited on when we can do that by our backwards compatibility support. The story that captures this work is here, please track that.

marked this issue as a duplicate of big-bang/bigbang#2049 (closed)

closed

marked this issue as related to big-bang/bigbang#2049 (closed)

if you want to do this yourself right now, you need to be on k8s 1.29+ (or 1.28 and turn on the native sidecar feature flag). Then add the following values.

istio:
  values:
    pilot:
      env:
        "ENABLE_NATIVE_SIDECARS": "true"
addons:
  gitlab:
    values:
      upgradeCheck:
        annotations:
          sidecar.istio.io/inject: "true"
      shared-secrets:
        annotations:
          sidecar.istio.io/inject: "true"
      gitlab:
        migrations:
          annotations:
            sidecar.istio.io/inject: "true"
      minio:
        jobAnnotations:
          sidecar.istio.io/inject: "true"

assigned to @andrewshoell

changed milestone to %2.29.0

changed iteration to Big Bang Iterations May 28, 2024 - Jun 10, 2024

set weight to 1

mentioned in issue big-bang/bigbang#2049 (closed)

Thank you @andrewshoell. That's what I ended up doing, although I only needed to apply the annotation override on the migrations job, since the others didn't seem to talk to redis.