Resolve "Integrate bb-common"
General MR
Summary
This MR migrates the gitlab package to use the bb-common implementations for Istio and NetworkPolicy configurations.
Relevant logs/screenshots
Successfully logged in
Successfully changed avatar image
Successfully pushed git changes
Successfully pushed/pulled from/to registry
❯ docker login registry.dev.bigbang.mil
Username: zcallahan
Password:
WARNING! Your credentials are stored unencrypted in '/home/zach/.docker/config.json'.
Configure a credential helper to remove this warning. See
https://docs.docker.com/go/credential-store/
Login Succeeded
❯ docker pull busybox --platform linux/amd64
docker tag busybox:latest registry.dev.bigbang.mil/test/test1:latest
docker push registry.dev.bigbang.mil/test/test1:latest --platform linux/amd64
docker image rm busybox:latest
docker image rm registry.dev.bigbang.mil/test/test1:latest
docker pull registry.dev.bigbang.mil/test/test1:latest --platform linux/amd64
Using default tag: latest
latest: Pulling from library/busybox
e59838ecfec5: Pull complete
Digest: sha256:d80cd694d3e9467884fcb94b8ca1e20437d8a501096cdf367a5a1918a34fc2fd
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
i Info → Using --platform pushes only the specified platform manifest of a multi-platform image index.
Other components, like attestations, will not be included.
To push the complete multi-platform image, remove the --platform flag.
The push refers to repository [registry.dev.bigbang.mil/test/test1]
e14542cc0629: Pushed
latest: digest: sha256:be49435f6288f9c5cce0357c2006cc266cb5c450dbd6dc8e3a3baec10c46b065 size: 527
Untagged: busybox:latest
Untagged: busybox@sha256:d80cd694d3e9467884fcb94b8ca1e20437d8a501096cdf367a5a1918a34fc2fd
Untagged: registry.dev.bigbang.mil/test/test1:latest
Untagged: registry.dev.bigbang.mil/test/test1@sha256:be49435f6288f9c5cce0357c2006cc266cb5c450dbd6dc8e3a3baec10c46b065
Deleted: sha256:08ef35a1c3f050afbbd64194ffd1b8d5878659f5491567f26d1c814513ae9649
Deleted: sha256:e14542cc062958c3bfada9c260a6ae47bb2906fd8b514999774760710dbce3cb
latest: Pulling from test/test1
bb1275e1a759: Pull complete
Digest: sha256:be49435f6288f9c5cce0357c2006cc266cb5c450dbd6dc8e3a3baec10c46b065
Status: Downloaded newer image for registry.dev.bigbang.mil/test/test1:latest
registry.dev.bigbang.mil/test/test1:latest
Successfully ran a pipeline
Successfully ran helm test
❯ helm test --timeout 10m -n bigbang gitlab
NAME: gitlab
LAST DEPLOYED: Tue Dec 23 22:16:55 2025
NAMESPACE: gitlab
STATUS: deployed
REVISION: 5
TEST SUITE: allow-egress-from-gitlab-cypress-test-to-anywhere-any-port
Last Started: Tue Dec 23 16:19:29 2025
Last Completed: Tue Dec 23 16:19:30 2025
Phase: Succeeded
TEST SUITE: allow-egress-from-gitlab-script-test-to-anywhere-any-port
Last Started: Tue Dec 23 16:19:30 2025
Last Completed: Tue Dec 23 16:19:31 2025
Phase: Succeeded
TEST SUITE: gitlab-script-sa
Last Started: Tue Dec 23 16:19:28 2025
Last Completed: Tue Dec 23 16:19:28 2025
Phase: Succeeded
TEST SUITE: gitlab-cypress-config
Last Started: Tue Dec 23 16:19:23 2025
Last Completed: Tue Dec 23 16:19:24 2025
Phase: Succeeded
TEST SUITE: gitlab-script-config
Last Started: Tue Dec 23 16:19:25 2025
Last Completed: Tue Dec 23 16:19:26 2025
Phase: Succeeded
TEST SUITE: gitlab-test-pod-exec
Last Started: Tue Dec 23 16:19:31 2025
Last Completed: Tue Dec 23 16:19:31 2025
Phase: Succeeded
TEST SUITE: gitlab-script-role
Last Started: Tue Dec 23 16:19:26 2025
Last Completed: Tue Dec 23 16:19:26 2025
Phase: Succeeded
TEST SUITE: gitlab-test-pod-exec
Last Started: Tue Dec 23 16:19:32 2025
Last Completed: Tue Dec 23 16:19:32 2025
Phase: Succeeded
TEST SUITE: gitlab-script-rolebinding
Last Started: Tue Dec 23 16:19:27 2025
Last Completed: Tue Dec 23 16:19:27 2025
Phase: Succeeded
TEST SUITE: gitlab-registry-test-svc
Last Started: Tue Dec 23 16:19:24 2025
Last Completed: Tue Dec 23 16:19:25 2025
Phase: Succeeded
TEST SUITE: gitlab-webservice-test-svc
Last Started: Tue Dec 23 16:19:28 2025
Last Completed: Tue Dec 23 16:19:29 2025
Phase: Succeeded
TEST SUITE: gitlab-cypress-test
Last Started: Tue Dec 23 16:19:33 2025
Last Completed: Tue Dec 23 16:24:18 2025
Phase: Succeeded
TEST SUITE: gitlab-script-test
Last Started: Tue Dec 23 16:24:18 2025
Last Completed: Tue Dec 23 16:26:32 2025
Phase: Succeeded
More to follow...
Umbrella Branch
gitlab-378-integrate-bb-common
Linked Issue
Upgrade Notices
The gitlab package has been migrated to bb-common. While steps have been taken to maintain backwards compatibility with existing configurations by translating the old configuration into bb-common's more explicit syntax, Big Bang consumers are encouraged to migrate their values directly as soon as possible. The configuration changes consumers should make when they migrate are outlined below.
Database and Storage (S3) Egress
Previously, a wide-open (0.0.0.0/0) egress policy was created for the migrations, sidekiq, webservice, and registry pods whenever upstream.postgresql.install or global.minio.enabled was set to false, indicating that an external database or external object storage was to be used. These policies were not in line with Big Bang's wider security posture and have been removed. In their place, consumers are encouraged to define and use bb-common definitions for their database subnets and storage subnets when an external database or external object storage is to be used:
networkPolicies:
  egress:
    definitions:
      storage-subnets:
        to:
          - ipBlock: <private-s3-endpoint-cidr>
        ports:
          - port: 443
            protocol: TCP
      database-subnets:
        to:
          - ipBlock: <db-subnet> # repeat for each subnet
        ports:
          - port: 5432 # change this port to match your database port
            protocol: TCP
    from:
      migrations: # repeat for registry, webservice, and sidekiq as needed
        to:
          definition:
            database-subnets: true
            storage-subnets: true
Default definitions for database-subnets and storage-subnets are defined globally in Big Bang and passed down to the gitlab package. You're encouraged to override the CIDRs defined there to match your infrastructure. Any changes made at that global level will propagate down into the gitlab package.
Metadata Endpoint Egress
Previously, a toggle called use_iam_profile was available at the package top level. It created an egress policy allowing the webservice, sidekiq, toolbox, and registry pods to reach the IMDS endpoint on the instance where those pods were scheduled, letting them assume the same role as the instance to perform privileged actions in AWS. This is not a best practice and is not aligned with the principle of least privilege, since other pods scheduled on the same node but in a namespace that does not enforce network policies would have this access as well. Users should instead use pod identities, IRSA, or another workload-identity-based authorization mechanism so that workloads access cloud resources with short-lived, workload-scoped credentials.
If gitlab package users insist on using instance profiles, they must explicitly allow the necessary IMDS access:
networkPolicies:
  egress:
    from:
      registry: # repeat for sidekiq, toolbox, and webservice as needed
        to:
          cidr:
            169.254.169.254/32: true
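Both notices above come down to which CIDRs a pod's egress policy can reach. As an added check that is not part of this MR or of the bb-common chart, the following Python audits a rendered Kubernetes NetworkPolicy for the legacy wide-open egress and for IMDS reachability; the policy dicts, the 10.0.20.0/24 subnet, the policy names and the label selectors are constructed samples, not Big Bang defaults.

```python
import ipaddress

# Link-local IMDS address the "Metadata Endpoint Egress" notice refers to.
IMDS_IP = ipaddress.ip_address("169.254.169.254")


def audit_egress(policy):
    """Return (rule_index, finding) tuples for risky egress peers in one
    rendered Kubernetes NetworkPolicy (a plain dict, as the API stores it)."""
    findings = []
    for i, rule in enumerate(policy.get("spec", {}).get("egress", [])):
        for peer in rule.get("to", []):
            block = peer.get("ipBlock")
            if block is None:  # namespace/pod selectors are not CIDR peers
                continue
            net = ipaddress.ip_network(block["cidr"], strict=False)
            excepts = [ipaddress.ip_network(e, strict=False)
                       for e in block.get("except", [])]
            if net.prefixlen == 0:
                findings.append((i, "wide-open egress " + block["cidr"]))
            # IMDS is reachable unless the CIDR misses it or an except carves it out
            if IMDS_IP in net and not any(IMDS_IP in e for e in excepts):
                findings.append((i, "reaches IMDS via " + block["cidr"]))
    return findings


# Constructed sample: the legacy shape this MR removes (external DB => 0.0.0.0/0).
LEGACY_POLICY = {
    "metadata": {"name": "allow-egress-from-migrations-to-anywhere"},
    "spec": {"podSelector": {"matchLabels": {"app": "migrations"}},
             "policyTypes": ["Egress"],
             "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]},
}

# Constructed sample: what a bb-common "database-subnets" definition renders to
# (the 10.0.20.0/24 subnet and port 5432 are placeholders for your own values).
MIGRATED_POLICY = {
    "metadata": {"name": "allow-egress-from-migrations-to-database-subnets"},
    "spec": {"podSelector": {"matchLabels": {"app": "migrations"}},
             "policyTypes": ["Egress"],
             "egress": [{"to": [{"ipBlock": {"cidr": "10.0.20.0/24"}}],
                         "ports": [{"port": 5432, "protocol": "TCP"}]}]},
}

if __name__ == "__main__":
    for p in (LEGACY_POLICY, MIGRATED_POLICY):
        print(p["metadata"]["name"], audit_egress(p) or "clean")
```

Run it against `kubectl get networkpolicy -n gitlab -o json` output (each item in `.items`) to confirm no 0.0.0.0/0 rule survives the migration and that IMDS is reachable only where it was explicitly allowed.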
Ingress Config
bb-common creates a consistent ingress configuration syntax across all Big Bang packages with its routes functionality. Take a look at the routes documentation to understand how to use it to expose various gitlab services.