
Support SSH by deploying our forked NGINX objects from the GitLab Charts

Mitchell Nielsen requested to merge 58-deploy-nginx-fork into master

Summary

Enables SSH support by deploying our forked NGINX objects from the GitLab Helm chart. A user can still use external NGINX by setting nginx-ingress.enabled=false.

Closes #179 (closed)

Changes

  • Reconciles forked NGINX objects from the GitLab Helm chart
  • Adds a custom SecurityContextConstraints object giving the NGINX ingress controller pods proper permissions in OpenShift environments

Notes

Test instructions

Follow installation docs. For the GitLab CR to apply, use something like:

apiVersion: apps.gitlab.com/v1beta1
kind: GitLab
metadata:
  name: gitlab
spec:
  chart:
    version: "4.11.3"
    values:
      global:
        hosts:
          domain: yourdomain.com
      certmanager-issuer:
        email: youremail.com

This CR is slightly different from the one in our docs because it doesn't require setting global.ingress.class.

Log into the instance, add your SSH key under Preferences, and attempt to clone a project over SSH.

Note: this was tested on both OpenShift and 'vanilla' K8s.

To do

  • Add tests
  • Remove NGINX Operator manifests and documentation references
  • Support not deploying the NGINX objects if nginx-ingress.enabled=false.
  • Ensure namePrefix / release naming in the new manifests works as expected when the release name is not just gitlab
  • Investigate why the GitLab operator controller endlessly loops saying it updated a variety of objects
  • Investigate why GetBoolValue("nginx-ingress.enabled") comes back as nil instead of not present, since it doesn't appear to be set anywhere. (This is causing issues setting a default value since we rely on err != nil to mean the value was not configured at all)
  • Consider installing external-dns in the OpenShift CI cluster so DNS works (now that NGINX spins up a Service of type LoadBalancer for each MR commit)
    • Note: if this is undesirable, maybe we consider disabling the deployment of forked NGINX resources in CI and just rely on our NGINX operator.
    • Addressed this by disabling bundled NGINX only for CI, and instead using the CI cluster's NGINX instance.
  • Only apply SCC on OpenShift

Closes #58 (closed)

Edited by Mitchell Nielsen
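
The to-do item about GetBoolValue("nginx-ingress.enabled") describes a lookup where "no error" does not mean "configured". The following is an added example, not the operator's own code: it assumes chart values are held as nested map[string]interface{}, and lookup, boolOrDefault and ErrNotSet are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrNotSet = errors.New("value not set") // key or one of its parents is absent

// lookup walks a dot-separated key through nested maps. A key that is present
// with a null value yields (nil, nil), so err == nil does not imply "configured".
func lookup(values map[string]interface{}, key string) (interface{}, error) {
	var cur interface{} = values
	for _, part := range strings.Split(key, ".") {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return nil, ErrNotSet
		}
		if cur, ok = m[part]; !ok {
			return nil, ErrNotSet
		}
	}
	return cur, nil
}

// boolOrDefault returns def when the key is absent or null, and rejects
// non-boolean values instead of silently defaulting them.
func boolOrDefault(values map[string]interface{}, key string, def bool) (bool, error) {
	v, err := lookup(values, key)
	if errors.Is(err, ErrNotSet) || v == nil {
		return def, nil
	}
	b, ok := v.(bool)
	if !ok {
		return false, fmt.Errorf("%s: expected bool, got %T", key, v)
	}
	return b, nil
}

func main() {
	// Constructed sample values: key absent, explicit null, explicit false.
	absent := map[string]interface{}{}
	null := map[string]interface{}{"nginx-ingress": map[string]interface{}{"enabled": nil}}
	off := map[string]interface{}{"nginx-ingress": map[string]interface{}{"enabled": false}}
	for _, v := range []map[string]interface{}{absent, null, off} {
		fmt.Println(boolOrDefault(v, "nginx-ingress.enabled", true))
	}
}
```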
