Support SSH by deploying our forked NGINX objects from the GitLab Charts
Summary
Enables SSH support by deploying our forked NGINX objects from the GitLab Helm chart. A user can still use external NGINX by setting `nginx-ingress.enabled=false`.
Closes #179 (closed)
Changes
- Reconciles forked NGINX objects from the GitLab Helm chart
- Adds a custom SecurityContextConstraints object giving the NGINX ingress controller pods proper permissions in OpenShift environments
Notes
- The RBAC manifests were taken from the GitLab Helm Charts.
- The NGINX SecurityContextConstraints object was taken from the NGINX Ingress Operator. Some helpful links:
  - Source definition of NGINX Ingress Operator's SCC
  - Source definition of NGINX Ingress Operator's RBAC (not used in this MR, but good to have as a reference to compare to the RBAC manifests in our charts)
  - Source definition of a SCC
  - Managing SCCs in OpenShift
  - Managing security context constraints
Test instructions
Follow installation docs. For the GitLab CR to apply, use something like:
```yaml
apiVersion: apps.gitlab.com/v1beta1
kind: GitLab
metadata:
  name: gitlab
spec:
  chart:
    version: "4.11.3"
    values:
      global:
        hosts:
          domain: yourdomain.com
      certmanager-issuer:
        email: youremail.com
```
This CR is slightly different from the one in our docs because it doesn't require setting `global.ingress.class`.
Log into the instance, add your SSH key under Preferences, and attempt to clone a project over SSH.
Note: this was tested on both OpenShift and 'vanilla' K8s.
To do
- Add tests
- Remove NGINX Operator manifests and documentation references
- Support not deploying the NGINX objects if `nginx-ingress.enabled=false`.
- Ensure `namePrefix` / release naming in the new manifests works as expected when the release name is not just `gitlab`
- Investigate why the GitLab operator controller endlessly loops saying it updated a variety of objects
- Investigate why `GetBoolValue("nginx-ingress.enabled")` comes back as `nil` instead of not present, since it doesn't appear to be set anywhere. (This is causing issues setting a default value since we rely on `err != nil` to mean the value was not configured at all.)
- Consider installing `external-dns` in the OpenShift CI cluster so DNS works (now that NGINX spins up a Service of type LoadBalancer for each MR commit). Note: if this is undesirable, maybe we consider disabling the deployment of forked NGINX resources in CI and just rely on our NGINX operator. Addressed this by disabling bundled NGINX only for CI, and instead using the CI cluster's NGINX instance.
- Only apply SCC on OpenShift
Closes #58 (closed)
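The `GetBoolValue` to-do above hinges on one distinction: a key that is genuinely absent from `spec.chart.values` (apply the default and deploy the bundled NGINX) versus a key the user set explicitly to `false` (honour it and skip the NGINX objects). Treating every non-nil error as "not configured" collapses those cases. The following is an added example, written for this review and not the operator's own helper: it walks a dotted Helm-style path over a decoded values map and returns a sentinel `ErrNotFound` only when the path is missing, so a default can be applied with `errors.Is` rather than a bare `err != nil` check. `Values`, `ErrNotFound`, `ErrWrongType` and the three sample value trees are assumptions constructed for the example; the maps assume a decoder that produces `map[string]interface{}` (encoding/json or yaml.v3), not the `map[interface{}]interface{}` that yaml.v2 emits.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNotFound is returned only when the key path is absent from the tree.
// This is the one case in which a caller should fall back to a default.
var ErrNotFound = errors.New("value not present")

// ErrWrongType is returned when the key exists but does not hold a bool,
// e.g. a user wrote enabled: "false" (a string) instead of enabled: false.
var ErrWrongType = errors.New("value is not a bool")

// Values is a nested Helm-style values tree (hypothetical type for this example).
type Values map[string]interface{}

// lookup walks a dotted path such as "nginx-ingress.enabled".
// A nil intermediate node (e.g. "nginx-ingress:" with no body) counts as absent.
func (v Values) lookup(path string) (interface{}, bool) {
	var cur interface{} = map[string]interface{}(v)
	for _, part := range strings.Split(path, ".") {
		m, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false
		}
		cur, ok = m[part]
		if !ok {
			return nil, false
		}
	}
	return cur, true
}

// GetBoolValue distinguishes three outcomes: (value, nil) when set,
// (false, ErrNotFound) when absent, and (false, ErrWrongType) when present
// but not a bool.
func (v Values) GetBoolValue(path string) (bool, error) {
	raw, ok := v.lookup(path)
	if !ok {
		return false, ErrNotFound
	}
	b, ok := raw.(bool)
	if !ok {
		return false, fmt.Errorf("%w: %s holds %T", ErrWrongType, path, raw)
	}
	return b, nil
}

// GetBoolValueOrDefault applies def only when the key is genuinely absent.
// An explicit false, or a value of the wrong type, is never silently replaced.
func (v Values) GetBoolValueOrDefault(path string, def bool) (bool, error) {
	b, err := v.GetBoolValue(path)
	if errors.Is(err, ErrNotFound) {
		return def, nil
	}
	return b, err
}

// Constructed sample trees: what spec.chart.values from the test CR above
// decodes to (nginx-ingress unset), an explicit opt-out, and a typo'd opt-out.
var chartValues = Values{
	"global": map[string]interface{}{
		"hosts": map[string]interface{}{"domain": "yourdomain.com"},
	},
	"certmanager-issuer": map[string]interface{}{"email": "youremail.com"},
}
var explicitOff = Values{"nginx-ingress": map[string]interface{}{"enabled": false}}
var wrongType = Values{"nginx-ingress": map[string]interface{}{"enabled": "false"}}

func main() {
	for _, vals := range []Values{chartValues, explicitOff, wrongType} {
		on, err := vals.GetBoolValueOrDefault("nginx-ingress.enabled", true)
		fmt.Printf("deploy bundled NGINX: %v (err: %v)\n", on, err)
	}
}
```

The design choice worth keeping from this example is that a wrong-typed value surfaces as an error rather than being coerced: an `enabled: "false"` string that silently became `true` via a default would deploy an ingress controller the user believed they had turned off.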
Edited by Mitchell Nielsen