Create Air-Gap / offline / limited connectivity Demo for Dependency Scanning

Problem to solve

We want to be able to show our current progress on having dependency scanning work in an offline environment.

In this context "offline environment" is also called intranet, local area network (LAN), limited connectivity, or "air-gapped". We mean one or more servers and services running in a network that can talk to one another but have zero, or at most very restricted, access to the internet. Assume anything within the GitLab instance and its supporting infrastructure (a private Maven repository, for example) can be reached over the local network. Assume any files from the internet must come in via physical media (USB drive, hard drive).

Audience

Sales, Customer Success and 1 customer representative

Outcome / Deliverables

  • 1-3 Videos
    • full unedited version, a "no waiting" version, and a highlights/edited version if needed
  • 4 demo/test Environments
    • Environment Empty - shared (work with team / QA to get access)
    • Environment GitLab Project - shared (work with team / QA to get access)
    • Environment Ready for Dependency Scan Install
    • Environment Dependency Scan Enabled
  • 1 live demo to be scheduled by @tstadelhofer

Requirements

  • There will be a live demo; TBD whether it may leverage recorded material
  • Live and recorded demos must use a very limited connectivity environment; in this case we are planning to use GCP with a jump box. We must have a way to show (prove) its limited connectivity and allow the customer to review this proof. For example, we run a script that reaches out on common GitLab ports, then show the firewall logs. Customers should be able to review the ports we chose to test and ask for additional ones if needed.
    • Nicole's Note - We are currently going forward with doing this for the GCP setup we have with jump box / bastion server. @meks will work to verify this is OK on quality's side and @NicoleSchwartz did confirm with the customer that this is an acceptable demo environment.
  • Live and recorded demos must cover the full process of setup, configuration, and running the specified scanner on a GitLab air-gap instance (with a project)
    • Set up the scanner, configure the scanner, make a code change and submit an MR, show the results of the MR in all applicable areas such as pipeline, MR, dashboard, vulnerability information, and remediation if applicable
  • Live demos must include representatives for all parts of the demo script above so questions can be asked (for example Engineering, Quality, Product). We will need to review the notes and make sure we have appropriate reps for each demo
  • Live demo: as many environments as are needed should be set up so we can skip over each time-consuming part.

Notes

Note: It is OK to fail! If you are only able to get through a specific number of steps, that's OK: record that, walk through the troubleshooting, and that is your video. We will then open an issue to address the difficulties you encountered. It is VERY important to verbalize everything you are doing.

Note: Always follow the script, and ideally note (possibly even flash up the script and state which step you are starting) when you go from one script step to the next, so we can record where in the video people can jump to for specific spots.

Note: Always clearly note what documentation you are following and where it is located; it should be publicly accessible, even if it's an MR or a public GitLab project. Add ANY documentation used to #210056 (closed)

Note: I fully understand this will be a long video as I require you to download things live.

Note: While recording, follow the script and use only the user-facing directions (as you run into issues, note them and make sure to suggest and submit MRs for improvements as needed), and record the process, making it available on GitLab Unfiltered, unpublished.

Steps

VIDEO

  • Grab a pre-configured GCP environment with GitLab and a project installed
  • Don't do any advance work, do it all (downloads etc) as part of the video
  • Set up & prove the air-gap
    • Run a script that tries to reach internet resources on assorted ports, and keep its output
    • Show the matching firewall logs in the Google Cloud console
  • Show setup & config
    • Follow the user documentation to prepare the environment (download the required artifacts and put them in the correct locations) for installing and configuring Dependency Scanning. Make sure to follow the documentation we have, and make notes about what needs to be improved in the documentation around this process as you go (and after the demo). The engineer who worked on the code should NOT be the one walking through the steps, but ideally could be present to answer questions.
    • Everything up to this point is what we consider the Environment Ready for Dependency Scan Install
    • Follow the steps to install and set up Dependency Scanning, then enable it in the offline environment. The same rules apply: follow the documentation we have, note what needs to be improved as you go (and after the demo), and the engineer who worked on the code should NOT be the one walking through the steps, but ideally could be present to answer questions.
  • Submit code to the project as an MR and have a pipeline run
    • this should trigger the Dependency Scanning job to run in your offline environment.
  • Show results of pipeline
    • Pipeline Results
    • Merge Request results
    • Dashboard results
    • Vulnerability details (links will fail)
    • Remediation (Nicole expects this to fail. Will the air-gap suggested solution work? Test it and find out; if it does not, note it and update the user documentation to say so as well!)
  • Show, if applicable, proof that the environment didn't call out during the demo
    • Show firewall logs
  • This is now Environment Dependency Scan Enabled
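The "prove the air-gap" step above (and the matching requirement that the customer can review the ports we test) asks for a script that reaches out on common GitLab ports and whose attempts can be matched against the firewall logs. The following is an added example of such a probe, written for this page; it is not the script the team used or any GitLab tooling. The target list is an assumption (the page only says "common GitLab ports"), and the customer should review and extend it before the demo. Each attempt is printed as one JSON line with a UTC timestamp so that it can be correlated with the firewall log entries afterwards, and the script distinguishes a connect timeout (what a DROP rule looks like) from a refused connection (a REJECT rule or closed port) and from a DNS failure, because those three outcomes say different things about how the network is isolated.

```python
"""Constructed example: outbound TCP probe for the "prove the air-gap" step.

Run from the GitLab host (or the jump box) inside the demo VPC. It attempts a
TCP connect to each host:port pair and records a timestamped verdict per pair
so the attempts can be matched against GCP firewall logs afterwards.
"""
import errno
import json
import socket
import sys
from datetime import datetime, timezone

# Assumed target list: the page only says "common GitLab ports". These are
# placeholders for the customer to review and extend before the demo.
DEFAULT_TARGETS = [
    ("gitlab.com", 443),
    ("gitlab.com", 22),
    ("registry.gitlab.com", 443),
    ("repo.maven.apache.org", 443),
    ("pypi.org", 443),
    ("registry.npmjs.org", 443),
]


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect; never raises.

    status is one of: open, refused, timeout, unreachable, dns_failure, error.
    'timeout' is what a DROP rule looks like; 'refused' a REJECT rule or a
    closed port; 'dns_failure' means the name never resolved at all.
    """
    result = {
        "host": host,
        "port": port,
        "started": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror as exc:
        # Expected in an offline network, unless an internal resolver forwards
        # upstream, which would itself be a finding worth showing.
        result.update(status="dns_failure", detail=str(exc))
        return result
    result["address"] = addr[0]
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        result["status"] = "open"
    except socket.timeout:
        result["status"] = "timeout"
    except ConnectionRefusedError:
        result["status"] = "refused"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            result["status"] = "unreachable"
        else:
            result.update(status="error", detail=str(exc))
    finally:
        sock.close()
    return result


def run_probes(targets=DEFAULT_TARGETS, timeout=3.0):
    return [probe_tcp(host, port, timeout) for host, port in targets]


def summarize(results):
    """Anything 'open' means the environment is not as isolated as claimed."""
    open_hits = [f"{r['host']}:{r['port']}" for r in results if r["status"] == "open"]
    return {"probed": len(results), "open": open_hits, "egress_detected": bool(open_hits)}


def loopback_controls(timeout=3.0):
    """Positive and negative controls on 127.0.0.1.

    A run consisting only of failures proves nothing on its own; the probe
    must still report 'open' for a listening port and 'refused' for a closed
    one, otherwise the failures could be a broken script rather than a firewall.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        open_port = listener.getsockname()[1]
        open_status = probe_tcp("127.0.0.1", open_port, timeout)["status"]
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as scratch:
        scratch.bind(("127.0.0.1", 0))
        closed_port = scratch.getsockname()[1]
    # scratch is closed now, so nothing listens on closed_port any more
    closed_status = probe_tcp("127.0.0.1", closed_port, timeout)["status"]
    return {"open_port": open_status, "closed_port": closed_status}


if __name__ == "__main__":
    print(json.dumps({"controls": loopback_controls()}))
    results = run_probes()
    for r in results:
        print(json.dumps(r))  # one line per attempt; keep this for the customer
    summary = summarize(results)
    print(json.dumps(summary))
    sys.exit(1 if summary["egress_detected"] else 0)
```

Run it once at the start of the recording and again at the end (the "show firewall logs" step), keep the JSON output, and then pull the denied-egress entries from the VPC firewall logs whose timestamps and destination ports line up with the probe's `started` values. Two caveats a customer will ask about: GCP only writes firewall log entries for rules that have logging enabled, and the implied default rules cannot log, so the demo VPC needs an explicit deny-egress rule with logging turned on or there will be nothing to correlate against; and a clean run only proves the listed host:port pairs are blocked from this host, so the list should include anything the scanner could plausibly fetch from (package registries as well as GitLab itself) and the customer should add whatever else they care about.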

POST VIDEO prep work

You should have 1 long video

Editing

  • make a copy of your long video and remove all the areas where you are waiting; condense it as short as possible.
  • You should now have 1 "no waiting" and 1 "long" video
  • Upload the long and no-waiting videos to a GitLab Unfiltered YouTube playlist as unlisted

Live Meeting Prep

Contact your group, Quality and PM (Slack your group and #wg_secure-airgap-deployments); have them review the video playlist, and make sure to provide links to the public instructions you used.

Make sure @tstadelhofer has scheduled live Q&A time on the calendar

Have all needed demo environments up and ready for the meeting (cooking-show style, so you can show it at various stages)

Make sure there is an agenda for the meeting so people can ask questions (in advance, and during)

Make sure Quality, Engineering, Management and Product are present.

Live Meeting

Note: Hopefully people had 1-2 business days to watch the full videos if desired and are ready to ask you to show, explain or test specific things they are concerned about.

Engineering

  • Possibly kick off an MR in Environment Dependency Scan Enabled before the meeting starts, depending on how long the demo pipeline takes, so the results are ready in time
  • Ask if everyone would like you to show or test anything on Environment Ready for Dependency Scan Install.
  • Have the Environment Ready for Dependency Scan Install demo environment open to walk through any questions or concerns. This could be a long demo: it is likely you'll need to proceed through the install and setup of Dependency Scanning live here, and that's expected and OK. What we want to avoid is waiting on the results of a pipeline: kick off a pipeline as needed, then skip to Environment Dependency Scan Enabled.
  • Now you are in Environment Dependency Scan Enabled. Be prepared to start MRs (have some ready that will produce a result) and also have at least 1 MR that has already run so you can jump to that completed pipeline.

Make a note after this meeting if any of the test/demo environments used need to be trashed and rebuilt as a result of the demo

What does success look like, and how can we measure that?

Quality and CS should sign off in this document after watching both videos and the live Q&A

Links / references

It would be good to work with Quality on this effort, as they are going to set up demo environments and projects to run tests. - #207063 (closed)

Edited by Nicole Schwartz