
Add firewall rules to workspaces

Vishal Tak requested to merge vtak/network_policy into master

What does this MR do and why?

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/411379

Add firewall rules for ingress/egress traffic to/from a workspace.

Corresponding GA4K issue - Update remote development configuration protobu... (gitlab-org/cluster-integration/gitlab-agent!1043 - merged)

Data for Database Review

Migration output

➜  gitlab git:(vtak/network_policy) ✗ bin/rails db:migrate
main: == [advisory_lock_connection] object_id: 224180, pg_backend_pid: 52761
main: == 20230725085120 UpdateRemoteDevelopmentAgentConfigsForFirewallRules: migrating 
main: -- transaction_open?()
main:    -> 0.0000s
main: -- add_column(:remote_development_agent_configs, :network_policy_enabled, :boolean, {:default=>true, :null=>false})
main:    -> 0.0052s
main: -- add_column(:remote_development_agent_configs, :gitlab_workspaces_proxy_namespace, :text, {:default=>"gitlab-workspaces", :null=>false})
main:    -> 0.0027s
main: -- transaction_open?()
main:    -> 0.0000s
main: -- transaction_open?()
main:    -> 0.0000s
main: -- execute("ALTER TABLE remote_development_agent_configs\nADD CONSTRAINT check_72947a4495\nCHECK ( char_length(gitlab_workspaces_proxy_namespace) <= 63 )\nNOT VALID;\n")
main:    -> 0.0014s
main: -- execute("SET statement_timeout TO 0")
main:    -> 0.0002s
main: -- execute("ALTER TABLE remote_development_agent_configs VALIDATE CONSTRAINT check_72947a4495;")
main:    -> 0.0009s
main: -- execute("RESET statement_timeout")
main:    -> 0.0002s
main: == 20230725085120 UpdateRemoteDevelopmentAgentConfigsForFirewallRules: migrated (0.1263s) 

main: == [advisory_lock_connection] object_id: 224180, pg_backend_pid: 52761
ci: == [advisory_lock_connection] object_id: 224540, pg_backend_pid: 52763
ci: == 20230725085120 UpdateRemoteDevelopmentAgentConfigsForFirewallRules: migrating 
ci: -- transaction_open?()
ci:    -> 0.0000s
ci: -- add_column(:remote_development_agent_configs, :network_policy_enabled, :boolean, {:default=>true, :null=>false})
ci:    -> 0.0024s
ci: -- add_column(:remote_development_agent_configs, :gitlab_workspaces_proxy_namespace, :text, {:default=>"gitlab-workspaces", :null=>false})
ci:    -> 0.0018s
ci: -- transaction_open?()
ci:    -> 0.0000s
ci: -- transaction_open?()
ci:    -> 0.0000s
ci: -- execute("ALTER TABLE remote_development_agent_configs\nADD CONSTRAINT check_72947a4495\nCHECK ( char_length(gitlab_workspaces_proxy_namespace) <= 63 )\nNOT VALID;\n")
ci:    -> 0.0009s
ci: -- execute("SET statement_timeout TO 0")
ci:    -> 0.0004s
ci: -- execute("ALTER TABLE remote_development_agent_configs VALIDATE CONSTRAINT check_72947a4495;")
ci:    -> 0.0021s
ci: -- execute("RESET statement_timeout")
ci:    -> 0.0004s
ci: == 20230725085120 UpdateRemoteDevelopmentAgentConfigsForFirewallRules: migrated (0.0354s) 

ci: == [advisory_lock_connection] object_id: 224540, pg_backend_pid: 52763

Rollback output

Main DB

➜  gitlab git:(vtak/network_policy) ✗ bin/rails db:rollback:main STEP=1
main: == [advisory_lock_connection] object_id: 223900, pg_backend_pid: 53831
main: == 20230725085120 UpdateRemoteDevelopmentAgentConfigsForFirewallRules: reverting 
main: -- transaction_open?()
main:    -> 0.0000s
main: -- remove_column(:remote_development_agent_configs, :gitlab_workspaces_proxy_namespace, {:if_exists=>true})
main:    -> 0.0905s
main: -- remove_column(:remote_development_agent_configs, :network_policy_enabled, {:if_exists=>true})
main:    -> 0.0025s
main: == 20230725085120 UpdateRemoteDevelopmentAgentConfigsForFirewallRules: reverted (0.1194s) 

main: == [advisory_lock_connection] object_id: 223900, pg_backend_pid: 53831

CI DB

➜  gitlab git:(vtak/network_policy) ✗ bin/rails db:rollback:ci STEP=1  
ci: == [advisory_lock_connection] object_id: 223840, pg_backend_pid: 54384
ci: == 20230725085120 UpdateRemoteDevelopmentAgentConfigsForFirewallRules: reverting 
ci: -- transaction_open?()
ci:    -> 0.0000s
ci: -- remove_column(:remote_development_agent_configs, :gitlab_workspaces_proxy_namespace, {:if_exists=>true})
ci:    -> 0.0892s
ci: -- remove_column(:remote_development_agent_configs, :network_policy_enabled, {:if_exists=>true})
ci:    -> 0.0022s
ci: == 20230725085120 UpdateRemoteDevelopmentAgentConfigsForFirewallRules: reverted (0.1363s) 

ci: == [advisory_lock_connection] object_id: 223840, pg_backend_pid: 54384

Queries

No new/existing queries are created/updated.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Vishal Tak
