Thanks, a few folks in Secure are asking about OpenShift (e.g. gitlab-org/gitlab#281816 (closed) and gitlab-org/gitlab#287702 (closed)), so I would be very interested in working alongside you. Do you envisage a persistent environment, or something we can spin up/down?
Not sure yet. Unfortunately I didn't have a chance to dive deep into OpenShift yet, and I'm still getting familiar with Kubernetes overall. I hope to get more details next week when I start to focus on this - https://gitlab.com/gitlab-org/quality/team-tasks/-/issues/745
As far as I understand from talking with Nick, if it's like the Helm Chart, then some stateful components will need to be built outside (like Database, Redis), and for this we could probably use GET; other stateless components will be spun up with the GitLab Chart itself. But I need to learn more. Sorry for the lack of details.
Thanks, @willmeek and @niskhakova! I'm wondering if you have any ETA for this to be addressed. I understand the upcoming holidays period and other priorities might push this work further to the beginning of next year so I'd like to make sure I account for that to plan our related work in Secure.
Olivier, this is in progress. So far we've been able to add clusters using OpenShift to the cloud-native GCP project.
A huge prerequisite of this is that we need a domain registered, which is why we're using this project rather than a quality project. If we wanted a cluster to live in the secure project we would similarly need a domain registered.
The next step is to install GitLab onto the cluster. I was hoping to at least have this up and running before signing off for the holidays/F+F day.
@willmeek A nuance here about fuzz testing is it should be coverage-guided fuzz testing. We also have API fuzz testing, which that repo is not covering.
@willmeek yes, there is one here that can be used. I suspect that one will fail since we have the known issue already about root usage for API fuzz testing
Had another question - were there runs for the other SAST languages in addition to the Ruby one? Not sure if they all pass or if there are some that have issues.
I added Ruby as a SAST smoke test. Others could be added, I'd set up the environment so that folks might bring across projects when they're working on the non-root dockerfiles of the analyzer images.
Can you help me find if there are issues created for each of the above failures or scanner support? I'm struggling to find them all. If we can find all the issues, I think we could either add them as related issues to this one and/or update the table above with them.
Reason I'm asking is because we're getting more external requests around timelines and want to make sure I communicate the right info and can point them to issues to watch for the latest.
@kerr.sam we're going about it a different way: we have an epic that basically says get OpenShift working, and we will keep adding issues to it each time we make a change, and test, and fail.
@stkerr this issue doesn't address OpenShift directly, but allowing Container Scanning (Clair) to run as a non-root user should help, if not get it to run without problem on OpenShift.