
feat: run gitlab init containers as privileged for copying CA trust (#…
…130)

* trying non-root user again

* removing webservice from path

* keys

* morrrr webservice

* adding policy exemption for gitlab certificates container -- removing legacy workaround

* alllll the file permissions

* sudo make me a file

* trying a more specific level

* sudo for days

* adjusting the exemption

* nuclear option

* less sudo

* removing duplicates

* remove unused exemptions
blancharda authored Jun 26, 2024
1 parent 011db86 commit 5b4031e
Showing 6 changed files with 45 additions and 31 deletions.
29 changes: 24 additions & 5 deletions bundles/uds-core-swf/uds-bundle.yaml
Expand Up @@ -8,6 +8,11 @@ metadata:
# x-release-please-end
architecture: amd64

x-gitlab-init-security-context: &gitlab-init-security-context
privileged: true
readOnlyRootFilesystem: false
runAsUser: 0

packages:
# Zarf init
- name: init
Expand Down Expand Up @@ -267,11 +272,6 @@ packages:
path: ../../build
ref: 0.0.2

# Additional manifests needed (TODO - remove)
- name: additional-manifests-2
path: ../../build
ref: 0.0.2

# Gitlab
- name: gitlab-redis
repository: ghcr.io/defenseunicorns/packages/uds/dev-redis
Expand Down Expand Up @@ -312,6 +312,25 @@ packages:
- path: global.certificates.customCAs
value:
- secret: ca-secret
- path: gitlab.webservice.init.containerSecurityContext
value: *gitlab-init-security-context
- path: gitlab.toolbox.init.containerSecurityContext
value: *gitlab-init-security-context
- path: gitlab.sidekiq.init.containerSecurityContext
value: *gitlab-init-security-context
## gitlab-migrations failed to init as root
# - path: gitlab.migrations.init.containerSecurityContext
# value: *gitlab-init-security-context
## gitlab-shell crashed on startup as root
# - path: gitlab.gitlab-shell.init.containerSecurityContext
# value: *gitlab-init-security-context
- path: gitlab.gitlab-pages.init.containerSecurityContext
value: *gitlab-init-security-context
- path: gitlab.gitlab-exporter.init.containerSecurityContext
value: *gitlab-init-security-context
- path: gitlab.gitaly.init.containerSecurityContext
value: *gitlab-init-security-context

variables:
- name: MIGRATIONS_RESOURCES
description: "Gitlab Migrations Resources"
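Review bot: `privileged: true` in the `x-gitlab-init-security-context` anchor, reused for six charts' `init.containerSecurityContext` in the last hunk, is broader than the stated need: copying CA anchors into `/usr/share/pki` and `/etc/pki` inside the container's own filesystem requires root and a writable root filesystem, not host-level privilege, and a privileged container additionally gets every capability, host device access and no seccomp/AppArmor confinement. Unless the chart's init container does more than write those files (nothing in this commit shows that), drop the `privileged` line so the anchor is just `readOnlyRootFilesystem: false` / `runAsUser: 0`, which would also make the `DisallowPrivileged` exemption added elsewhere in this commit unnecessary. The commented-out migrations and gitlab-shell entries show the context breaks some charts, so a comment next to the anchor recording why root is needed and which charts were verified would help the next maintainer, e.g. `# root + writable rootfs so the init container can copy custom CA anchors into the container trust store; not applied to migrations/gitlab-shell (fail when run as root)`.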
@@ -0,0 +1,19 @@
apiVersion: uds.dev/v1alpha1
kind: Exemption
metadata:
name: gitlab-certificates
namespace: uds-policy-exemptions
spec:
exemptions:
- policies:
- DisallowPrivileged
- RequireNonRootUser
matcher:
namespace: gitlab
name: ".*"
title: "gitlab exemptions"
description: "Gitlab's certificates container needs write access to the following paths in order to load custom CA certificates:
- `/usr/share/pki/ca-trust-source/anchors/`
- `/etc/pki/ca-trust/extracted/openssl/`
- `/etc/pki/ca-trust/extracted/java/`
- `/etc/pki/ca-trust/extracted/edk2/`"
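Review bot: The matcher `name: ".*"` in namespace `gitlab` exempts every pod in that namespace from `DisallowPrivileged` and `RequireNonRootUser`, while the description says only the certificates init container needs the relief; any GitLab workload, or anything else deployed into `gitlab`, could then run privileged or as root without the policy catching it. Narrow the matcher to the pods that actually receive the init security context, e.g. `name: "^gitlab-(webservice|toolbox|sidekiq|gitlab-pages|gitlab-exporter|gitaly)-.*"`, assuming the chart's pod names carry those subchart names, which should be checked against the rendered manifests. Separately, `description:` is a multi-line double-quoted scalar, so the line breaks around the bullet list are folded into spaces when parsed; `description: |-` followed by the same text keeps the list intact. If `privileged` is dropped from the bundle's init security context, `DisallowPrivileged` can be removed from the `policies` list as well. The file's path is not shown on this page; it appears to be the `pepr-policy-exemptions/gitlab-exemptions.yaml` referenced in `zarf.yaml`.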

This file was deleted.

4 changes: 2 additions & 2 deletions packages/additional-manifests/zarf.yaml
Expand Up @@ -30,9 +30,9 @@ components:
manifests:
- name: pepr-policy-exemptions
files:
# TODO -- see README for details
# - pepr-policy-exemptions/nutanix-csi-exemptions.yaml
- pepr-policy-exemptions/nutanix-csi-exemptions.yaml
- pepr-policy-exemptions/metallb-exemptions.yaml
- pepr-policy-exemptions/gitlab-exemptions.yaml
- name: mattermost-ca-secret
required: true
manifests:
1 change: 0 additions & 1 deletion tasks.yaml
Expand Up @@ -14,7 +14,6 @@ tasks:
- task: create:namespaces-package
- task: create:object-store-packages
- task: create:additional-manifests-package
- task: create:additional-manifests-package-2
- task: create:init-package
- task: create:bundle

6 changes: 0 additions & 6 deletions tasks/create.yaml
Expand Up @@ -50,12 +50,6 @@ tasks:
description: Create package create additional manifests needed.
actions:
- cmd: ./uds zarf package create ./packages/additional-manifests --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build

# TODO - remove when multiple exemptions can be applied at once
- name: additional-manifests-package-2
description: Create package create additional manifests needed.
actions:
- cmd: ./uds zarf package create ./packages/additional-manifests/pepr-policy-exemptions/tmp-csi-exemption --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build

- name: init-package
description: Create init package with Nutanix CSI driver.
