diff --git a/bundles/uds-core-swf/uds-bundle.yaml b/bundles/uds-core-swf/uds-bundle.yaml
index f57041c7..c022b4f7 100644
--- a/bundles/uds-core-swf/uds-bundle.yaml
+++ b/bundles/uds-core-swf/uds-bundle.yaml
@@ -8,6 +8,11 @@ metadata:
 # x-release-please-end
 architecture: amd64
+x-gitlab-init-security-context: &gitlab-init-security-context
+ privileged: true
+ readOnlyRootFilesystem: false
+ runAsUser: 0
+
 packages:
 # Zarf init
 - name: init
@@ -267,11 +272,6 @@ packages:
 path: ../../build
 ref: 0.0.2
- # Additional manifests needed (TODO - remove)
- - name: additional-manifests-2
- path: ../../build
- ref: 0.0.2
-
 # Gitlab
 - name: gitlab-redis
 repository: ghcr.io/defenseunicorns/packages/uds/dev-redis
@@ -312,6 +312,25 @@ packages:
 - path: global.certificates.customCAs
 value:
 - secret: ca-secret
+ - path: gitlab.webservice.init.containerSecurityContext
+ value: *gitlab-init-security-context
+ - path: gitlab.toolbox.init.containerSecurityContext
+ value: *gitlab-init-security-context
+ - path: gitlab.sidekiq.init.containerSecurityContext
+ value: *gitlab-init-security-context
+ ## gitlab-migrations failed to init as root
+ # - path: gitlab.migrations.init.containerSecurityContext
+ # value: *gitlab-init-security-context
+ ## gitlab-shell crashed on startup as root
+ # - path: gitlab.gitlab-shell.init.containerSecurityContext
+ # value: *gitlab-init-security-context
+ - path: gitlab.gitlab-pages.init.containerSecurityContext
+ value: *gitlab-init-security-context
+ - path: gitlab.gitlab-exporter.init.containerSecurityContext
+ value: *gitlab-init-security-context
+ - path: gitlab.gitaly.init.containerSecurityContext
+ value: *gitlab-init-security-context
+
 variables:
 - name: MIGRATIONS_RESOURCES
 description: "Gitlab Migrations Resources"
diff --git a/packages/additional-manifests/pepr-policy-exemptions/gitlab-exemptions.yaml b/packages/additional-manifests/pepr-policy-exemptions/gitlab-exemptions.yaml
new file mode 100644
index 00000000..b2fca575
--- /dev/null
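Review bot: `privileged: true` in the new `gitlab-init-security-context` anchor grants far more than the change's stated need; the exemption added in the same commit justifies only the certificates init container writing CA bundles under `/usr/share/pki` and `/etc/pki`, which `runAsUser: 0` plus `readOnlyRootFilesystem: false` already provides, while privileged mode additionally hands the container every capability, host device access and, on most runtimes, no seccomp/AppArmor confinement. I would drop that line and keep the anchor to `readOnlyRootFilesystem: false` and `runAsUser: 0`, adding a specific `capabilities.add` entry only if the chart's init script is shown to require one. The anchor lives as a top-level `x-gitlab-init-security-context` key of the bundle; if the UDS bundle schema rejects unknown top-level keys this will fail validation, so a comment such as `# YAML anchor only, not a bundle field; aliased as *gitlab-init-security-context in the gitlab package overrides` would help the next reader, and it must stay in the same YAML document as its aliases.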
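Review bot: The overrides are set at `gitlab.<component>.init.containerSecurityContext`, which is a per-workload key; if, as the name suggests, the chart applies it to every init container of that workload, then all init containers of webservice, toolbox, sidekiq, gitlab-pages, gitlab-exporter and gitaly run as root and privileged, not only the certificates container the exemption describes — worth confirming against the chart, and preferring a per-container field for the certificates init if one exists. The two commented-out entries for migrations and gitlab-shell record symptoms ("failed to init as root", "crashed on startup") rather than a decision, so I would state the outcome explicitly, e.g. `# migrations and gitlab-shell keep the chart default context: their init scripts fail as root, so custom CAs are not injected there`, and confirm whether those components still trust the custom CA. The `gitlab` package definition starts and continues outside this hunk.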
+++ b/packages/additional-manifests/pepr-policy-exemptions/gitlab-exemptions.yaml
@@ -0,0 +1,19 @@
+apiVersion: uds.dev/v1alpha1
+kind: Exemption
+metadata:
+ name: gitlab-certificates
+ namespace: uds-policy-exemptions
+spec:
+ exemptions:
+ - policies:
+ - DisallowPrivileged
+ - RequireNonRootUser
+ matcher:
+ namespace: gitlab
+ name: ".*"
+ title: "gitlab exemptions"
+ description: "Gitlab's certificates container needs write access to the following paths in order to load custom CA certificates:
+ - `/usr/share/pki/ca-trust-source/anchors/`
+ - `/etc/pki/ca-trust/extracted/openssl/`
+ - `/etc/pki/ca-trust/extracted/java/`
+ - `/etc/pki/ca-trust/extracted/edk2/`"
diff --git a/packages/additional-manifests/pepr-policy-exemptions/tmp-csi-exemption/zarf.yaml b/packages/additional-manifests/pepr-policy-exemptions/tmp-csi-exemption/zarf.yaml
deleted file mode 100644
index 79d648b8..00000000
--- a/packages/additional-manifests/pepr-policy-exemptions/tmp-csi-exemption/zarf.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-# yaml-language-server: $schema=https://raw.githubusercontent.com/defenseunicorns/zarf/main/zarf.schema.json
-
-# TODO -- see README above for details on when to remove
-kind: ZarfPackageConfig
-metadata:
- name: additional-manifests-2
- description: "Installs additional needed manifests"
- architecture: "amd64"
- version: "0.0.2"
-
-components:
- - name: pepr-policy-exemptions
- required: true
- manifests:
- - name: pepr-policy-exemptions
- files:
- - ../nutanix-csi-exemptions.yaml
diff --git a/packages/additional-manifests/zarf.yaml b/packages/additional-manifests/zarf.yaml
index 04b40b71..c1a2f081 100644
--- a/packages/additional-manifests/zarf.yaml
+++ b/packages/additional-manifests/zarf.yaml
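Review bot: The matcher `namespace: gitlab` with `name: ".*"` exempts every pod in the namespace from `DisallowPrivileged` and `RequireNonRootUser`, although the resource is named `gitlab-certificates` and its description justifies only the certificates init container's writes to the CA trust-store paths; any other workload that lands in that namespace, including a compromised or mistakenly deployed one, would inherit the exemption. I would narrow `name` to the workloads that actually receive the override in the bundle (webservice, toolbox, sidekiq, gitlab-pages, gitlab-exporter, gitaly), for instance `name: "^gitlab-(webservice|toolbox|sidekiq|gitlab-pages|gitlab-exporter|gitaly).*"`, after checking the exact pod-name prefixes the chart produces and that the matcher is a regex as the `".*"` value implies. The `description` is written as a multi-line double-quoted scalar, which folds the line breaks and trims the indentation; a `>-` or `|-` block scalar would keep the path list readable and avoid quoting surprises.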
@@ -30,9 +30,9 @@ components:
 manifests:
 - name: pepr-policy-exemptions
 files:
- # TODO -- see README for details
- # - pepr-policy-exemptions/nutanix-csi-exemptions.yaml
+ - pepr-policy-exemptions/nutanix-csi-exemptions.yaml
 - pepr-policy-exemptions/metallb-exemptions.yaml
+ - pepr-policy-exemptions/gitlab-exemptions.yaml
 - name: mattermost-ca-secret
 required: true
 manifests:
diff --git a/tasks.yaml b/tasks.yaml
index 53f071dc..ec94f547 100644
--- a/tasks.yaml
+++ b/tasks.yaml
@@ -14,7 +14,6 @@ tasks:
 - task: create:namespaces-package
 - task: create:object-store-packages
 - task: create:additional-manifests-package
- - task: create:additional-manifests-package-2
 - task: create:init-package
 - task: create:bundle
diff --git a/tasks/create.yaml b/tasks/create.yaml
index 7e474d1b..6fc40b56 100644
--- a/tasks/create.yaml
+++ b/tasks/create.yaml
@@ -50,12 +50,6 @@ tasks:
 description: Create package create additional manifests needed.
 actions:
 - cmd: ./uds zarf package create ./packages/additional-manifests --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
-
- # TODO - remove when multiple exemptions can be applied at once
- - name: additional-manifests-package-2
- description: Create package create additional manifests needed.
- actions:
- - cmd: ./uds zarf package create ./packages/additional-manifests/pepr-policy-exemptions/tmp-csi-exemption --confirm --no-progress --architecture=${ARCH} --skip-sbom --output ./build
 - name: init-package
 description: Create init package with Nutanix CSI driver.
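Review bot: The `files:` list now ships `nutanix-csi-exemptions.yaml`, `metallb-exemptions.yaml` and `gitlab-exemptions.yaml` from one package but drops the `# TODO -- see README for details` pointer without recording why the original blocker is gone; the task removed from `tasks/create.yaml` in the same commit says the split package existed only until multiple exemptions could be applied at once. A one-line comment above the list, such as `# Several Exemption CRs may now be applied from one package; nutanix-csi, metallb and gitlab exemptions ship together`, would stop the next reader from re-splitting them, and if the README still describes the workaround it should be updated in the same change. The enclosing component definition starts outside this hunk.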