diff --git a/chart/templates/clusterrole.yaml b/chart/templates/clusterrole.yaml
index 58d8b6f..b1619da 100644
--- a/chart/templates/clusterrole.yaml
+++ b/chart/templates/clusterrole.yaml
@@ -1,7 +1,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ .Values.runnerNamespace }}
+  name: {{ .Values.sandboxNamespace }}
 rules:
   - apiGroups: [""]
     resources: ["configmaps", "pods", "pods/attach", "secrets", "services"]
diff --git a/chart/templates/namespace.yaml b/chart/templates/namespace.yaml
index 7ea7184..220d410 100644
--- a/chart/templates/namespace.yaml
+++ b/chart/templates/namespace.yaml
@@ -1,6 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Values.runnerNamespace }}
-  labels:
-    istio-injection: enabled
+  name: {{ .Values.sandboxNamespace }}
diff --git a/chart/templates/rolebinding.yaml b/chart/templates/rolebinding.yaml
index ecc1a34..54dac25 100644
--- a/chart/templates/rolebinding.yaml
+++ b/chart/templates/rolebinding.yaml
@@ -1,13 +1,13 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ .Values.runnerNamespace }}
-  namespace: {{ .Values.runnerNamespace }}
+  name: {{ .Values.sandboxNamespace }}
+  namespace: {{ .Values.sandboxNamespace }}
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: {{ .Values.serviceAccountName }}
     namespace: gitlab-runner
 roleRef:
   apiGroup: ""
   kind: ClusterRole
-  name: {{ .Values.runnerNamespace }}
+  name: {{ .Values.sandboxNamespace }}
diff --git a/chart/templates/uds-package-sandbox.yaml b/chart/templates/uds-package-sandbox.yaml
new file mode 100644
index 0000000..ede2986
--- /dev/null
+++ b/chart/templates/uds-package-sandbox.yaml
@@ -0,0 +1,37 @@
+apiVersion: uds.dev/v1alpha1
+kind: Package
+metadata:
+  name: gitlab-runner-sandbox
+  namespace: {{ .Values.sandboxNamespace }}
+spec:
+  network:
+    allow:
+      - direction: Egress
+        selector:
+          uds/network-access-gitlab: "true"
+        remoteNamespace: gitlab
+        remoteSelector:
+          app: webservice
+        port: 8181
+
+      - direction: Ingress
+        selector:
+          uds/network-access-gitlab: "true"
+        remoteNamespace: gitlab-runner
+        remoteSelector:
+          app: gitlab-runner
+
+      {{- range .Values.customSandbox }}
+      - direction: {{ .direction }}
+        selector:
+          {{ .selector | toYaml | nindent 10 }}
+        {{- if not .remoteGenerated }}
+        remoteNamespace: {{ .remoteNamespace }}
+        remoteSelector:
+          {{ .remoteSelector | toYaml | nindent 10 }}
+        port: {{ .port }}
+        {{- else }}
+        remoteGenerated: {{ .remoteGenerated }}
+        {{- end }}
+        description: {{ .description }}
+      {{- end }}
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
index fcbcb5d..5e2ed73 100644
--- a/chart/templates/uds-package.yaml
+++ b/chart/templates/uds-package.yaml
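Review bot: The `customSandbox` range at the end of the hunk renders `port: {{ .port }}` and `description: {{ .description }}` as bare scalars, so a custom rule that omits `port` leaves a null `port:` key in the rendered Package (pruned or rejected depending on the CRD schema) and a description containing `: ` or ` #` breaks the YAML. Emit the port only when it is set, `{{- with .port }}` / `port: {{ . }}` / `{{- end }}` in place of `port: {{ .port }}`, and write `description: {{ .description | quote }}`. Since these entries are the only way to widen the job-pod isolation this file sets up (the values example uses `remoteGenerated: Anywhere`), a comment above the range such as `# Each custom rule widens what sandboxed CI job pods may reach; prefer a specific remoteNamespace/remoteSelector/port` would help operators. The same template fragment appears in uds-package.yaml and needs the same treatment.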
@@ -4,28 +4,47 @@ metadata:
   name: gitlab-runner
   namespace: {{ .Release.Namespace }}
 spec:
+  monitor:
+    - selector:
+        app: gitlab-runner
+      targetPort: 9252
+      portName: metrics
+      description: Metrics
+
   network:
     allow:
       - direction: Egress
-        podLabels:
+        selector:
           app: gitlab-runner
         remoteNamespace: gitlab
-        remotePodLabels:
+        remoteSelector:
           app: webservice
         port: 8181
 
-      - direction: Ingress
-        remoteGenerated: IntraNamespace
-
-      - direction: Egress
-        remoteGenerated: IntraNamespace
-
       - direction: Egress
         podLabels:
           app: gitlab-runner
-        remoteNamespace: {{ .Values.runnerNamespace }}
+        remoteGenerated: KubeAPI
 
       - direction: Egress
-        podLabels:
+        selector:
           app: gitlab-runner
-        remoteGenerated: KubeAPI
+        remoteNamespace: {{ .Values.sandboxNamespace }}
+        remoteSelector:
+          uds/network-access-gitlab: "true"
+
+      # Custom rules for unanticipated scenarios
+      {{- range .Values.custom }}
+      - direction: {{ .direction }}
+        selector:
+          {{ .selector | toYaml | nindent 10 }}
+        {{- if not .remoteGenerated }}
+        remoteNamespace: {{ .remoteNamespace }}
+        remoteSelector:
+          {{ .remoteSelector | toYaml | nindent 10 }}
+        port: {{ .port }}
+        {{- else }}
+        remoteGenerated: {{ .remoteGenerated }}
+        {{- end }}
+        description: {{ .description }}
+      {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 3ff29af..629027c 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1 +1,10 @@
-runnerNamespace: "gitlab-runner-sandbox"
+sandboxNamespace: "gitlab-runner-sandbox"
+serviceAccountName: "gitlab-runner"
+custom: []
+  # - direction: Egress
+  #   remoteGenerated: Anywhere
+  #   description: "Egress from to external GitLab"
+customSandbox: []
+  # - direction: Egress
+  #   remoteGenerated: Anywhere
+  #   description: "Egress from to external GitLab"
diff --git a/tasks.yaml b/tasks.yaml
index 75dcbb2..3ad7bfc 100644
--- a/tasks.yaml
+++ b/tasks.yaml
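Review bot: The KubeAPI rule in the middle of the hunk keeps `podLabels:` under its `- direction: Egress`, while every other rule in this hunk is migrated to `selector:`/`remoteSelector:`. If the uds.dev/v1alpha1 schema no longer knows `podLabels`, the Package is either rejected or, where unknown fields are pruned, that rule applies to every pod in the release namespace instead of only `app: gitlab-runner`, a silent widening of API-server egress. Change the line to `selector:` so the rule reads `- direction: Egress` / `selector:` / `app: gitlab-runner` / `remoteGenerated: KubeAPI`.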
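Review bot: The commented examples under `custom:` and `customSandbox:` both show `remoteGenerated: Anywhere` with the description `"Egress from to external GitLab"`, which reads as a typo, and for the sandbox list that example is exactly the rule that removes all egress isolation from CI job pods. Fix the wording and add a warning above `customSandbox:` such as `# Rules here apply to CI job pods in the sandbox namespace; prefer specific remoteNamespace/remoteSelector/port over remoteGenerated: Anywhere`. Because `serviceAccountName` is consumed by the RoleBinding subject, a note that it must match `rbac.generatedServiceAccountName` in the runner values would also save a misconfiguration that silently binds the ClusterRole to a non-existent account.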
@@ -1,11 +1,11 @@
 includes:
   - dependencies: ./tasks/dependencies.yaml
   - test: ./tasks/test.yaml
-  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/create.yaml
-  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/lint.yaml
-  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/pull.yaml
-  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/deploy.yaml
-  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/setup.yaml
+  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/create.yaml
+  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/lint.yaml
+  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/pull.yaml
+  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/deploy.yaml
+  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/setup.yaml
 
 tasks:
   - name: default
diff --git a/tasks/publish.yaml b/tasks/publish.yaml
index 0ac0b92..56ae5e5 100644
--- a/tasks/publish.yaml
+++ b/tasks/publish.yaml
@@ -1,6 +1,6 @@
 includes:
-  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/create.yaml
-  - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/publish.yaml
+  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/create.yaml
+  - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/publish.yaml
 
 tasks:
   - name: package
diff --git a/values/common-values.yaml b/values/common-values.yaml
index 358db5c..dbbb28a 100644
--- a/values/common-values.yaml
+++ b/values/common-values.yaml
@@ -1,7 +1,14 @@
 unregisterRunners: true
 
+
+# Create a non-default service account with the name gitlab-runner with minimal permissions
 rbac:
-  create: false
+  create: true
+  generatedServiceAccountName: gitlab-runner
+  rules:
+    - apiGroups: [""]
+      resources: [""]
+      verbs: [""]
 
 runners:
   secret: gitlab-gitlab-runner-secret
@@ -25,6 +32,7 @@ runners:
         "pipeline_id" = "${CI_PIPELINE_ID}"
         "uds/user" = "${UDS_RUN_AS_USER}"
         "uds/group" = "${UDS_RUN_AS_GROUP}"
+        "uds/network-access-gitlab" = "true"
       [runners.kubernetes.helper_container_security_context]
         run_as_non_root = true
         run_as_user = 1001
@@ -43,6 +51,11 @@ securityContext:
   capabilities:
     drop: ["ALL"]
 
+service:
+  enabled: true
+metrics:
+  enabled: true
+
 
 resources:
   limits:
diff --git a/values/config-values.yaml b/values/config-values.yaml
index efe9c2d..e0d7264 100644
--- a/values/config-values.yaml
+++ b/values/config-values.yaml
@@ -1 +1,2 @@
-runnerNamespace: "###ZARF_VAR_JOB_RUNNER_NAMESPACE###"
+sandboxNamespace: "###ZARF_VAR_JOB_RUNNER_NAMESPACE###"
+serviceAccountName: "gitlab-runner"
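Review bot: The new `rbac.rules` entry `- apiGroups: [""]` / `resources: [""]` / `verbs: [""]` effectively grants nothing, since an empty-string resource and verb match no API request, which looks intentional as a placeholder that makes the chart create the `gitlab-runner` service account without whatever default rule set it would otherwise emit, but nothing in the file says so and the comment above `rbac:` promises "minimal permissions" without saying where the runner's real permissions come from. Add a comment on the `rules:` line such as `# Deliberately empty rule: grants nothing in the runner namespace; the runner's permissions in the job sandbox namespace come from the chart's ClusterRole/RoleBinding` so the next maintainer does not "fix" it into a broad default. Also note next to `generatedServiceAccountName` that it must match `serviceAccountName` in config-values.yaml, because the RoleBinding subject is built from that value and a mismatch leaves the runner with no sandbox permissions at all.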