defenseunicorns · zachariahmiller · May 16, 2024 · May 11, 2024 · May 13, 2024 · May 13, 2024
diff --git a/chart/templates/clusterrole.yaml b/chart/templates/clusterrole.yaml
@@ -1,7 +1,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ .Values.runnerNamespace }}
+  name: {{ .Values.sandboxNamespace }}
 rules:
   - apiGroups: [""]
     resources: ["configmaps", "pods", "pods/attach", "secrets", "services"]

diff --git a/chart/templates/namespace.yaml b/chart/templates/namespace.yaml
@@ -1,6 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Values.runnerNamespace }}
-  labels:
-    istio-injection: enabled
+  name: {{ .Values.sandboxNamespace }}
diff --git a/chart/templates/rolebinding.yaml b/chart/templates/rolebinding.yaml
@@ -1,13 +1,13 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ .Values.runnerNamespace }}
-  namespace: {{ .Values.runnerNamespace }}
+  name: {{ .Values.sandboxNamespace }}
+  namespace: {{ .Values.sandboxNamespace }}
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: {{ .Values.serviceAccountName }}
     namespace: gitlab-runner
 roleRef:
   apiGroup: ""
   kind: ClusterRole
-  name: {{ .Values.runnerNamespace }}
+  name: {{ .Values.sandboxNamespace }}
diff --git a/chart/templates/uds-package-sandbox.yaml b/chart/templates/uds-package-sandbox.yaml
@@ -0,0 +1,40 @@
+apiVersion: uds.dev/v1alpha1
+kind: Package
+metadata:
+  name: gitlab-runner-sandbox
+  namespace: {{ .Values.sandboxNamespace }}
+spec:
+  network:
+    allow:
+      - direction: Egress
+        selector:
+          uds/network-access-gitlab: "true"
+        remoteNamespace: gitlab
+        remoteSelector:
+          app: webservice
+        port: 8181
+
+      - direction: Ingress
+        selector: 
+          uds/network-access-gitlab: "true"
+        remoteNamespace: gitlab-runner
+        remoteSelector:
+          app: gitlab-runner
+
+      - direction: Egress
+        remoteGenerated: KubeAPI
+
+    {{- range .Values.customSandbox }}
+      - direction: {{ .direction }}
+        selector:
+          {{ .selector | toYaml | nindent 10 }}
+        {{- if not .remoteGenerated }}
+        remoteNamespace: {{ .remoteNamespace }}
+        remoteSelector:
+          {{ .remoteSelector | toYaml | nindent 10 }}
+        port: {{ .port }}
+        {{- else }}
+        remoteGenerated: {{ .remoteGenerated }}
+        {{- end }}
+        description: {{ .description }}
+    {{- end }}
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
@@ -4,28 +4,47 @@ metadata:
   name: gitlab-runner
   namespace: {{ .Release.Namespace }}
 spec:
+  monitor:
+    - selector:
+        app: gitlab-runner 
+      targetPort: 9252
+      portName: metrics
+      description: Metrics
+
   network:
     allow:
       - direction: Egress
-        podLabels:
+        selector:
           app: gitlab-runner
         remoteNamespace: gitlab
-        remotePodLabels:
+        remoteSelector:
           app: webservice
         port: 8181
 
-      - direction: Ingress
-        remoteGenerated: IntraNamespace
-
-      - direction: Egress
-        remoteGenerated: IntraNamespace
-
       - direction: Egress
         podLabels:
           app: gitlab-runner
-        remoteNamespace: {{ .Values.runnerNamespace }}
+        remoteGenerated: KubeAPI
 
       - direction: Egress
-        podLabels:
+        selector:
           app: gitlab-runner
-        remoteGenerated: KubeAPI
+        remoteNamespace: {{ .Values.sandboxNamespace }}
+        remoteSelector:
+          uds/network-access-gitlab: "true"
+
+      # Custom rules for unanticipated scenarios
+    {{- range .Values.custom }}
+      - direction: {{ .direction }}
+        selector:
+          {{ .selector | toYaml | nindent 10 }}
+        {{- if not .remoteGenerated }}
+        remoteNamespace: {{ .remoteNamespace }}
+        remoteSelector:
+          {{ .remoteSelector | toYaml | nindent 10 }}
+        port: {{ .port }}
+        {{- else }}
+        remoteGenerated: {{ .remoteGenerated }}
+        {{- end }}
+        description: {{ .description }}
+    {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -1 +1,10 @@
-runnerNamespace: "gitlab-runner-sandbox"
+sandboxNamespace: "gitlab-runner-sandbox"
+serviceAccountName: "gitlab-runner"
+custom: []
+  # - direction: Egress
+  #   remoteGenerated: Anywhere
+  #   description: "Egress from to external GitLab"
+customSandbox: []
+  # - direction: Egress
+  #   remoteGenerated: Anywhere
+  #   description: "Egress from to external GitLab"
@@ -1,11 +1,11 @@
 includes:
   - dependencies: ./tasks/dependencies.yaml
   - test: ./tasks/test.yaml
-  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/create.yaml
-  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/lint.yaml
-  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/pull.yaml
-  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/deploy.yaml
-  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/setup.yaml
+  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/create.yaml
+  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/lint.yaml
+  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/pull.yaml
+  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/deploy.yaml
+  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/setup.yaml
 
 tasks:
   - name: default

diff --git a/tasks/publish.yaml b/tasks/publish.yaml
@@ -1,6 +1,6 @@
 includes:
-  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/create.yaml
-  - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/publish.yaml
+  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/create.yaml
+  - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/publish.yaml
 
 tasks:
   - name: package

diff --git a/values/common-values.yaml b/values/common-values.yaml
@@ -1,7 +1,18 @@
 unregisterRunners: true
 
+
+# Create a non-default service account with the name gitlab-runner with minimal permissions
 rbac:
-  create: false
+  create: true
+  generatedServiceAccountName: gitlab-runner
+  rules:
+    - resources: [""]
+    - apiGroups: [""]
+      resources: [""]
+      verbs: ["*"]
+    - apiGroups: [""]
+      resources: [""]
+      verbs: [""]
 
 runners:
   secret: gitlab-gitlab-runner-secret
@@ -25,6 +36,7 @@ runners:
         "pipeline_id" = "${CI_PIPELINE_ID}"
         "uds/user" = "${UDS_RUN_AS_USER}"
         "uds/group" = "${UDS_RUN_AS_GROUP}"
+        "uds/network-access-gitlab" = "true"
       [runners.kubernetes.helper_container_security_context]
         run_as_non_root = true
         run_as_user = 1001
@@ -43,6 +55,11 @@ securityContext:
   capabilities:
     drop: ["ALL"]
 
+service:
+  enabled: true
+metrics:
+  enabled: true
+
 
 resources:
   limits:

diff --git a/values/config-values.yaml b/values/config-values.yaml
@@ -1 +1,2 @@
-runnerNamespace: "###ZARF_VAR_JOB_RUNNER_NAMESPACE###"
+sandboxNamespace: "###ZARF_VAR_JOB_RUNNER_NAMESPACE###"
+serviceAccountName: "gitlab-runner"