Code ingress with git #611
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
deployment/secure_research_environment/setup/Setup_SRE_WebApp_Servers.ps1
Outdated
Show resolved
Hide resolved
deployment/secure_research_environment/setup/Setup_SRE_WebApp_Servers.ps1
Outdated
Show resolved
Hide resolved
deployment/secure_research_environment/cloud_init/cloud-init-gitlab-external.template.yaml
Outdated
Show resolved
Hide resolved
deployment/secure_research_environment/cloud_init/cloud-init-gitlab-external.template.yaml
Outdated
Show resolved
Hide resolved
…ngress, within cw20/Test A sandbox Progress during call on 2020-04-23 Co-authored-by: jack89roberts <jack89roberts@users.noreply.github.com> Co-authored-by: jemrobinson <jemrobinson@users.noreply.github.com> Co-authored-by: nbarlowATI <nbarlowATI@users.noreply.github.com>
Co-authored-by: jemrobinson <jemrobinson@users.noreply.github.com> Co-authored-by: nbarlowATI <nbarlowATI@users.noreply.github.com> Co-authored-by: ots22 <ots22@users.noreply.github.com>
Adds a user on gitlab internal that can be used to ingress repos from gitlab external: * Config and setup changed to add secrets for username, password and API token (stored in keyvault). * gitlab-rails commands in cloud init to add the user and generate the token. By default the username is "external" with email "external@<gitlab-domain-host>", e.g. external@cw20.dsgroupdev.co.uk. The email isn't valid/used but the gitlab server will only accept new users from the given domain.
Needs testing. Also renames some parameters and secrets to make the distinction between external and internal clearer.
…rnal Also add creation of "approved" and "unapproved" groups on gitlab external
For local gitlab testing on my laptop only - not a secret valid for anything in safe haven.
…load to GitlabExternal VM via blob storage
…ment.template.ps1 idempotent by removing CAP/RAP settings
- Add rules for outbound connections identity server - Remove inbound RDP rule - Add inbound rule for session host
| $null = Get-AzNetworkSecurityRuleConfig -Name $Name -NetworkSecurityGroup $NetworkSecurityGroup -ErrorVariable notExists -ErrorAction SilentlyContinue | ||
| $rule = Get-AzNetworkSecurityRuleConfig -Name $Name -NetworkSecurityGroup $NetworkSecurityGroup -ErrorVariable notExists -ErrorAction SilentlyContinue |
There was a problem hiding this comment.
Didn't we say we were going to put the refactor of this and related functions into it's own PR?
There was a problem hiding this comment.
Yes, sorry, this commit probably shouldn't have ended up on this branch - I'll make a separate PR for this.
The absence of this rule was blocking RDP connections between the APP session host and the DSVM, since this NSG is applied to the DATA subnet. There is almost certainly something more fundamentally wrong, but this patch means that if this branch is deployed (e.g. in a test environment), it won't cause this issue.
|
Closing this PR as it is out-of-date and includes several changes that are already incorporated into master. I've migrated the most important changes to 264-code-ingress-gitlab and will make a PR from there once tested. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
JR: This PR is out-of-date and includes several changes that are already incorporated into master. I've migrated the most important changes to 264-code-ingress-gitlab and will make a PR from there once tested.
The overall concept is shown in the diagram:
gitlab-ingress.pdf
Key:
An Admin (via a script) creates a snapshot of a single commit of the requested repo, and also creates a new repo on a GitLab instance (the "Reviewer" or "External" GitLab) that is only visible to Reviewers. Once two Reviewers approve, the snapshot is made available on the ("Internal") GitLab (the same as used by Users), under the user "Ingress."
The workflow is as follows:
Closes #257. Closes #264.