Code ingress with git #611
Conversation
Review comments (outdated, resolved) on:
deployment/secure_research_environment/setup/Setup_SRE_WebApp_Servers.ps1
deployment/secure_research_environment/cloud_init/cloud-init-gitlab-external.template.yaml
…ngress, within cw20/Test A sandbox
Progress during call on 2020-04-23
Co-authored-by: jack89roberts <jack89roberts@users.noreply.github.com>
Co-authored-by: jemrobinson <jemrobinson@users.noreply.github.com>
Co-authored-by: nbarlowATI <nbarlowATI@users.noreply.github.com>
Co-authored-by: jemrobinson <jemrobinson@users.noreply.github.com>
Co-authored-by: nbarlowATI <nbarlowATI@users.noreply.github.com>
Co-authored-by: ots22 <ots22@users.noreply.github.com>
Adds a user on gitlab internal that can be used to ingress repos from gitlab external:
* Config and setup changed to add secrets for username, password and API token (stored in keyvault).
* gitlab-rails commands in cloud init to add the user and generate the token.
By default the username is "external" with email "external@<gitlab-domain-host>", e.g. external@cw20.dsgroupdev.co.uk. The email isn't valid/used, but the gitlab server will only accept new users from the given domain.
Needs testing. Also renames some parameters and secrets to make the distinction between external and internal clearer.
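The cloud-init step described above, as an added example that is not code from the data-safe-haven repository: a shell function renders the Ruby that `gitlab-rails runner` executes to create the ingress user and an API-scoped personal access token. The Rails calls follow the pattern in GitLab's own rails-console documentation for the GitLab versions of that time; the `INGRESS_PASSWORD` and `INGRESS_TOKEN_FILE` environment variables, the token name and the 0600 token file are assumptions, not the project's configuration. Two checks the page's caveats call for are built in: the e-mail must belong to the GitLab host's domain (the server rejects other sign-ups), and the username and e-mail are restricted to a safe character set so nothing shell-interpolated can break out of the Ruby string literals.

```bash
#!/usr/bin/env bash
# Added example (not from the data-safe-haven repo). Renders the script that
# `gitlab-rails runner` executes on the internal GitLab VM to create the ingress
# user and its API token. Env var names, token name and file path are assumptions.
set -eu

# Only characters that are safe inside a single-quoted Ruby literal; anything
# else (quotes, parentheses, whitespace) is refused rather than interpolated.
safe_ident() {
  case "$1" in
    ''|*[!A-Za-z0-9@._-]*) return 1 ;;
  esac
  return 0
}

# The GitLab server only accepts sign-ups from its own domain, so an e-mail
# whose domain part differs would make User#save! fail; check it up front.
email_in_domain() {
  local email="$1" domain="$2"
  [ "${email#*@}" = "$domain" ]
}

# render_ingress_user_script <username> <email> <gitlab-domain>
# Prints the Ruby for `gitlab-rails runner`. The password and the token output
# path are read from the environment inside Rails, so the rendered script (which
# lands on disk under /tmp or in cloud-init logs) never contains a secret.
render_ingress_user_script() {
  local username="$1" email="$2" domain="$3"
  safe_ident "$username" || { echo "refusing username: $username" >&2; return 1; }
  safe_ident "$email"    || { echo "refusing email: $email" >&2; return 1; }
  if ! email_in_domain "$email" "$domain"; then
    echo "refusing $email: not in domain $domain" >&2
    return 1
  fi
  cat <<EOF
user = User.find_by(username: '${username}')
if user.nil?
  user = User.new(username: '${username}', email: '${email}', name: 'Ingress',
                  password: ENV.fetch('INGRESS_PASSWORD'),
                  password_confirmation: ENV.fetch('INGRESS_PASSWORD'))
  user.skip_confirmation!   # the address is not a real mailbox
  user.save!
end
# A fresh API-scoped token each run; the plaintext is only readable right after
# create!, so it is written straight to a root-only file for upload to the key vault.
token = user.personal_access_tokens.create!(name: 'ingress', scopes: [:api])
File.write(ENV.fetch('INGRESS_TOKEN_FILE'), token.token, perm: 0o600)
EOF
}

# Intended use from a cloud-init runcmd (assumed layout):
#   render_ingress_user_script external external@cw20.dsgroupdev.co.uk cw20.dsgroupdev.co.uk \
#     > /tmp/create_ingress_user.rb
#   sudo INGRESS_PASSWORD="$pw" INGRESS_TOKEN_FILE=/root/ingress.token \
#     gitlab-rails runner /tmp/create_ingress_user.rb
```

Rendering the script and running it are deliberately separate steps: the rendered file can be inspected or logged, and the only secrets ever involved live in the environment of the `gitlab-rails` process and in the mode-0600 token file.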
…rnal Also add creation of "approved" and "unapproved" groups on gitlab external
For local gitlab testing on my laptop only - not a secret valid for anything in safe haven.
…load to GitlabExternal VM via blob storage
…ment.template.ps1 idempotent by removing CAP/RAP settings
- Add rules for outbound connections identity server
- Remove inbound RDP rule
- Add inbound rule for session host
$null = Get-AzNetworkSecurityRuleConfig -Name $Name -NetworkSecurityGroup $NetworkSecurityGroup -ErrorVariable notExists -ErrorAction SilentlyContinue | ||
$rule = Get-AzNetworkSecurityRuleConfig -Name $Name -NetworkSecurityGroup $NetworkSecurityGroup -ErrorVariable notExists -ErrorAction SilentlyContinue |
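Review bot: now that the lookup result is captured in `$rule`, the existence test should be `$null -eq $rule` rather than the `-ErrorVariable notExists` flag: with `-ErrorAction SilentlyContinue` that variable is also populated by errors that have nothing to do with a missing rule (a failed login or a transient module error), which would then be treated as "rule absent" and trigger a create. If nothing else reads `$notExists`, drop `-ErrorVariable notExists` from the call at the same time.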
Didn't we say we were going to put the refactor of this and related functions into it's own PR?
Yes, sorry, this commit probably shouldn't have ended up on this branch - I'll make a separate PR for this.
The absence of this rule was blocking RDP connections between the APP session host and the DSVM, since this NSG is applied to the DATA subnet. There is almost certainly something more fundamentally wrong, but this patch means that if this branch is deployed (e.g. in a test environment), it won't cause this issue.
Closing this PR as it is out-of-date and includes several changes that are already incorporated into master. I've migrated the most important changes to 264-code-ingress-gitlab and will make a PR from there once tested.
JR: This PR is out-of-date and includes several changes that are already incorporated into master. I've migrated the most important changes to 264-code-ingress-gitlab and will make a PR from there once tested.
The overall concept is shown in the diagram:
gitlab-ingress.pdf
Key:
An Admin (via a script) creates a snapshot of a single commit of the requested repo, and also creates a new repo on a GitLab instance (the "Reviewer" or "External" GitLab) that is only visible to Reviewers. Once two Reviewers approve, the snapshot is made available on the ("Internal") GitLab (the same as used by Users), under the user "Ingress."
The workflow is as follows:
Closes #257. Closes #264.
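The admin-side snapshot step in the concept above, as an added example that is not the project's ingress script: a shell function exports the tree of exactly one commit (no `.git` directory, no other history) into a directory and records the commit id in a manifest so that both reviewers and the later import onto the internal GitLab can verify what was approved. The function names and the manifest layout are assumptions. The security-relevant check is that only a full 40-hex commit id is accepted: a branch or tag name can be moved by whoever controls the source repository between the reviewers' approval and the actual ingress, whereas a commit id pins the content.

```bash
#!/usr/bin/env bash
# Added example (not the data-safe-haven code): snapshot one commit of a cloned
# repository for ingress review. Function names and manifest layout are assumptions.
set -eu

# Accept only a full 40-hex commit id; refs such as "master" or "v1.2" are
# mutable and would let the content change after approval.
is_full_sha() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# snapshot_commit <clone-dir> <commit-sha> <out-dir>
# Exports the tree of <commit-sha> into <out-dir> via `git archive`, which
# writes the tracked files only (no .git directory, no history, no submodule
# contents), then writes INGRESS_MANIFEST with the exact commit and origin.
snapshot_commit() {
  local repo="$1" sha="$2" out="$3"
  is_full_sha "$sha" || { echo "not a full commit id: $sha" >&2; return 1; }
  # ^{commit} makes rev-parse fail for ids that exist but are not commits
  # (a blob or tree id) as well as for ids the clone does not have.
  git -C "$repo" rev-parse --verify --quiet "${sha}^{commit}" >/dev/null \
    || { echo "unknown commit: $sha" >&2; return 1; }
  mkdir -p "$out"
  git -C "$repo" archive --format=tar "$sha" | tar -x -C "$out"
  local source
  source="$(git -C "$repo" remote get-url origin 2>/dev/null || echo local)"
  printf 'commit=%s\nsource=%s\n' "$sha" "$source" > "$out/INGRESS_MANIFEST"
}

# Usage (assumed paths):
#   git clone https://example.org/group/repo.git /tmp/repo   # URL is illustrative
#   snapshot_commit /tmp/repo <40-hex-commit-id> /srv/ingress/repo-snapshot
# The out-dir is then pushed as a new repository to the reviewers' GitLab.
```

Because `git archive` writes from the object store rather than the working copy, the snapshot cannot pick up uncommitted edits or files the clone's checkout filters changed, and the manifest gives the approving reviewers a single value to compare against the request.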