Gitlab blueprint

blueprints/third-party-solutions/README.md

@@ -26,4 +26,10 @@ The blueprints in this folder show how to automate installation of specific thir
 
 <a href="./f5-bigip/" title="F5 BigIP"><img src="./phpipam/diagram.png" align="left" width="320px"></a> <p style="margin-left: 340px">These examples show how to deploy F5 BigIP-VE load balancers in GCP.</p>
 
+<br clear="left">
+
+### Gitlab
+
+<a href="./gitlab/" title="Gitlab"><img src="./gitlab/diagram.png" align="left" width="320px"></a> <p style="margin-left: 340px">This blueprint show how to deploy a Gitlab instance in GCP. The architecture is based on the reference described in the official documentation available at this [link](https://docs.gitlab.com/ee/administration/reference_architectures/1k_users.html) with managed services such as Cloud SQL, Memorystore and Cloud Storage.</p>
+
 <br clear="left">

blueprints/third-party-solutions/gitlab/assets/cloud-config.yaml

@@ -0,0 +1,118 @@
+#cloud-config
+
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# https://hub.docker.com/r/nginx/nginx/
+# https://nginx.io/manual/toc/#installation
+
+write_files:
+  - path: /var/lib/docker/daemon.json
+    permissions: '0644'
+    owner: root
+    content: |
+      {
+        "live-restore": true,
+        "storage-driver": "overlay2",
+        "log-driver": "gcplogs",
+        "log-opts": {
+          "gcp-meta-name": "gitlab-0",
+          "max-size": "1024m"
+        }
+      }
+  - path: /tmp/gitlab/config/gitlab.rb
+    permissions: '0600'
+    owner: root
+    content: |
+      ${gitlab_rb}
+  - path: /tmp/gitlab/ssl/${gitlab_cert_name}.key
+    permissions: '0600'
+    owner: root
+    content: |
+      ${gitlab_ssl_key}
+  - path: /tmp/gitlab/ssl/${gitlab_cert_name}.crt
+    permissions: '0600'
+    owner: root
+    content: |
+      ${gitlab_ssl_crt}
+  - path: /tmp/gitlab/sshd_config
+    permissions: '0644'
+    owner: root
+    content: |
+      ${gitlab_sshd_config}
+
+  - path: /etc/systemd/system/gitlab-data.service
+    permissions: '0644'
+    owner: root
+    content: |
+      [Unit]
+      Description=Gitlab data disk
+      ConditionPathExists=/dev/disk/by-id/google-data
+      Before=gitlab.service
+      [Service]
+      Type=oneshot
+      ExecStart=/bin/mkdir -p /run/gitlab
+      ExecStart=/bin/bash -c \
+        "/bin/lsblk -fn -o FSTYPE \
+          /dev/disk/by-id/google-data |grep ext4 \
+        || mkfs.ext4 -m 0 -F -E lazy_itable_init=0,lazy_journal_init=0,discard \
+          /dev/disk/by-id/google-data"
+      ExecStart=/bin/bash -c \
+        "mount |grep /run/gitlab \
+        || mount -t ext4 /dev/disk/by-id/google-data /run/gitlab"
+      ExecStart=/sbin/resize2fs /dev/disk/by-id/google-data
+      ExecStart=/bin/mkdir -p /run/gitlab/config
+      ExecStart=/bin/mkdir -p /run/gitlab/ssl
+      ExecStart=/bin/mv /tmp/gitlab/config/gitlab.rb /run/gitlab/config/gitlab.rb
+      ExecStart=/bin/mv /tmp/gitlab/sshd_config /run/gitlab/sshd_config
+      ExecStart=/bin/bash -c "base64 -d -i /tmp/gitlab/ssl/${gitlab_cert_name}.key > /run/gitlab/ssl/${gitlab_cert_name}.key"
+      ExecStart=/bin/bash -c "base64 -d -i /tmp/gitlab/ssl/${gitlab_cert_name}.crt > /run/gitlab/ssl/${gitlab_cert_name}.crt"
+      RemainAfterExit=true
+
+  # https://docs.gitlab.com/ee/install/docker.html#pre-configure-docker-container
+
+  - path: /etc/systemd/system/gitlab.service
+    permissions: '0644'
+    owner: root
+    content: |
+      [Unit]
+      Description=Start gitlab container
+      After=gitlab-data.service gcr-online.target docker.socket
+      Wants=gitlab-data.service gcr-online.target docker.socket docker-events-collector.service
+      [Service]
+      Environment="HOME=/home/gitlab"
+      ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
+      ExecStartPre=mkdir -p /run/gitlab
+      ExecStart=/usr/bin/docker run --rm --name=gitlab  \
+        --hostname ${gitlab_config.hostname} \
+        --shm-size 256m \
+        --env GITLAB_OMNIBUS_CONFIG="" \
+        --publish 443:443 \
+        --publish 80:80 \
+        --publish 2222:2222 \
+        -v /run/gitlab/config:/etc/gitlab \
+        -v /run/gitlab/ssl:/etc/gitlab/ssl \
+        -v /run/gitlab/logs:/var/log/gitlab \
+        -v /run/gitlab/data:/var/opt/gitlab \
+        -v /run/gitlab/sshd_config:/assets/sshd_config \
+        gitlab/gitlab-ce
+      ExecStop=/usr/bin/docker stop gitlab
+
+runcmd:
+  - systemctl start node-problem-detector
+  - iptables -I INPUT 1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+  - iptables -I INPUT 1 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+  - iptables -I INPUT 1 -p tcp -m tcp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
+  - systemctl daemon-reload
+  - systemctl start gitlab

blueprints/third-party-solutions/gitlab/assets/config.rb.tpl

@@ -0,0 +1,118 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# /etc/gitlab/gitlab.rb
+
+external_url "https://${hostname}"
+letsencrypt['enable'] = false
+nginx['redirect_http_to_https'] = true
+
+# https://docs.gitlab.com/omnibus/settings/redis.html
+gitlab_rails['redis_enable_client'] = false
+gitlab_rails['redis_host'] = '${redis.host}'
+gitlab_rails['redis_port'] = ${redis.port}
+# TODO: use auth
+# gitlab_rails['redis_password'] = nil
+redis['enable'] = false
+
+# https://docs.gitlab.com/omnibus/settings/database.html#using-a-non-packaged-postgresql-database-management-server
+postgresql['enable'] = false
+gitlab_rails['db_adapter'] = 'postgresql'
+gitlab_rails['db_encoding'] = 'utf8'
+gitlab_rails['db_host'] = '${cloudsql.host}'
+gitlab_rails['db_port'] = 5432
+gitlab_rails['db_password'] = '${cloudsql.password}'
+
+# https://docs.gitlab.com/ee/administration/object_storage.html#google-cloud-storage-gcs
+# Consolidated object storage configuration
+gitlab_rails['object_store']['enabled'] = true
+gitlab_rails['object_store']['proxy_download'] = true
+gitlab_rails['object_store']['connection'] = {
+  'provider'                   => 'Google',
+  'google_project'             => '${project_id}',
+  'google_application_default' => true
+}
+# full example using the consolidated form
+# https://docs.gitlab.com/ee/administration/object_storage.html#full-example-using-the-consolidated-form-and-amazon-s3
+gitlab_rails['object_store']['objects']['artifacts']['bucket'] = '${prefix}-gitlab-artifacts'
+gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = '${prefix}-gitlab-mr-diffs'
+gitlab_rails['object_store']['objects']['lfs']['bucket'] = '${prefix}-gitlab-lfs'
+gitlab_rails['object_store']['objects']['uploads']['bucket'] = '${prefix}-gitlab-uploads'
+gitlab_rails['object_store']['objects']['packages']['bucket'] = '${prefix}-gitlab-packages'
+gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = '${prefix}-gitlab-dependency-proxy'
+gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = '${prefix}-gitlab-terraform-state'
+gitlab_rails['object_store']['objects']['pages']['bucket'] = '${prefix}-gitlab-pages'
+
+# SAML configuration
+# https://docs.gitlab.com/ee/integration/saml.html
+%{ if saml != null }
+gitlab_rails['omniauth_enabled'] = true
+gitlab_rails['omniauth_external_providers'] = ['saml']
+# create new user in case of sign in with SAML provider
+gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
+# do not force approval from admins for newly created users
+gitlab_rails['omniauth_block_auto_created_users'] = false
+# automatically link a first-time SAML sign-in with existing GitLab users if their email addresses match
+gitlab_rails['omniauth_auto_link_saml_user'] = true
+# Force user redirection to SAML
+# To bypass the auto sign-in setting, append ?auto_sign_in=false in the sign in URL, for example: https://gitlab.example.com/users/sign_in?auto_sign_in=false.
+%{ if saml.forced }
+gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
+%{ endif }
+# SHA1 Fingerprint
+gitlab_rails['omniauth_providers'] = [
+  {
+    name: "saml",
+    label: "SAML",
+    args: {
+      assertion_consumer_service_url: "https://${hostname}/users/auth/saml/callback",
+      idp_cert_fingerprint: '${saml.idp_cert_fingerprint}',
+      idp_sso_target_url: '${saml.sso_target_url}',
+      issuer: "https://${hostname}",
+      name_identifier_format: "${saml.name_identifier_format}"
+    }
+  }
+]
+%{ endif }
+
+
+# mail configuration
+%{ if mail.sendgrid != null }
+gitlab_rails['smtp_enable'] = true
+gitlab_rails['smtp_address'] = "smtp.sendgrid.net"
+gitlab_rails['smtp_port'] = 587
+gitlab_rails['smtp_user_name'] = "apikey"
+gitlab_rails['smtp_password'] = "${mail.sendgrid.api_key}"
+gitlab_rails['smtp_domain'] = "smtp.sendgrid.net"
+gitlab_rails['smtp_authentication'] = "plain"
+gitlab_rails['smtp_enable_starttls_auto'] = true
+gitlab_rails['smtp_tls'] = false
+# If use Single Sender Verification You must configure from. If not fail
+# 550 The from address does not match a verified Sender Identity. Mail cannot be sent until this error is resolved.
+# Visit https://sendgrid.com/docs/for-developers/sending-email/sender-identity/ to see the Sender Identity requirements
+%{ if try(mail.sendgrid.email_from != null, false) }
+gitlab_rails['gitlab_email_from'] = '${mail.sendgrid.email_from}'
+%{ endif }
+%{ if try(mail.sendgrid.email_reply_to != null, false) }
+gitlab_rails['email_reply_to'] = '${mail.sendgrid.email_reply_to}'
+%{ endif }
+%{ endif }
+
+
+gitlab_rails['gitlab_shell_ssh_port'] = 2222
+# gitlab_sshd['enable'] = true
+# gitlab_sshd['listen_address'] = '[::]:2222'
+
+# https://docs.gitlab.com/omnibus/installation/index.html#set-up-the-initial-password
+# gitlab_rails['initial_root_password'] = '<my_strong_password>'

blueprints/third-party-solutions/gitlab/assets/sshd_config

@@ -0,0 +1,27 @@
+Port 2222
+ChallengeResponseAuthentication no
+HostKey /etc/gitlab/ssh_host_rsa_key
+HostKey /etc/gitlab/ssh_host_ecdsa_key
+HostKey /etc/gitlab/ssh_host_ed25519_key
+Protocol 2
+PermitRootLogin no
+PasswordAuthentication no
+MaxStartups 100:30:200
+AllowUsers git
+PrintMotd no
+PrintLastLog no
+PubkeyAuthentication yes
+AuthorizedKeysFile %h/.ssh/authorized_keys /gitlab-data/ssh/authorized_keys
+AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
+AuthorizedKeysCommandUser git
+
+# With "UsePAM yes" the "!" is seen as a password disabled account and not fully locked so ssh public key login works
+# Please make sure that the account is created without passwordlogin ("*" in /etc/shadow) or configure pam.
+# Issue #5891 https://gitlab.com/gitlab-org/omnibus-gitlab
+UsePAM no
+
+# Disabling use DNS in ssh since it tends to slow connecting
+UseDNS no
+
+# Enable the use of Git protocol v2
+AcceptEnv GIT_PROTOCOL