Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create AirGapped preview in Werft #13027

Closed
13 tasks
Tracked by #13026
mrsimonemms opened this issue Sep 16, 2022 · 1 comment
Closed
13 tasks
Tracked by #13026

Create AirGapped preview in Werft #13027

mrsimonemms opened this issue Sep 16, 2022 · 1 comment
Labels
meta: stale This issue/PR is stale and will be closed soon

Comments

@mrsimonemms
Copy link
Contributor

mrsimonemms commented Sep 16, 2022
edited
Loading

Build an automation in Werft that allows for creation of an airgapped Gitpod infrastructure. When deploying to this, the expectation is that the installer will upload all KOTS/Gitpod images to the container registry and pull from there.

There should be both a Werft command (eg, /werft run airgapped-preview) and a checkbox added to all PRs. This will also add an additional preview box under the PR

Requirements

  • Container registry
  • Database
  • Object storage
  • Kubernetes cluster
  • Cloud DNS zone
  • TLS cert configured via LetEncrypt
  • Firewall
    • deny outgoing network traffic to the public internet
    • allow connection to the registry, database, storage
    • No additional limitations on incoming network traffic when compared to the preview environment*
  • GitLab - either:

As a working example, the Azure instance in https://github.com/MrSimonEmms/gitpod-self-hosted-infrastructure. Feel free to use as an example of what I've been doing when testing in Azure.

* Why do we not limit incoming network traffic?

This is a pragmatic decision. Ultimately, the engineer will need to connect to the Gitpod instance hosted on the cluster at some point. If this were a truly airgapped instance, there would be the requirement to connect via a network/VPN. There is a cost in development, maintenance and documentation to this - ultimately, a new Gitpodder will find it tricky to connect to and it doesn't do much to remove developer friction.

Ultimately, the actual test is that the cluster is isolated from pulling things from the public internet. The incoming connection is no different whether it comes from the public internet or via a specific network.

As of 2022-09-16, there have been no documented cases where this approach has not met any of our customers' requirements for an airgapped installation. This pragmatic decision may be revisited in future
@mrsimonemms mrsimonemms mentioned this issue Sep 16, 2022
Closed
3 tasks
@mrsimonemms mrsimonemms changed the title AirGapped Create AirGapped preview in Werft Sep 16, 2022
@mrsimonemms mrsimonemms mentioned this issue Sep 16, 2022
Closed
8 tasks
@stale
Copy link

stale bot commented Dec 16, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the meta: stale This issue/PR is stale and will be closed soon label Dec 16, 2022
@stale stale bot closed this as completed Jun 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
meta: stale This issue/PR is stale and will be closed soon
Projects
No open projects
🚚 Security, Infrastructure, and Delivery Team (SID)
Archived in project
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mrsimonemms