Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-simp_gitlab', '0.7.0'
Learn more about managing modules with a Puppetfile.
Table of Contents
- Description
- Setup
- Usage
- Reference
- Limitations
- Development
Description
This module provides profiles for integrating GitLab Omnibus with SIMP.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
It is designed to be used within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used as an independent module, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.
If you run into problems, please let us know by filing an issue at https://simp-project.atlassian.net/.
Setup
What simp_gitlab affects
This module is a profile that integrates GitLab with SIMP. It makes extensive use of the component module puppet/gitlab. It is important to note that puppet-gitlab configures the GitLab Omnibus's /etc/gitlab/gitlab.rb and runs gitlab-ctl reconfigure.
As a profile module, simp_gitlab has a few functions:
- Integrate SIMP and SIMP's global catalysts with GitLab Omnibus
  - Supported SIMP Options (global catalysts):
    - simp_options::trusted_nets
    - simp_options::firewall
    - simp_options::pki
    - simp_options::ldap::*
  - Intentionally unimplemented:
    - simp_options::selinux: The GitLab Omnibus installer appears to handle SELinux correctly
    - simp_options::tcpwrappers: Nothing in Omnibus is linked to TCP Wrappers
    - simp_options::auditing: Nothing in Omnibus needs special auditd logic
  - Deferred:
    - simp_options::syslog (not clear that we want to support this outside of ee)
  - SIMP integrations:
    - Open access for a local git SSH user
      - set up a SIMP pam::access::rule to permit GitLab's local git user
      - configures sshd such that the GitLab's local git user's SSH authorized keys file path is managed only by the GitLab Omnibus installer.
    - The postfix service that comes with GitLab Omnibus is disabled in favor of the SIMP postfix module.
- Ensure that GitLab Omnibus can be installed without internet access
  - This requires a local mirror of the GitLab repositories
- Simplify GitLab configuration for common scenarios
  - GitLab
  - GitLab + Omnibus version of NGINX
  - Let's Encrypt
  - Mattermost
  - GitLab CI runner
  - Intentionally unimplemented:
    - Prometheus
      - (Omnibus's integrated Prometheus app monitoring requires GitLab Omnibus to be installed within a docker container)
    - GitLab CI Runner (docker)
- Permit customization of GitLab Omnibus
- Satisfy as many compliance-relevant criteria as possible
Setup Requirements
Supported GitLab versions
This module was last tested with GitLab Community Edition 14.0.0. It may work for other GitLab versions. You can verify it works for a specific version by executing the acceptance tests with that version.
Isolated network requirements
If using this module from an isolated network, ensure that the module's package and repo management are disabled, and that the gitlab-ce or gitlab-ee package is already installed. Be sure that the $simp_gitlab::edition parameter is set to the correct edition.
Upgrade caveats
Upgrade to 0.7.0
simp_gitlab version 0.7.0 now defaults simp_gitlab::allow_fips to true, as the version of GitLab this module was tested with, 14.0.0, supports FIPS mode. This will allow you to install and configure GitLab on FIPS-enabled servers, but will not affect existing GitLab servers configured by earlier versions of this module.
Upgrade to 0.6.0
simp_gitlab version 0.6.0 introduced a new mechanism for setting the GitLab root user password upon initial installation of GitLab. As a side effect, by default, the password will be automatically set to the value of simp_gitlab::gitlab_root_password, unless the (empty) marker file /etc/gitlab/.root_password_set exists or the parameter simp_gitlab::set_gitlab_root_password is set to false. If during an upgrade of this module you forget to disable this automation, or just want to reset the GitLab root password, simply run /usr/local/sbin/change_gitlab_root_password <new_password> manually. You do not need to know the previous password to set the new password.
Upgrade to 0.3.0
Upgrading from simp_gitlab 0.2.0 to 0.3.0 requires you to copy the authorized key file from /etc/ssh/local_keys/git to /var/opt/gitlab/.ssh/authorized_keys. Alternately, you can re-add your deployment keys in the GitLab interface. See the CHANGELOG entries for version 0.3.0 for more details.
Beginning with simp_gitlab
The most basic GitLab usage within a SIMP-managed infrastructure, where all simp_options:: are present:
include 'simp_gitlab'
Usage
A basic GitLab setup using PKI
class { 'simp_gitlab':
  trusted_nets => [
    '10.0.0.0/8',
    '192.168.21.21',
    '192.168.21.22',
    '127.0.0.1/32',
  ],
  pki          => 'simp',
  firewall     => true,
}
Passing custom parameters to puppet-gitlab
Parameters for puppet/gitlab can be passed in directly using the (Hash) $simp_gitlab::gitlab_options parameter.
Warning: $simp_gitlab::gitlab_options parameters that conflict with the rest of simp_gitlab may lead to undefined behavior / broken systems.
Hint: Many of the data structures used by puppet/gitlab's parameters are documented at https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-config-template/gitlab.rb.template
# Name the local git user account `gitlab` (instead of the default `git`)
class { 'simp_gitlab':
  trusted_nets   => $simp_options::trusted_nets,
  pki            => 'simp',
  firewall       => true,
  gitlab_options => {
    'user' => {
      'username' => 'gitlab',
      'group'    => 'gitlab',
    }
  },
}
Configuring Nginx
simp_gitlab configures GitLab's internal Nginx server to look for additional .conf files under /etc/gitlab/nginx/conf.d/. If you need to configure the main Nginx server, use a file resource from your own profiles to establish a new .conf file there.
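Combining the gitlab_options override and the Nginx conf.d mechanism described above, here is an added example manifest (not from the module's own documentation) that wraps a hardened simp_gitlab declaration in a site profile. The profile class name, the network ranges, the LDAP host and base DN, the gitlab_rails time_zone key, and the conf.d file name and contents are assumed, illustrative values; keys in gitlab_options are deep-merged over the profile's generated settings and take precedence on conflict.

```puppet
# Added example: a hardened simp_gitlab declaration plus an override hash and
# an extra Nginx snippet. Addresses, DNs, keys and file contents are assumed.
class profile::gitlab_server {
  class { 'simp_gitlab':
    # Only these clients are allowed through the SIMP-managed firewall rules.
    trusted_nets             => ['10.0.0.0/8', '127.0.0.1/32'],
    # Explicitly reject a range even though it falls inside trusted_nets.
    denied_nets              => ['10.99.0.0/16'],
    # Let simp/pki place the host certs under /etc/pki/simp_apps/gitlab/x509.
    pki                      => 'simp',
    firewall                 => true,
    # TLS hardening for the Omnibus Nginx front end (TLSv1.1 was dropped in 0.6.0).
    ssl_protocols            => ['TLSv1.2'],
    # LDAP over TLS; the server cert must chain to the Omnibus trusted-certs/ store.
    # ldap_bind_dn / ldap_bind_pw fall back to the simp_options::ldap::* lookups.
    ldap                     => true,
    ldap_uri                 => ['ldaps://ldap.example.com'], # assumed host
    ldap_verify_certificates => true,
    ldap_base_dn             => 'dc=example,dc=com',           # assumed DN
    # Set the root password at install time rather than leaving it to the
    # first visitor of the web UI.
    set_gitlab_root_password => true,
    # Passed straight through to puppet/gitlab. These keys are deep-merged on
    # top of the settings simp_gitlab generates and win on conflict.
    gitlab_options           => {
      'gitlab_rails' => {
        'time_zone' => 'UTC', # assumed gitlab_rails['time_zone'] key
      },
    },
  }

  # simp_gitlab makes the Omnibus Nginx include *.conf from this directory.
  # server_tokens is valid in the http, server and location contexts, so it
  # is safe wherever the include lands. Ordered after the class so that the
  # directory already exists; this resource does not trigger a reload itself.
  file { '/etc/gitlab/nginx/conf.d/hardening.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "server_tokens off;\n",
    require => Class['simp_gitlab'],
  }
}
```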
Reference
See REFERENCE.md for API documentation.
Further Reference for munging GitLab Omnibus
- GitLab Omnibus
  - documentation: https://docs.gitlab.com/omnibus/README.html
  - architecture: https://docs.gitlab.com/omnibus/architecture/README.html
  - source: https://gitlab.com/gitlab-org/omnibus-gitlab
  - optional services:
    - Mattermost (chat): https://docs.gitlab.com/omnibus/gitlab-mattermost/README.html
    - Prometheus (monitoring): https://docs.gitlab.com/ce/administration/monitoring/prometheus/index.html
  - GitLab Docker images: https://docs.gitlab.com/omnibus/docker/README.html
- puppet/gitlab component module
- Security & compliance
GitLab LDAP integration reference
GitLab LDAP Setup has detailed information about configuring GitLab to authenticate users using LDAP. Within this section, there are two sub-sections especially of interest when debugging LDAP connection problems:
Limitations
SIMP PKI management does not support Let's Encrypt
simp_gitlab PKI management does not yet support the use of Let's Encrypt within GitLab. At this time, if you want to use Let's Encrypt, you will need to disable SIMP management of PKI by setting simp_gitlab::pki to false and then manage the certificates manually.
GitLab's LDAP TLS is configured to re-use Omnibus' trusted-certs/ instead of ca_file
simp_gitlab configures the GitLab Rails server LDAP TLS settings to use the Omnibus trusted_certs (built from /etc/gitlab/trusted-certs) instead of its own ca_file option.
The LDAP ca_file setting is known to cause problems elsewhere in GitLab SSL. There is a (currently undocumented) workaround to these issues: GitLab's LDAP TLS will re-use the GitLab Omnibus trusted-certificates/ directory, but only when the LDAP ca_file option has not been set.
The drawback to this solution is that GitLab's LDAP client must share the same TLS settings as GitLab's web server, which is something that we try to keep distinct, as there could be situations in which their configurations legitimately vary.
GitLab
Puppet runs can fail if GitLab Omnibus's internal services don't start in time
Note: These are limitations of upstream components
- The Exec that runs gitlab-ctl reconfigure may take a long time to start its internal services, particularly during the first run that installs GitLab. These services are internal to the GitLab Omnibus installation and are not registered with the host OS or the Puppet providers for service. It is possible for the services to take so long to start in the background that dependencies within puppet-gitlab will fail. In these cases, it should be sufficient to simply run Puppet again after the services finish starting (check their status with gitlab-ctl status).
- If the GitLab Omnibus package is already installed but the gitlab-runsvdir service is stopped, the service will not start and catalog compilation will fail.
Puppet runs can fail if gitlab-rails console load times out
Exec[set_gitlab_root_password] will fail if the gitlab-rails console does not come up within the time configured by simp_gitlab::rails_console_load_timeout. If this happens, set the GitLab root password by running /usr/local/sbin/change_gitlab_root_password <new_password> manually, and then run puppet again.
Nessus scans may incorrectly report CRIME vulnerability in GitLab
This is almost certainly a false positive: GitLab configures compression to 0 when HTTPS is enabled.
- See https://docs.gitlab.com/ce/security/crime_vulnerability.html for details.
Redis log warnings
Right now, redis logs these warnings (running in beaker/vagrant VMs):
# WARNING overcommit_memory is set to 0! Background save may fail under low
memory condition. To fix this issue add 'vm.overcommit_memory = 1' to
/etc/sysctl.conf and then reboot or run the command 'sysctl
vm.overcommit_memory=1' for this to take effect.
# WARNING you have Transparent Huge Pages (THP) support enabled in your kernel.
This will create latency and memory usage issues with Redis. To fix this issue
run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as
root, and add it to your /etc/rc.local in order to retain the setting after
a reboot. Redis must be restarted after THP is disabled.
Development
Please read our Contribution Guide.
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suites
Please refer to the SIMP Beaker Helpers documentation for more information.
Environment variable TEST_GITLAB_CE_VERSION
TEST_GITLAB_CE_VERSION is an environment variable that can be used to specify the version of gitlab-ce to use in the acceptance tests. When set, it must be either a version string for a specific gitlab-ce package version or 'latest' to indicate the latest available version. When unset, the latest version is tested.
TEST_GITLAB_CE_VERSION=13.11.5 bundle exec rake beaker:suites
Environment variable TRUSTED_NETS
TRUSTED_NETS is an environment variable that may contain a comma-delimited list of trusted networks to add to the gitlab SUT's firewall.
TRUSTED_NETS=192.168.11.0/24,10.0.2.2 bundle exec rake beaker:suites
Note: if the TRUSTED_NETS configuration is too broad, it may cause some acceptance tests (for denied clients) to fail.
Manually inspecting the SUT GitLab server with a web browser
Each nodeset in spec/acceptance/nodesets/ contains a commented-out forwarded_ports: section. If you want to use a web browser to manually inspect the SUT GitLab server during any of the tests, uncomment this section and add the NAT network router's IP address to the TRUSTED_NETS variable.
For example:
TRUSTED_NETS=10.0.2.2 BEAKER_destroy=no bundle exec rake beaker:suites
Then, in a browser on the host machine, navigate to https://127.0.0.1:<port>, where <port> is the forwarded port for the test being executed, i.e., 8080, 8443, or 8777.
Note: If you need to log in to the GitLab instance as the administrator, use the login root and the password found on the GitLab server host at /opt/puppetlabs/puppet/cache/simp/environments/production/simp_autofiles/gen_passwd/simp_gitlab_server.<your domain>.
Interactive debugging using pry
Setting the environment variable PRY=yes will cause the acceptance tests to drop into a pry console under certain circumstances (usually just before failures in examples with complex or hard-to-debug state). This effectively pauses the test to allow you to debug.
TRUSTED_NETS=10.0.2.2 BEAKER_destroy=no PRY=yes bundle exec rake beaker:suites
Reference
Table of Contents
Classes
Public Classes
- simp_gitlab: SIMP Profile for managing GitLab
Private Classes
- simp_gitlab::config: Manage additional GitLab-related configuration
- simp_gitlab::config::firewall: Manage firewall for external GitLab access
- simp_gitlab::config::pki: Manage PKI configuration
- simp_gitlab::install: Install, initially configure and bring up a GitLab instance
Functions
- simp_gitlab::omnibus_config::gitlab: Compile a hash of settings for the gitlab class parameters, using SIMP settings
- simp_gitlab::omnibus_config::gitlab_rails: Compile a hash of settings for the gitlab::gitlab_rails parameter, using SIMP settings
- simp_gitlab::omnibus_config::gitlab_shell: Compile a hash of settings for the gitlab::shell parameter, using SIMP settings
- simp_gitlab::omnibus_config::mattermost: Compile a hash of settings for the gitlab::mattermost parameter, using SIMP settings
- simp_gitlab::omnibus_config::nginx: Compile a hash of settings for the gitlab::nginx parameter, using SIMP settings
Data types
- Simp_Gitlab::Stroolean: Valid PKI management options
Classes
simp_gitlab
Welcome to SIMP!
This module is a component of the System Integrity Management Platform, a managed security compliance framework built on Puppet.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default, and must be explicitly opted into by administrators. Please review the parameters (e.g., $trusted_nets, $pki) for details.
Parameters
The following parameters are available in the simp_gitlab class:
- trusted_nets
- denied_nets
- external_url
- tcp_listen_port
- firewall
- pki
- app_pki_external_source
- app_pki_dir
- app_pki_key
- app_pki_cert
- app_pki_ca
- edition
- two_way_ssl_validation
- ldap_verify_certificates
- ssl_verify_depth
- ssl_protocols
- gitlab_options
- cipher_suite
- ldap
- ldap_uri
- ldap_active_directory
- ldap_base_dn
- ldap_bind_dn
- ldap_bind_pw
- ldap_user_filter
- ldap_group_base
- manage_package
- package_ensure
- set_gitlab_root_password
- gitlab_root_password
- rails_console_load_timeout
- allow_fips
trusted_nets
Data type: Simplib::Netlist
A list of subnets (in CIDR notation) that should be permitted access
Default value: simplib::lookup('simp_options::trusted_nets', {'default_value' => ['127.0.0.1/32'] })
denied_nets
Data type: Simplib::Netlist
A list of subnets (in CIDR notation) that should be explicitly denied access
Default value: []
external_url
Data type: Simplib::Uri
External URL of GitLab. By default, this will be 'https://' if $pki is set and 'http://' if it is false.
Default value: $pki
tcp_listen_port
Data type: Simplib::Port
The port upon which to listen for regular TCP connections. By default this will be '80' if HTTPS is disabled and '443' if HTTPS is enabled.
Default value: $pki
firewall
Data type: Boolean
If true, manage firewall rules to accommodate simp_gitlab
Default value: simplib::lookup('simp_options::firewall', {'default_value' => false})
pki
Data type: Simp_gitlab::Stroolean
- If 'simp', include simp/pki and use pki::copy to manage application certs in /etc/pki/simp_apps/gitlab/x509
- If true, do not include simp/pki, but still use pki::copy to manage certs in /etc/pki/simp_apps/gitlab/x509
- If false, do not include simp/pki and do not use pki::copy to manage certs. You will need to appropriately assign a subset of: $app_pki_dir, $app_pki_key, $app_pki_cert, $app_pki_ca
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })
app_pki_external_source
Data type: String
- If $pki is 'simp' or true, this is the directory from which certs will be copied, via pki::copy.
- If $pki is false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
app_pki_dir
Data type: Stdlib::Absolutepath
This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl.
Default value: '/etc/pki/simp_apps/gitlab/x509'
app_pki_key
Data type: Stdlib::Absolutepath
Full path of the private SSL key file.
Default value: "${app_pki_dir}/private/${facts['fqdn']}.pem"
app_pki_cert
Data type: Stdlib::Absolutepath
Full path of the public SSL certificate.
Default value: "${app_pki_dir}/public/${facts['fqdn']}.pub"
app_pki_ca
Data type: Stdlib::Absolutepath
Full path of the SSL CA certificate.
Default value: "${app_pki_dir}/cacerts/cacerts.pem"
edition
Data type: Enum['ce','ee']
The Gitlab Omnibus edition to install.
Default value: 'ce'
two_way_ssl_validation
Data type: Boolean
When true, server and clients will require mutual TLS authentication.
Default value: false
ldap_verify_certificates
Data type: Boolean
When true, SSL LDAP connections must use certificates signed by a known CA.
Default value: true
ssl_verify_depth
Data type: Integer[1]
Sets the verification depth in the client certificates chain.
Default value: 2
ssl_protocols
Data type: Array[String[1]]
Array of Nginx-compatible SSL/TLS protocols for the web server to accept.
Default value: ['TLSv1.2']
gitlab_options
Data type: Hash
Hash of manually-customized parameters for puppet/gitlab.
These parameters will be deep-merged with settings generated by this profile. During the deep merge, the settings in $gitlab_options will take precedence.
Default value: {}
cipher_suite
Data type: Array[String[1]]
The cipher suite to use with SSL
Default value: simplib::lookup( 'simp_options::openssl::cipher_suite', { 'default_value' => ['DEFAULT', '!MEDIUM'] })
ldap
Data type: Boolean
If true, enable LDAP support for GitLab Omnibus.
Default value: simplib::lookup('simp_options::ldap', {'default_value' => false})
ldap_uri
Data type: Array[Simplib::URI]
List of OpenLDAP server URIs. Note that multiple URIs is an EE feature.
Example: ['ldap://server1', 'ldaps://server2']
Default value: simplib::lookup('simp_options::ldap::uri', {'default_value' => []})
ldap_active_directory
Data type: Boolean
This setting specifies whether the LDAP server is an Active Directory LDAP server. For non-AD servers, the AD-specific queries are skipped. If your LDAP server is not AD, set this to false.
Default value: false
ldap_base_dn
Data type: String[3]
Base where we can search for users
Example: ou=People,dc=gitlab,dc=example
Default value: simplib::lookup('simp_options::ldap::base_dn', {'default_value' => simplib::ldap::domain_to_dn()})
ldap_bind_dn
Data type: String[3]
The DN to use when binding to the LDAP server
Default value: simplib::lookup('simp_options::ldap::bind_dn', {'default_value' => "cn=hostAuth,ou=Hosts,${ldap_base_dn}"})
ldap_bind_pw
Data type: String[1]
The password of the bind user
Default value: simplib::lookup('simp_options::ldap::bind_pw', {'default_value' => "cn=LDAPAdmin,ou=People,${ldap_base_dn}"})
ldap_user_filter
Data type: Optional[String[1]]
Format: RFC 4515 (http://tools.ietf.org/search/rfc4515)
Example: (employeeType=developer)
Default value: undef
ldap_group_base
Data type: Optional[String[3]]
EE only
Default value: undef
manage_package
Data type: Boolean
Whether to manage the gitlab-[ce,ee] package.
Default value: true
package_ensure
Data type: String
The ensure status of the gitlab-[ce,ee] package, when the package is managed ($manage_gitlab is true).
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
set_gitlab_root_password
Data type: Boolean
Whether to set the GitLab root password.
- This is HIGHLY recommended, as the root password is not secured during install otherwise. Anyone can navigate to the GitLab URL and set the root password.
Default value: true
gitlab_root_password
Data type: String[16]
GitLab root password to set.
- When set via Hiera, be sure to use eyaml to secure the password.
Default value: simplib::passgen( "simp_gitlab_${trusted['certname']}" )
rails_console_load_timeout
Data type: Integer[60]
Number of seconds to wait for gitlab-rails console to load when setting the GitLab root password.
Default value: 300
allow_fips
Data type: Boolean
Whether to allow the module to install and manage GitLab when the server has FIPS enabled.
- Only set this to true if the version of GitLab you are running supports FIPS mode.
Default value: true
Functions
simp_gitlab::omnibus_config::gitlab
Type: Puppet Language
Compile a hash of settings for the gitlab class parameters, using SIMP settings
simp_gitlab::omnibus_config::gitlab()
Returns: Any
Hash of puppet/gitlab parameters
simp_gitlab::omnibus_config::gitlab_rails
Type: Puppet Language
Compile a hash of settings for the gitlab::gitlab_rails parameter, using SIMP settings
simp_gitlab::omnibus_config::gitlab_rails()
Returns: Any
Hash of settings for the 'gitlab::gitlab_rails' parameter
simp_gitlab::omnibus_config::gitlab_shell
Type: Puppet Language
Compile a hash of settings for the gitlab::shell parameter, using SIMP settings
simp_gitlab::omnibus_config::gitlab_shell()
Returns: Any
Hash of settings for the 'gitlab::shell' parameter
simp_gitlab::omnibus_config::mattermost
Type: Puppet Language
Compile a hash of settings for the gitlab::mattermost parameter, using SIMP settings
simp_gitlab::omnibus_config::mattermost()
Returns: Any
Hash of settings for the 'gitlab::mattermost' parameter
simp_gitlab::omnibus_config::nginx
Type: Puppet Language
Compile a hash of settings for the gitlab::nginx parameter, using SIMP settings
simp_gitlab::omnibus_config::nginx()
Returns: Any
Hash of settings for the 'gitlab::nginx' parameter
Data types
Simp_Gitlab::Stroolean
Valid PKI management options
Alias of Variant[Enum['simp'], Boolean]
Changelog
- Tue Jun 22 2021 Liz Nemsick lnemsick.simp@gmail.com - 0.7.0
  - Removed
    - Dropped support for Puppet 5
  - Changed
    - simp_gitlab::allow_fips now defaults to true, as the last version of GitLab this module was tested with, 14.0.0, supports FIPS mode.
      - This will allow new GitLab installations on servers for which FIPS-mode is enabled, but not affect existing GitLab servers configured by earlier versions of this module.
    - Minor README updates
      - Clarify versions of GitLab this module is known to work with and the steps a user can do to verify it works with a different version.
      - Remove OBE FIPS-mode failure
      - Update GitLab ticket URLs.
    - Allow herculesteam/augeasproviders_ssh < 5.0.0
    - Allow puppet/gitlab < 8.0.0
    - Allow puppetlabs/stdlib < 8.0.0
    - Use puppet/chrony in lieu of aboe/chrony, as VoxPupuli has now assumed ownership of this module.
- Thu Jun 17 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 0.7.0
  - Ensured support for Puppet 7 in requirements and stdlib
- Thu Jan 07 2021 Liz Nemsick lnemsick.simp@gmail.com - 0.6.1
  - Fixed a bug in which the change_gitlab_root_password script did not work for GitLab versions that included Ruby 2.7.x (GitLab 13.6.0 and later).
  - Fixed a bug in which the change_gitlab_root_password script emitted a 'WARNING: GitLab is not completely running' error message when GitLab was fully running.
- Sat Dec 19 2020 Chris Tessmer chris.tessmer@onyxpoint.com - 0.6.1
  - Maintenance update for module assets
- Thu Oct 29 2020 Liz Nemsick lnemsick.simp@gmail.com - 0.6.0-0
  - Updates for GitLab application (12.3.0-13.x) and puppet/gitlab module 6.0.1
  - Removed:
    - Support for GitLab < 12.3.0.
    - TLSv1.1 from the default for simp_gitlab::ssl_protocols.
  - Changed:
    - Set the GitLab root password in a fashion that minimizes coupling of simp_gitlab with the internals of the gitlab module.
      - Set a throw-away password during initial GitLab package installation using GitLab configuration in /etc/gitlab/gitlab.rb. Setting the password during initial install is the only way to ensure the password is not set by an external user. Otherwise, the first GitLab page that comes up is the page to reset the root password.
      - After GitLab initial configuration, set the real root password using a script that implements GitLab-provided procedures for setting the password.
      - IMPORTANT: As a side effect of these changes, upon module upgrade, the password will be automatically set to the value of simp_gitlab::gitlab_root_password, unless the (empty) marker file /etc/gitlab/.root_password_set exists or the parameter simp_gitlab::set_gitlab_root_password is set to false. If you forget to disable this automation or just want to reset the GitLab root password, simply run /usr/local/sbin/change_gitlab_root_password <new_password> manually. You do not need to know the previous password to set the new password.
    - Use chronyd instead of ntpd, as GitLab itself uses chronyd and chronyd is required for EL8.
    - Use gitlab for managing packages again.
      - Change was only possible once the new mechanism for setting the GitLab root password was implemented.
    - Renamed the 'gitlab_monitor' key to 'gitlab_exporter' in the configuration hash.
      - Name change required for GitLab >= 12.3.0.
    - No longer set gitlab::external_port
      - The custom port is already appropriately configured via the gitlab::external_url.
      - 'external_port' is no longer a supported GitLab configuration key and causes gitlab-ctl reconfigure to fail.
    - simp_gitlab now fails to compile when the node is in FIPS mode, unless simp_gitlab::allow_fips (a new parameter) is set to true.
  - Added:
    - Support for EL8.
    - simp_gitlab parameters to enable setting the GitLab root password
      - set_gitlab_root_password
      - gitlab_root_password
      - rails_console_load_timeout
    - Script to change the GitLab root password, /usr/local/sbin/change_gitlab_root_password.
    - Disabling of Let's Encrypt usage in GitLab, by default.
      - The integration of SIMP PKI management with Let's Encrypt has not yet been done.
      - To use Let's Encrypt, disable SIMP management of PKI by setting simp_gitlab::pki to false and then manage the certificates manually.
    - svckill::ignore rule for the GitLab service. Since the service is no longer managed by default by gitlab::service, this prevents the service from being inadvertently killed when it is unmanaged.
    - REFERENCE.md documentation.
- Thu Jul 23 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 0.5.1-0
  - update the upper bound of simplib for SIMP 6.5 release
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 0.5.0-0
  - Drop Puppet 4 support
  - Add Puppet 6 support
  - Add puppetlabs-stdlib 6 support
- Thu Mar 07 2019 Liz Nemsick lnemsick.simp@gmail.com - 0.4.0-0
  - Added missing simp-pki dependency to metadata.json
  - Use generate_pem_hash_links option of pki_cert_sync to allow the gitlab application to manage the certificate hash links. gitlab reconfigure generates those hash links.
  - Added manage_package and package_ensure parameters to simp_gitlab
  - Switched from vshn/gitlab 1.13.3 to its replacement puppet/gitlab 3.0.2 and reworked the manifests, as appropriate, to work with the newer module.
  - Updated the upper bound of stdlib to < 6.0.0
  - Updated a URL in the README.md
- Tue Nov 06 2018 Chris Tessmer chris.tessmer@onyxpoint.com - 0.3.4-0
  - Add explicit support for Oracle Linux
  - Update badges in README.md
- Wed Oct 24 2018 Trevor Vaughan tvaughan@onyxpoint.com - 0.3.4-0
  - Add explicit support for Puppet 5
- Fri Oct 19 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 0.3.4-0
  - Updated assets and fixed a setting in the acceptance test so test would run under puppet 5
- Tue Sep 11 2018 Nicholas Markowski nicholas.markowski@onyxpoint.com - 0.3.4-0
  - Updated $app_pki_external_source to accept any string. This matches the functionality of pki::copy.
- Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 0.3.4-0
  - Drop Hiera 4 support
- Fri Jul 13 2018 Chris Tessmer chris.tessmer@onyxpoint.com - 0.3.3
  - Disable usage ping
- Thu Jun 14 2018 Nick Miller nick.miller@onyxpoint.com - 0.3.2
  - Update systemd fixtures and CI assets
- Tue May 15 2018 Liz Nemsick lnemsick.simp@gmail.com - 0.3.2
  - Expand the range of the augeasproviders_ssh module dependency to allow 3.x versions.
- Wed Mar 28 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 0.3.1
  - Updated README to note that authorized key files need to be copied when upgrading from version 0.2.0.
- Wed Feb 28 2018 Liz Nemsick lnemsick.simp@gmail.com - 0.3.0
  - Drop support for CentOS 6 in order to cleanly solve an intermittent problem in which the GitLab local user's authorized keys lock file could not be created.
  - Modify sshd authorized keys file configuration so that the GitLab installer can manage the GitLab local user's authorized keys file and the directory in which it resides, independent of Puppet. Prior to this, both the GitLab installer (via Chef) and Puppet were simultaneously, but independently, managing the ownership, permissions, and selinux contexts of that authorized keys file and its directory. Since the desired settings for the directory were different, intermittent problems such as the GitLab user not being able to create its authorized keys lock file arose.
- Fri Dec 29 2017 Chris Tessmer chris.tessmer@onyxpoint.com - 0.3.0
  - Configure LDAP TLS to use the Omnibus' trusted-certs/ instead of the LDAP ca_file setting (see https://gitlab.com/gitlab-org/gitlab-ce/issues/37254#note_3894021)
  - Add ldap_verify_certificates parameter
  - Add ldap_ssl_protocols parameter
  - Fixed LDAP provider name sanitation
  - Update deprecated LDAP encryption configurations for GitLab 9.4+
  - Add acceptance tests for LDAP authentication
  - Document acceptance test features
  - Removed unused syslog parameter
- Wed Apr 26 2017 Chris Tessmer chris.tessmer@onyxpoint.com - 0.2.0
  - Manage PAM access and SSH keys for local Git Omnibus git user
  - Update static assets
- Wed Apr 26 2017 SIMP Team <simp-project.com> - 0.1.0
  - This is the initial code for a simp_gitlab module, which installs GitLab Omnibus and incorporates it into SIMP.
Dependencies
- puppet/chrony (>= 1.0.0 < 2.0.0)
- herculesteam/augeasproviders_ssh (>= 2.5.0 < 5.0.0)
- puppet/gitlab (>= 6.0.1 < 8.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- simp/iptables (>= 6.5.3 < 7.0.0)
- simp/pam (>= 6.8.2 < 7.0.0)
- simp/pki (>= 6.2.0 < 7.0.0)
- simp/postfix (>= 5.5.0 < 6.0.0)
- simp/simplib (>= 4.6.0 < 5.0.0)
- simp/ssh (>= 6.11.0 < 7.0.0)
- simp/svckill (>= 3.6.1 < 4.0.0)
License
simp_gitlab - SIMP profiles for GitLab
Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States.
The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.
---
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.