gitlab-qa 8.14.0 → 8.14.1

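--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 222f774a1b76d96311b8f50d198073376ec3a1c3728a85c181df3c7334635cc2
- data.tar.gz: 76038a8e5fb395209798fae12d58b29b297d4ea7b62b1227867b48547fa832e8
+ metadata.gz: b7fcc8c586127f3c1883786b303610fd2360293a4e2ee2727225a0f50a865947
+ data.tar.gz: 7928dcd357359e99bc3e8c921bf3cda138d1cf5dee9746760a097c34c92be323
  SHA512:
- metadata.gz: b52cf9e0f2e4ac6b7650c08cbbdc20428cf97dcb8ec4425c10d5b20c5b0b60c324336f6b39c82c01ff6ccb3a0ecc934204288dc76ceb1f677dfb7f55da73fca5
- data.tar.gz: e315e743dfd37f56cde0e7eff20ae757a7bb8f254cdea861871f22fffb36e58061bbe93a213036207efc685899ad04886374e7fd497ea4bf4b31251d1b1c0071
+ metadata.gz: 65877f46a7c942ada94490ffcbdcdc74f757cc51000879e4f5030030fcbd0fb59e5be9f8ebd1550d0effe332cad61ff043eb7f8434aaddc72b6094d269048850
+ data.tar.gz: 837d053e553827cd507ba10e12056ae8bb8dbe32b22903f89c5eb67e59f57230a561897e34eb97f6ba67b5b67b8d66562a773c5fc487525ca1a0c83a006656d9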
@@ -5,9 +5,10 @@ ce:airgapped:
5
5
  - .high-capacity
6
6
  - .ce-variables
7
7
  - .rspec-report-opts
8
+ parallel: 10
8
9
  variables:
9
10
  QA_SCENARIO: "Test::Instance::Airgapped"
10
- QA_RSPEC_TAGS: "--tag smoke"
11
+ QA_RSPEC_TAGS: "--tag '~github' --tag '~skip_live_env'"
11
12
 
12
13
  ee:airgapped:
13
14
  extends:
@@ -16,8 +17,7 @@ ee:airgapped:
16
17
  - .high-capacity
17
18
  - .ee-variables
18
19
  - .rspec-report-opts
20
+ parallel: 10
19
21
  variables:
20
22
  QA_SCENARIO: "Test::Instance::Airgapped"
21
- QA_RSPEC_TAGS: "--tag smoke"
22
-
23
-
23
+ QA_RSPEC_TAGS: "--tag '~github' --tag '~skip_live_env'"
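--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,7 +1,7 @@
  PATH
  remote: .
  specs:
- gitlab-qa (8.14.0)
+ gitlab-qa (8.14.1)
  activesupport (~> 6.1)
  gitlab (~> 4.18.0)
  http (~> 5.0)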
@@ -6,7 +6,7 @@ module Gitlab
6
6
  class GitalyCluster
7
7
  class GitalyClusterConfig
8
8
  attr_accessor :gitlab_name, :network, :airgapped_network,
9
- :praefect_node_name, :praefect_port,
9
+ :praefect_node_name, :praefect_port, :praefect_ip,
10
10
  :primary_node_name, :primary_node_port,
11
11
  :secondary_node_name, :secondary_node_port,
12
12
  :tertiary_node_name, :tertiary_node_port,
@@ -90,6 +90,7 @@ module Gitlab
90
90
  end
91
91
 
92
92
  @praefect_node = praefect(release)
93
+ config.praefect_ip = praefect_node.ip_address
93
94
  Runtime::Logger.info("Gitaly Cluster Ready")
94
95
  end
95
96
 
@@ -7,31 +7,37 @@ module Gitlab
7
7
  module Instance
8
8
  class Airgapped < Scenario::Template
9
9
  require 'resolv'
10
- attr_reader :config, :gitlab_air_gap_commands
10
+ attr_reader :config, :gitlab_air_gap_commands, :iptables_restricted_network, :airgapped_network_name
11
11
 
12
12
  def initialize
13
+ # Uses https://docs.docker.com/engine/reference/commandline/network_create/#network-internal-mode
14
+ @airgapped_network_name = 'airgapped'
15
+ # Uses iptables to deny all network traffic, with a number of exceptions for required ports and IPs
16
+ @iptables_restricted_network = 'test'
13
17
  @config = Component::GitalyCluster::GitalyClusterConfig.new(
18
+ gitlab_name: "gitlab-airgapped-#{SecureRandom.hex(4)}",
14
19
  airgapped_network: true,
15
- network: 'airgapped'
20
+ network: airgapped_network_name
16
21
  )
17
22
  end
18
23
 
19
24
  def perform(release, *rspec_args)
20
25
  Component::Gitlab.perform do |gitlab|
21
- cluster = Component::GitalyCluster.perform do |cluster|
26
+ Component::GitalyCluster.perform do |cluster|
22
27
  cluster.config = @config
23
- cluster.instance
28
+ # we need to get an IP for praefect before proceeding so it cannot be run in parallel with gitlab
29
+ cluster.instance(true).join
24
30
  end
25
31
  gitlab.name = config.gitlab_name
26
32
  gitlab.release = release
27
- gitlab.airgapped_network = true
28
- gitlab.network = config.network
33
+ gitlab.network = iptables_restricted_network # we use iptables to restrict access on the gitlab instance
34
+ gitlab.runner_network = config.network
35
+ gitlab.exec_commands = airgap_gitlab_commands
36
+ gitlab.skip_availability_check = true
29
37
  gitlab.omnibus_configuration << gitlab_omnibus_configuration
30
- gitlab.skip_availability_check = true # airgapped environment cannot be pinged to check health
31
38
  rspec_args << "--" unless rspec_args.include?('--')
32
39
  rspec_args << %w[--tag ~orchestrated]
33
40
  gitlab.instance do
34
- cluster.join
35
41
  Component::Specs.perform do |specs|
36
42
  specs.suite = 'Test::Instance::Airgapped'
37
43
  specs.release = gitlab.release
@@ -45,9 +51,55 @@ module Gitlab
45
51
 
46
52
  private
47
53
 
54
+ def airgap_gitlab_commands
55
+ gitlab_ip = Resolv.getaddress('gitlab.com')
56
+ gitlab_registry_ip = Resolv.getaddress(QA::Release::COM_REGISTRY)
57
+ dev_gitlab_registry_ip = Resolv.getaddress(QA::Release::DEV_REGISTRY.split(':')[0])
58
+ praefect_ip = config.praefect_ip
59
+ @commands = <<~AIRGAP_AND_VERIFY_COMMAND.split(/\n+/)
60
+ # Should not fail before airgapping due to eg. DNS failure
61
+ # Ping and wget check
62
+ apt-get update && apt-get install -y iptables ncat
63
+ if ncat -zv -w 10 #{gitlab_ip} 80; then echo 'Airgapped connectivity check passed.'; else echo 'Airgapped connectivity check failed - should be able to access gitlab_ip'; exit 1; fi;
64
+
65
+ echo "Checking regular connectivity..." \
66
+ && wget --retry-connrefused --waitretry=1 --read-timeout=15 --timeout=10 -t 2 http://registry.gitlab.com > /dev/null 2>&1 \
67
+ && (echo "Regular connectivity wget check passed." && exit 0) || (echo "Regular connectivity wget check failed." && exit 1)
68
+
69
+ iptables -P INPUT DROP && iptables -P OUTPUT DROP
70
+ iptables -A INPUT -i lo -j ACCEPT && iptables -A OUTPUT -o lo -j ACCEPT # LOOPBACK
71
+ iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
72
+ iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
73
+
74
+ # Jenkins on port 8080 and 50000
75
+ iptables -A OUTPUT -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT \
76
+ && iptables -A OUTPUT -p tcp -m tcp --dport 50000 -m state --state NEW,ESTABLISHED -j ACCEPT
77
+ iptables -A OUTPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
78
+ iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
79
+ iptables -A OUTPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
80
+ iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
81
+
82
+ # some exceptions to allow runners access network https://gitlab.com/gitlab-org/gitlab-qa/-/issues/700
83
+ iptables -A OUTPUT -p tcp -d #{gitlab_registry_ip} -j ACCEPT
84
+ iptables -A OUTPUT -p tcp -d #{dev_gitlab_registry_ip} -j ACCEPT
85
+ # allow access to praefect node
86
+ iptables -A OUTPUT -p tcp -d #{praefect_ip} -j ACCEPT
87
+
88
+ # Should now fail to ping gitlab_ip, port 22/80 should be open
89
+ if ncat -zv -w 10 #{gitlab_ip} 80; then echo 'Airgapped connectivity check failed - should not be able to access gitlab_ip'; exit 1; else echo 'Airgapped connectivity check passed.'; fi;
90
+ if ncat -zv -w 10 127.0.0.1 22; then echo 'Airgapped connectivity port 22 check passed.'; else echo 'Airgapped connectivity port 22 check failed.'; exit 1; fi;
91
+ if ncat -zv -w 10 127.0.0.1 80; then echo 'Airgapped connectivity port 80 check passed.'; else echo 'Airgapped connectivity port 80 check failed.'; exit 1 ; fi;
92
+ if ncat -zv -w 10 #{gitlab_registry_ip} 80; then echo 'Airgapped connectivity port gitlab_registry_ip check passed.'; else echo 'Airgapped connectivity port 80 check failed.'; exit 1; fi;
93
+
94
+ echo "Checking airgapped connectivity..." \
95
+ && wget --retry-connrefused --waitretry=1 --read-timeout=15 --timeout=10 -t 2 http://registry.gitlab.com > /dev/null 2>&1 \
96
+ && (echo "Airgapped network faulty. Connectivity wget check failed." && exit 1) || (echo "Airgapped network confirmed. Connectivity wget check passed." && exit 0)
97
+ AIRGAP_AND_VERIFY_COMMAND
98
+ end
99
+
48
100
  def gitlab_omnibus_configuration
49
101
  <<~OMNIBUS
50
- external_url 'http://#{config.gitlab_name}.#{config.network}';
102
+ external_url 'http://#{config.gitlab_name}.#{iptables_restricted_network}';
51
103
 
52
104
  git_data_dirs({
53
105
  'default' => {
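Review bot: The last wget check in `airgap_gitlab_commands` cannot report a leaking airgap: in `… && (echo "Airgapped network faulty. …" && exit 1) || (echo "Airgapped network confirmed. …" && exit 0)` the `exit 1` only ends its own subshell, so the `||` branch runs next, prints the "confirmed" message and the command finishes with status 0 even when wget reached the registry. The if/else form already used by the ncat checks avoids this: `if wget --retry-connrefused --waitretry=1 --read-timeout=15 --timeout=10 -t 2 http://registry.gitlab.com > /dev/null 2>&1; then echo "Airgapped network faulty. Connectivity wget check failed."; exit 1; else echo "Airgapped network confirmed. Connectivity wget check passed."; fi`. The rule set is also looser than the comment in `initialize` suggests: only `iptables` is configured, so IPv6 would stay unfiltered if the container has an IPv6 address, the 8080/50000 rules accept any destination, and the registry and praefect `-d` rules accept every TCP port. `airgap_gitlab_commands` lies wholly inside the second hunk, while `perform` in the first hunk continues outside it.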
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Gitlab
4
4
  module QA
5
- VERSION = '8.14.0'
5
+ VERSION = '8.14.1'
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: gitlab-qa
3
3
  version: !ruby/object:Gem::Version
4
- version: 8.14.0
4
+ version: 8.14.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - GitLab Quality
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2022-12-15 00:00:00.000000000 Z
11
+ date: 2022-12-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: climate_control