gitlab-qa 8.14.0 → 8.14.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 222f774a1b76d96311b8f50d198073376ec3a1c3728a85c181df3c7334635cc2
-  data.tar.gz: 76038a8e5fb395209798fae12d58b29b297d4ea7b62b1227867b48547fa832e8
+  metadata.gz: b7fcc8c586127f3c1883786b303610fd2360293a4e2ee2727225a0f50a865947
+  data.tar.gz: 7928dcd357359e99bc3e8c921bf3cda138d1cf5dee9746760a097c34c92be323
 SHA512:
-  metadata.gz: b52cf9e0f2e4ac6b7650c08cbbdc20428cf97dcb8ec4425c10d5b20c5b0b60c324336f6b39c82c01ff6ccb3a0ecc934204288dc76ceb1f677dfb7f55da73fca5
-  data.tar.gz: e315e743dfd37f56cde0e7eff20ae757a7bb8f254cdea861871f22fffb36e58061bbe93a213036207efc685899ad04886374e7fd497ea4bf4b31251d1b1c0071
+  metadata.gz: 65877f46a7c942ada94490ffcbdcdc74f757cc51000879e4f5030030fcbd0fb59e5be9f8ebd1550d0effe332cad61ff043eb7f8434aaddc72b6094d269048850
+  data.tar.gz: 837d053e553827cd507ba10e12056ae8bb8dbe32b22903f89c5eb67e59f57230a561897e34eb97f6ba67b5b67b8d66562a773c5fc487525ca1a0c83a006656d9

data/.gitlab/ci/jobs/airgapped.gitlab-ci.yml

@@ -5,9 +5,10 @@ ce:airgapped:
     - .high-capacity
     - .ce-variables
     - .rspec-report-opts
+  parallel: 10
   variables:
     QA_SCENARIO: "Test::Instance::Airgapped"
-    QA_RSPEC_TAGS: "--tag smoke"
+    QA_RSPEC_TAGS: "--tag '~github' --tag '~skip_live_env'"
 
 ee:airgapped:
   extends:
@@ -16,8 +17,7 @@ ee:airgapped:
     - .high-capacity
     - .ee-variables
     - .rspec-report-opts
+  parallel: 10
   variables:
     QA_SCENARIO: "Test::Instance::Airgapped"
-    QA_RSPEC_TAGS: "--tag smoke"
-
-
+    QA_RSPEC_TAGS: "--tag '~github' --tag '~skip_live_env'"

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    gitlab-qa (8.14.0)
+    gitlab-qa (8.14.1)
       activesupport (~> 6.1)
       gitlab (~> 4.18.0)
       http (~> 5.0)

data/lib/gitlab/qa/component/gitaly_cluster.rb

@@ -6,7 +6,7 @@ module Gitlab
       class GitalyCluster
         class GitalyClusterConfig
           attr_accessor :gitlab_name, :network, :airgapped_network,
-                        :praefect_node_name, :praefect_port,
+                        :praefect_node_name, :praefect_port, :praefect_ip,
                         :primary_node_name, :primary_node_port,
                         :secondary_node_name, :secondary_node_port,
                         :tertiary_node_name, :tertiary_node_port,
@@ -90,6 +90,7 @@ module Gitlab
           end
 
           @praefect_node = praefect(release)
+          config.praefect_ip = praefect_node.ip_address
           Runtime::Logger.info("Gitaly Cluster Ready")
         end
 

data/lib/gitlab/qa/scenario/test/instance/airgapped.rb

@@ -7,31 +7,37 @@ module Gitlab
         module Instance
           class Airgapped < Scenario::Template
             require 'resolv'
-            attr_reader :config, :gitlab_air_gap_commands
+            attr_reader :config, :gitlab_air_gap_commands, :iptables_restricted_network, :airgapped_network_name
 
             def initialize
+              # Uses https://docs.docker.com/engine/reference/commandline/network_create/#network-internal-mode
+              @airgapped_network_name = 'airgapped'
+              # Uses iptables to deny all network traffic, with a number of exceptions for required ports and IPs
+              @iptables_restricted_network = 'test'
               @config = Component::GitalyCluster::GitalyClusterConfig.new(
+                gitlab_name: "gitlab-airgapped-#{SecureRandom.hex(4)}",
                 airgapped_network: true,
-                network: 'airgapped'
+                network: airgapped_network_name
               )
             end
 
             def perform(release, *rspec_args)
               Component::Gitlab.perform do |gitlab|
-                cluster = Component::GitalyCluster.perform do |cluster|
+                Component::GitalyCluster.perform do |cluster|
                   cluster.config = @config
-                  cluster.instance
+                  # we need to get an IP for praefect before proceeding so it cannot be run in parallel with gitlab
+                  cluster.instance(true).join
                 end
                 gitlab.name = config.gitlab_name
                 gitlab.release = release
-                gitlab.airgapped_network = true
-                gitlab.network = config.network
+                gitlab.network = iptables_restricted_network # we use iptables to restrict access on the gitlab instance
+                gitlab.runner_network = config.network
+                gitlab.exec_commands = airgap_gitlab_commands
+                gitlab.skip_availability_check = true
                 gitlab.omnibus_configuration << gitlab_omnibus_configuration
-                gitlab.skip_availability_check = true # airgapped environment cannot be pinged to check health
                 rspec_args << "--" unless rspec_args.include?('--')
                 rspec_args << %w[--tag ~orchestrated]
                 gitlab.instance do
-                  cluster.join
                   Component::Specs.perform do |specs|
                     specs.suite = 'Test::Instance::Airgapped'
                     specs.release = gitlab.release
@@ -45,9 +51,55 @@ module Gitlab
 
             private
 
+            def airgap_gitlab_commands
+              gitlab_ip = Resolv.getaddress('gitlab.com')
+              gitlab_registry_ip = Resolv.getaddress(QA::Release::COM_REGISTRY)
+              dev_gitlab_registry_ip = Resolv.getaddress(QA::Release::DEV_REGISTRY.split(':')[0])
+              praefect_ip = config.praefect_ip
+              @commands = <<~AIRGAP_AND_VERIFY_COMMAND.split(/\n+/)
+                # Should not fail before airgapping due to eg. DNS failure
+                # Ping and wget check
+                apt-get update && apt-get install -y iptables ncat
+                if ncat -zv -w 10 #{gitlab_ip} 80; then echo 'Airgapped connectivity check passed.'; else echo 'Airgapped connectivity check failed - should be able to access gitlab_ip'; exit 1; fi;
+
+                echo "Checking regular connectivity..." \
+                  && wget --retry-connrefused --waitretry=1 --read-timeout=15 --timeout=10 -t 2 http://registry.gitlab.com > /dev/null 2>&1 \
+                  && (echo "Regular connectivity wget check passed." && exit 0) || (echo "Regular connectivity wget check failed." && exit 1)
+
+                iptables -P INPUT DROP && iptables -P OUTPUT DROP
+                iptables -A INPUT -i lo -j ACCEPT && iptables -A OUTPUT -o lo -j ACCEPT # LOOPBACK
+                iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+                iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+                # Jenkins on port 8080 and 50000
+                iptables -A OUTPUT -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT \
+                  && iptables -A OUTPUT -p tcp -m tcp --dport 50000 -m state --state NEW,ESTABLISHED -j ACCEPT
+                iptables -A OUTPUT -p tcp -m tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+                iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
+                iptables -A OUTPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+                iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+
+                # some exceptions to allow runners access network https://gitlab.com/gitlab-org/gitlab-qa/-/issues/700 
+                iptables -A OUTPUT -p tcp -d  #{gitlab_registry_ip} -j ACCEPT
+                iptables -A OUTPUT -p tcp -d  #{dev_gitlab_registry_ip} -j ACCEPT
+                # allow access to praefect node 
+                iptables -A OUTPUT -p tcp -d #{praefect_ip} -j ACCEPT
+
+                # Should now fail to ping gitlab_ip, port 22/80 should be open
+                if ncat -zv -w 10 #{gitlab_ip} 80; then echo 'Airgapped connectivity check failed - should not be able to access gitlab_ip'; exit 1; else echo 'Airgapped connectivity check passed.'; fi;
+                if ncat -zv -w 10 127.0.0.1 22; then echo 'Airgapped connectivity port 22 check passed.'; else echo 'Airgapped connectivity port 22 check failed.'; exit 1;  fi;
+                if ncat -zv -w 10 127.0.0.1 80; then echo 'Airgapped connectivity port 80 check passed.'; else echo 'Airgapped connectivity port 80 check failed.'; exit 1 ; fi;
+                if ncat -zv -w 10 #{gitlab_registry_ip} 80; then echo 'Airgapped connectivity port gitlab_registry_ip check passed.'; else echo 'Airgapped connectivity port 80 check failed.'; exit 1; fi;
+
+                echo "Checking airgapped connectivity..." \
+                  && wget --retry-connrefused --waitretry=1 --read-timeout=15 --timeout=10 -t 2 http://registry.gitlab.com > /dev/null 2>&1 \
+                  && (echo "Airgapped network faulty. Connectivity wget check failed." && exit 1) || (echo "Airgapped network confirmed. Connectivity wget check passed." && exit 0)
+              AIRGAP_AND_VERIFY_COMMAND
+            end
+
             def gitlab_omnibus_configuration
               <<~OMNIBUS
-                external_url 'http://#{config.gitlab_name}.#{config.network}';
+                external_url 'http://#{config.gitlab_name}.#{iptables_restricted_network}';
 
                 git_data_dirs({
                   'default' => {

data/lib/gitlab/qa/version.rb

@@ -2,6 +2,6 @@
 
 module Gitlab
   module QA
-    VERSION = '8.14.0'
+    VERSION = '8.14.1'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-qa
 version: !ruby/object:Gem::Version
-  version: 8.14.0
+  version: 8.14.1
 platform: ruby
 authors:
 - GitLab Quality
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-12-15 00:00:00.000000000 Z
+date: 2022-12-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: climate_control