author | GitLab Bot <gitlab-bot@gitlab.com> | 2019-11-19 22:11:55 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2019-11-19 22:11:55 +0000 |
commit | 5a8431feceba47fd8e1804d9aa1b1730606b71d5 (patch) | |
tree | e5df8e0ceee60f4af8093f5c4c2f934b8abced05 /vendor | |
parent | 4d477238500c347c6553d335d920bedfc5a46869 (diff) | |
download | gitlab-ce-5a8431feceba47fd8e1804d9aa1b1730606b71d5.tar.gz |
Add latest changes from gitlab-org/gitlab@12-5-stable-ee
Diffstat (limited to 'vendor')
-rw-r--r-- | vendor/aws/cloudformation/eks_cluster.yaml | 340 | ||||
-rw-r--r-- | vendor/crossplane/values.yaml | 0 | ||||
-rw-r--r-- | vendor/elastic_stack/values.yaml | 47 | ||||
-rw-r--r--[-rwxr-xr-x] | vendor/gitignore/C++.gitignore | 0 | ||||
-rw-r--r--[-rwxr-xr-x] | vendor/gitignore/Java.gitignore | 0 | ||||
-rw-r--r-- | vendor/ingress/modsecurity.conf | 274 | ||||
-rw-r--r-- | vendor/project_templates/serverless_framework.tar.gz | bin | 0 -> 92193 bytes |
7 files changed, 661 insertions, 0 deletions
diff --git a/vendor/aws/cloudformation/eks_cluster.yaml b/vendor/aws/cloudformation/eks_cluster.yaml
new file mode 100644
index 00000000000..c32f54d66dc
--- /dev/null
+++ b/vendor/aws/cloudformation/eks_cluster.yaml
@@ -0,0 +1,340 @@ +--- +AWSTemplateFormatVersion: "2010-09-09" +Description: GitLab EKS Cluster + +Parameters: + + KubernetesVersion: + Description: The Kubernetes version to install + Type: String + Default: 1.14 + AllowedValues: + - 1.12 + - 1.13 + - 1.14 + + KeyName: + Description: The EC2 Key Pair to allow SSH access to the node instances + Type: AWS::EC2::KeyPair::KeyName + + NodeImageIdSSMParam: + Type: "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>" + Default: /aws/service/eks/optimized-ami/1.14/amazon-linux-2/recommended/image_id + Description: AWS Systems Manager Parameter Store parameter of the AMI ID for the worker node instances. + + NodeInstanceType: + Description: EC2 instance type for the node instances + Type: String + Default: t3.medium + ConstraintDescription: Must be a valid EC2 instance type + AllowedValues: + - t2.small + - t2.medium + - t2.large + - t2.xlarge + - t2.2xlarge + - t3.nano + - t3.micro + - t3.small + - t3.medium + - t3.large + - t3.xlarge + - t3.2xlarge + - m3.medium + - m3.large + - m3.xlarge + - m3.2xlarge + - m4.large + - m4.xlarge + - m4.2xlarge + - m4.4xlarge + - m4.10xlarge + - m5.large + - m5.xlarge + - m5.2xlarge + - m5.4xlarge + - m5.12xlarge + - m5.24xlarge + - c4.large + - c4.xlarge + - c4.2xlarge + - c4.4xlarge + - c4.8xlarge + - c5.large + - c5.xlarge + - c5.2xlarge + - c5.4xlarge + - c5.9xlarge + - c5.18xlarge + - i3.large + - i3.xlarge + - i3.2xlarge + - i3.4xlarge + - i3.8xlarge + - i3.16xlarge + - r3.xlarge + - r3.2xlarge + - r3.4xlarge + - r3.8xlarge + - r4.large + - r4.xlarge + - r4.2xlarge + - r4.4xlarge + - r4.8xlarge + - r4.16xlarge + - x1.16xlarge + - x1.32xlarge + - p2.xlarge + - p2.8xlarge + - p2.16xlarge + - p3.2xlarge + - p3.8xlarge + - p3.16xlarge + - p3dn.24xlarge + - r5.large + - r5.xlarge + - r5.2xlarge + - r5.4xlarge + - r5.12xlarge + - r5.24xlarge + - r5d.large + - r5d.xlarge + - r5d.2xlarge + - r5d.4xlarge + - r5d.12xlarge + - r5d.24xlarge + - z1d.large + - z1d.xlarge + - z1d.2xlarge + - 
z1d.3xlarge + - z1d.6xlarge + - z1d.12xlarge + + NodeAutoScalingGroupDesiredCapacity: + Description: Desired capacity of Node Group ASG. + Type: Number + Default: 3 + + NodeVolumeSize: + Description: Node volume size + Type: Number + Default: 20 + + ClusterName: + Description: Unique name for your Amazon EKS cluster. + Type: String + + ClusterRole: + Description: The IAM Role to allow Amazon EKS and the Kubernetes control plane to manage AWS resources on your behalf. + Type: String + + ClusterControlPlaneSecurityGroup: + Description: The security groups to apply to the EKS-managed Elastic Network Interfaces that are created in your worker node subnets. + Type: AWS::EC2::SecurityGroup::Id + + VpcId: + Description: The VPC to use for your EKS Cluster resources. + Type: AWS::EC2::VPC::Id + + Subnets: + Description: The subnets in your VPC where your worker nodes will run. + Type: List<AWS::EC2::Subnet::Id> + +Metadata: + + AWS::CloudFormation::Interface: + ParameterGroups: + - Label: + default: EKS Cluster + Parameters: + - ClusterName + - ClusterRole + - KubernetesVersion + - ClusterControlPlaneSecurityGroup + - Label: + default: Worker Node Configuration + Parameters: + - NodeAutoScalingGroupDesiredCapacity + - NodeInstanceType + - NodeImageIdSSMParam + - NodeVolumeSize + - KeyName + - Label: + default: Worker Network Configuration + Parameters: + - VpcId + - Subnets + +Resources: + + Cluster: + Type: AWS::EKS::Cluster + Properties: + Name: !Sub ${ClusterName} + Version: !Sub ${KubernetesVersion} + RoleArn: !Sub ${ClusterRole} + ResourcesVpcConfig: + SecurityGroupIds: + - !Ref ClusterControlPlaneSecurityGroup + SubnetIds: !Ref Subnets + + NodeInstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + Path: "/" + Roles: + - !Ref NodeInstanceRole + + NodeInstanceRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: sts:AssumeRole + Path: 
"/" + ManagedPolicyArns: + - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy + - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy + - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly + + NodeSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Security group for all nodes in the cluster + VpcId: !Ref VpcId + Tags: + - Key: !Sub kubernetes.io/cluster/${ClusterName} + Value: owned + + NodeSecurityGroupIngress: + Type: AWS::EC2::SecurityGroupIngress + DependsOn: NodeSecurityGroup + Properties: + Description: Allow nodes to communicate with each other + GroupId: !Ref NodeSecurityGroup + SourceSecurityGroupId: !Ref NodeSecurityGroup + IpProtocol: -1 + FromPort: 0 + ToPort: 65535 + + NodeSecurityGroupFromControlPlaneIngress: + Type: AWS::EC2::SecurityGroupIngress + DependsOn: NodeSecurityGroup + Properties: + Description: Allow worker Kubelets and pods to receive communication from the cluster control plane + GroupId: !Ref NodeSecurityGroup + SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup + IpProtocol: tcp + FromPort: 1025 + ToPort: 65535 + + ControlPlaneEgressToNodeSecurityGroup: + Type: AWS::EC2::SecurityGroupEgress + DependsOn: NodeSecurityGroup + Properties: + Description: Allow the cluster control plane to communicate with worker Kubelet and pods + GroupId: !Ref ClusterControlPlaneSecurityGroup + DestinationSecurityGroupId: !Ref NodeSecurityGroup + IpProtocol: tcp + FromPort: 1025 + ToPort: 65535 + + NodeSecurityGroupFromControlPlaneOn443Ingress: + Type: AWS::EC2::SecurityGroupIngress + DependsOn: NodeSecurityGroup + Properties: + Description: Allow pods running extension API servers on port 443 to receive communication from cluster control plane + GroupId: !Ref NodeSecurityGroup + SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + + ControlPlaneEgressToNodeSecurityGroupOn443: + Type: AWS::EC2::SecurityGroupEgress + DependsOn: NodeSecurityGroup + Properties: 
+ Description: Allow the cluster control plane to communicate with pods running extension API servers on port 443 + GroupId: !Ref ClusterControlPlaneSecurityGroup + DestinationSecurityGroupId: !Ref NodeSecurityGroup + IpProtocol: tcp + FromPort: 443 + ToPort: 443 + + ClusterControlPlaneSecurityGroupIngress: + Type: AWS::EC2::SecurityGroupIngress + DependsOn: NodeSecurityGroup + Properties: + Description: Allow pods to communicate with the cluster API Server + GroupId: !Ref ClusterControlPlaneSecurityGroup + SourceSecurityGroupId: !Ref NodeSecurityGroup + IpProtocol: tcp + ToPort: 443 + FromPort: 443 + + NodeGroup: + Type: AWS::AutoScaling::AutoScalingGroup + DependsOn: Cluster + Properties: + DesiredCapacity: !Ref NodeAutoScalingGroupDesiredCapacity + LaunchConfigurationName: !Ref NodeLaunchConfig + MinSize: !Ref NodeAutoScalingGroupDesiredCapacity + MaxSize: !Ref NodeAutoScalingGroupDesiredCapacity + VPCZoneIdentifier: !Ref Subnets + Tags: + - Key: Name + Value: !Sub ${ClusterName}-node + PropagateAtLaunch: true + - Key: !Sub kubernetes.io/cluster/${ClusterName} + Value: owned + PropagateAtLaunch: true + UpdatePolicy: + AutoScalingRollingUpdate: + MaxBatchSize: 1 + MinInstancesInService: !Ref NodeAutoScalingGroupDesiredCapacity + PauseTime: PT5M + + NodeLaunchConfig: + Type: AWS::AutoScaling::LaunchConfiguration + Properties: + AssociatePublicIpAddress: true + IamInstanceProfile: !Ref NodeInstanceProfile + ImageId: !Ref NodeImageIdSSMParam + InstanceType: !Ref NodeInstanceType + KeyName: !Ref KeyName + SecurityGroups: + - !Ref NodeSecurityGroup + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeSize: !Ref NodeVolumeSize + VolumeType: gp2 + DeleteOnTermination: true + UserData: + Fn::Base64: + !Sub | + #!/bin/bash + set -o xtrace + /etc/eks/bootstrap.sh "${ClusterName}" + /opt/aws/bin/cfn-signal --exit-code $? 
\ + --stack ${AWS::StackName} \ + --resource NodeGroup \ + --region ${AWS::Region} + +Outputs: + + NodeInstanceRole: + Description: The node instance role + Value: !GetAtt NodeInstanceRole.Arn + + ClusterCertificate: + Description: The cluster certificate + Value: !GetAtt Cluster.CertificateAuthorityData + + ClusterEndpoint: + Description: The cluster endpoint + Value: !GetAtt Cluster.Endpoint diff --git a/vendor/crossplane/values.yaml b/vendor/crossplane/values.yaml new file mode 100644 index 00000000000..e69de29bb2d --- /dev/null +++ b/vendor/crossplane/values.yaml diff --git a/vendor/elastic_stack/values.yaml b/vendor/elastic_stack/values.yaml new file mode 100644 index 00000000000..9346c0e25e6 --- /dev/null +++ b/vendor/elastic_stack/values.yaml @@ -0,0 +1,47 @@ +elasticsearch: + enabled: true + cluster: + env: + MINIMUM_MASTER_NODES: "1" + master: + replicas: 2 + client: + replicas: 1 + data: + replicas: 1 + +kibana: + enabled: true + env: + ELASTICSEARCH_HOSTS: http://elastic-stack-elasticsearch-client:9200 + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: "nginx" + kubernetes.io/tls-acme: "true" + +logstash: + enabled: false + +filebeat: + enabled: true + config: + output.file.enabled: false + output.elasticsearch: + enabled: true + hosts: ["http://elastic-stack-elasticsearch-client:9200"] + +fluentd: + enabled: false + +fluent-bit: + enabled: false + +nginx-ldapauth-proxy: + enabled: false + +elasticsearch-curator: + enabled: false + +elasticsearch-exporter: + enabled: false diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore index 259148fa18f..259148fa18f 100755..100644 --- a/vendor/gitignore/C++.gitignore +++ b/vendor/gitignore/C++.gitignore diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore index a1c2a238a96..a1c2a238a96 100755..100644 --- a/vendor/gitignore/Java.gitignore +++ b/vendor/gitignore/Java.gitignore 
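Review bot: The worker AMI default in `NodeImageIdSSMParam` is pinned to the 1.14 optimized image (`/aws/service/eks/optimized-ami/1.14/...`) while `KubernetesVersion` still accepts 1.12 and 1.13, so selecting an older control-plane version without also overriding the AMI parameter produces kubelets newer than the API server; either derive the SSM path from the version or state the coupling in that parameter's `Description`. The `Ebs` mapping in `NodeLaunchConfig` has no `Encrypted: true`, and nodes are launched with `AssociatePublicIpAddress: true`, so the subnet choice alone decides whether workers are internet-facing. The `AWS::EKS::Cluster` resource sets no endpoint-access or control-plane logging properties, so the API endpoint keeps its public default and audit logging is not enabled by this template; if the CloudFormation version in use supports `Logging` and `ResourcesVpcConfig.EndpointPublicAccess`, this resource is where they belong.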
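Review bot: The Kibana ingress is enabled with `kubernetes.io/tls-acme: "true"` but nothing in this values file places authentication in front of it — `nginx-ldapauth-proxy` is explicitly `enabled: false` — so unless access control is applied elsewhere in the chart or cluster, anyone who can reach the ingress host can query the whole Elasticsearch index through Kibana. Elasticsearch itself is addressed over plain `http://elastic-stack-elasticsearch-client:9200` with no credentials, which is only acceptable for in-cluster traffic if a NetworkPolicy restricts that service. A comment at the top of the `kibana:` block naming where authentication is expected to come from would help the next reader: `# Kibana ingress is unauthenticated here; access control must be provided by <component> (placeholder)`.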
diff --git a/vendor/ingress/modsecurity.conf b/vendor/ingress/modsecurity.conf
new file mode 100644
index 00000000000..3a6b5cee2e5
--- /dev/null
+++ b/vendor/ingress/modsecurity.conf
@@ -0,0 +1,274 @@
+# -- GitLab Customization ----------------------------------------------
+# Based on https://github.com/SpiderLabs/ModSecurity/blob/v3.0.3/modsecurity.conf-recommended
+# Our base modsecurity.conf includes some minor customization:
+# - `SecRuleEngine` is disabled, defaulting to `DetectionOnly`. Overridable at project-level
+# - `SecAuditLogType` is disabled, defaulting to `Serial`. Overridable at project-level
+# - `SecStatusEngine` is disabled, to disallow usage reporting
+#
+# ----------------------------------------------------------------------------
+
+# -- Rule engine initialization ----------------------------------------------
+
+# Enable ModSecurity, attaching it to every transaction. Use detection
+# only to start with, because that minimises the chances of post-installation
+# disruption.
+#
+# SecRuleEngine DetectionOnly
+
+
+# -- Request body handling ---------------------------------------------------
+
+# Allow ModSecurity to access request bodies. If you don't, ModSecurity
+# won't be able to see any POST parameters, which opens a large security
+# hole for attackers to exploit.
+#
+SecRequestBodyAccess On
+
+
+# Enable XML request body parser.
+# Initiate XML Processor in case of xml content-type
+#
+SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
+ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+
+# Enable JSON request body parser.
+# Initiate JSON Processor in case of JSON content-type; change accordingly
+# if your application does not use 'application/json'
+#
+SecRule REQUEST_HEADERS:Content-Type "application/json" \
+ "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+
+# Maximum request body size we will accept for buffering. If you support
+# file uploads then the value given on the first line has to be as large
+# as the largest file you are willing to accept. The second value refers
+# to the size of data, with files excluded. You want to keep that value as
+# low as practical.
+#
+SecRequestBodyLimit 13107200
+SecRequestBodyNoFilesLimit 131072
+
+# What do do if the request body size is above our configured limit.
+# Keep in mind that this setting will automatically be set to ProcessPartial
+# when SecRuleEngine is set to DetectionOnly mode in order to minimize
+# disruptions when initially deploying ModSecurity.
+#
+SecRequestBodyLimitAction Reject
+
+# Verify that we've correctly processed the request body.
+# As a rule of thumb, when failing to process a request body
+# you should reject the request (when deployed in blocking mode)
+# or log a high-severity alert (when deployed in detection-only mode).
+#
+SecRule REQBODY_ERROR "!@eq 0" \
+"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+
+# By default be strict with what we accept in the multipart/form-data
+# request body. If the rule below proves to be too strict for your
+# environment consider changing it to detection-only. You are encouraged
+# _not_ to remove it altogether.
+#
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+"id:'200003',phase:2,t:none,log,deny,status:400, \
+msg:'Multipart request body failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_MISSING_SEMICOLON}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IP %{MULTIPART_INVALID_PART}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+# Did we see anything that might be a boundary?
+#
+# Here is a short description about the ModSecurity Multipart parser: the
+# parser returns with value 0, if all "boundary-like" line matches with
+# the boundary string which given in MIME header. In any other cases it returns
+# with different value, eg. 1 or 2.
+#
+# The RFC 1341 descript the multipart content-type and its syntax must contains
+# only three mandatory lines (above the content):
+# * Content-Type: multipart/mixed; boundary=BOUNDARY_STRING
+# * --BOUNDARY_STRING
+# * --BOUNDARY_STRING--
+#
+# First line indicates, that this is a multipart content, second shows that
+# here starts a part of the multipart content, third shows the end of content.
+#
+# If there are any other lines, which starts with "--", then it should be
+# another boundary id - or not.
+#
+# After 3.0.3, there are two kinds of types of boundary errors: strict and permissive.
+#
+# If multipart content contains the three necessary lines with correct order, but
+# there are one or more lines with "--", then parser returns with value 2 (non-zero).
+#
+# If some of the necessary lines (usually the start or end) misses, or the order
+# is wrong, then parser returns with value 1 (also a non-zero).
+#
+# You can choose, which one is what you need. The example below contains the
+# 'strict' mode, which means if there are any lines with start of "--", then
+# ModSecurity blocked the content. But the next, commented example contains
+# the 'permissive' mode, then you check only if the necessary lines exists in
+# correct order. Whit this, you can enable to upload PEM files (eg "----BEGIN.."),
+# or other text files, which contains eg. HTTP headers.
+#
+# The difference is only the operator - in strict mode (first) the content blocked
+# in case of any non-zero value. In permissive mode (second, commented) the
+# content blocked only if the value is explicit 1. If it 0 or 2, the content will
+# allowed.
+#
+
+#
+# See #1747 and #1924 for further information on the possible values for
+# MULTIPART_UNMATCHED_BOUNDARY.
+#
+SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
+ "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+
+# PCRE Tuning
+# We want to avoid a potential RegEx DoS condition
+#
+SecPcreMatchLimit 1000
+SecPcreMatchLimitRecursion 1000
+
+# Some internal errors will set flags in TX and we will need to look for these.
+# All of these are prefixed with "MSC_". The following flags currently exist:
+#
+# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
+#
+SecRule TX:/^MSC_/ "!@streq 0" \
+ "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+
+# -- Response body handling --------------------------------------------------
+
+# Allow ModSecurity to access response bodies.
+# You should have this directive enabled in order to identify errors
+# and data leakage issues.
+#
+# Do keep in mind that enabling this directive does increases both
+# memory consumption and response latency.
+#
+SecResponseBodyAccess On
+
+# Which response MIME types do you want to inspect? You should adjust the
+# configuration below to catch documents but avoid static files
+# (e.g., images and archives).
+#
+SecResponseBodyMimeType text/plain text/html text/xml
+
+# Buffer response bodies of up to 512 KB in length.
+SecResponseBodyLimit 524288
+
+# What happens when we encounter a response body larger than the configured
+# limit? By default, we process what we have and let the rest through.
+# That's somewhat less secure, but does not break any legitimate pages.
+#
+SecResponseBodyLimitAction ProcessPartial
+
+
+# -- Filesystem configuration ------------------------------------------------
+
+# The location where ModSecurity stores temporary files (for example, when
+# it needs to handle a file upload that is larger than the configured limit).
+#
+# This default setting is chosen due to all systems have /tmp available however,
+# this is less than ideal. It is recommended that you specify a location that's private.
+#
+SecTmpDir /tmp/
+
+# The location where ModSecurity will keep its persistent data. This default setting
+# is chosen due to all systems have /tmp available however, it
+# too should be updated to a place that other users can't access.
+#
+SecDataDir /tmp/
+
+
+# -- File uploads handling configuration -------------------------------------
+
+# The location where ModSecurity stores intercepted uploaded files. This
+# location must be private to ModSecurity. You don't want other users on
+# the server to access the files, do you?
+#
+#SecUploadDir /opt/modsecurity/var/upload/
+
+# By default, only keep the files that were determined to be unusual
+# in some way (by an external inspection script). For this to work you
+# will also need at least one file inspection rule.
+#
+#SecUploadKeepFiles RelevantOnly
+
+# Uploaded files are by default created with permissions that do not allow
+# any other user to access them. You may need to relax that if you want to
+# interface ModSecurity to an external program (e.g., an anti-virus).
+#
+#SecUploadFileMode 0600
+
+
+# -- Debug log configuration -------------------------------------------------
+
+# The default debug log configuration is to duplicate the error, warning
+# and notice messages from the error log.
+#
+#SecDebugLog /opt/modsecurity/var/log/debug.log
+#SecDebugLogLevel 3
+
+
+# -- Audit log configuration -------------------------------------------------
+
+# Log the transactions that are marked by a rule, as well as those that
+# trigger a server error (determined by a 5xx or 4xx, excluding 404,
+# level response status codes).
+#
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+
+# Log everything we know about a transaction.
+SecAuditLogParts ABIJDEFHZ
+
+# Use a single file for logging. This is much easier to look at, but
+# assumes that you will use the audit log only ocassionally.
+#
+# SecAuditLogType Serial
+SecAuditLogFormat JSON
+SecAuditLog /var/log/modsec/audit.log
+
+# Specify the path for concurrent audit logging.
+#SecAuditLogStorageDir /opt/modsecurity/var/audit/
+
+
+# -- Miscellaneous -----------------------------------------------------------
+
+# Use the most commonly used application/x-www-form-urlencoded parameter
+# separator. There's probably only one application somewhere that uses
+# something else so don't expect to change this value.
+#
+SecArgumentSeparator &
+
+# Settle on version 0 (zero) cookies, as that is what most applications
+# use. Using an incorrect cookie version may open your installation to
+# evasion attacks (against the rules that examine named cookies).
+#
+SecCookieFormat 0
+
+# Specify your Unicode Code Point.
+# This mapping is used by the t:urlDecodeUni transformation function
+# to properly map encoded data to your language. Properly setting
+# these directives helps to reduce false positives and negatives.
+#
+SecUnicodeMapFile unicode.mapping 20127
+
+# Improve the quality of ModSecurity by sharing information about your
+# current ModSecurity version and dependencies versions.
+# The following information will be shared: ModSecurity version,
+# Web Server version, APR version, PCRE version, Lua version, Libxml2
+# version, Anonymous unique id for host.
+# SecStatusEngine On
+
+
diff --git a/vendor/project_templates/serverless_framework.tar.gz b/vendor/project_templates/serverless_framework.tar.gz
Binary files differ
new file mode 100644
index 00000000000..b09de0ec3a2
--- /dev/null
+++ b/vendor/project_templates/serverless_framework.tar.gz
|
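Review bot: `SecTmpDir /tmp/` and `SecDataDir /tmp/` are left at the world-shared default even though the comment above each says the location should be private; spooled request bodies and persistent collection data in a shared directory are readable by any other process that shares that /tmp. Since this file is vendored for the ingress controller, point both at a dedicated directory, e.g. `SecTmpDir <private-dir>` and `SecDataDir <private-dir>` (placeholder), or add a line to the GitLab customization header explaining why /tmp is acceptable in that container. `SecAuditLogParts ABIJDEFHZ` together with `SecAuditLogFormat JSON` writes request bodies (part I) and response bodies (part E) of every flagged transaction to `/var/log/modsec/audit.log`, so credentials and tokens in inspected requests land in that file; the header should note the access and retention expectations for it. The header's wording that `SecRuleEngine` "is disabled" is imprecise — the directive is commented out below, so "commented out, leaving the engine at its DetectionOnly default" describes what the file actually does.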