diff options
Diffstat (limited to 'doc/user/clusters/applications.md')
| -rw-r--r-- | doc/user/clusters/applications.md | 97 |
1 files changed, 61 insertions, 36 deletions
diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 47cbc0d4a1e..9ede9d9fdef 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -1,10 +1,16 @@ +--- +stage: Configure +group: Configure +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +--- + # GitLab Managed Apps GitLab provides **GitLab Managed Apps**, a one-click install for various applications which can be added directly to your configured cluster. These applications are needed for [Review Apps](../../ci/review_apps/index.md) -and [deployments](../../ci/environments.md) when using [Auto DevOps](../../topics/autodevops/index.md). +and [deployments](../../ci/environments/index.md) when using [Auto DevOps](../../topics/autodevops/index.md). You can install them after you [create a cluster](../project/clusters/add_remove_clusters.md). @@ -128,9 +134,9 @@ before deploying one. NOTE: **Note:** The [`runner/gitlab-runner`](https://gitlab.com/gitlab-org/charts/gitlab-runner) -chart is used to install this application with a -[`values.yaml`](https://gitlab.com/gitlab-org/gitlab/blob/master/vendor/runner/values.yaml) -file. Customizing installation by modifying this file is not supported. +chart is used to install this application, using +[a preconfigured `values.yaml`](https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/master/values.yaml) +file. Customizing the installation by modifying this file is not supported. ### Ingress @@ -314,6 +320,16 @@ To change your WAF's mode: 1. Under **Global default**, select your desired mode. 1. Click **Save changes**. +##### WAF version updates + +Enabling, disabling, or changing the logging mode for **ModSecurity** is only allowed within same version of [Ingress](#ingress) due to limitations in [Helm](https://helm.sh/) which might be overcome in future releases. + +**ModSecurity** UI controls are disabled if the version deployed differs from the one available in GitLab, while actions at the [Ingress](#ingress) level, such as uninstalling, can still be performed: + + + +Updating [Ingress](#ingress) to the most recent version enables you to take advantage of bug fixes, security fixes, and performance improvements. To update [Ingress application](#ingress), you must first uninstall it, and then re-install it as described in [Install ModSecurity](../../topics/web_application_firewall/quick_start_guide.md). + ##### Viewing Web Application Firewall traffic > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/14707) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9. @@ -356,7 +372,7 @@ will also see ready-to-use DevOps Runbooks built with Nurtch's [Rubix library](h More information on creating executable runbooks can be found in [our Runbooks -documentation](../project/clusters/runbooks/index.md#executable-runbooks). Note that +documentation](../project/clusters/runbooks/index.md#configure-an-executable-runbook-with-gitlab). Note that Ingress must be installed and have an IP address assigned before JupyterHub can be installed. @@ -487,18 +503,25 @@ and you will have access to more advanced querying capabilities. Log data is automatically deleted after 30 days using [Curator](https://www.elastic.co/guide/en/elasticsearch/client/curator/5.5/about.html). -To enable log shipping, install Elastic Stack into the cluster with the **Install** button. +To enable log shipping: + +1. Ensure your cluster contains at least 3 nodes of instance types larger than + `f1-micro`, `g1-small`, or `n1-standard-1`. +1. Navigate to **{cloud-gear}** **Operations > Kubernetes**. +1. In **Kubernetes Cluster**, select a cluster. +1. In the **Applications** section, find **Elastic Stack** and click **Install**. NOTE: **Note:** -The [`stable/elastic-stack`](https://github.com/helm/charts/tree/master/stable/elastic-stack) +The [`gitlab/elastic-stack`](https://gitlab.com/gitlab-org/charts/elastic-stack) chart is used to install this application with a [`values.yaml`](https://gitlab.com/gitlab-org/gitlab/blob/master/vendor/elastic_stack/values.yaml) file. NOTE: **Note:** -The chart will deploy 5 Elasticsearch nodes: 2 masters, 2 data and 1 client node, -with resource requests totalling 0.125 CPU and 4.5GB RAM. Each data node requests 1.5GB of memory, -which makes it incompatible with clusters of `f1-micro` and `g1-small` instance types. +The chart deploys 3 identical Elasticsearch pods which can't be colocated, and each +require 1 CPU and 2 GB of RAM, making them incompatible with clusters containing +fewer than 3 nodes or consisting of `f1-micro`, `g1-small`, `n1-standard-1`, or +`*-highcpu-2` instance types. NOTE: **Note:** The Elastic Stack cluster application is intended as a log aggregation solution and is not related to our @@ -517,25 +540,25 @@ Save the following to `kibana.yml`: elasticsearch: enabled: false -logstash: +filebeat: enabled: false kibana: enabled: true - env: - ELASTICSEARCH_HOSTS: http://elastic-stack-elasticsearch-client.gitlab-managed-apps.svc.cluster.local:9200 + elasticsearchHosts: http://elastic-stack-elasticsearch-master.gitlab-managed-apps.svc.cluster.local:9200 ``` Then install it on your cluster: ```shell -helm install --name kibana stable/elastic-stack --values kibana.yml +helm repo add gitlab https://charts.gitlab.io +helm install --name kibana gitlab/elastic-stack --values kibana.yml ``` -To access kibana, forward the port to your local machine: +To access Kibana, forward the port to your local machine: ```shell -kubectl port-forward svc/kibana 5601:443 +kubectl port-forward svc/kibana-kibana 5601:5601 ``` Then, you can visit Kibana at `http://localhost:5601`. @@ -556,11 +579,10 @@ To enable Fluentd: 1. Provide the host domain name or URL in **SIEM Hostname**. 1. Provide the host port number in **SIEM Port**. 1. Select a **SIEM Protocol**. -1. Check **Send ModSecurity Logs**. If you do not select this checkbox, the **Install** - button is disabled. +1. Select at least one of the available logs (such as WAF or Cilium). 1. Click **Save changes**. - + ### Future apps @@ -777,7 +799,7 @@ In order for GitLab Runner to function, you **must** specify the following: - `runnerRegistrationToken` - The registration token for adding new Runners to GitLab. This must be [retrieved from your GitLab instance](../../ci/runners/README.md). -These values can be specifed using [CI variables](../../ci/variables/README.md): +These values can be specified using [CI variables](../../ci/variables/README.md): - `GITLAB_RUNNER_GITLAB_URL` will be used for `gitlabUrl`. - `GITLAB_RUNNER_REGISTRATION_TOKEN` will be used for `runnerRegistrationToken` @@ -792,10 +814,12 @@ available configuration options. > [Introduced](https://gitlab.com/gitlab-org/cluster-integration/cluster-applications/-/merge_requests/22) in GitLab 12.8. -[Cilium](https://cilium.io/) is a networking plugin for Kubernetes -that you can use to implement support for -[NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) -resources. For more information on [Network Policies](../../topics/autodevops/stages.md#network-policy), see the documentation. +[Cilium](https://cilium.io/) is a networking plugin for Kubernetes that you can use to implement +support for [NetworkPolicy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) +resources. For more information, see [Network Policies](../../topics/autodevops/stages.md#network-policy). + +<i class="fa fa-youtube-play youtube" aria-hidden="true"></i> +For an overview, see the [Container Network Security Demo for GitLab 12.8](https://www.youtube.com/watch?v=pgUEdhdhoUI). Enable Cilium in the `.gitlab/managed-apps/config.yaml` file to install it: @@ -822,7 +846,8 @@ management project. Refer to the for the available configuration options. CAUTION: **Caution:** -Installation and removal of the Cilium [requires restart](https://cilium.readthedocs.io/en/stable/gettingstarted/k8s-install-gke/#restart-remaining-pods) +Installation and removal of the Cilium requires a **manual** +[restart](https://cilium.readthedocs.io/en/stable/gettingstarted/k8s-install-gke/#restart-remaining-pods) of all affected pods in all namespaces to ensure that they are [managed](https://cilium.readthedocs.io/en/stable/troubleshooting/#ensure-pod-is-managed-by-cilium) by the correct networking plugin. @@ -908,15 +933,15 @@ vault: installed: true ``` -By default you will get a basic Vault setup with no high availability nor any scalable -storage backend. This is enough for simple testing and small scale deployments, though has limits +By default you will get a basic Vault setup with no scalable +storage backend. This is enough for simple testing and small-scale deployments, though has limits to how much it can scale, and as it is a single instance deployment, you will experience downtime when upgrading the Vault application. To optimally use Vault in a production environment, it's ideal to have a good understanding of the internals of Vault and how to configure it. This can be done by reading the [the Vault documentation](https://www.vaultproject.io/docs/internals/) as well as -the Vault Helm chart [values.yaml file](https://github.com/hashicorp/vault-helm/blob/v0.3.3/values.yaml). +the Vault Helm chart [`values.yaml` file](https://github.com/hashicorp/vault-helm/blob/v0.3.3/values.yaml). At a minimum you will likely set up: @@ -1009,11 +1034,11 @@ In addition, the following variables must be specified using [CI variables](../. | CI Variable | Description | |:---------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `JUPYTERHUB_PROXY_SECRET_TOKEN` | Sets [`proxy.secretToken`](https://zero-to-jupyterhub.readthedocs.io/en/stable/reference.html#proxy-secrettoken). Generate using `openssl rand -hex 32`. | -| `JUPYTERHUB_COOKIE_SECRET` | Sets [`hub.cookieSecret`](https://zero-to-jupyterhub.readthedocs.io/en/stable/reference.html#hub-cookiesecret). Generate using `openssl rand -hex 32`. | +| `JUPYTERHUB_PROXY_SECRET_TOKEN` | Secure string used for signing communications from the hub. See[`proxy.secretToken`](https://zero-to-jupyterhub.readthedocs.io/en/stable/reference/reference.html#proxy-secrettoken). | +| `JUPYTERHUB_COOKIE_SECRET` | Secure string used for signing secure cookies. See [`hub.cookieSecret`](https://zero-to-jupyterhub.readthedocs.io/en/stable/reference/reference.html#hub-cookiesecret). | | `JUPYTERHUB_HOST` | Hostname used for the installation. For example, `jupyter.gitlab.example.com`. | | `JUPYTERHUB_GITLAB_HOST` | Hostname of the GitLab instance used for authentication. For example, `gitlab.example.com`. | -| `JUPYTERHUB_AUTH_CRYPTO_KEY` | Sets [`auth.state.cryptoKey`](https://zero-to-jupyterhub.readthedocs.io/en/stable/reference.html#auth-state-cryptokey). Generate using `openssl rand -hex 32`. | +| `JUPYTERHUB_AUTH_CRYPTO_KEY` | A 32-byte encryption key used to set [`auth.state.cryptoKey`](https://zero-to-jupyterhub.readthedocs.io/en/stable/reference/reference.html#auth-state-cryptokey). | | `JUPYTERHUB_AUTH_GITLAB_CLIENT_ID` | "Application ID" for the OAuth Application. | | `JUPYTERHUB_AUTH_GITLAB_CLIENT_SECRET` | "Secret" for the OAuth Application. | @@ -1042,12 +1067,12 @@ elasticStack: Elastic Stack is installed into the `gitlab-managed-apps` namespace of your cluster. -You can check the default [values.yaml](https://gitlab.com/gitlab-org/gitlab/-/blob/master/vendor/elastic_stack/values.yaml) we set for this chart. +You can check the default [`values.yaml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/vendor/elastic_stack/values.yaml) we set for this chart. You can customize the installation of Elastic Stack by defining `.gitlab/managed-apps/elastic-stack/values.yaml` file in your cluster management project. Refer to the -[chart](https://github.com/helm/charts/blob/master/stable/elastic-stack/values.yaml) for the +[chart](https://gitlab.com/gitlab-org/charts/elastic-stack) for the available configuration options. NOTE: **Note:** @@ -1070,7 +1095,7 @@ Crossplane: Crossplane is installed into the `gitlab-managed-apps` namespace of your cluster. You can check the default -[values.yaml](https://github.com/crossplane/crossplane/blob/master/cluster/charts/crossplane/values.yaml.tmpl) +[`values.yaml`](https://github.com/crossplane/crossplane/blob/master/cluster/charts/crossplane/values.yaml.tmpl) we set for this chart. You can customize the installation of Crossplane by defining @@ -1090,7 +1115,7 @@ Fluentd: installed: true ``` -You can also review the default values set for this chart in the [values.yaml](https://github.com/helm/charts/blob/master/stable/fluentd/values.yaml) file. +You can also review the default values set for this chart in the [`values.yaml`](https://github.com/helm/charts/blob/master/stable/fluentd/values.yaml) file. You can customize the installation of Fluentd by defining `.gitlab/managed-apps/fluentd/values.yaml` file in your cluster management @@ -1207,7 +1232,7 @@ epic](https://gitlab.com/groups/gitlab-org/-/epics/1201). Applications can fail with the following error: -```text +```plaintext Error: remote error: tls: bad certificate ``` |