I’m reachable through the usual channels. Since the pandemic has confined all of us in our apartments, I decided to move back to Franciacorta, Iseo Lake, Italy. I’m waiting for my Starlink.com satellite dish to be able to move off-the-grid next to Presolana.
Just delegate a domain to Azure’s cloud, map a wildcard DNS record to the Kubernetes load balancer entry point… and (crucial, I only mention the painful part) create your own cert-signing thing (a cert-manager ClusterIssuer) for Let’s Encrypt like this:
(the class: addon-http-application-routing is the REALLY important bit, else you don’t get the fancy load balancing/Ingress resource integration from Azure)
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: your@email.address
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: prod-issuer-account-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: addon-http-application-routing
And finally, bring up the GitLab cluster specifying 3 separate TLS secrets; otherwise GitLab will assume you have a wildcard certificate and the http01 validation of Let’s Encrypt will fail… (otherwise you need to use dns01 validation)
nginx-ingress:
  enabled: false
certmanager:
  install: false
global:
  hosts:
    domain: your.fancy.domain
  ingress:
    annotations:
      kubernetes.io/ingress.class: addon-http-application-routing
      cert-manager.io/cluster-issuer: letsencrypt-prod
      kubernetes.io/tls-acme: true
    configureCertmanager: false
gitlab:
  unicorn:
    ingress:
      tls:
        secretName: "gitlab-unicorn-tls"
registry:
  ingress:
    tls:
      secretName: "gitlab-registry-tls"
minio:
  ingress:
    tls:
      secretName: "gitlab-minio-tls"
Ah… don’t try to use ArgoCD for this,
it is buggy -> gitlab/-/issues/2039
Therefore… reiterate with:
$ helm upgrade gitlab gitlab/gitlab -n gitlab -f gitlab_values.yaml --render-subchart-notes --reset-values
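A pre-flight check for the values file before running the upgrade, added here as an example (it is not part of the original post or of the GitLab chart). It flags the case described above, where a component without its own TLS secret makes the http01 validation fail; the function names and the sample dictionaries are assumptions constructed for illustration.

```python
# Added example: lint GitLab chart values for the HTTP-01 setup; names are hypothetical.
TLS_SECRET_PATHS = {
    "unicorn": ("gitlab", "unicorn", "ingress", "tls", "secretName"),
    "registry": ("registry", "ingress", "tls", "secretName"),
    "minio": ("minio", "ingress", "tls", "secretName"),
}

def dig(tree, path):
    # Walk nested dicts; return None when any key is missing.
    for key in path:
        if not isinstance(tree, dict) or key not in tree:
            return None
        tree = tree[key]
    return tree

def lint_values(values, issuer="letsencrypt-prod"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if dig(values, ("global", "ingress", "configureCertmanager")) is not False:
        findings.append("global.ingress.configureCertmanager should be false")
    annotations = dig(values, ("global", "ingress", "annotations")) or {}
    if annotations.get("cert-manager.io/cluster-issuer") != issuer:
        findings.append(f"ingress annotations do not reference issuer {issuer!r}")
    owners = {}  # secret name -> first component that claimed it
    for component, path in TLS_SECRET_PATHS.items():
        secret = dig(values, path)
        if not secret:
            findings.append(f"{component}: no tls.secretName, wildcard certificate assumed")
        elif secret in owners:
            findings.append(f"{component}: secret {secret!r} already used by {owners[secret]}")
        else:
            owners[secret] = component
    return findings

def tls(name):
    return {"ingress": {"tls": {"secretName": name}}}

# Constructed sample mirroring the values on this page.
GOOD = {
    "global": {"ingress": {"configureCertmanager": False, "annotations": {
        "cert-manager.io/cluster-issuer": "letsencrypt-prod"}}},
    "gitlab": {"unicorn": tls("gitlab-unicorn-tls")},
    "registry": tls("gitlab-registry-tls"),
    "minio": tls("gitlab-minio-tls"),
}
# Constructed broken variant: registry reuses a secret and minio sets none.
BAD = dict(GOOD, registry=tls("gitlab-unicorn-tls"), minio={})
if __name__ == "__main__":
    print("good:", lint_values(GOOD))
    print("bad:", lint_values(BAD))
```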
UPDATE: you want git+ssh access to pull/push from your repo, right?
Well, then you need to add the following snippet to your values.yaml:
gitlab:
  gitlab-shell:
    service:
      type: LoadBalancer
global:
  hosts:
    ssh: ssh.your.fancy.domain
And again, accordingly, create in your DNS zone a CNAME (ANAME) towards the newly created LoadBalancer IP that AKS has created for you…
Yes, of course you could have created a complete set of ingress controllers, but we are not yet running a service that needs to be scaled to a broad audience.
…even more determined than before
If you can keep your head when all about you
Are losing theirs and blaming it on you,
If you can trust yourself when all men doubt you,
But make allowance for their doubting too;
If you can wait and not be tired by waiting,
Or being lied about, don’t deal in lies,
Or being hated, don’t give way to hating,
And yet don’t look too good, nor talk too wise:

If you can dream—and not make dreams your master;
If you can think—and not make thoughts your aim;
If you can meet with Triumph and Disaster
And treat those two impostors just the same;
If you can bear to hear the truth you’ve spoken
Twisted by knaves to make a trap for fools,
Or watch the things you gave your life to, broken,
And stoop and build ’em up with worn-out tools:

If you can make one heap of all your winnings
And risk it on one turn of pitch-and-toss,
And lose, and start again at your beginnings
And never breathe a word about your loss;
If you can force your heart and nerve and sinew
To serve your turn long after they are gone,
And so hold on when there is nothing in you
Except the Will which says to them: ‘Hold on!’

If you can talk with crowds and keep your virtue,
Or walk with Kings—nor lose the common touch,
If neither foes nor loving friends can hurt you,
If all men count with you, but none too much;
If you can fill the unforgiving minute
With sixty seconds’ worth of distance run,
Yours is the Earth and everything that’s in it,
And—which is more—you’ll be a Man, my son!

src: If— by Rudyard Kipling | Poetry Foundation