Gitlab Enterprise
Last updated
Was this helpful?
Last updated
Was this helpful?
Let's connect a nodejs app in one company's Amazon VPC with a CodeRepository hosted on a Gitlab Server in another company's Amazon VPC. The example uses AWS CLI to create these VPCs.
Each company’s network is private, isolated, and doesn't expose ports. To learn how end-to-end trust is established, please read: “”
Then run the following commands:
If everything runs as expected, you'll see the message: The example run was successful 🥳
In a typical production setup an administrator or provisioning pipeline generates enrollment tickets and gives them to nodes that are being provisioned. In our example, the run function is acting on your behalf as the administrator of the Ockam project.
First, the bank_corp/run.sh
script creates a network to host the database:
We are now ready to create an EC2 instance where the Gitlab server and Ockam outlet node will run:
When the instance is started, the run_gitlab.sh
script is executed:
Password can be used to access the gitlab console from local machine
When the instance is started, the run_ockam.sh
script is executed:
We then create an Ockam node:
First, the analysis_corp/run.sh
script creates a network to host the nodejs application:
We are now ready to create an EC2 instance where the Ockam inlet node will run:
The instance is started and the run_repoaccess.sh
script is executed:
The instance is started and the run_ockam.sh
script is executed:
We then create an Ockam node:
We finally wait for the instance to be ready and install the nodejs application:
Once the nodejs application is started:
We connected a nodejs app in one virtual private network with a Gitlab CodeRepository in another virtual private network over an end-to-end encrypted portal.
Analysis Corp. does not get unfettered access to Bank Corp.’s network. It gets access only to the codebase hosted on the Gitlab server. Bank Corp. does not get unfettered access to Analysis Corp.’s network. It gets access only to respond to queries over a tcp connection. Bank Corp. cannot initiate connections.
To delete all AWS resources:
This example requires Bash, Git, AWS CLI, Influx CLI, jq. Please set up these tools for your operating system. In particular you need to with aws sso login
.
The , that you ran above, and its are full of comments and meant to be read. The example setup is only a few simple steps, so please take some time to read and explore.
The calls the which invokes the to create an new identity, sign into Ockam Orchestrator, set up a new Ockam project, make you the administrator of this project, and get a project membership .
The run function then . The tickets are valid for 10 minutes. Each ticket can be redeemed only once and assigns to its redeemer. The is meant for the Ockam node that will run in Bank Corp.’s network. The is meant for the Ockam node that will run in Analysis Corp.’s network.
The run function passes the enrollment tickets as variables of the run scripts provisioning and .
We and tag it.
We and attach it to the VPC.
We and to the Internet via the gateway.
We , and associated to the route table.
We finally so that there is:
,
from the local machine running the example, to access Gitlab on port 22 and 80.
An SSH keypair to access gitlab repository is created and, .
We .
We to access EC2 and to obtain gitlab password to be able to login to gitlab console.
We above and a start script based on run_ockam.sh
and run_gitlab.sh
where:
created by the administrator and given as a parameter to run.sh
.
in run_gitlab.sh
script
We and .
We wait for 3 minutes for gitlab to be setup and
.
.
.
.
.
.
The .
The .
With .
A . The policy authorizes identities with a credential containing the attribute gitlab-inlet="true".
With capable of forwarding the TCP traffic to the TCP outlet.
We and tag it.
We and attach it to the VPC.
We and to the Internet via the gateway.
We , and associated to the route table.
We finally so that there is:
,
And to download and install the nodejs application from local machine running the script.
We .
We above and a start script based on run_ockam.sh
where:
created by the administrator and given as a parameter to run.sh
.
The is created on the EC2 with details of the private SSH key and permissions are updated
The .
The .
With .
A . The policy authorizes identities with a credential containing the attribute gitlab-outlet="true".
The has code to access the code repository on port 1222
configured
We can then and:
.
.
.
.
It will .
It that clones the repository, makes sure README.md file exists, inserts a line to the README.md file, does a commit and push the commit to the remote gitlab server.
Sensitive business data in the Gitlab Codebase is only accessible to Bank Corp. and Analysis Corp. All data is with strong forward secrecy as it moves through the Internet. The communication channel is and . Keys and credentials are automatically rotated. Access to connect with InfluxDB can be easily revoked.
All are secure-by-default. Only project members, with valid credentials, can connect with each other. NAT’s are traversed using a relay and outgoing tcp connections. Bank Corp. or Analysis Corp. don’t expose any listening endpoints on the Internet. Their networks are completely closed and protected from any attacks from the Internet.