Release a chart to easily setup a Gitlab Proxy

charts/gitlab-proxy/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/gitlab-proxy/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: gitlab-proxy
+type: application
+version: 0.0.1
+appVersion: "2.6"
+description: A proxy configured for Gitlab.com requests from Opslevel so you do not have to give OpsLevel your real Gitlab.com credentials
+home: https://www.opslevel.com/
+icon: https://www.opslevel.com/images/OpsLevelLogoText.svg
+maintainers:
+  - name: OpsLevel
+    email: [email protected]

charts/gitlab-proxy/README.md

@@ -0,0 +1,20 @@
+Gitlab Proxy
+---
+
+This chart packages up [caddy]() a proxy configured for Gitlab.com requests from Opslevel so you do not have to give OpsLevel your real Gitlab.com credentials.
+
+Make sure you have the [OpsLevel Helm chart](https://github.com/OpsLevel/helm-charts) repository added then you can perform an installation with:
+
+```
+cat << EOF > values.yaml
+real_token: "Your Real Gitlab Token"
+dummy_token: "The Dummy Token you give Opslevel"
+EOF
+helm install --namespace=opslevel --create-namespace -f values.yaml gitlab-proxy opslevel/gitlab-proxy
+```
+
+To upgrade
+
+```
+helm upgrade --namespace=opslevel -f values.yaml gitlab-proxy opslevel/gitlab-proxy
+```

charts/gitlab-proxy/templates/_helpers.tpl

@@ -0,0 +1,38 @@
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "utils.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "utils.name" -}}
+{{- default .Chart.Name .Values.name | lower | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "utils.labels" -}}
+helm.sh/chart: {{ include "utils.chart" . }}
+{{ include "utils.selectorLabels" . }}
+{{- with .Values.labels }}
+{{ toYaml . }}
+{{- end }}
+{{- end}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "utils.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "utils.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name | lower }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.selectorLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}

charts/gitlab-proxy/templates/configmap.yaml

@@ -0,0 +1,88 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "utils.name" . }}
+  labels:
+    {{- include "utils.labels" . | nindent 4 }}
+data:
+  Caddyfile: |
+    (gitlab_proxy) {
+    	reverse_proxy https://gitlab.com {
+    		header_up Authorization "Bearer {$OUTBOUND_TOKEN}"
+    		header_up Host {upstream_hostport}
+    	}
+    }
+
+    (get) {
+    	header_regexp Authorization "Bearer\s{$INBOUND_TOKEN}"
+    	method GET
+    }
+
+    :80 {
+    	@allow_get_auth {
+    		import get
+    		path_regexp "^/oauth/token/info$|^/api/v4/personal_access_tokens$"
+    	}
+
+    	@allow_get_groups {
+    		import get
+    		path_regexp "^/api/v4/groups$|^/api/v4/groups/\w*/projects$"
+    	}
+
+    	@allow_get_projects {
+    		import get
+    		path_regexp "^/api/v4/projects$|^/api/v4/projects/\w*$|^/api/v4/projects/\w*/languages$|^/api/v4/projects/\w*/search$"
+    	}
+
+    	@allow_get_repository {
+    		import get
+    		path_regexp "^/api/v4/projects/\w*/repository/files/*|^/api/v4/projects/\w*/repository/branches/*"
+    	}
+
+    	@allow_get_hooks {
+    		import get
+    		path /api/v4/projects/*/hooks/*
+    	}
+
+    	@allow_post_hooks {
+    		header_regexp Authorization "Bearer\s{$INBOUND_TOKEN}"
+    		method POST
+    		path /api/v4/projects/*/hooks
+    	}
+
+    	@allow_delete_hooks {
+    		header_regexp Authorization "Bearer\s{$INBOUND_TOKEN}"
+    		method DELETE
+    		path /api/v4/projects/*/hooks/*
+    	}
+
+    	handle @allow_get_auth {
+    		import gitlab_proxy
+    	}
+
+    	handle @allow_get_groups {
+    		import gitlab_proxy
+    	}
+
+    	handle @allow_get_projects {
+    		import gitlab_proxy
+    	}
+
+    	handle @allow_get_repository {
+    		import gitlab_proxy
+    	}
+
+    	handle @allow_get_hooks {
+    		import gitlab_proxy
+    	}
+
+    	handle @allow_post_hooks {
+    		import gitlab_proxy
+    	}
+
+    	handle @allow_delete_hooks {
+    		import gitlab_proxy
+    	}
+
+    	respond 403
+    }

charts/gitlab-proxy/templates/deployment.yaml

@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "utils.name" . }}
+  labels:
+    {{- include "utils.labels" . | nindent 4 }}
+  {{- with .Values.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: 1
+  revisionHistoryLimit: 3
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1
+  selector:
+    matchLabels:
+      {{- include "utils.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "utils.selectorLabels" . | nindent 8 }}
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+    spec:
+      containers:
+        - name: {{ template "utils.name" . }}
+          image: {{ .Values.image }}
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - secretRef:
+                name: {{ template "utils.name" . }}
+          ports:
+            - name: {{ template "utils.name" . }}
+              containerPort: 80
+          volumeMounts:
+            - mountPath: /etc/caddy/
+              name: {{ template "utils.name" . }}
+      volumes:
+        - name: {{ template "utils.name" . }}
+          configMap:
+            name: {{ template "utils.name" . }}

charts/gitlab-proxy/templates/ingress.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "utils.name" . }}
+  labels:
+    {{- include "utils.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  {{- if .Values.ingress.tls -}}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.domain }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.domain }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ template "utils.name" . }}
+                port:
+                  number: 80
+  {{- end }}

charts/gitlab-proxy/templates/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "utils.name" . }}
+  labels:
+    {{- include "utils.labels" . | nindent 4 }}
+stringData:
+  OUTBOUND_TOKEN: "{{ .Values.real_token | b64enc }}"
+  INBOUND_TOKEN: "{{ .Values.dummy_token | b64enc }}"

charts/gitlab-proxy/templates/service.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "utils.name" . }}
+  labels:
+    {{- include "utils.labels" . | nindent 4 }}
+  {{- with .Values.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+  ports:
+    - name: {{ template "utils.name" . }}
+      port: 80
+      targetPort: 80
+  selector:
+    {{- include "utils.selectorLabels" . | nindent 4 }}

charts/gitlab-proxy/values.yaml

@@ -0,0 +1,22 @@
+image: "caddy:2.6"
+real_token: ""
+dummy_token: ""
+selectorLabels: {}
+service:
+    annotations: {}
+    type: ClusterIP
+    externalTrafficPolicy: Cluster
+ingress:
+    enabled: false
+    annotations: {}
+    ingressClassName: "nginx"
+    tls: false
+    domain: "gitlab-proxy.company-name.com"
+
+# File Wide Settings
+name: "gitlab-proxy"
+labels: {}
+annotations:
+  opslevel.com/description: "A proxy configured for Gitlab.com requests from Opslevel so you do not have to give OpsLevel your real Gitlab.com credentials"
+  opslevel.com/language: "go"
+  opslevel.com/framework: "helm"