From 4157ab82e9e92d377bb9e3272b9554b004b8f258 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Thu, 7 Nov 2024 16:55:53 -0700 Subject: [PATCH 1/2] fix: remove rate-limiting from default settings --- docs/configuration.md | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index a8058909..10a32966 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -21,9 +21,6 @@ Network policies are controlled via the `uds-gitlab-config` chart in accordance > [!NOTE] > Currently the GitLab UDS Package contains Istio `PeerAuthentication` exceptions to allow the `dependency` init containers to reach out and check the Redis and Postgres services. These are only added with `redis.internal` or `postgres.internal` set to `true` and will be removed once UDS Core [switches to native sidecars](https://github.com/defenseunicorns/uds-core/issues/536). -> [!IMPORTANT] -> GitLab is configured to rate-limit by default (this can be changed in [application settings](#configuring-gitlab-settings) below). It will trust Istio to give it the proper headers to record the client IP, however, if you have additional proxies or tunnels in front of the Istio LoadBalancers it may receive a single IP for all users and should either be reconfigured or disabled. - ## Database GitLab uses Postgres as its backing database service and supports the [common database providers within UDS Software Factory](https://github.com/defenseunicorns/uds-software-factory/blob/main/docs/database.md). 
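Review bot: the removed `[!IMPORTANT]` note carried an operational caveat that nothing else in this patch preserves: GitLab trusts the headers Istio hands it to record the client IP, and any additional proxies or tunnels in front of the Istio LoadBalancers can present a single IP for every user. That caveat still applies to anyone who re-enables the throttles following the new guidance later in this patch, so it should move with the rate-limit text rather than be dropped; without it, a reader who turns throttling back on behind a proxy will rate-limit all users as one client and have no hint in the docs as to why.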
@@ -177,6 +174,29 @@ It is recommended to inspect these settings and further lock them down for your > [!TIP] > If you wish to disable the settings Job and CronJob and keep GitLab's default application settings you can do so with the `settingsJob.enabled` value. You can also adjust the CronJob schedule (when it will reset the application settings) with the `settingsJob.schedule` value. +> [!IMPORTANT] +> [GitLab's Application Hardening Recommendations](https://docs.gitlab.com/ee/security/hardening_application_recommendations.html) guide recommends setting rate limits for various request types however in this package these are disabled by default. This is because UDS Core does not by default pass the real IP of the client down to the GitLab Pod. If you need this functionality you must make the following overrides: +> +> `uds-core/istio-passthrough-gateway/gateway` +> ```yaml +> service: +> externalTrafficPolicy: Local +> ``` +> +> `uds-package-gitlab/gitlab/uds-gitlab-settings` +> ```yaml +> settingsJob: +> application: +> throttle_authenticated_api_enabled: true +> throttle_authenticated_packages_api_enabled: true +> throttle_authenticated_web_enabled: true +> throttle_unauthenticated_api_enabled: true +> throttle_unauthenticated_packages_api_enabled: true +> throttle_unauthenticated_web_enabled: true +> ``` +> +> Also note this configuration may become default but as of now is not fully supported and is pending further testing. + ## Configuring Bot Accounts #### `uds-gitlab-config` chart: From f0a2617bd68e1bcbbef2aad23c51b2e197ec0adb Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Thu, 7 Nov 2024 16:57:47 -0700 Subject: [PATCH 2/2] values --- charts/settings/values.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/charts/settings/values.yaml b/charts/settings/values.yaml index 683d88af..e3d8f1b1 100644 --- a/charts/settings/values.yaml +++ b/charts/settings/values.yaml 
@@ -56,22 +56,16 @@ settingsJob: admin_mode: true notify_on_unknown_sign_in: true dns_rebinding_protection_enabled: true - throttle_authenticated_api_enabled: true throttle_authenticated_api_period_in_seconds: 3600 throttle_authenticated_api_requests_per_period: 7200 - throttle_authenticated_packages_api_enabled: true throttle_authenticated_packages_api_period_in_seconds: 3600 throttle_authenticated_packages_api_requests_per_period: 7200 - throttle_authenticated_web_enabled: true throttle_authenticated_web_period_in_seconds: 3600 throttle_authenticated_web_requests_per_period: 7200 - throttle_unauthenticated_api_enabled: true throttle_unauthenticated_api_period_in_seconds: 3600 throttle_unauthenticated_api_requests_per_period: 3600 - throttle_unauthenticated_packages_api_enabled: true throttle_unauthenticated_packages_api_period_in_seconds: 3600 throttle_unauthenticated_packages_api_requests_per_period: 3600 - throttle_unauthenticated_web_enabled: true throttle_unauthenticated_web_period_in_seconds: 3600 throttle_unauthenticated_web_requests_per_period: 3600 usage_ping_enabled: false
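Review bot: in the added `[!IMPORTANT]` note (the `@@ -177,6 +174,29 @@` hunk of `docs/configuration.md`), `service.externalTrafficPolicy: Local` is presented as the whole fix for the client-IP problem, but it is necessary rather than sufficient. `Local` only preserves the source address for traffic that reaches the node directly from the client; if a cloud load balancer or any other proxy in front of the gateway SNATs connections (the exact case the Network-section note this patch deletes warned about), GitLab still sees one address for everyone and the six `throttle_*_enabled: true` overrides in the second snippet will throttle all users together. Suggest keeping that warning next to the overrides, and stating the Kubernetes side effect of `Local`: traffic sent to a node that has no local gateway pod is dropped and that node is reported unhealthy on the Service's health-check port, so gateway replicas need to be scheduled with that in mind. Two wording points: the first sentence needs a break before `however` (for example "...request types; however, in this package these are disabled by default."), and "not fully supported and is pending further testing" should say what is untested (for example whether the real client IP survives end to end through the gateway) so a reader can judge the risk of enabling it.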
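Review bot: deleting the six `throttle_*_enabled: true` lines from `charts/settings/values.yaml` leaves those settings unmanaged rather than disabled. If the settings Job and CronJob only apply the keys present under `settingsJob.application` (the docs describe the CronJob as resetting application settings on its schedule), then an instance deployed from an earlier version of this chart, or one where an admin has toggled the throttles in the UI, will keep throttling enabled while now receiving the same IP for every client, which is the failure mode the docs change is trying to avoid. If the intent is "disabled by default", set them explicitly, e.g. `throttle_authenticated_api_enabled: false` and `throttle_unauthenticated_web_enabled: false`, so the state is declarative and the documented override flips a known value instead of relying on whatever the instance last had. Keeping the `_period_in_seconds` and `_requests_per_period` keys is fine, since they only take effect when the matching `_enabled` flag is true and the docs override depends on them, but a one-line comment in values.yaml saying so would save the next reader from wondering why the limits are set and the flags are absent.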