Chainguard Container for gitlab-operator-fips

Kubernetes Operator for GitLab Server

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/gitlab-operator-fips:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Compatibility Notes

The gitlab-operator-fips image is designed to be a drop-in replacement for the upstream GitLab Operator, No changes to your configuration are required when switching to the Chainguard image.

FIPS Support

The gitlab-operator-fips Chainguard Image ships with a validated redistribution of the OpenSSL's FIPS provider module. For more on FIPS support in Chainguard Images, consult the guide on FIPS-enabled Chainguard Images on Chainguard Academy

Getting Started

Installing GitLab with GitLab Operator

Prerequisites

Before installing the GitLab Operator, you will need:

• Kubernetes cluster with kubectl configured
• Ingress controller - The GitLab Operator deploys NGINX by default, or you can use an external NGINX Ingress controller
• cert-manager - Must be installed before the operator
• Metrics server - Required for HorizontalPodAutoscalers
• Domain name with DNS configured - You'll need an internet-accessible domain that points to your Ingress controller. See GitLab DNS settings documentation for more details

Note: The default configuration is not suitable for production use. For production deployments, follow the Cloud Native Hybrid reference architectures.

Install the GitLab Operator

The GitLab Operator can be deployed using its Helm chart:

helm repo add gitlab https://charts.gitlab.io
helm repo update
helm install gitlab-operator gitlab/gitlab-operator \
  --namespace gitlab-system \
  --create-namespace \
  --set image.registry=cgr.dev \
  --set image.repository=ORGANIZATION \
  --set image.name=gitlab-operator-fips

See values.yaml for other possible configuration options.

Verify the operator deployment:

kubectl -n gitlab-system get deployment gitlab-controller-manager

Deploy GitLab

After the operator is installed, you can deploy GitLab by creating a GitLab custom resource:

cat <<EOF | kubectl apply -f -
apiVersion: apps.gitlab.com/v1beta1
kind: GitLab
metadata:
  name: gitlab
spec:
  chart:
    version: "X.Y.Z" # supported GitLab chart version (see note below)
    values:
      global:
        hosts:
          domain: example.com # use a real domain here
        ingress:
          configureCertmanager: true
      certmanager-issuer:
        email: youremail@example.com # use your real email address here
EOF

Note: Each GitLab Operator image supports only a few GitLab helm charts. To determine the supported versions for an operator version, check: https://gitlab.com/gitlab-org/cloud-native/gitlab-operator/-/blob/[OPERATOR_VERSION]/CHART_VERSIONS

Wait for the GitLab instance to deploy:

kubectl wait --for=condition=Ready gitlab gitlab --namespace=gitlab-system --timeout=10m

Once the GitLab instance is running, you can access it at your configured domain (https://gitlab.example.com).

GitLab Configuration

The GitLab Operator supports extensive configuration through the GitLab custom resource. All configuration options available in the GitLab Helm Chart can be specified under spec.chart.values.

For instance, you can configure the GitLab CR to use Chainguard FIPS images for various GitLab components:

cat <<EOF | kubectl apply -f -
apiVersion: apps.gitlab.com/v1beta1
kind: GitLab
metadata:
  name: gitlab
  namespace: gitlab-system
spec:
  chart:
    version: "X.Y.Z"
    values:
      global:
        hosts:
          domain: example.com
        ingress:
          configureCertmanager: true
      certmanager-issuer:
        email: youremail@example.com
      
      gitlab:
        toolbox:
          image:
            repository: cgr.dev/ORGANIZATION/gitlab-toolbox-ce
            tag: latest

        gitaly:
          image:
            repository: cgr.dev/ORGANIZATION/gitaly
            tag: latest

        kas:
          image:
            repository: cgr.dev/ORGANIZATION/gitlab-kas
            tag: latest

        webservice:
          image:
            repository: cgr.dev/ORGANIZATION/gitlab-webservice-ce
            tag: latest

        sidekiq:
          image:
            repository: cgr.dev/ORGANIZATION/gitlab-sidekiq-ce
            tag: latest
EOF

Visit the Chainguard Containers Directory for a full list of available Chainguard GitLab images.

Documentation and Resources

For more information on the GitLab Operator, refer to:

• GitLab Operator repository
• GitLab Operator documentation
• GitLab Helm chart documentation

What are Chainguard Containers?

Chainguard's free tier of Starter container images are built with Wolfi, our minimal Linux undistro.

All other Chainguard Containers are built with Chainguard OS, Chainguard's minimal Linux operating system designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a development, or -dev, variant.

In all other cases, including Chainguard Containers tagged as :latest or with a specific version number, the container images include only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager.

Although the -dev container image variants have similar security features as their more minimal versions, they include additional software that is typically not necessary in production environments. We recommend using multi-stage builds to copy artifacts from the -dev variant into a more minimal production image.

Need additional packages?

To improve security, Chainguard Containers include only essential dependencies. Need more packages? Chainguard customers can use Custom Assembly to add packages, either through the Console, chainctl, or API.

To use Custom Assembly in the Chainguard Console: navigate to the image you'd like to customize in your Organization's list of images, and click on the Customize image button at the top of the page.

Learn More

Refer to our Chainguard Containers documentation on Chainguard Academy. Chainguard also offers VMs and Libraries — contact us for access.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.