Final slides for 20231123

Author: nicholasdille

150_gitlab/001_quickstart/gitlab.demo

@@ -5,6 +5,7 @@ docker run -d --name gitlab \
     --volume gitlab_config:/etc/gitlab \
     --volume gitlab_logs:/var/log/gitlab \
     --volume gitlab_data:/var/opt/gitlab \
+    --publish 80:80 \
     gitlab/gitlab-ce:16.5.2-ce.0
 
 # Wait for container to finish starting

150_gitlab/060_api/slides.md

@@ -122,4 +122,24 @@ glab [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://gitlab.com
     ```
     <!-- .element: style="width: 32em;" -->
 
+---
+
+## Token expiry and rotation
+
+### Expiry
+
+Token without expiry are a security threat [](https://about.gitlab.com/blog/2023/10/25/access-token-lifetime-limits/)
+
+GitLab 16.0 (May 2023) sets a 1-year lifetime on such tokens
+
+### Rotation
+
+Rotation API introduced in GitLab 16.0 (May 2023)
+
+- Personal Access Tokens [](https://docs.gitlab.com/ee/api/personal_access_tokens.html#rotate-a-personal-access-token)
+- Group Acces Tokens [](https://docs.gitlab.com/ee/api/group_access_tokens.html#rotate-a-group-access-token)
+- Project Access Tokens [](https://docs.gitlab.com/ee/api/project_access_tokens.html#rotate-a-project-access-token)
+
+Automatic reuse detection [](https://docs.gitlab.com/ee/api/personal_access_tokens.html#automatic-reuse-detection) prevents use of rotated tokens:
 
+- Use of old tokens result in revocation of latest token

150_gitlab/100_reverse_proxy/compose.vscode.yml

@@ -69,6 +69,10 @@ services:
 
         # Prevent conflict with host SSH port
         gitlab_rails['gitlab_shell_ssh_port'] = 2222
+
+        # https://docs.gitlab.com/ee/administration/monitoring/prometheus/index.html#configuring-prometheus
+        prometheus_monitoring['enable'] = true
+        prometheus['listen_address'] = ':9090'
     # https://docs.gitlab.com/ee/install/docker.html#devshm-mount-not-having-enough-space-in-docker-container
     shm_size: 256m
     volumes:
@@ -86,8 +90,8 @@ services:
       traefik.http.routers.pages.entrypoints: http
       traefik.http.routers.pages.rule: HostRegexp(`{subdomain:.+}.gitlab.${DOMAIN:?You must supply DOMAIN}`) || HostRegexp(`{subdomain:.+}gitlab.${IP:?You must supply IP}.nip.io`)
       traefik.http.routers.pages.service: pages
-      traefik.tcp.services.ssh.loadbalancer.server.port: 2222
+      traefik.tcp.services.ssh.loadbalancer.server.port: 22
       traefik.tcp.routers.ssh.entrypoints: ssh
-      traefik.tcp.routers.ssh.rule: HostSNI(`gitlab.${DOMAIN:?You must supply DOMAIN}`) || HostSNI(`gitlab.${IP:?You must supply IP}.nip.io`)
+      traefik.tcp.routers.ssh.rule: HostSNI(`*`)
       traefik.tcp.routers.ssh.service: ssh
       traefik.tcp.routers.ssh.tls.passthrough: true

150_gitlab/100_reverse_proxy/compose.yml

@@ -87,12 +87,6 @@ docker volume rm gitlab_data
 
 A fresh instance has a new initial root password
 
-```
-docker exec -it gitlab cat /etc/gitlab/initial_root_password \
-| grep ^Password \
-| cut -d' ' -f2
-```
-
 ---
 
 ## TLS
@@ -111,8 +105,10 @@ Configure GitLab with key and certificate [<i class="fa-solid fa-arrow-up-right-
 
 Configure GitLab to use Let's Encrypt [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://docs.gitlab.com/omnibus/settings/ssl.html#lets-encrypt-integration)
 
-### traefik with Let's Encrypt <i class="fa-duotone fa-traffic-light-go" style="--fa-secondary-color: green;"></i>
+### Reverse proxy with custom certificate <i class="fa-duotone fa-traffic-light-slow" style="--fa-secondary-color: yellow;"></i>
+
+Configure traefik to use custom certificate [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://doc.traefik.io/traefik/https/tls/#user-defined)
 
-Configure traefik to use Let's Encrypt with HTTP challenge [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://doc.traefik.io/traefik/user-guides/docker-compose/acme-http/)
+### Reverse proxy with Let's Encrypt <i class="fa-duotone fa-traffic-light-go" style="--fa-secondary-color: green;"></i>
 
-Configure traefik to use Let's Encrypt with DNS challenge [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/)
+Configure traefik to use Let's Encrypt with DNS challenge [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://doc.traefik.io/traefik/user-guides/docker-compose/acme-dns/)

150_gitlab/100_reverse_proxy/slides.md

@@ -12,60 +12,82 @@
 
 Runners [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://docs.gitlab.com/runner/) are used to execute jobs in GitLab CI
 
-Supported executors: `shell`, `docker`, `docker-windows`, `docker-ssh`, `ssh`, `parallels`, `virtualbox`, `docker+machine`, `docker-ssh+machine`, `kubernetes`
+Runner can be shared across the instance of GitLab
 
-### Shell
+They can be specific to a group or project
 
-Jobs are executed in the context of the runner
+Extensive configuration [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://docs.gitlab.com/runner/configuration/advanced-configuration.html)
 
-### Docker / Kubernetes
+### Tags
 
-Jobs are executed in a dedicated container / pod
+Jobs select runners by specifying a tag
 
-### Image cleanup
+---
 
-docuum [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://github.com/stepchowfun/docuum) is able to remove least recently used images
+## Heads-up
+
+New runner registration process [](https://docs.gitlab.com/ee/architecture/blueprints/runner_tokens/)
+
+New default in 16.0 (May 2023)
+
+Enforcement in 16.6 (November 2023)
+
+Removal of old runne registration in 17.0 (May 2024)
+
+### Old process
+
+One token per instance, per group and per project
+
+Credential leak causes a lot of work
+
+### New process
+
+Create a runner through the UI or the API
+
+One token per runner
 
 ---
 
 ## Details
 
 <i class="fa-duotone fa-person-running fa-4x fa-duotone-colors" style="float: right;"></i>
 
-Runner can be shared across the instance of GitLab
-
-They can be specific to a group of project
-
-Jobs select runners by specifying a tag
+Supported executors: `shell`, `docker`, `docker-windows`, `docker-ssh`, `ssh`, `parallels`, `virtualbox`, `docker+machine`, `docker-ssh+machine`, `kubernetes`
 
-Extensive configuration [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://docs.gitlab.com/runner/configuration/advanced-configuration.html)
+### Shell
 
-### Heads-up
+Jobs are executed in the context of the runner
 
-New runner registration process [](https://docs.gitlab.com/ee/architecture/blueprints/runner_tokens/)
+### Docker / Kubernetes
 
-New default in v16.0 (May 2023)
+Jobs are executed in a dedicated container / pod
 
-Enforcement in v16.6 (November 2023)
+### Image cleanup
 
-Removal of old runne registration in v17.0 (May 2024)
+docuum [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://github.com/stepchowfun/docuum) is able to remove least recently used images
 
 ---
 
 ## Hands-On
 
-Add runner to GitLab instance
-
-```bash
-# Switch to directory for this topic
-cd ../160_runners
-
-# Deploy GitLab runner
-export CI_SERVER_URL=http://gitlab.seatN.inmylab.de
-export REGISTRATION_TOKEN=<TOKEN>
-export RUNNER_EXECUTOR=docker
-docker compose --project-name gitlab \
-    --file ../100_reverse_proxy/compose.yml \
-    --file compose.yml \
-    up -d
-```
+1. Add runner to GitLab instance: Admin Area <i class="fa-regular fa-arrow-right"></i> CI/CD <i class="fa-regular fa-arrow-right"></i> Runners <i class="fa-regular fa-arrow-right"></i> New instance runner
+
+1. Configure runner: Check "Run untagged jobs"
+
+1. Start runner (substitute token below)
+
+    ```bash
+    # Switch to directory for this topic
+    cd ../160_runners
+
+    # Deploy GitLab runner
+    export CI_SERVER_URL=http://gitlab.seatN.inmylab.de
+    export REGISTRATION_TOKEN=<TOKEN>
+    export RUNNER_EXECUTOR=docker
+    docker compose --project-name gitlab \
+        --file ../100_reverse_proxy/compose.yml \
+        --file compose.yml \
+        up -d
+    ```
+
+    <!-- .element: style="width: 35em;" -->

150_gitlab/160_runner/slides.md

@@ -0,0 +1,3 @@
+## Cache
+
+XXX

150_gitlab/165_cache/slides.md

@@ -10,32 +10,36 @@
 
 <i class="fa-duotone fa-monitor-waveform fa-4x fa-duotone-colors" style="float: right;"></i>
 
-GitLab ships with Prometheus and Grafana included [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://docs.gitlab.com/omnibus/settings/grafana.html)
+GitLab ships with Prometheus [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://docs.gitlab.com/omnibus/settings/grafana.html)
 
-All components expose metrics
+Grafana was removed in 16.0 (May 2023)
 
-Grafana ships with custom dashboards
+All components expose metrics
 
-### Hands-On
+GitLab provides custom dashboards for import into Grafana [](https://gitlab.com/gitlab-org/grafana-dashboards)
 
-1. Enable link to integrated Grafana (Menu <i class="fa-regular fa-arrow-right"></i> Admin <i class="fa-regular fa-arrow-right"></i> Settings <i class="fa-regular fa-arrow-right"></i> Metrics and profiling <i class="fa-regular fa-arrow-right"></i> Metrics - Grafana)
+---
 
-1. Go to Grafana (Menu <i class="fa-regular fa-arrow-right"></i> Admin <i class="fa-regular fa-arrow-right"></i> Monitoring <i class="fa-regular fa-arrow-right"></i> Metrics Dashboard)
+## Hands-On
 
-1. Log in to Grafana using GitLab
+1. Start Grafana next to GitLab
 
---
+    ```bash
+    docker compose \
+        --project-name gitlab \
+        --file ../100_reverse_proxy/compose.yml \
+        --file ../160_runner/compose.yml \
+        --file ./compose.yml \
+        up -d
+    ```
 
-## If SSO to Grafana fails
+1. Create datasource of type Prometheus with URL `http://gitlab:9090`
 
-1. Reset password for Grafana [<i class="fa-solid fa-arrow-up-right-from-square"></i>](https://docs.gitlab.com/omnibus/settings/grafana.html#resetting-the-admin-password):
+1. Import dashboard with ID 5774 [](https://grafana.com/grafana/dashboards/5774-gitlab-omnibus/)
 
-    ```bash
-    docker compose --project-name gitlab exec gitlab \
-        gitlab-ctl set-grafana-password
-    ```
+1. Add link to Grafana: Admin Area <i class="fa-regular fa-arrow-right"></i> Settings <i class="fa-regular fa-arrow-right"></i> Metrics and profiling <i class="fa-regular fa-arrow-right"></i> Metrics - Grafana
 
-1. Log in to Grafana with user `admin` and your password
+1. Find link under: Admin Area <i class="fa-regular fa-arrow-right"></i> Monitoring <i class="fa-regular fa-arrow-right"></i> Metrics Dashboard
 
 ---
 

150_gitlab/170_monitoring/compose.yaml renamed to 150_gitlab/170_monitoring/compose.yml

@@ -66,9 +66,11 @@
 | From  | To    | What                                                  |
 |-------|-------|-------------------------------------------------------|
 | 09:00 |       | Let's roll <i class="fa-solid fa-rabbit-running"></i> |
-| 10:45 | 11:00 | Coffee Break <i class="fa-solid fa-mug-hot"></i>      |
+| 10:00 | 10:15 | Coffee Break <i class="fa-solid fa-mug-hot"></i>      |
+| 11:15 | 11:30 | Coffee Break <i class="fa-solid fa-mug-hot"></i>      |
 | 12:30 | 13:30 | Lunch Break <i class="fa-solid fa-pot-food"></i>      |
-| 15:00 | 15:15 | Coffee Break <i class="fa-solid fa-mug-hot"></i>      |
+| 14:30 | 14:45 | Coffee Break <i class="fa-solid fa-mug-hot"></i>      |
+| 15:45 | 16:00 | Coffee Break <i class="fa-solid fa-mug-hot"></i>      |
 |       | 17:00 | The End <i class="fa-solid fa-flag-checkered"></i>    |
 
 ---
@@ -170,12 +172,6 @@
 
 2023-11-30 / 2023-11-07: Workshop [GitLab CI](https://heise-academy.de/schulungen/cicd-gitlab) (2 days)
 </textarea></section>
-
-<section data-markdown="" data-separator="^---$" data-separator-vertical="^--$"><textarea data-template="">
-## Links
-
-https://to-be-continuous.gitlab.io/
-</textarea></section>
 </div>
 </div>