GitLab: A DevSecOps Platform

Introduction

DevSecOps is a set of software development practices which involves the security practices along with DevOps practices which defines software development life-cycle activities to deliver robust and secure software delivery. It is getting popularity among developer communities along with Agile based software development and life cycle management. Due to increasing risk of security, it is very good idea to introduce the security practices along with DevOps activities. It is much beneficial in several manner and give a thought of “Design by Security” to the software architects.

Since the development activities are being evolved with time and technological advancement, the underlying tools used to ‘support’ and ‘perform’ development practices are also being strengthen. Typically, to perform each practice, there are tools and software available which allow to perform one or two activities only. Therefore multiple ‘tools and software’ are required during entire software life-cycle, which will require management and maintenance cost for practice tools itself & it makes software development costly in terms of time, effort, physical resources. For example, suppose using conventional tool for DevOps practices then, SVN is required for Source Code Management (SCM), then build tool, pipeline automation tool like Jenkins/Hudson, Project management tool, issue & bug tracking tool and so on. Hence, it requires complete set of tools and platform even if you have to develop respectively small software projects. This create a need for single platform which provide tools and feature to perform complete DevOps/DevSecOps practices along with project management.

Many software vendors are working to enrich and make a single platform to provide most/all ‘needs’ of the software development & maintenance activities. Example of such platforms are: GitHub, BitBucket etc. from different vendors. GitLab is also a similar platform which offers various features for supporting and performing development practices in compliance with DevSecOps practice set. It can be used as a robust platform for source code management along with DevSecOps automation platform.

About GitLab

GitLab is a popular DevOps software platform that provides ability to perform DevOps practices like SCM, create & run build pipeline, secure and operate software using single GitLab platform. GitLab has been developed by GitLab Inc. which is a ‘open-core’ model organization.

GitLab provides following hosting approaches:

• Internet Hosted Service — GitLab provides internet hosted software as-a service (SaaS) which can be used ‘free’ (based on consumption limitation) and ‘paid’ based upon various pricing model. One can sign-up and create project, repositories and build pipeline very easily. You can follow link for Sign Up (register user) or login if you have already account: https://gitlab.com/users/sign_in
• On-Premise Hosted—GitLab provides official packages for different Linux OS to install it on-premise. E.g. Ubuntu, OpenSuse Cent, Debian etc. Apart form Linux deployment packages, GitLab also provides Docker, Kubernetes and Helm based deployment artifacts. You can follow link for deployment packages: https://about.gitlab.com/install/
• Cloud Hosted — GitLab also provides deployment packages for different cloud vendors like Azure, AWS, GCP from marketplaces.

GitLab provides rich set of features which helps to perform the DevSecOps practices along with project management. Below are high-level list of features offered by GitLab:

Note: To work on GitLab, you can login if you have account else create account on GitLab. It is free for basic uses with some feature & use limitation. The paid subscriptions provides full features. Please follow the link (Sign in · GitLab) for Sign Up (register) / Login.

1. Group / Sub-Group — A group can contain another Group or Project/Repository. It is used to maintain the hierarchical order of Project/Repository placement.

Example, suppose there is microservice based development project for eStore then possible group and project would be:

eStore                    # root group
  - customer service      # customer management service project
  - order service         # order management service project
  - product service       # product management service project
  - billing service       # billing management service project

First need to create a group:

Click on ‘New group’, it will open a page to select ‘create group’:

Provide the details like group name, visibility level, role, email, members (for testing purpose, only provide group name and create it):

Once created, it can be opened, searched form menu:

A group may contain:

• Group Information — It has sub-menus to list activity, labels and members
• Issues — It has issue list, Board and Milestone
• Merge Requests — Group can show merge request for sub-groups/projects.
• Security — Settings for security policy
• CICD — CICD pipelines created for projects under group
• Packages and Registries — Package and registries created for projects under the group
• Settings — Settings for the group

2. Project / Repository —GitLab provide Git based Source Code Management (SCM) where centralized repository is created and developers create branches and commit their code.

GitLab provide approach of one repository for one project so GitLab call it ‘Project/Repository’. It is created under some group to place the ‘project/repository’ hierarchal.

To create ‘project/repository’, click on ‘New project/repository’:

It will open a page for create new project:

Project can be created from scratch by using ‘Create blank project’ button else it provides import project, create from another project as template and create project by using command line provided by GitLab. You can create a blank project if you don’t want to use any template:

Provide the project name and create project by clicking the button.

Once project is created it can be searched or opened from the main menu:

A project may contains following sub-features:

• Project Information — It shows the activities of project, labels and members

• Repository — Repository provides user interface and menus for SCM. It contains sub-menus like: Files, Commits, Branches, Tags, Contributors, Graph, Compare

• Issues- Issues provides complete issue management features with sub-menus to List issues, Boards, Service Desks, Milestones

• Merge Requests- When one branch code is to be merged to another branch, a Merge Request (MR) is created (it is similar to PRs in GitHub). It provides review feature while merging, the review can leave review comment, approve / reject MR

• CI/CD — GitLab provides powerful CI/CD pipeline creation using declarative YAML based configuration. The pipeline can be run from here and run details can be obtained

• Security and Compliance-It is used to apply security policies on project. It provide sub-menus for security configuration, audit events

• Deployment — This menu provides feature for release, the repository can create release. It also provide feature for creating Environment for deployment. The Release Notes can also be created here with ‘Releases’ sub-menu

• Package and Registries- The package registries can be added here so that after build packages can be added into registries

• Infrastructure-GitLab provides integration with Kubernetes, Terraform and Google Cloud. The existing deployment environments can be connect for deployment

• Monitor- Monitor provides various metrics, Error Tracking, Alerts and Incidents for the project

• Analytics -Analytics provide various charts and reports which can be utilized for reporting purpose

• Wiki-GitLab provide documentation feature as Wiki. One can create and manage wiki pages here

• Snippet-New snippet in project created for documentation purpose

• Settings-Settings for project and repositories.

3. Snippets — A code snippet is ‘block’ of code added for some reference or documentation purpose.

4. GitLab CICD Pipeline — GitLab CICD pipeline are created using declarative YAML configuration (similar to GitHub Action). It can be used to create complex pipeline with various stages and tasks. These pipelines can be run adhoc/scheduled/conditional.

The pipeline configuration are much rich and allows to create complex pipeline with various ready-made and custom components. It’s rich features and supports provide easy development of DevSecOps pipelines for various programming languages and build tools.

The pipeline feature can be seen under Group/Project/Repository menu from here, pipeline can be triggered and checked for its status.

The detailed pipeline development will be covered in subsequent section.

Use Case

GitLab is very rich platform and continuously being enriched with new features. It provides a single platform which cover project management, issue & incident management, release management, source code management, DevSecOps pipeline creation and run.

We need to create a project which can be added into GitLab and CI/CD created in GitLab. To demonstrate we need a project as prerequisite, therefore we created one microservice using:

• Java as programming language
• Spring boot as framework
• Maven as build tool
• Docker as packing tool

URL: https://gitlab.com/springapplicationgroup/springfirstproject

Once, project created, commit the Java project into GitLab repository:

To create GitLab CI/CD pipeline, click on ‘CI/CD’ -> ‘Editor’ menu which is being shown left side:

Click on ‘configure pipeline’, it will open an special editor called ‘Pipeline Editor’ with default pipeline script as YAML file which can be modified as per the need.

The ‘Pipeline Editor’ provides YAML editor, Visualization of pipeline, Validate pipeline, View Merged Pipeline:

Add the below configuration in Editor (remove default YAML content):

variables:
  MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
  MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
image: maven:3.3.9-jdk-8
cache:
  paths:
    - .m2/repository
stages:
  - test
  - build
  - deploy
.verify: &verify
  stage: test
  script:
    - 'mvn $MAVEN_CLI_OPTS verify'
  except:
    variables:
      - $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
verify:jdk8:
  <<: *verify
test:
  stage: test
  script:
  - 'mvn $MAVEN_CLI_OPTS test'
  only:
  - master
mvn-build:
  stage: build
  script:
  - 'mvn $MAVEN_CLI_OPTS clean compile package'
  artifacts:
    #untracked: true
    paths:
      - target/csm-0.1.jar
  only:
  - master
  dependencies:
     - docker-build
docker-build:
  image: docker:latest
  stage: build
  services:
    - docker:dind
  before_script:
    - docker version
  script:
    - ls
    - docker build --pull -f dockerfile -t "bankapp/csm:latest" .
    - docker tag "bankapp/csm:latest" "hub.docker.io/bankapp/csm:latest"
    - docker save -o "bankapp_csm_latest.img" "hub.docker.io/bankapp/csm:latest"
    - docker tag "hub.docker.io/bankapp/csm:latest" "registry.gitlab.com/springapplicationgroup/springfirstproject"
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - dockerfile
  needs: ["mvn-build"]
  artifacts:
    paths:
      - bankapp_csm_latest.img
production:
  stage: deploy
  script:
  - 'mvn $MAVEN_CLI_OPTS package'
  artifacts:
    paths:
      - target/csm-0.1.jar
  only:
  - master

It will create pipeline as:

Now commit it. A new pipeline file is created with name ‘.gitlab-ci.yaml’.

Once commit completed, it automatically invoke the Pipeline (manual pipeline trigger can also be performed) which we can see under ‘CI/CD -> Pipelines’:

Click on ‘Failed’ or ‘Passed’ button to see details about the pipeline execution:

Click on each step to see logs like:

The artifacts and logs can also be downloaded / browsed (based on configuration) from right side menus:

These pipeline can run on custom runners which can also be configured. If we see the YAML pipeline, it has variable, default image, the steps for build, test, package etc.

The pipeline capabilities are too rich in GitLab and can be created more complex pipeline, sub-pipelines, dependent pipelines based on need. It provide improved security by providing various dependency and security scanning tool integration.

Conclusion

GitLab is a powerful platform which provides a single platform for complete DevSecOps practices. It is quite easy to learn and manage projects without having mess of multiple tools used for different activities.

It provide wide range of programming language and build tool support for pipeline creation with rich set of declarative commands. GitLab pipeline also provides a good documentation so that new users can easily learn.

Since it will require single platform, time, effort and cost can be saved which are required in conventional mechanism of DevSecOps pipeline creation using Jenkins and other tools.

References

• GitLab — https://gitlab.com/
• About GitLab —https://about.gitlab.com/
• Install GitLab on-prem — https://about.gitlab.com/install/
• DevOps — https://siddhivinayak-sk.medium.com/continuous-integration-continuous-deployment-ci-cd-with-jenkins-sonarqube-nexus-docker-and-45a309bde131
• DevOps new players — https://siddhivinayak-sk.medium.com/devops-devsecops-new-players-gitlab-ci-cd-github-actions-bitbucket-pipelines-80daf1a2ef0b
• GitLab Use Case — https://gitlab.com/springapplicationgroup/springfirstproject
• GitLab Pipeline Documentation — https://docs.gitlab.com/ee/ci/pipelines/