From 3f2e2798ff0ec7d9c144868d9f21577f47d97f80 Mon Sep 17 00:00:00 2001
From: Jordan McClintock
Date: Fri, 1 Nov 2024 18:30:15 +0000
Subject: [PATCH 1/4] fix: add netpol to allow gitaly to perform repository mirroring actions

---
 charts/config/templates/uds-package.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/charts/config/templates/uds-package.yaml b/charts/config/templates/uds-package.yaml
index 293edabd..8d4ccf84 100644
--- a/charts/config/templates/uds-package.yaml
+++ b/charts/config/templates/uds-package.yaml
@@ -445,6 +445,18 @@ spec:
 {{- end }}
 description: "Gitlab Pages Storage"
 
+ # Gitaly
+ - direction: Egress
+ selector:
+ app: gitaly
+ remoteGenerated: Anywhere
+ ports:
+ - 9418
+ - 443
+ - 80
+ - 22
+ description: Gitaly repository mirroring
+
 # Custom rules for unanticipated scenarios
 {{- range .Values.custom }}
 - direction: {{ .direction }}

From 43617351da20dc095328d81b4a5845a9cee7913a Mon Sep 17 00:00:00 2001
From: Jordan McClintock
Date: Fri, 1 Nov 2024 19:38:57 +0000
Subject: [PATCH 2/4] move to configurable ports for mirroring

---
 charts/config/templates/uds-package.yaml | 5 +----
 charts/config/values.yaml | 10 ++++++++++
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/charts/config/templates/uds-package.yaml b/charts/config/templates/uds-package.yaml
index 8d4ccf84..24ffd35b 100644
--- a/charts/config/templates/uds-package.yaml
+++ b/charts/config/templates/uds-package.yaml
@@ -451,10 +451,7 @@ spec:
 app: gitaly
 remoteGenerated: Anywhere
 ports:
- - 9418
- - 443
- - 80
- - 22
+ {{- .Values.mirroring.ports | toYaml | nindent 10 }}
 description: Gitaly repository mirroring
 
 # Custom rules for unanticipated scenarios
diff --git a/charts/config/values.yaml b/charts/config/values.yaml
index 569a5336..53330e18 100644
--- a/charts/config/values.yaml
+++ b/charts/config/values.yaml
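Review bot: The added rule combines `remoteGenerated: Anywhere` with `direction: Egress`, so the `app: gitaly` pods gain egress to every destination on the listed ports and nothing in the chart lets a deployment restrict it to its actual mirror hosts; the follow-up patches make the ports configurable and add an enable flag, but the destination scope is unchanged. If the Package CRD version in use accepts a CIDR-scoped remote (such as `remoteCidr`), exposing an optional value for it would let operators narrow the rule, and until then the rendered `description` should state the breadth so it is visible in the applied policy, e.g. `description: Gitaly repository mirroring (egress to any destination on the configured ports)`. The `description` value is also left unquoted while the neighbouring `"Gitlab Pages Storage"` rule quotes its description, so the file now mixes both styles.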
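Review bot: `{{- .Values.mirroring.ports | toYaml | nindent 10 }}` renders the user-supplied list without any check, so an unset value produces `ports:` followed by `null` and an empty list produces `[]`, and what the operator does with a rule whose port list is empty is not something this chart should leave to chance. A render-time guard on the line above it, `{{- if not .Values.mirroring.ports }}{{- fail "mirroring.ports must list at least one port" }}{{- end }}`, turns that misconfiguration into a failed install instead of a policy of unclear scope. The rule's opening lines (`direction`, `selector`) are above this hunk.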
@@ -48,6 +48,16 @@ runner:
 app: gitlab-runner
 namespace: gitlab-runner
 sandboxNamespace: gitlab-runner-sandbox
+
+# Gitaly is responsible for mirroring actions, and there are 4 valid protocols with the following ports
+# ssh: 22
+# http: 80
+# https: 443
+# git: 9418
+mirroring:
+ ports:
+ - 443
+
 # custom:
 # # Notice no `remoteGenerated` field here on custom internal rule
 # - direction: Ingress

From 028673ab064906da9ed7294213f62fee771f7330 Mon Sep 17 00:00:00 2001
From: Jordan McClintock
Date: Fri, 1 Nov 2024 19:42:57 +0000
Subject: [PATCH 3/4] make mirroring netpol toggleable

---
 charts/config/templates/uds-package.yaml | 2 ++
 charts/config/values.yaml | 1 +
 2 files changed, 3 insertions(+)

diff --git a/charts/config/templates/uds-package.yaml b/charts/config/templates/uds-package.yaml
index 24ffd35b..b71316f3 100644
--- a/charts/config/templates/uds-package.yaml
+++ b/charts/config/templates/uds-package.yaml
@@ -446,6 +446,7 @@ spec:
 description: "Gitlab Pages Storage"
 
 # Gitaly
+ {{ if .Values.mirroring.enabled }}
 - direction: Egress
 selector:
 app: gitaly
@@ -453,6 +454,7 @@ spec:
 ports:
 {{- .Values.mirroring.ports | toYaml | nindent 10 }}
 description: Gitaly repository mirroring
+ {{- end }}
 
 # Custom rules for unanticipated scenarios
 {{- range .Values.custom }}
diff --git a/charts/config/values.yaml b/charts/config/values.yaml
index 53330e18..cd968d6c 100644
--- a/charts/config/values.yaml
+++ b/charts/config/values.yaml
@@ -55,6 +55,7 @@ runner:
 # https: 443
 # git: 9418
 mirroring:
+ enabled: false
 ports:
 - 443
 

From 62699d7c45458830c84099aa14f43813c956ad76 Mon Sep 17 00:00:00 2001
From: Jordan McClintock
Date: Fri, 1 Nov 2024 19:48:01 +0000
Subject: [PATCH 4/4] docs for mirroring netpols

---
 docs/configuration.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/configuration.md b/docs/configuration.md
index dd4a41c5..bd27b85c 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
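Review bot: The comment above `mirroring:` lists the four protocol ports but says nothing about the rule they feed being egress to any destination, nor that `80` (http) and `9418` (git) move repository data in cleartext, which is exactly what an operator needs when deciding whether to widen `ports` beyond the `443` default. Suggest annotating each port in that comment with whether its transport is encrypted (only `22` and `443` are) and adding one line stating that every listed port is opened for egress from gitaly to any destination. The `ports` entries are plain integers, which matches how the template consumes them through `toYaml`, so no quoting is needed there.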
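Review bot: The new guard is written `{{ if .Values.mirroring.enabled }}` while the other standalone actions visible in this template, including the matching `{{- end }}` added in the next hunk, use the left-trim form, so an enabled render gets an indentation-only line where the `if` stood and the file now mixes two styles for the same construct. Change it to `{{- if .Values.mirroring.enabled }}` to match `{{- range .Values.custom }}` and `{{- end }}`. The `# Gitaly` comment also stays outside the conditional, so a render with mirroring disabled keeps the heading with nothing under it; moving it inside the `if` or making it a `{{/* Gitaly */}}` template comment avoids that.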
@@ -15,6 +15,7 @@ Network policies are controlled via the `uds-gitlab-config` chart in accordance
 - `storage`: sets network policies for accessing object storage from all GitLab services (`registry`, `pages`, `webservice`, `toolbox`, `sidekiq`)
 - `redis`: sets network policies for accessing a Redis-compatible server from all GitLab services (`webservice`, `toolbox`, `sidekiq`, `migrations`, `gitlab-exporter`)
 - `postgres`: sets network policies for accessing a Postgres database from all GitLab services (`webservice`, `toolbox`, `sidekiq`, `migrations`, `gitlab-exporter`)
+- `mirroring`: sets network policies that allow the gitlab repository mirroring feature to work. It defaults to only `https` (443) but can be set to allow the other protocols gitlab supports via the `ports` key.
 - `custom`: sets custom network policies for the GitLab namespace - this allows for custom integrations with other services (i.e. Jira)
 
 > [!NOTE]