From b06f31d89a8b84659f4a698c91d7f2d72c2cc14c Mon Sep 17 00:00:00 2001
From: Thomas
Date: Tue, 30 Apr 2024 23:22:44 +0100
Subject: [PATCH] Set registry certificate secret keys

Fixes: #5483
---
 .../charts/sidekiq/templates/deployment.yaml | 2 +-
 .../charts/toolbox/templates/backup-job.yaml | 2 +-
 .../charts/toolbox/templates/deployment.yaml | 2 +-
 .../charts/webservice/templates/deployment.yaml | 2 +-
 charts/registry/templates/deployment.yaml | 2 +-
 doc/charts/gitlab/webservice/index.md | 3 ++-
 doc/charts/registry/index.md | 9 +++++++--
 templates/_registry.tpl | 14 ++++++++++++++
 templates/shared-secrets/_generate_secrets.sh.tpl | 2 +-
 9 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/charts/gitlab/charts/sidekiq/templates/deployment.yaml b/charts/gitlab/charts/sidekiq/templates/deployment.yaml
index e68ea0bb3d..76021e2de8 100644
--- a/charts/gitlab/charts/sidekiq/templates/deployment.yaml
+++ b/charts/gitlab/charts/sidekiq/templates/deployment.yaml
@@ -334,7 +334,7 @@ spec:
 - secret:
 name: {{ template "gitlab.registry.certificate.secret" $ }}
 items:
- - key: registry-auth.key
+ - key: {{ template "gitlab.registry.certificate.privateKey" $ }}
 path: registry/gitlab-registry.key
 {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 10 -}}
 {{- include "gitlab.pages.mountSecrets" $ | nindent 10 }}
diff --git a/charts/gitlab/charts/toolbox/templates/backup-job.yaml b/charts/gitlab/charts/toolbox/templates/backup-job.yaml
index 9c9143f837..a136dfb000 100644
--- a/charts/gitlab/charts/toolbox/templates/backup-job.yaml
+++ b/charts/gitlab/charts/toolbox/templates/backup-job.yaml
@@ -201,7 +201,7 @@ spec:
 - secret:
 name: {{ template "gitlab.registry.certificate.secret" . }}
 items:
- - key: registry-auth.key
+ - key: {{ template "gitlab.registry.certificate.privateKey" . }}
 path: registry/gitlab-registry.key
 {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 16 -}}
 {{- if or .Values.backups.objectStorage.config (not .Values.global.minio.enabled) }}
diff --git a/charts/gitlab/charts/toolbox/templates/deployment.yaml b/charts/gitlab/charts/toolbox/templates/deployment.yaml
index cc3dbda926..6e5213d052 100644
--- a/charts/gitlab/charts/toolbox/templates/deployment.yaml
+++ b/charts/gitlab/charts/toolbox/templates/deployment.yaml
@@ -234,7 +234,7 @@ spec:
 - secret:
 name: {{ template "gitlab.registry.certificate.secret" . }}
 items:
- - key: registry-auth.key
+ - key:{{ template "gitlab.registry.certificate.privateKey" . }}
 path: registry/gitlab-registry.key
 {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 10 -}}
 {{- if or .Values.backups.objectStorage.config (not (or .Values.global.minio.enabled .Values.global.appConfig.object_store.enabled)) }}
diff --git a/charts/gitlab/charts/webservice/templates/deployment.yaml b/charts/gitlab/charts/webservice/templates/deployment.yaml
index 24c24b5d49..26146a49c8 100644
--- a/charts/gitlab/charts/webservice/templates/deployment.yaml
+++ b/charts/gitlab/charts/webservice/templates/deployment.yaml
@@ -507,7 +507,7 @@ spec:
 - secret:
 name: {{ template "gitlab.registry.certificate.secret" $ }}
 items:
- - key: registry-auth.key
+ - key: {{ template "gitlab.registry.certificate.privateKey" $ }}
 path: registry/gitlab-registry.key
 {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 10 }}
 - secret:
diff --git a/charts/registry/templates/deployment.yaml b/charts/registry/templates/deployment.yaml
index 54b3abb18e..a4f5fff812 100644
--- a/charts/registry/templates/deployment.yaml
+++ b/charts/registry/templates/deployment.yaml
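Review bot: In the toolbox deployment hunk the added line is `- key:{{ template "gitlab.registry.certificate.privateKey" . }}` with no space after `key:`, unlike the same edit in the sidekiq, backup-job and webservice hunks. Once the helper renders its quoted value the line becomes `- key:"registry-auth.key"`, which YAML does not treat as a `key` mapping entry, so the `path:` line that follows no longer forms a valid `items` element and the mount is malformed. The fix is the one-character change `- key: {{ template "gitlab.registry.certificate.privateKey" . }}`. The enclosing `volumes` definition begins before the hunk.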
@@ -175,7 +175,7 @@ spec:
 - secret:
 name: {{ template "gitlab.registry.certificate.secret" . }}
 items:
- - key: registry-auth.crt
+ - key: {{ template "gitlab.registry.certificate.crt" . }}
 path: certificate.crt
 - secret:
 name: {{ template "gitlab.registry.httpSecret.secret" . }}
diff --git a/doc/charts/gitlab/webservice/index.md b/doc/charts/gitlab/webservice/index.md
index 8e117cd67c..894e3cc636 100644
--- a/doc/charts/gitlab/webservice/index.md
+++ b/doc/charts/gitlab/webservice/index.md
@@ -639,8 +639,9 @@ registry:
 | `api.port` | Integer | `5000` | The port on which to connect to the Registry API. |
 | `api.protocol` | String | | The protocol Webservice should use to reach the Registry API. |
 | `api.serviceName` | String | `registry` | The name of the `service` which is operating the Registry server. If this is present, and `api.host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `api.host` value. This is convenient when using Registry as a part of the overall GitLab chart. |
-| `certificate.key` | String | | The name of the `key` in the `Secret` which houses the certificate bundle that will be provided to the [registry](https://hub.docker.com/_/registry/) container as `auth.token.rootcertbundle`. |
 | `certificate.secret` | String | | The name of the [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/) that houses the certificate bundle to be used to verify the tokens created by the GitLab instance(s). |
+| `certificate.crt` | String | | The name of the `key` in the `Secret` which houses the certificate bundle that will be provided to the [registry](https://hub.docker.com/_/registry/) container as `auth.token.rootcertbundle`. |
+| `certificate.privateKey` | String | | The name of the `key` in the `Secret` which houses the private key that will be provided to the [registry](https://hub.docker.com/_/registry/) container as `auth.token.rootcertbundle`. |
 | `host` | String | | The external hostname to use for providing Docker commands to users in the GitLab UI. Falls back to the value set in the `registry.hostname` template. Which determines the registry hostname based on the values set in `global.hosts`. See the [Globals Documentation](../../globals.md) for more information. |
 | `port` | Integer | | The external port used in the hostname. Using port `80` or `443` will result in the URLs being formed with `http`/`https`.
Other ports will all use `http` and append the port to the end of hostname, for example `http://registry.example.com:8443`. |
 | `tokenIssuer` | String | `gitlab-issuer` | The name of the auth token issuer. This must match the name used in the Registry's configuration, as it incorporated into the token when it is sent. The default of `gitlab-issuer` is the same default we use in the Registry chart. |
diff --git a/doc/charts/registry/index.md b/doc/charts/registry/index.md
index d1b394818c..3db2619222 100644
--- a/doc/charts/registry/index.md
+++ b/doc/charts/registry/index.md
@@ -89,7 +89,8 @@ registry:
 tokenIssuer:
 certificate:
 secret: gitlab-registry
- key: registry-auth.crt
+ crt: registry-auth.crt
+ privateKey: registry-auth.key
 deployment:
 terminationGracePeriodSeconds: 30
 draintimeout: '0'
@@ -152,6 +153,9 @@ If you chose to deploy this chart as a standalone, remove the `registry` at the
 | `authAutoRedirect` | `true` | Auth auto-redirect (must be true for Windows clients to work) |
 | `authEndpoint` | `global.hosts.gitlab.name` | Auth endpoint (only host and port) |
 | `certificate.secret` | `gitlab-registry` | JWT certificate |
+| `certificate.crt` | `registry-auth.crt` | Secret key in which the certificate chain is stored |
+| `certificate.privateKey` | `registry-auth.key` | Secret key in which the private key is stored |
+
 | `debug.addr.port` | `5001` | Debug port |
 | `debug.tls.enabled` | `false` | Enable TLS for the debug port for the registry. Impacts liveness and readiness probes, as well as the metrics endpoint (if enabled) |
 | `debug.tls.secretName` | | The name of the Kubernetes TLS Secret that contains a valid certificate and key for the registry debug endpoint. When not set and `debug.tls.enabled=true` - the debug TLS configuration will default to the registry's TLS certificate. |
@@ -646,7 +650,8 @@ Default Example:
 ```yaml
 certificate:
 secret: gitlab-registry
- key: registry-auth.crt
+ crt: registry-auth.crt
+ privateKey: registry-auth.key
 ```
 
 ### readiness and liveness probe
diff --git a/templates/_registry.tpl b/templates/_registry.tpl
index 6f5665543a..b38b46b8bd 100644
--- a/templates/_registry.tpl
+++ b/templates/_registry.tpl
@@ -7,6 +7,20 @@ Return the registry certificate secret name
 {{- default (printf "%s-registry-secret" .Release.Name) .Values.global.registry.certificate.secret | quote -}}
 {{- end -}}
 
+{{/*
+Return the registry certificate crt secret key
+*/}}
+{{- define "gitlab.registry.certificate.crt" -}}
+{{- default (printf "registry-auth.crt" .Release.Name) .Values.global.registry.certificate.crt | quote -}}
+{{- end -}}
+
+{{/*
+Return the registry certificate key secret key
+*/}}
+{{- define "gitlab.registry.certificate.privateKey" -}}
+{{- default (printf "registry-auth.key" .Release.Name) .Values.global.registry.certificate.privateKey | quote -}}
+{{- end -}}
+
 {{/*
 Return the registry TLS secret name
 */}}
diff --git a/templates/shared-secrets/_generate_secrets.sh.tpl b/templates/shared-secrets/_generate_secrets.sh.tpl
index c626210537..27115d913e 100644
--- a/templates/shared-secrets/_generate_secrets.sh.tpl
+++ b/templates/shared-secrets/_generate_secrets.sh.tpl
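Review bot: Both new helpers in the `templates/_registry.tpl` hunk call `printf` with a format string that contains no verb, `printf "registry-auth.crt" .Release.Name`, and Go's fmt appends `%!(EXTRA string=<release>)` for the unused argument, so whenever `global.registry.certificate.crt` or `privateKey` is unset (the diffstat lists no values.yaml change) the fallback key name is `registry-auth.crt%!(EXTRA string=…)` rather than `registry-auth.crt`. That string then flows into every `items: - key:` mount in this patch and into the `--from-file=` arguments of the shared-secrets hunk, where it is not an acceptable Secret data key and no longer matches the key the existing Secret was created with. The release name is not part of these defaults, so the fix is `{{- default "registry-auth.crt" .Values.global.registry.certificate.crt | quote -}}` and `{{- default "registry-auth.key" .Values.global.registry.certificate.privateKey | quote -}}`. The header comment `Return the registry certificate key secret key` would also read more clearly as `Return the Secret data key that holds the registry token-signing private key`, mirroring a `...certificate chain...` wording for the crt helper.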
@@ -143,7 +143,7 @@ generate_secret_if_needed {{ template "gitlab.appConfig.serviceDeskEmail.authTok
 # Registry certificates
 mkdir -p certs
 openssl req -new -newkey rsa:4096 -subj "/CN={{ coalesce .Values.registry.tokenIssuer (dig "registry" "tokenIssuer" "gitlab-issuer" .Values.global ) }}" -nodes -x509 -keyout certs/registry-example-com.key -out certs/registry-example-com.crt -days 3650
-generate_secret_if_needed {{ template "gitlab.registry.certificate.secret" . }} --from-file=registry-auth.key=certs/registry-example-com.key --from-file=registry-auth.crt=certs/registry-example-com.crt
+generate_secret_if_needed {{ template "gitlab.registry.certificate.secret" . }} --from-file={{ template "gitlab.registry.certificate.privateKey" . }}=certs/registry-example-com.key --from-file={{ template "gitlab.registry.certificate.crt" . }}=certs/registry-example-com.crt
 
 # config/secrets.yaml
 if [ -n "$env" ]; then
-- 
GitLab
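Review bot: The two helpers emit their value through `| quote`, so the rendered command is `--from-file="registry-auth.key"=certs/registry-example-com.key`; this works only because the shell strips the double quotes before `kubectl` sees the argument, which is easy to misread as a bug on the next visit. A comment above the line, `# helper output is double-quoted; the shell removes the quotes before kubectl sees key=file`, would make the shape deliberate. Note also that whatever a user sets in `global.registry.certificate.crt`/`privateKey` is now used verbatim as a Secret data key here and in the volume mounts of the other hunks, so it must satisfy Kubernetes' key-name character rules, a constraint the new documentation rows do not state.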