From 7bf8e5931d10decc720b1981404c40350e20d195 Mon Sep 17 00:00:00 2001
From: ngala
Date: Tue, 7 May 2024 15:59:38 +0530
Subject: [PATCH 1/4] Add client_cert_key_pairs, ca_certs in gitlab.rb for Pages

Related: https://gitlab.com/gitlab-org/gitlab-pages/-/issues/548+
Changelog: added
---
 charts/gitlab/charts/gitlab-pages/templates/configmap.yml | 6 ++++++
 charts/gitlab/charts/gitlab-pages/values.yaml | 3 +++
 doc/charts/gitlab/gitlab-pages/index.md | 2 ++
 doc/charts/globals.md | 2 ++
 values.yaml | 2 ++
 5 files changed, 15 insertions(+)

diff --git a/charts/gitlab/charts/gitlab-pages/templates/configmap.yml b/charts/gitlab/charts/gitlab-pages/templates/configmap.yml
index 2b97e241d8..95ff519558 100644
--- a/charts/gitlab/charts/gitlab-pages/templates/configmap.yml
+++ b/charts/gitlab/charts/gitlab-pages/templates/configmap.yml
@@ -170,6 +170,12 @@ data:
 {{- if .Values.serverKeepAlive }}
 server-keep-alive={{ .Values.serverKeepAlive }}
 {{- end }}
+ {{- if .Values.clientCertKeyPairs }}
+ client-cert-key-pairs={{ .Values.clientCertKeyPairs }}
+ {{- end }}
+ {{- if .Values.caCerts }}
+ ca-certs={{ .Values.caCerts }}
+ {{- end }}
 configure: |
 {{- include "gitlab.scripts.configure.secrets" (dict "required" "pages" "optional" "none") | nindent 4 }}
 {{- if $.Values.metrics.tls.enabled }}
diff --git a/charts/gitlab/charts/gitlab-pages/values.yaml b/charts/gitlab/charts/gitlab-pages/values.yaml
index c649158e1c..61b4dde692 100644
--- a/charts/gitlab/charts/gitlab-pages/values.yaml
+++ b/charts/gitlab/charts/gitlab-pages/values.yaml
@@ -244,3 +244,6 @@ affinity:
 # rateLimitTLSSourceIPBurst:
 # rateLimitTLSDomain:
 # rateLimitTLSDomainBurst:
+
+# clientCertKeyPairs
+# caCerts
\ No newline at end of file
diff --git a/doc/charts/gitlab/gitlab-pages/index.md b/doc/charts/gitlab/gitlab-pages/index.md
index 2da811617e..5c5f7c1516 100644
--- a/doc/charts/gitlab/gitlab-pages/index.md
+++ b/doc/charts/gitlab/gitlab-pages/index.md
@@ -160,6 +160,8 @@ configurations that can be supplied to the `helm install` command using the
 | `serverKeepAlive` | `15s` | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
 | `authTimeout` | `5s` | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
 | `authCookieSessionTimeout` | `10m` | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
+| `clientCertKeyPairs` | | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
+| `caCerts` | | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |

 ### Configuring the `ingress`

diff --git a/doc/charts/globals.md b/doc/charts/globals.md
index 06b51567fd..a2d734a920 100644
--- a/doc/charts/globals.md
+++ b/doc/charts/globals.md
@@ -2001,6 +2001,8 @@ global:
 | `localStore.path` | String | `/srv/gitlab/shared/pages` | Path where pages files will be stored; only used if localStore is set to true. |
 | `apiSecret.secret` | String | | Secret containing 32 bit API key in Base64 encoded form. |
 | `apiSecret.key` | String | | Key within the API key secret where the API key is stored. |
+| `clientCertKeyPairs` | String | | GitLab client certificate key pairs utilized for mutual TLS authentication with GitLab API. |
+| `caCerts` | String | | Root CA certificates utilized for signing GitLab client certificates |

 ## Configure Webservice

diff --git a/values.yaml b/values.yaml
index 8163e1a1ff..41e50f3cf5 100644
--- a/values.yaml
+++ b/values.yaml
@@ -693,6 +693,8 @@ global:
 authSecret: {}
 # secret:
 # key:
+ clientCertKeyPairs:
+ caCerts:

 ## GitLab Runner
 ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-runner-secret
-- 
GitLab

From ce0096efd9810b890eefbc4d1afd6e52265ba3bc Mon Sep 17 00:00:00 2001
From: ngala
Date: Tue, 7 May 2024 16:06:02 +0530
Subject: [PATCH 2/4] Update pages_spec.rb with relevant test

---
 spec/configuration/pages_spec.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/spec/configuration/pages_spec.rb b/spec/configuration/pages_spec.rb
index 1836756f5b..81ad5dfac4 100644
--- a/spec/configuration/pages_spec.rb
+++ b/spec/configuration/pages_spec.rb
@@ -510,6 +510,8 @@ describe 'GitLab Pages' do
 serverKeepAlive: 4h
 authTimeout: 10s
 authCookieSessionTimeout: 1h
+ clientCertKeyPairs: /path/to/client.crt:/path/to/client.key
+ caCerts: /path/to/ca.crt
 ))
 end

@@ -562,6 +564,8 @@ describe 'GitLab Pages' do
 server-read-header-timeout=2h
 server-write-timeout=3h
 server-keep-alive=4h
+ client-cert-key-pairs=/path/to/client.crt:/path/to/client.key
+ ca-certs=/path/to/ca.crt
 MSG
 expect(pages_enabled_template.exit_code).to eq(0), "Unexpected error code #{pages_enabled_template.exit_code} -- #{pages_enabled_template.stderr}"
-- 
GitLab

From edccf7ba591e9d82bd4775fe92b77de3242042c1 Mon Sep 17 00:00:00 2001
From: ngala
Date: Fri, 24 May 2024 10:32:57 +0530
Subject: [PATCH 3/4] Update mTLS parameters

---
 .../charts/gitlab-pages/templates/configmap.yml | 11 +++++++----
 charts/gitlab/charts/gitlab-pages/values.yaml | 3 ++-
 doc/charts/gitlab/gitlab-pages/index.md | 5 +++--
 doc/charts/globals.md | 5 +++--
 spec/configuration/pages_spec.rb | 10 ++++++----
 values.yaml | 5 +++--
 6 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/charts/gitlab/charts/gitlab-pages/templates/configmap.yml b/charts/gitlab/charts/gitlab-pages/templates/configmap.yml
index 95ff519558..ec2cb5680b 100644
--- a/charts/gitlab/charts/gitlab-pages/templates/configmap.yml
+++ b/charts/gitlab/charts/gitlab-pages/templates/configmap.yml
@@ -170,11 +170,14 @@ data:
 {{- if .Values.serverKeepAlive }}
 server-keep-alive={{ .Values.serverKeepAlive }}
 {{- end }}
- {{- if .Values.clientCertKeyPairs }}
- client-cert-key-pairs={{ .Values.clientCertKeyPairs }}
+ {{- if .Values.clientCert }}
+ client-cert={{ .Values.clientCert }}
 {{- end }}
- {{- if .Values.caCerts }}
- ca-certs={{ .Values.caCerts }}
+ {{- if .Values.clientKey }}
+ client-key={{ .Values.clientKey }}
+ {{- end }}
+ {{- if .Values.clientCACerts }}
+ client-ca-certs={{ .Values.clientCACerts }}
 {{- end }}
 configure: |
 {{- include "gitlab.scripts.configure.secrets" (dict "required" "pages" "optional" "none") | nindent 4 }}
diff --git a/charts/gitlab/charts/gitlab-pages/values.yaml b/charts/gitlab/charts/gitlab-pages/values.yaml
index 61b4dde692..569955b635 100644
--- a/charts/gitlab/charts/gitlab-pages/values.yaml
+++ b/charts/gitlab/charts/gitlab-pages/values.yaml
@@ -245,5 +245,6 @@ affinity:
 # rateLimitTLSDomain:
 # rateLimitTLSDomainBurst:

-# clientCertKeyPairs
+# clientCert
+# clientKey
 # caCerts
\ No newline at end of file
diff --git a/doc/charts/gitlab/gitlab-pages/index.md b/doc/charts/gitlab/gitlab-pages/index.md
index 5c5f7c1516..21b65c42d7 100644
--- a/doc/charts/gitlab/gitlab-pages/index.md
+++ b/doc/charts/gitlab/gitlab-pages/index.md
@@ -160,8 +160,9 @@ configurations that can be supplied to the `helm install` command using the
 | `serverKeepAlive` | `15s` | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
 | `authTimeout` | `5s` | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
 | `authCookieSessionTimeout` | `10m` | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
-| `clientCertKeyPairs` | | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
-| `caCerts` | | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
+| `clientCert` | | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
+| `clientKey` | | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
+| `clientCACerts` | | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |

 ### Configuring the `ingress`

diff --git a/doc/charts/globals.md b/doc/charts/globals.md
index a2d734a920..77ef93faf9 100644
--- a/doc/charts/globals.md
+++ b/doc/charts/globals.md
@@ -2001,8 +2001,9 @@ global:
 | `localStore.path` | String | `/srv/gitlab/shared/pages` | Path where pages files will be stored; only used if localStore is set to true. |
 | `apiSecret.secret` | String | | Secret containing 32 bit API key in Base64 encoded form. |
 | `apiSecret.key` | String | | Key within the API key secret where the API key is stored. |
-| `clientCertKeyPairs` | String | | GitLab client certificate key pairs utilized for mutual TLS authentication with GitLab API. |
-| `caCerts` | String | | Root CA certificates utilized for signing GitLab client certificates |
+| `clientCert` | String | | GitLab client certificate utilized for mutual TLS authentication with GitLab API. |
+| `clientKey` | String | | GitLab client key utilized for mutual TLS authentication with GitLab API. |
+| `clientCACerts` | String | | Root CA certificates utilized for signing GitLab client certificates |

 ## Configure Webservice

diff --git a/spec/configuration/pages_spec.rb b/spec/configuration/pages_spec.rb
index 81ad5dfac4..5ef606b6af 100644
--- a/spec/configuration/pages_spec.rb
+++ b/spec/configuration/pages_spec.rb
@@ -510,8 +510,9 @@ describe 'GitLab Pages' do
 serverKeepAlive: 4h
 authTimeout: 10s
 authCookieSessionTimeout: 1h
- clientCertKeyPairs: /path/to/client.crt:/path/to/client.key
- caCerts: /path/to/ca.crt
+ clientCert: /path/to/client.crt
+ clientKey: /path/to/client.key
+ clientCACerts: /path/to/ca.crt
 ))
 end

@@ -564,8 +565,9 @@ describe 'GitLab Pages' do
 server-read-header-timeout=2h
 server-write-timeout=3h
 server-keep-alive=4h
- client-cert-key-pairs=/path/to/client.crt:/path/to/client.key
- ca-certs=/path/to/ca.crt
+ client-cert=/path/to/client.crt
+ client-key=/path/to/client.key
+ client-ca-certs=/path/to/ca.crt
 MSG
 expect(pages_enabled_template.exit_code).to eq(0), "Unexpected error code #{pages_enabled_template.exit_code} -- #{pages_enabled_template.stderr}"
diff --git a/values.yaml b/values.yaml
index 41e50f3cf5..1348dfeb1b 100644
--- a/values.yaml
+++ b/values.yaml
@@ -693,8 +693,9 @@ global:
 authSecret: {}
 # secret:
 # key:
- clientCertKeyPairs:
- caCerts:
+ clientCert:
+ clientKey:
+ clientCACerts:

 ## GitLab Runner
 ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-runner-secret
-- 
GitLab

From a215f3f3e032c1a0fec546332060051662f0b8e4 Mon Sep 17 00:00:00 2001
From: ngala
Date: Fri, 24 May 2024 23:58:57 +0530
Subject: [PATCH 4/4] Add mTLS support for GitLab Pages with GitLab API in charts

---
 .../gitlab-pages/templates/_helpers.tpl | 16 +++++++++++-
 .../gitlab-pages/templates/configmap.yml | 18 +++++++------
 .../gitlab-pages/templates/deployment.yaml | 14 ++++++++++
 charts/gitlab/charts/gitlab-pages/values.yaml | 8 +++---
 doc/charts/gitlab/gitlab-pages/index.md | 5 ++--
 doc/charts/globals.md | 3 ---
 examples/internal-tls/shared-cert-values.yaml | 4 +++
 spec/configuration/pages_spec.rb | 26 ++++++++++++++-----
 values.yaml | 3 ---
 9 files changed, 70 insertions(+), 27 deletions(-)

diff --git a/charts/gitlab/charts/gitlab-pages/templates/_helpers.tpl b/charts/gitlab/charts/gitlab-pages/templates/_helpers.tpl
index 1252fdce1e..ee0ad5ce67 100644
--- a/charts/gitlab/charts/gitlab-pages/templates/_helpers.tpl
+++ b/charts/gitlab/charts/gitlab-pages/templates/_helpers.tpl
@@ -18,4 +18,18 @@ Return the pages-metrics TLS secret name
 */}}
 {{- define "pages-metrics.tls.secret" -}}
 {{- default (printf "%s-pages-metrics-tls" .Release.Name) $.Values.metrics.tls.secretName | quote -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{/*
+Return the pages gitlab mTLS secret name
+*/}}
+{{- define "pages.mtls.secret" -}}
+{{- default (printf "%s-pages-mtls" .Release.Name) $.Values.mtls.secretName | quote -}}
+{{- end -}}
+
+{{/*
+Return the pages gitlab mTLS CA secret name
+*/}}
+{{- define "pages.mtls.ca.secret" -}}
+{{- default (printf "%s-pages-mtls-ca" .Release.Name) $.Values.mtls.caSecretName | quote -}}
+{{- end -}}
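Review bot: The default secret names minted here, `%s-pages-mtls` and `%s-pages-mtls-ca`, disagree with what the index.md hunk in this same patch tells operators: it documents a single `gitlab.mtls.secretName` defaulting to `{Release.Name}-pages-gitlab-mtls` and says that one secret also holds the root CA, while deployment.yaml reads the CA from the separate `caSecretName` secret and the neighbouring table rows use chart-level names like `serverKeepAlive`, not a `gitlab.` prefix. Since these helpers are the source of truth, the doc rows should name `mtls.secretName` / `mtls.caSecretName` with the `-pages-mtls` / `-pages-mtls-ca` defaults. The `{{/* … */}}` headers would also be more useful if they stated the key contract, e.g. `Return the pages gitlab mTLS secret name (must carry tls.crt and tls.key)` and `Return the pages gitlab mTLS CA secret name (must carry ca.crt)`, matching the projected-volume items in deployment.yaml.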
diff --git a/charts/gitlab/charts/gitlab-pages/templates/configmap.yml b/charts/gitlab/charts/gitlab-pages/templates/configmap.yml
index ec2cb5680b..55e0c425f7 100644
--- a/charts/gitlab/charts/gitlab-pages/templates/configmap.yml
+++ b/charts/gitlab/charts/gitlab-pages/templates/configmap.yml
@@ -170,14 +170,10 @@ data:
 {{- if .Values.serverKeepAlive }}
 server-keep-alive={{ .Values.serverKeepAlive }}
 {{- end }}
- {{- if .Values.clientCert }}
- client-cert={{ .Values.clientCert }}
- {{- end }}
- {{- if .Values.clientKey }}
- client-key={{ .Values.clientKey }}
- {{- end }}
- {{- if .Values.clientCACerts }}
- client-ca-certs={{ .Values.clientCACerts }}
+ {{- if $.Values.mtls.enabled }}
+ client-cert=/etc/gitlab-secrets/pages/mtls/client.crt
+ client-key=/etc/gitlab-secrets/pages/mtls/client.key
+ client-ca-certs=/etc/gitlab-secrets/pages/mtls/client_ca.crt
 {{- end }}
 configure: |
 {{- include "gitlab.scripts.configure.secrets" (dict "required" "pages" "optional" "none") | nindent 4 }}
@@ -186,3 +182,9 @@ data:
 cp -v -L /init-config/pages-metrics/pages-metrics.crt /init-secrets/pages-metrics/pages-metrics.crt
 cp -v -L /init-config/pages-metrics/pages-metrics.key /init-secrets/pages-metrics/pages-metrics.key
 {{- end }}
+ {{- if $.Values.mtls.enabled }}
+ mkdir -p /init-secrets/pages/mtls
+ cp -v -L /init-config/pages/mtls/client.crt /init-secrets/pages/mtls/client.crt
+ cp -v -L /init-config/pages/mtls/client.key /init-secrets/pages/mtls/client.key
+ cp -v -L /init-config/pages/mtls/client_ca.crt /init-secrets/pages/mtls/client_ca.crt
+ {{- end }}
diff --git a/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml b/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml
index 1aec1d238f..dbb3fd4aca 100644
--- a/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml
+++ b/charts/gitlab/charts/gitlab-pages/templates/deployment.yaml
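Review bot: The file names `client.crt`, `client.key` and `client_ca.crt` under `pages/mtls` are now spelled out three times with nothing tying them together: the `client-*` settings in the first hunk, the `cp` lines in the `configure` script in the second hunk, and the projected-volume `items` in deployment.yaml. A rename in any one of them silently breaks mTLS at runtime rather than at template time, so a template comment above the config block, `{{/* paths must match the mtls items in deployment.yaml and the copy step in configure below */}}`, would make the coupling explicit. The `data:` block these hunks belong to starts outside the hunk.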
@@ -187,6 +187,20 @@ spec:
 - key: "tls.key"
 path: "pages-metrics/pages-metrics.key"
 {{- end }}
+ {{- if $.Values.mtls.enabled }}
+ - secret:
+ name: {{ template "pages.mtls.secret" $ }}
+ items:
+ - key: "tls.crt"
+ path: "pages/mtls/client.crt"
+ - key: "tls.key"
+ path: "pages/mtls/client.key"
+ - secret:
+ name: {{ template "pages.mtls.ca.secret" $ }}
+ items:
+ - key: "ca.crt"
+ path: "pages/mtls/client_ca.crt"
+ {{- end }}
 - name: pages-secrets
 emptyDir:
 medium: "Memory"
diff --git a/charts/gitlab/charts/gitlab-pages/values.yaml b/charts/gitlab/charts/gitlab-pages/values.yaml
index 569955b635..d4ea2b1831 100644
--- a/charts/gitlab/charts/gitlab-pages/values.yaml
+++ b/charts/gitlab/charts/gitlab-pages/values.yaml
@@ -245,6 +245,8 @@ affinity:
 # rateLimitTLSDomain:
 # rateLimitTLSDomainBurst:

-# clientCert
-# clientKey
-# caCerts
\ No newline at end of file
+mtls:
+ enabled: false
+ # secretName:
+ # caSecretName:
+
diff --git a/doc/charts/gitlab/gitlab-pages/index.md b/doc/charts/gitlab/gitlab-pages/index.md
index 21b65c42d7..7701ccb494 100644
--- a/doc/charts/gitlab/gitlab-pages/index.md
+++ b/doc/charts/gitlab/gitlab-pages/index.md
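Review bot: The projected-volume items hard-wire the key names `tls.crt`, `tls.key` and `ca.crt`, but the chart values.yaml hunk on this same line leaves `# secretName:` and `# caSecretName:` as bare placeholders, so an operator only discovers the required key layout when the pod fails to start (a missing secret or key is fatal here, which is the right fail-closed behaviour for a client identity). Suggest annotating the values instead: `# secretName:    # Secret holding tls.crt / tls.key for the GitLab API client certificate` and `# caSecretName:  # Secret holding ca.crt for client-ca-certs`, so the contract is visible where it is configured. The volume list this hunk sits in continues outside the hunk.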
@@ -160,9 +160,8 @@ configurations that can be supplied to the `helm install` command using the
 | `serverKeepAlive` | `15s` | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
 | `authTimeout` | `5s` | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
 | `authCookieSessionTimeout` | `10m` | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
-| `clientCert` | | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
-| `clientKey` | | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
-| `clientCACerts` | | See: [GitLab Pages global settings](https://docs.gitlab.com/ee/administration/pages/#global-settings) |
+| `gitlab.mtls.enabled` | `false` | Enable mutual TLS authentication with GitLab API. |
+| `gitlab.mtls.secretName` | `{Release.Name}-pages-gitlab-mtls` | Secret for client full chain certificate, client key and root CA certificate utilized for mutual TLS authentication with GitLab API. |

 ### Configuring the `ingress`

diff --git a/doc/charts/globals.md b/doc/charts/globals.md
index 77ef93faf9..06b51567fd 100644
--- a/doc/charts/globals.md
+++ b/doc/charts/globals.md
@@ -2001,9 +2001,6 @@ global:
 | `localStore.path` | String | `/srv/gitlab/shared/pages` | Path where pages files will be stored; only used if localStore is set to true. |
 | `apiSecret.secret` | String | | Secret containing 32 bit API key in Base64 encoded form. |
 | `apiSecret.key` | String | | Key within the API key secret where the API key is stored. |
-| `clientCert` | String | | GitLab client certificate utilized for mutual TLS authentication with GitLab API. |
-| `clientKey` | String | | GitLab client key utilized for mutual TLS authentication with GitLab API. |
-| `clientCACerts` | String | | Root CA certificates utilized for signing GitLab client certificates |

 ## Configure Webservice

diff --git a/examples/internal-tls/shared-cert-values.yaml b/examples/internal-tls/shared-cert-values.yaml
index 6f1eef568f..813e50ed25 100644
--- a/examples/internal-tls/shared-cert-values.yaml
+++ b/examples/internal-tls/shared-cert-values.yaml
@@ -45,6 +45,10 @@ gitlab:
 enabled: true
 secretName: *internal-tls
 gitlab-pages:
+ mtls:
+ enabled: true
+ secretName: *internal-tls
+ caSecretName: *internal-ca
 metrics:
 tls:
 enabled: true
diff --git a/spec/configuration/pages_spec.rb b/spec/configuration/pages_spec.rb
index 5ef606b6af..9866f6d4a6 100644
--- a/spec/configuration/pages_spec.rb
+++ b/spec/configuration/pages_spec.rb
@@ -510,9 +510,6 @@ describe 'GitLab Pages' do
 serverKeepAlive: 4h
 authTimeout: 10s
 authCookieSessionTimeout: 1h
- clientCert: /path/to/client.crt
- clientKey: /path/to/client.key
- clientCACerts: /path/to/ca.crt
 ))
 end

@@ -565,9 +562,6 @@ describe 'GitLab Pages' do
 server-read-header-timeout=2h
 server-write-timeout=3h
 server-keep-alive=4h
- client-cert=/path/to/client.crt
- client-key=/path/to/client.key
- client-ca-certs=/path/to/ca.crt
 MSG
 expect(pages_enabled_template.exit_code).to eq(0), "Unexpected error code #{pages_enabled_template.exit_code} -- #{pages_enabled_template.stderr}"
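Review bot: In the shared-cert-values.yaml hunk the Pages client identity is the same `*internal-tls` anchor that the surrounding components use for their server-side TLS, so the example makes one shared server certificate double as the mTLS client certificate, and `caSecretName: *internal-ca` only works if that secret exposes a `ca.crt` key (deployment.yaml mounts exactly that key). Since examples get copied verbatim, a comment on these lines would help: `# mtls.secretName needs tls.crt/tls.key and caSecretName needs ca.crt; issue a dedicated client certificate outside this shared-cert demo`. The `internal-tls` and `internal-ca` anchors are defined outside the hunk.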
@@ -595,6 +589,26 @@ describe 'GitLab Pages' do
 expect(config_data).to include('metrics-key=/etc/gitlab-secrets/pages-metrics/pages-metrics.key')
 end
 end
+
+ context 'when GitLab mTLS support is enabled' do
+ let(:pages_enabled_values) do
+ YAML.safe_load(%(
+ global:
+ pages:
+ enabled: true
+ gitlab:
+ gitlab-pages:
+ mtls:
+ enabled: true
+ ))
+ end
+
+ it 'populates the config.tpl pages mtls settings' do
+ expect(config_data).to include('client-cert=/etc/gitlab-secrets/pages/mtls/client.crt')
+ expect(config_data).to include('client-key=/etc/gitlab-secrets/pages/mtls/client.key')
+ expect(config_data).to include('client-ca-certs=/etc/gitlab-secrets/pages/mtls/client_ca.crt')
+ end
+ end
 end

 describe 'customDomains' do
diff --git a/values.yaml b/values.yaml
index 1348dfeb1b..8163e1a1ff 100644
--- a/values.yaml
+++ b/values.yaml
@@ -693,9 +693,6 @@ global:
 authSecret: {}
 # secret:
 # key:
- clientCert:
- clientKey:
- clientCACerts:

 ## GitLab Runner
 ## Secret created according to https://docs.gitlab.com/charts/installation/secrets#gitlab-runner-secret
-- 
GitLab
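Review bot: The new context asserts only the three `client-*` lines in `config_data`; nothing checks that the rendered Deployment actually mounts the secrets the helpers name, nor that `mtls.secretName` / `mtls.caSecretName` overrides reach the projected volume, so a typo in `pages.mtls.secret` or in the volume `items` paths would still pass this suite while breaking mTLS at runtime. A second example that sets both secret names in `pages_enabled_values` and asserts the Deployment's volume sources reference them (the rendered objects are already reachable through `pages_enabled_template`) would close that gap. The enclosing `describe 'GitLab Pages'` block continues outside the hunk.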