diff --git a/charts/gitlab/charts/unicorn/requirements.yaml b/charts/gitlab/charts/unicorn/requirements.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b9fda9eb74039565880340425ce31642dec50bc7
--- /dev/null
+++ b/charts/gitlab/charts/unicorn/requirements.yaml
@@ -0,0 +1,5 @@
+dependencies:
+- name: nginx-ingress
+ version: 1.3.1
+ repository: https://kubernetes-charts.storage.googleapis.com/
+ condition: global.appConfig.smartcard.enabled
diff --git a/charts/gitlab/charts/unicorn/templates/configmap.yml b/charts/gitlab/charts/unicorn/templates/configmap.yml
index 5dbf01d0261187a38d1836474f9c8f749e8e5991..fb22a2b1aed0a3977a9bf5224a31e9c8589394c4 100644
--- a/charts/gitlab/charts/unicorn/templates/configmap.yml
+++ b/charts/gitlab/charts/unicorn/templates/configmap.yml
@@ -108,6 +108,12 @@ data: enabled: false gitlab_ci: {{- include "gitlab.appConfig.ldap.configuration" $ | nindent 6 }}
+ {{- if eq (include "gitlab.smartcard.enabled" .) "true" }}
+ smartcard:
+ enabled: true
+ client_certificate_required_port: {{ template "gitlab.smartcard.port" . }}
+ ca_file: {{ include "gitlab.smartcard.config.ca.fullPath" . | quote }}
+ {{- end }} {{- include "gitlab.appConfig.omniauth.configuration" $ | nindent 6 }} kerberos: enabled: false
diff --git a/charts/gitlab/charts/unicorn/templates/deployment.yaml b/charts/gitlab/charts/unicorn/templates/deployment.yaml
index f3a2e706715bb9ab84ea247790be14cb754a59f8..8f43f00d334c75060e2b0595d5d0d3519b11255a 100644
--- a/charts/gitlab/charts/unicorn/templates/deployment.yaml
+++ b/charts/gitlab/charts/unicorn/templates/deployment.yaml
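Review bot: The `condition: global.appConfig.smartcard.enabled` on the nginx-ingress dependency is looser than the `gitlab.smartcard.enabled` helper added in templates/_helpers.tpl, which additionally requires ingress TLS, so with smartcard enabled but TLS off the dedicated nginx-ingress-smartcard controller is still installed while the Ingress, the ConfigMap entry and the CA volume are all skipped. A Helm `condition` can only name a values path, so the gap cannot be closed on this line; either document it here, `# NOTE: the smartcard templates additionally require ingress TLS (see gitlab.smartcard.enabled)`, or make the helper fail when TLS is off so the two conditions cannot diverge silently.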
@@ -157,6 +157,11 @@ spec: - name: shared-artifact-directory mountPath: /srv/gitlab/shared readOnly: false
+ {{- if eq (include "gitlab.smartcard.enabled" .) "true" }}
+ - name: smartcard-ca-file
+ mountPath: {{ template "gitlab.smartcard.config.ca.dir" . | quote }}
+ readOnly: true
+ {{- end }} {{ include "gitlab.certificates.volumeMount" . | indent 12 }} {{ include "gitlab.extraVolumeMounts" . | indent 12 }} livenessProbe:
@@ -201,6 +206,11 @@ spec: - name: shared-artifact-directory mountPath: /srv/gitlab/shared readOnly: false
+ {{- if eq (include "gitlab.smartcard.enabled" .) "true" }}
+ - name: smartcard-ca-file
+ mountPath: {{ template "gitlab.smartcard.config.ca.dir" . | quote }}
+ readOnly: true
+ {{- end }} {{ include "gitlab.certificates.volumeMount" . | indent 12 }} {{ include "gitlab.extraVolumeMounts" . | indent 12 }} livenessProbe:
@@ -294,6 +304,15 @@ spec: - name: shared-artifact-directory emptyDir: {} {{ include "gitlab.certificates.volumes" . | indent 6 }}
+ {{- if eq (include "gitlab.smartcard.enabled" .) "true" }}
+ {{- $smartcardCAKey := include "gitlab.smartcard.ca.key" . }}
+ - name: smartcard-ca-file
+ secret:
+ secretName: {{ include "gitlab.smartcard.ca.secret" . | quote }}
+ items:
+ - key: {{ $smartcardCAKey }}
+ path: {{ $smartcardCAKey }}
+ {{- end }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }}
diff --git a/charts/gitlab/charts/unicorn/templates/smartcard-ingress.yaml b/charts/gitlab/charts/unicorn/templates/smartcard-ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..157e28334bbc83672bcf494bf14f9c0d74602de0
--- /dev/null
+++ b/charts/gitlab/charts/unicorn/templates/smartcard-ingress.yaml
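Review bot: `mountPath: {{ template "gitlab.smartcard.config.ca.dir" . | quote }}` does not quote its output: `template` is an action rather than a function, so `. | quote` is evaluated first and handed to the helper as its context, and the helper's literal `/etc/smartcard` is emitted unquoted. The same form is used in the second volumeMounts hunk below and for `kubernetes.io/ingress.class` in templates/smartcard-ingress.yaml; all three should use `include`, e.g. `mountPath: {{ include "gitlab.smartcard.config.ca.dir" . | quote }}`, matching how `secretName` is rendered in the volumes hunk of this file. The container specs these mounts belong to start before the hunks.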
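Review bot: `key: {{ $smartcardCAKey }}` and `path: {{ $smartcardCAKey }}` in the new volume render the operator-supplied `global.appConfig.smartcard.ca.key` without `| quote`, while `secretName` two lines above is quoted; an all-digit key or one containing `: ` or ` #` would change type or break the manifest. Write `- key: {{ $smartcardCAKey | quote }}` and `path: {{ $smartcardCAKey | quote }}`. The volumes list this entry is appended to starts before the hunk.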
@@ -0,0 +1,33 @@
+{{- if and .Values.enabled (eq (include "gitlab.ingress.enabled" $) "true") (eq (include "gitlab.smartcard.enabled" .) "true") -}}
+{{- $gitlabHostname := include "gitlab.gitlab.hostname" . -}}
+{{- $tlsSecret := include "unicorn.tlsSecret" . -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-smartcard" (include "fullname" .) | quote }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+{{ include "gitlab.standardLabels" . | indent 4 }}
+ annotations:
+ kubernetes.io/ingress.class: {{ template "gitlab.smartcard.ingress.class" . | quote }}
+ kubernetes.io/ingress.provider: nginx
+ nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.ingress.proxyBodySize | quote }}
+ nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .Values.ingress.proxyReadTimeout | quote }}
+ nginx.ingress.kubernetes.io/proxy-connect-timeout: {{ .Values.ingress.proxyConnectTimeout | quote }}
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
+ nginx.ingress.kubernetes.io/auth-tls-secret: {{ include "gitlab.smartcard.ingress.tlsCert" . | quote }}
+spec:
+ rules:
+ - host: {{ $gitlabHostname }}
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: {{ template "fullname" . }}
+ servicePort: {{ .Values.service.workhorseExternalPort }}
+ tls:
+ - hosts:
+ - {{ $gitlabHostname }}
+ secretName: {{ $tlsSecret }}
+{{- end -}}
diff --git a/charts/gitlab/charts/unicorn/values.yaml b/charts/gitlab/charts/unicorn/values.yaml
index 78969d55d7a644971b101333e0a6d0a9bafe1f5d..94f5f917183308356db0165a931fef2290f27e8f 100644
--- a/charts/gitlab/charts/unicorn/values.yaml
+++ b/charts/gitlab/charts/unicorn/values.yaml
@@ -132,6 +132,12 @@ global: # bind_dn: '_the_full_dn_of_the_user_you_will_bind_with' # password: '_the_password_of_the_bind_user' # encryption: 'plain'
+ smartcard:
+ enabled: false
+ port: 3444
+ ca:
+ # secret:
+ key: ca.pem omniauth: enabled: false autoSignInWithProvider:
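Review bot: `nginx.ingress.kubernetes.io/auth-tls-secret` is pointed at the same Secret that `gitlab.smartcard.ca.secret` names, but as far as I know nginx-ingress reads the CA bundle from a fixed `ca.crt` key in that Secret, whereas the deployment mounts it under the configurable `gitlab.smartcard.ca.key` (default `ca.pem`); unless the operator populates both keys, the controller has no CA to verify client certificates with, and depending on the controller version the verification either fails closed or is silently not configured — worth checking against the 1.3.1 chart pinned in requirements.yaml. Either document this above the annotation, `# the Secret must also carry the CA bundle under the key ca.crt, which is what nginx-ingress reads`, or drop the configurable key and mount `ca.crt` in the pod too. Separately, `host: {{ $gitlabHostname }}`, `- {{ $gitlabHostname }}` and `secretName: {{ $tlsSecret }}` are the only templated scalars in this file without `| quote`; quote them like the others.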
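Review bot: The new `smartcard` stanza carries no comments, unlike the ldap and omniauth examples around it, and `# secret:` does not say that the helper turns it into a hard render-time failure (`required`) once `enabled: true`. Add `# secret: name of the Secret holding the CA bundle; required when enabled` above it and `# port: must match nginx-ingress.controller.extraArgs.https-port at the bottom of this file` above `port: 3444`, so the coupling is visible where the value is set.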
@@ -189,3 +195,19 @@ resources: maxUnavailable: 1 minReplicas: 2 maxReplicas: 10
+
+nginx-ingress:
+ nameOverride: nginx-ingress-smartcard
+ controller:
+ extraArgs:
+ https-port: 3444
+ ingressClass: nginx-smartcard
+ scope:
+ enabled: true
+ service:
+ enableHttp: false
+ enableHttps: false
+ defaultBackend:
+ enabled: false
+ tcp:
+ 3444:
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 5bb1bd6b0d667a9900561c7242489d39a7e2fa7d..536c028e35d3b83d6a7802369a51cf63c7cf4e87 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
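Review bot: `https-port: 3444` and the `tcp: 3444:` entry hard-code the controller port while `global.appConfig.smartcard.port` (and the helper default) stays configurable, so an operator who changes the global value makes GitLab advertise a `client_certificate_required_port` the smartcard controller does not listen on; `ingressClass: nginx-smartcard` likewise duplicates the literal in `gitlab.smartcard.ingress.class`. values.yaml is not templated, so at minimum annotate the lines, `# must match global.appConfig.smartcard.port` and `# must match gitlab.smartcard.ingress.class in templates/_helpers.tpl`. `3444:` is also a bare key with a null value; check what the nginx-ingress 1.3.1 chart renders into its tcp-services ConfigMap for a null entry, and if it expects a `namespace/service:port` string, write the intended value explicitly rather than relying on null.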
@@ -302,3 +302,61 @@ Return true in any other case. {{- true }} {{- end -}} {{- end -}}
+
+{{/*
+Returns true if Smartcard authentication can be enabled.
+*/}}
+{{- define "gitlab.smartcard.enabled" -}}
+{{- and .Values.global.appConfig.smartcard.enabled (eq (include "gitlab.ingress.tls.enabled" $) "true") }}
+{{- end -}}
+
+{{/*
+Validates and returns the Smartcard CA secret.
+*/}}
+{{- define "gitlab.smartcard.ca.secret" -}}
+{{- required "Smartcard CA secret is required" .Values.global.appConfig.smartcard.ca.secret -}}
+{{- end -}}
+
+{{/*
+Returns the Smartcard CA secret key or its default value if missing.
+*/}}
+{{- define "gitlab.smartcard.ca.key" -}}
+{{- default "ca.pem" .Values.global.appConfig.smartcard.ca.key -}}
+{{- end -}}
+
+{{/*
+Returns the required port for Smartcard authentication or its default value if missing.
+*/}}
+{{- define "gitlab.smartcard.port" -}}
+{{- default 3444 .Values.global.appConfig.smartcard.port -}}
+{{- end -}}
+
+
+{{/*
+Return the qualified name of the Smartcard CA secret (namespace/name), as required by nginx-ingress annotation.
+*/}}
+{{- define "gitlab.smartcard.ingress.tlsCert" -}}
+{{- printf "%s/%s" .Release.Namespace (include "gitlab.smartcard.ca.secret" .) -}}
+{{- end -}}
+
+{{/*
+Return the special ingress class name for Smartcard authentication.
+*/}}
+{{- define "gitlab.smartcard.ingress.class" -}}
+{{- "nginx-smartcard" -}}
+{{- end -}}
+
+
+{{/*
+Return the mount point of Smartcard CA.
+*/}}
+{{- define "gitlab.smartcard.config.ca.dir" -}}
+{{- "/etc/smartcard" -}}
+{{- end -}}
+
+{{/*
+Return the full path of Smartcard CA.
+*/}}
+{{- define "gitlab.smartcard.config.ca.fullPath" -}}
+{{- printf "%s/%s" (include "gitlab.smartcard.config.ca.dir" .) (include "gitlab.smartcard.ca.key" .) -}}
+{{- end -}}
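Review bot: `gitlab.smartcard.enabled` quietly returns false when `global.appConfig.smartcard.enabled` is true but ingress TLS is off, so an operator who switches the feature on gets no Ingress, no config entry and no error, while the nginx-ingress subchart (whose `condition` in requirements.yaml checks only the values flag) is still installed. Failing loudly keeps the two in step: keep the `and` as the return value but precede it with `{{- if and .Values.global.appConfig.smartcard.enabled (ne (include "gitlab.ingress.tls.enabled" $) "true") -}}{{- fail "Smartcard authentication requires ingress TLS" -}}{{- end -}}`. `gitlab.smartcard.ingress.tlsCert` returns the namespaced CA Secret reference, not a TLS certificate; a name such as `gitlab.smartcard.ingress.caSecret` would describe it. The double blank lines before the tlsCert and config.ca.dir defines are also out of step with the single blank line used between the other defines in this hunk.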