From 8d98d2ff53fc6c9c7f1ed23a6f1a40037ee55c7f Mon Sep 17 00:00:00 2001
From: Hossein Pursultani
Date: Tue, 5 Mar 2019 22:46:56 +1100
Subject: [PATCH 1/2] Add initial configuration for SmartCard authentication
---
 .../charts/unicorn/templates/configmap.yml | 6 ++
 .../charts/unicorn/templates/deployment.yaml | 19 +++++
 .../smartcard-ingress-configmap.yaml | 9 +++
 .../smartcard-ingress-deployment.yaml | 73 +++++++++++++++++++
 .../templates/smartcard-ingress-service.yaml | 24 ++++++
 .../unicorn/templates/smartcard-ingress.yaml | 33 +++++++++
 charts/gitlab/charts/unicorn/values.yaml | 6 ++
 templates/_helpers.tpl | 58 +++++++++++++++
 8 files changed, 228 insertions(+)
 create mode 100644 charts/gitlab/charts/unicorn/templates/smartcard-ingress-configmap.yaml
 create mode 100644 charts/gitlab/charts/unicorn/templates/smartcard-ingress-deployment.yaml
 create mode 100644 charts/gitlab/charts/unicorn/templates/smartcard-ingress-service.yaml
 create mode 100644 charts/gitlab/charts/unicorn/templates/smartcard-ingress.yaml
diff --git a/charts/gitlab/charts/unicorn/templates/configmap.yml b/charts/gitlab/charts/unicorn/templates/configmap.yml
index 5dbf01d026..fb22a2b1ae 100644
--- a/charts/gitlab/charts/unicorn/templates/configmap.yml
+++ b/charts/gitlab/charts/unicorn/templates/configmap.yml
@@ -108,6 +108,12 @@ data:
 enabled: false
 gitlab_ci:
 {{- include "gitlab.appConfig.ldap.configuration" $ | nindent 6 }}
+ {{- if eq (include "gitlab.smartcard.enabled" .) "true" }}
+ smartcard:
+ enabled: true
+ client_certificate_required_port: {{ template "gitlab.smartcard.port" . }}
+ ca_file: {{ include "gitlab.smartcard.config.ca.fullPath" . | quote }}
+ {{- end }}
 {{- include "gitlab.appConfig.omniauth.configuration" $ | nindent 6 }}
 kerberos:
 enabled: false
diff --git a/charts/gitlab/charts/unicorn/templates/deployment.yaml b/charts/gitlab/charts/unicorn/templates/deployment.yaml
index f3a2e70671..8f43f00d33 100644
--- a/charts/gitlab/charts/unicorn/templates/deployment.yaml
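Review bot: The new `smartcard:` stanza is gated on `gitlab.smartcard.enabled`, which (per the helper added to templates/_helpers.tpl in this patch) is true only when both `global.appConfig.smartcard.enabled` and ingress TLS are on, so a reader of this template cannot tell from the condition alone why the stanza may be missing from the rendered gitlab.yml. A one-line comment above the `{{- if` would help: `{{/* Rendered only when smartcard auth is enabled AND ingress TLS is on; see gitlab.smartcard.enabled */}}`. `ca_file` has to stay in step with the CA volume mount added to deployment.yaml; both are derived from `gitlab.smartcard.config.ca.dir`/`fullPath`, which is worth stating in the same comment.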
+++ b/charts/gitlab/charts/unicorn/templates/deployment.yaml
@@ -157,6 +157,11 @@ spec:
 - name: shared-artifact-directory
 mountPath: /srv/gitlab/shared
 readOnly: false
+ {{- if eq (include "gitlab.smartcard.enabled" .) "true" }}
+ - name: smartcard-ca-file
+ mountPath: {{ template "gitlab.smartcard.config.ca.dir" . | quote }}
+ readOnly: true
+ {{- end }}
 {{ include "gitlab.certificates.volumeMount" . | indent 12 }}
 {{ include "gitlab.extraVolumeMounts" . | indent 12 }}
 livenessProbe:
@@ -201,6 +206,11 @@ spec:
 - name: shared-artifact-directory
 mountPath: /srv/gitlab/shared
 readOnly: false
+ {{- if eq (include "gitlab.smartcard.enabled" .) "true" }}
+ - name: smartcard-ca-file
+ mountPath: {{ template "gitlab.smartcard.config.ca.dir" . | quote }}
+ readOnly: true
+ {{- end }}
 {{ include "gitlab.certificates.volumeMount" . | indent 12 }}
 {{ include "gitlab.extraVolumeMounts" . | indent 12 }}
 livenessProbe:
@@ -294,6 +304,15 @@ spec:
 - name: shared-artifact-directory
 emptyDir: {}
 {{ include "gitlab.certificates.volumes" . | indent 6 }}
+ {{- if eq (include "gitlab.smartcard.enabled" .) "true" }}
+ {{- $smartcardCAKey := include "gitlab.smartcard.ca.key" . }}
+ - name: smartcard-ca-file
+ secret:
+ secretName: {{ include "gitlab.smartcard.ca.secret" . | quote }}
+ items:
+ - key: {{ $smartcardCAKey }}
+ path: {{ $smartcardCAKey }}
+ {{- end }}
 {{- if .Values.nodeSelector }}
 nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
diff --git a/charts/gitlab/charts/unicorn/templates/smartcard-ingress-configmap.yaml b/charts/gitlab/charts/unicorn/templates/smartcard-ingress-configmap.yaml
new file mode 100644
index 0000000000..3a8cf1cc78
--- /dev/null
+++ b/charts/gitlab/charts/unicorn/templates/smartcard-ingress-configmap.yaml
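Review bot: `mountPath: {{ template "gitlab.smartcard.config.ca.dir" . | quote }}` in the first mount hunk (@@ -157) does not quote the rendered path: in Go templates `template` is an action rather than a function, so `. | quote` is applied to the context handed to the named template and the template's own output is never piped, leaving `mountPath: /etc/smartcard` unquoted. The same construct appears in the second mount hunk (@@ -201) and for `kubernetes.io/ingress.class` in smartcard-ingress.yaml. Use `include`, as the volumes hunk already does for `secretName`: `mountPath: {{ include "gitlab.smartcard.config.ca.dir" . | quote }}`. The output happens to be valid YAML today, so this is about consistency and intent rather than a rendering failure.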
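Review bot: `key: {{ $smartcardCAKey }}` and `path: {{ $smartcardCAKey }}` in the volumes hunk (@@ -294) emit the user-supplied secret key as a plain scalar, whereas `secretName` on the line above is quoted; a value such as `1.0` or one containing `: ` would be retyped or break the document. Quote both: `- key: {{ $smartcardCAKey | quote }}` and `path: {{ $smartcardCAKey | quote }}`. Projecting only the CA key via `items` and mounting it `readOnly: true` is the right shape here, since the pod then sees nothing else that may live in that Secret.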
@@ -0,0 +1,9 @@
+{{- if and .Values.enabled (eq (include "gitlab.ingress.enabled" $) "true") (eq (include "gitlab.smartcard.enabled" .) "true") -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-smartcard-ingress-nginx" (include "fullname" .) }}
+ namespace: {{ $.Release.Namespace }}
+data:
+ enable-vts-status: "false"
+{{- end }}
diff --git a/charts/gitlab/charts/unicorn/templates/smartcard-ingress-deployment.yaml b/charts/gitlab/charts/unicorn/templates/smartcard-ingress-deployment.yaml
new file mode 100644
index 0000000000..7c47573e27
--- /dev/null
+++ b/charts/gitlab/charts/unicorn/templates/smartcard-ingress-deployment.yaml
@@ -0,0 +1,73 @@
+{{- if and .Values.enabled (eq (include "gitlab.ingress.enabled" $) "true") (eq (include "gitlab.smartcard.enabled" .) "true") -}}
+{{- $appName := "nginx-smartcard" -}}
+{{- $componentName := printf "%s-smartcard-ingress-nginx" (include "fullname" .) -}}
+{{- $componentClass := "controller" -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ $componentName | quote }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: {{ $appName }}
+ component: {{ $componentClass }}
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ $appName }}
+ component: {{ $componentClass }}
+ release: {{ .Release.Name }}
+ spec:
+ containers:
+ - name: {{ printf "%s-%s" $componentName $componentClass | quote }}
+ image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0
+ args:
+ - /nginx-ingress-controller
+ - --election-id=smartcard-ingress-controller-leader
+ - --ingress-class={{ template "gitlab.smartcard.ingress.class" . }}
+ - --configmap={{ .Release.Namespace }}/{{ $componentName }}
+ - --watch-namespace={{ .Release.Namespace }}
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ runAsUser: 33
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ ports:
+ - name: http
+ containerPort: 80
+ - name: https
+ containerPort: 443
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 10
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 10
+{{- end -}}
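Review bot: The controller Deployment sets no `serviceAccountName` and the patch adds no Role or RoleBinding, so the pod runs under the namespace's `default` ServiceAccount; an nginx-ingress controller has to list/watch Ingresses, Services, Endpoints, Secrets and ConfigMaps and update the `--election-id` ConfigMap, which that account normally lacks under RBAC, so the controller will either fail to sync or someone will widen the `default` account for every pod in the namespace. A dedicated ServiceAccount with a namespace-scoped Role limited to those resources fits the `--watch-namespace={{ .Release.Namespace }}` scoping already chosen here, and keeps the Secret read permission (it reads the client CA and TLS material) off every other workload. Dropping all capabilities except NET_BIND_SERVICE, running as uid 33 and pinning the image to `0.23.0` are good; a comment next to `runAsUser: 33` noting it is the image's www-data uid would save the next reader a lookup.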
diff --git a/charts/gitlab/charts/unicorn/templates/smartcard-ingress-service.yaml b/charts/gitlab/charts/unicorn/templates/smartcard-ingress-service.yaml
new file mode 100644
index 0000000000..edabe842d2
--- /dev/null
+++ b/charts/gitlab/charts/unicorn/templates/smartcard-ingress-service.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.enabled (eq (include "gitlab.ingress.enabled" $) "true") (eq (include "gitlab.smartcard.enabled" .) "true") -}}
+{{- $appName := "nginx-smartcard" -}}
+{{- $componentName := printf "%s-smartcard-ingress-nginx" (include "fullname" .) -}}
+{{- $componentClass := "controller" -}}
+apiVersion: apps/v1
+kind: Service
+apiVersion: v1
+metadata:
+ name: {{ $componentName | quote }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ component: {{ $componentClass }}
+spec:
+ type: LoadBalancer
+ selector:
+ app: {{ $appName }}
+ component: {{ $componentClass }}
+ release: {{ .Release.Name }}
+ ports:
+ - name: https
+ port: {{ template "gitlab.smartcard.port" . }}
+ protocol: TCP
+ targetPort: https
+{{- end -}}
diff --git a/charts/gitlab/charts/unicorn/templates/smartcard-ingress.yaml b/charts/gitlab/charts/unicorn/templates/smartcard-ingress.yaml
new file mode 100644
index 0000000000..157e28334b
--- /dev/null
+++ b/charts/gitlab/charts/unicorn/templates/smartcard-ingress.yaml
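Review bot: The Service carries `apiVersion` twice (`apps/v1` right after the variable definitions and `v1` two lines later); duplicate mapping keys are invalid YAML, most parsers silently keep the last one, which here happens to be the correct `v1`, and stricter loaders or linters reject the manifest. Delete the `apiVersion: apps/v1` line, which looks copied from the Deployment template. Separately, `type: LoadBalancer` puts the client-certificate listener straight on an external address with no `loadBalancerSourceRanges` and no values key to set one; if operators are expected to restrict who can reach the mTLS endpoint, that should be exposed here.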
@@ -0,0 +1,33 @@
+{{- if and .Values.enabled (eq (include "gitlab.ingress.enabled" $) "true") (eq (include "gitlab.smartcard.enabled" .) "true") -}}
+{{- $gitlabHostname := include "gitlab.gitlab.hostname" . -}}
+{{- $tlsSecret := include "unicorn.tlsSecret" . -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ printf "%s-smartcard" (include "fullname" .) | quote }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+{{ include "gitlab.standardLabels" . | indent 4 }}
+ annotations:
+ kubernetes.io/ingress.class: {{ template "gitlab.smartcard.ingress.class" . | quote }}
+ kubernetes.io/ingress.provider: nginx
+ nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.ingress.proxyBodySize | quote }}
+ nginx.ingress.kubernetes.io/proxy-read-timeout: {{ .Values.ingress.proxyReadTimeout | quote }}
+ nginx.ingress.kubernetes.io/proxy-connect-timeout: {{ .Values.ingress.proxyConnectTimeout | quote }}
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
+ nginx.ingress.kubernetes.io/auth-tls-secret: {{ include "gitlab.smartcard.ingress.tlsCert" . | quote }}
+spec:
+ rules:
+ - host: {{ $gitlabHostname }}
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: {{ template "fullname" . }}
+ servicePort: {{ .Values.service.workhorseExternalPort }}
+ tls:
+ - hosts:
+ - {{ $gitlabHostname }}
+ secretName: {{ $tlsSecret }}
+{{- end -}}
diff --git a/charts/gitlab/charts/unicorn/values.yaml b/charts/gitlab/charts/unicorn/values.yaml
index 78969d55d7..c40ca1374e 100644
--- a/charts/gitlab/charts/unicorn/values.yaml
+++ b/charts/gitlab/charts/unicorn/values.yaml
@@ -132,6 +132,12 @@ global:
 # bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
 # password: '_the_password_of_the_bind_user'
 # encryption: 'plain'
+ smartcard:
+ enabled: false
+ port: 3444
+ ca:
+ # secret:
+ key: ca.pem
 omniauth:
 enabled: false
 autoSignInWithProvider:
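Review bot: `nginx.ingress.kubernetes.io/auth-tls-secret` points at the same Secret the unicorn Deployment mounts for Rails, but nginx-ingress reads the client CA from that Secret's `ca.crt` key, while the Rails side reads it from `global.appConfig.smartcard.ca.key` (default `ca.pem` in this patch); nothing in the patch says the Secret must carry both keys, so a Secret prepared for one consumer will not satisfy the other. Document the required Secret layout (or make both consumers use one key), and as a defensive check confirm that when the controller cannot load the CA it refuses the location rather than serving `/` without client verification. The annotations verify the certificate at the edge, but nothing here forwards it to the backend; unless the application obtains it another way, `nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"` is needed, and the header name the backend expects should be checked against what the controller actually sends. `auth-tls-verify-depth: "2"` deserves a comment explaining why two intermediate levels are accepted.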
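Review bot: The new `ca:` block in values.yaml explains nothing: `# secret:` is a bare commented key and `key: ca.pem` gives no hint that it must name an entry inside that Secret. Since `gitlab.smartcard.ca.secret` in templates/_helpers.tpl aborts the render with `Smartcard CA secret is required` when `secret` is unset, a comment here prevents a confusing failure, e.g. `# Name of a Secret in the release namespace holding the client-certificate CA; required when enabled is true` above `# secret:` and `# Key inside that Secret that holds the CA bundle` above `key:`. `port: 3444` restates the default baked into `gitlab.smartcard.port`; a comment that the two are expected to agree would help whoever changes one of them.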
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 5bb1bd6b0d..536c028e35 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -302,3 +302,61 @@ Return true in any other case.
 {{- true }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Returns true if Smartcard authentication can be enabled.
+*/}}
+{{- define "gitlab.smartcard.enabled" -}}
+{{- and .Values.global.appConfig.smartcard.enabled (eq (include "gitlab.ingress.tls.enabled" $) "true") }}
+{{- end -}}
+
+{{/*
+Validates and returns the Smartcard CA secret.
+*/}}
+{{- define "gitlab.smartcard.ca.secret" -}}
+{{- required "Smartcard CA secret is required" .Values.global.appConfig.smartcard.ca.secret -}}
+{{- end -}}
+
+{{/*
+Returns the Smartcard CA secret key or its default value if missing.
+*/}}
+{{- define "gitlab.smartcard.ca.key" -}}
+{{- default "ca.pem" .Values.global.appConfig.smartcard.ca.key -}}
+{{- end -}}
+
+{{/*
+Returns the required port for Smartcard authentication or its default value if missing.
+*/}}
+{{- define "gitlab.smartcard.port" -}}
+{{- default 3444 .Values.global.appConfig.smartcard.port -}}
+{{- end -}}
+
+ {{/*
+Return the qualified name of the Smartcard CA secret (namespace/name), as required by nginx-ingress annotation.
+*/}}
+{{- define "gitlab.smartcard.ingress.tlsCert" -}}
+{{- printf "%s/%s" .Release.Namespace (include "gitlab.smartcard.ca.secret" .) -}}
+{{- end -}}
+
+{{/*
+Return the special ingress class name for Smartcard authentication.
+*/}}
+{{- define "gitlab.smartcard.ingress.class" -}}
+{{- "nginx-smartcard" -}}
+{{- end -}}
+
+ {{/*
+Return the mount point of Smartcard CA.
+*/}}
+{{- define "gitlab.smartcard.config.ca.dir" -}}
+{{- "/etc/smartcard" -}}
+{{- end -}}
+
+{{/*
+Return the full path of Smartcard CA.
+*/}}
+{{- define "gitlab.smartcard.config.ca.fullPath" -}}
+{{- printf "%s/%s" (include "gitlab.smartcard.config.ca.dir" .) (include "gitlab.smartcard.ca.key" .) -}}
+{{- end -}}
--
GitLab
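Review bot: `gitlab.smartcard.enabled` evaluates to false whenever ingress TLS is off, even if the operator explicitly set `global.appConfig.smartcard.enabled: true`; every consumer (the Rails config stanza, the CA volume, the smartcard Ingress) then silently renders nothing, so a deployment that was meant to require client certificates comes up without them and without any error. Mirror the style of `gitlab.smartcard.ca.secret` and fail loudly, e.g. before the `and` line: `{{- if and .Values.global.appConfig.smartcard.enabled (ne (include "gitlab.ingress.tls.enabled" $) "true") }}{{- fail "Smartcard authentication requires ingress TLS to be enabled" }}{{- end }}`. The doc comment on `gitlab.smartcard.ingress.tlsCert` says the value is what the nginx-ingress annotation requires; it should also say that nginx-ingress expects the CA under the `ca.crt` key of that Secret, since `gitlab.smartcard.ca.key` defaults to `ca.pem` for the Rails mount and the two keys are not the same.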
From b35fefb5e7afec57a1f294c3f99656a313db753b Mon Sep 17 00:00:00 2001
From: Hossein Pursultani
Date: Wed, 13 Mar 2019 17:24:10 +1100
Subject: [PATCH 2/2] Add nginx-ingress as a dependency to unicord for Smartcard auth
---
 .../gitlab/charts/unicorn/requirements.yaml | 5 ++
 .../smartcard-ingress-configmap.yaml | 9 ---
 .../smartcard-ingress-deployment.yaml | 73 -------------------
 .../templates/smartcard-ingress-service.yaml | 24 ------
 charts/gitlab/charts/unicorn/values.yaml | 16 ++++
 5 files changed, 21 insertions(+), 106 deletions(-)
 create mode 100644 charts/gitlab/charts/unicorn/requirements.yaml
 delete mode 100644 charts/gitlab/charts/unicorn/templates/smartcard-ingress-configmap.yaml
 delete mode 100644 charts/gitlab/charts/unicorn/templates/smartcard-ingress-deployment.yaml
 delete mode 100644 charts/gitlab/charts/unicorn/templates/smartcard-ingress-service.yaml
diff --git a/charts/gitlab/charts/unicorn/requirements.yaml b/charts/gitlab/charts/unicorn/requirements.yaml
new file mode 100644
index 0000000000..b9fda9eb74
--- /dev/null
+++ b/charts/gitlab/charts/unicorn/requirements.yaml
@@ -0,0 +1,5 @@
+dependencies:
+- name: nginx-ingress
+ version: 1.3.1
+ repository: https://kubernetes-charts.storage.googleapis.com/
+ condition: global.appConfig.smartcard.enabled
diff --git a/charts/gitlab/charts/unicorn/templates/smartcard-ingress-configmap.yaml b/charts/gitlab/charts/unicorn/templates/smartcard-ingress-configmap.yaml
deleted file mode 100644
index 3a8cf1cc78..0000000000
--- a/charts/gitlab/charts/unicorn/templates/smartcard-ingress-configmap.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- if and .Values.enabled (eq (include "gitlab.ingress.enabled" $) "true") (eq (include "gitlab.smartcard.enabled" .) "true") -}}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ printf "%s-smartcard-ingress-nginx" (include "fullname" .) }}
- namespace: {{ $.Release.Namespace }}
-data:
- enable-vts-status: "false"
-{{- end }}
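Review bot: The new dependency is pinned only by `version: 1.3.1`; Helm 2 records the resolved chart digest in `requirements.lock`, and that file is not part of this commit (the diffstat lists five files), so `helm dep build` has nothing to verify the fetched chart against — commit the lock file unless it is generated in CI. `condition: global.appConfig.smartcard.enabled` also disagrees with `gitlab.smartcard.enabled` in templates/_helpers.tpl, which additionally requires ingress TLS: with TLS off, the nginx-ingress subchart is installed while none of the smartcard templates render, leaving an idle controller with cluster access behind. A comment on the `condition:` line that the templates apply the stricter check, or a `fail` in the helper when the two disagree, would make that visible.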
diff --git a/charts/gitlab/charts/unicorn/templates/smartcard-ingress-deployment.yaml b/charts/gitlab/charts/unicorn/templates/smartcard-ingress-deployment.yaml
deleted file mode 100644
index 7c47573e27..0000000000
--- a/charts/gitlab/charts/unicorn/templates/smartcard-ingress-deployment.yaml
+++ /dev/null
@@ -1,73 +0,0 @@
-{{- if and .Values.enabled (eq (include "gitlab.ingress.enabled" $) "true") (eq (include "gitlab.smartcard.enabled" .) "true") -}}
-{{- $appName := "nginx-smartcard" -}}
-{{- $componentName := printf "%s-smartcard-ingress-nginx" (include "fullname" .) -}}
-{{- $componentClass := "controller" -}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ $componentName | quote }}
- namespace: {{ $.Release.Namespace }}
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: {{ $appName }}
- component: {{ $componentClass }}
- release: {{ .Release.Name }}
- template:
- metadata:
- labels:
- app: {{ $appName }}
- component: {{ $componentClass }}
- release: {{ .Release.Name }}
- spec:
- containers:
- - name: {{ printf "%s-%s" $componentName $componentClass | quote }}
- image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0
- args:
- - /nginx-ingress-controller
- - --election-id=smartcard-ingress-controller-leader
- - --ingress-class={{ template "gitlab.smartcard.ingress.class" . }}
- - --configmap={{ .Release.Namespace }}/{{ $componentName }}
- - --watch-namespace={{ .Release.Namespace }}
- securityContext:
- capabilities:
- drop:
- - ALL
- add:
- - NET_BIND_SERVICE
- runAsUser: 33
- env:
- - name: POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- ports:
- - name: http
- containerPort: 80
- - name: https
- containerPort: 443
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- initialDelaySeconds: 10
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 10
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: 10254
- scheme: HTTP
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 10
-{{- end -}}
diff --git a/charts/gitlab/charts/unicorn/templates/smartcard-ingress-service.yaml b/charts/gitlab/charts/unicorn/templates/smartcard-ingress-service.yaml
deleted file mode 100644
index edabe842d2..0000000000
--- a/charts/gitlab/charts/unicorn/templates/smartcard-ingress-service.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-{{- if and .Values.enabled (eq (include "gitlab.ingress.enabled" $) "true") (eq (include "gitlab.smartcard.enabled" .) "true") -}}
-{{- $appName := "nginx-smartcard" -}}
-{{- $componentName := printf "%s-smartcard-ingress-nginx" (include "fullname" .) -}}
-{{- $componentClass := "controller" -}}
-apiVersion: apps/v1
-kind: Service
-apiVersion: v1
-metadata:
- name: {{ $componentName | quote }}
- namespace: {{ .Release.Namespace }}
- labels:
- component: {{ $componentClass }}
-spec:
- type: LoadBalancer
- selector:
- app: {{ $appName }}
- component: {{ $componentClass }}
- release: {{ .Release.Name }}
- ports:
- - name: https
- port: {{ template "gitlab.smartcard.port" . }}
- protocol: TCP
- targetPort: https
-{{- end -}}
diff --git a/charts/gitlab/charts/unicorn/values.yaml b/charts/gitlab/charts/unicorn/values.yaml
index c40ca1374e..94f5f91718 100644
--- a/charts/gitlab/charts/unicorn/values.yaml
+++ b/charts/gitlab/charts/unicorn/values.yaml
@@ -195,3 +195,19 @@ resources:
 maxUnavailable: 1
 minReplicas: 2
 maxReplicas: 10
+
+nginx-ingress:
+ nameOverride: nginx-ingress-smartcard
+ controller:
+ extraArgs:
+ https-port: 3444
+ ingressClass: nginx-smartcard
+ scope:
+ enabled: true
+ service:
+ enableHttp: false
+ enableHttps: false
+ defaultBackend:
+ enabled: false
+ tcp:
+ 3444:
--
GitLab
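Review bot: `tcp:` / `3444:` at the end of the values.yaml hunk declares a mapping entry whose value is null; the nginx-ingress chart renders `.Values.tcp` both into the controller Service's port list and into its `tcp-services` ConfigMap, so the entry looks intended only to make the Service expose 3444 after `enableHttps: false` drops 443 and `extraArgs.https-port: 3444` moves the TLS listener, and a null ConfigMap value is likely to be rejected by the API server or logged by the controller as an invalid TCP backend — worth confirming against chart 1.3.1. Quote the key so it is not read as an integer and say what the trick is for, e.g. `# Expose 3444 on the controller Service; the tcp map is used only to add the port, the TLS listener itself is https-port above` above `tcp:`, with `"3444": ""` in place of the bare key if an empty string is what the chart tolerates. `https-port: 3444` and `ingressClass: nginx-smartcard` restate values hard-coded in `gitlab.smartcard.port` and `gitlab.smartcard.ingress.class`; a comment that they must be kept in sync would help. `scope.enabled: true` confines the controller to the release namespace, which is the right default for a second, purpose-specific ingress controller.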