diff --git a/charts/gitlab/charts/unicorn/templates/smartcard-configmap.yaml b/charts/gitlab/charts/unicorn/templates/smartcard-configmap.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e5f33420fa7a50adcdc941ad84cfb5050e373c68
--- /dev/null
+++ b/charts/gitlab/charts/unicorn/templates/smartcard-configmap.yaml
@@ -0,0 +1,37 @@
+{{- if and .Values.enabled (eq (include "gitlab.smartcard.enabled" .) "true") -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "fullname" . }}-smartcard-nginx-config
+ namespace: {{ $.Release.Namespace }}
+ labels:
+{{ include "gitlab.standardLabels" . | indent 4 }}
+data:
+ {{ .Values.smartcard.nginx.config.key }}: |
+server {
+ listen *:{{ template "gitlab.smartcard.port" . }} ssl;
+
+ # certificate for configuring SSL
+ ssl_certificate /etc/ssl/private/cert.pem;
+ ssl_certificate_key /etc/ssl/private/key.pem;
+
+ ssl_verify_depth 2;
+ ssl_client_certificate {{ template "gitlab.smartcard.config.ca.fullPath" . }};
+ ssl_verify_client on;
+
+ location / {
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_set_header X-SSL-Client-Certificate $ssl_client_escaped_cert;
+
+ proxy_read_timeout 300;
+
+ proxy_pass http://{{ template "fullname" . }}.{{ $.Release.Namespace }}.svc.cluster.local:{{ .Values.service.workhorseExternalPort }};
+ }
+}
+{{- end }}
diff --git a/charts/gitlab/charts/unicorn/templates/smartcard-deployment.yaml b/charts/gitlab/charts/unicorn/templates/smartcard-deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..bc409cb18e1f385cb7d4c4f88825a8baa485b63a
--- /dev/null
+++ b/charts/gitlab/charts/unicorn/templates/smartcard-deployment.yaml
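Review bot: The nginx configuration body appears to start at column 0 (`+server {`) while its key `{{ .Values.smartcard.nginx.config.key }}: |` is indented under `data:`, so the block scalar would be empty and `server {` would be read as a new top-level key — as far as the collapsed layout shows, the template would not render, and every line of the config needs to be indented deeper than the key. The deployment hunk mounts this key as /etc/nginx/nginx.conf, and a top-level nginx.conf needs `events {}` and an `http {}` context around `server`, plus a `map $http_upgrade $connection_upgrade` definition for the `$connection_upgrade` variable that the Connection header references; nginx refuses to start on an unknown variable. No `ssl_protocols`/`ssl_ciphers` directive is set, so the image's compiled-in defaults decide which TLS versions the smartcard listener offers; pinning `ssl_protocols TLSv1.2;` (or newer) is cheap here. The forwarded `X-SSL-Client-Certificate` header is only trustworthy if workhorse/Rails honour it solely for traffic arriving through this listener; the same workhorse port is reachable directly via the main Service, so that assumption should be confirmed on the application side rather than assumed by the chart.
```yaml
data:
  {{ .Values.smartcard.nginx.config.key }}: |
    events {}
    http {
      map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
      }
      server {
        listen *:{{ template "gitlab.smartcard.port" . }} ssl;
        ssl_protocols TLSv1.2;
        # … unchanged: certificate, client-verification and location directives, re-indented under server …
      }
    }
```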
@@ -0,0 +1,71 @@
+{{- if and .Values.enabled (eq (include "gitlab.smartcard.enabled" .) "true") -}}
+apiVersion: apps/v1beta2
+kind: Deployment
+metadata:
+ name: {{ template "fullname" . }}-smartcard
+ namespace: {{ $.Release.Namespace }}
+ labels:
+{{ include "gitlab.standardLabels" . | indent 4 }}
+ selector:
+ matchLabels:
+ app: {{ template "name" . }}-smartcard
+ component: nginx
+ release: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app: {{ template "name" . }}-smartcard
+ component: nginx
+ release: {{ .Release.Name }}
+ annotations:
+ annotations:
+ cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
+ {{- range $key, $value := .Values.smartcard.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ spec:
+ containers:
+ - name: smartcard-nginx
+ image: "{{ .Values.smartcard.nginx.image.repository }}:{{ .Values.smartcard.nginx.image.tag }}"
+ imagePullPolicy: "{{ .Values.smartcard.nginx.image.pullPolicy }}"
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ ports:
+ - name: https-smartcard
+ containerPort: 443
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /etc/nginx
+ name: nginx-config-volume
+ readOnly: true
+ - mountPath: /etc/ssl/private/
+ name: ingress-tls-volume
+ readOnly: true
+ - mountPath: {{- template "gitlab.smartcard.config.ca.dir" . -}}
+ name: smartcard-ca-volume
+ readOnly: true
+ volumes:
+ - name: smartcard-ca-volume
+ secret:
+ secretName: {{- template "gitlab.smartcard.ca.secret" . -}}
+ items:
+ - key: {{- template "gitlab.smartcard.ca.key" . -}}
+ - name: nginx-config-volume
+ configMap:
+ name: {{ template "fullname" . }}-smartcard-nginx-config
+ items:
+ - key: {{ .Values.smartcard.nginx.config.key }}
+ path: nginx.conf
+ - name: ingress-tls-volume
+ secretName: {{ .Values.global.ingress.tls.secretName }}
+ defaultMode: 0600
+ items:
+ - key: cert
+ path: cert.pem
+ - key: key
+ path: key.pem
+{{- end -}}
\ No newline at end of file
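Review bot: Three lines use a whitespace-trimming action where a value is expected — `mountPath: {{- template "gitlab.smartcard.config.ca.dir" . -}}`, `secretName: {{- template "gitlab.smartcard.ca.secret" . -}}` and `key: {{- template "gitlab.smartcard.ca.key" . -}}` — so the rendered text becomes `mountPath:/etc/smartcard` with the following `name:` line pulled onto it by the right trim, which is not valid YAML; the plain `{{ template ... }}` form used elsewhere in this hunk is what is wanted. As far as the collapsed hunk shows, the manifest also has no `spec:` between the metadata labels and `selector:`, repeats `annotations:` twice under the pod template metadata, and puts `secretName`/`defaultMode`/`items` of `ingress-tls-volume` directly on the volume instead of under `secret:`, each of which fails at parse or API validation time. `containerPort: 443` and the added `NET_BIND_SERVICE` capability do not match the listener, which binds the helper's port (3444 by default in the helpers hunk); with an unprivileged port the capability can be dropped and the containerPort set from the same helper so the Service's named port resolves. Adding `runAsNonRoot`/`readOnlyRootFilesystem` would round out the security context, though whether the chosen nginx image tolerates that is not visible here.
```yaml
      annotations:
        cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
# … unchanged: range over .Values.smartcard.annotations, container image and pull policy …
          securityContext:
            capabilities:
              drop:
                - ALL
          ports:
            - name: https-smartcard
              containerPort: {{ template "gitlab.smartcard.port" . }}
              protocol: TCP
# … unchanged: nginx-config-volume and ingress-tls-volume mounts …
            - mountPath: {{ template "gitlab.smartcard.config.ca.dir" . }}
              name: smartcard-ca-volume
              readOnly: true
      volumes:
        - name: smartcard-ca-volume
          secret:
            secretName: {{ template "gitlab.smartcard.ca.secret" . }}
            items:
              - key: {{ template "gitlab.smartcard.ca.key" . }}
# … unchanged: nginx-config-volume …
        - name: ingress-tls-volume
          secret:
            secretName: {{ .Values.global.ingress.tls.secretName }}
            defaultMode: 0600
# … unchanged: cert/key items …
```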
diff --git a/charts/gitlab/charts/unicorn/templates/smartcard-service.yaml b/charts/gitlab/charts/unicorn/templates/smartcard-service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d629972fd1957c786a7d6e64cd2f56a760fb13e5
--- /dev/null
+++ b/charts/gitlab/charts/unicorn/templates/smartcard-service.yaml
@@ -0,0 +1,21 @@
+{{- if and .Values.enabled (eq (include "gitlab.smartcard.enabled" .) "true") -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "fullname" . }}-smartcard
+ namespace: {{ $.Release.Namespace }}
+ labels:
+{{ include "gitlab.standardLabels" . | indent 4 }}
+ annotations:
+{{ include "gitlab.serviceAnnotations" . | indent 4 }}
+spec:
+ type: {{ .Values.smartcard.service.type }}
+ ports:
+ - port: https-smartcard
+ targetPort: {{ template "gitlab.smartcard.port" . }}
+ protocol: TCP
+ name: smartcard
+ selector:
+ app: {{ template "name" . }}-smartcard
+ release: {{ .Release.Name }}
+{{- end }}
diff --git a/charts/gitlab/charts/unicorn/values.yaml b/charts/gitlab/charts/unicorn/values.yaml
index 260c365d81d597ba1d6cecdde63f089242e1b5df..fb93728b60d16653541bae826632643102bece51 100644
--- a/charts/gitlab/charts/unicorn/values.yaml
+++ b/charts/gitlab/charts/unicorn/values.yaml
@@ -132,6 +132,11 @@ global:
 # bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
 # password: '_the_password_of_the_bind_user'
 # encryption: 'plain'
+ smartcard:
+ enabled: false
+ ca: {}
+ # secret: secret-containing-ca-cert
+ # key: ca.crt
 omniauth:
 enabled: false
 autoSignInWithProvider:
@@ -191,3 +196,15 @@ minReplicas: 2
 maxReplicas: 10
 helmTests:
 enabled: true
+smartcard:
+ annotations: {}
+ nginx:
+ image:
+ repository: nginx
+ tag: 1.15.9
+ pullPolicy: IfNotPresent
+ config:
+ key: nginx.conf
+
+ service:
+ type: ClusterIP
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 5bb1bd6b0d667a9900561c7242489d39a7e2fa7d..992ad90da38d593917546e0829e26cf0da50d090 100644
--- a/templates/_helpers.tpl
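Review bot: `port: https-smartcard` is rejected by the API server — a Service `port` must be an integer; only `targetPort` may carry a port name. Swap the two so the numeric value comes from the helper and the name points at the container: `port: {{ template "gitlab.smartcard.port" . }}` and `targetPort: https-smartcard`, which also keeps the Service honest once the Deployment declares the matching `containerPort`. The selector carries `app` and `release` but not the `component: nginx` label the Deployment's matchLabels use; harmless because of the `-smartcard` app suffix, but aligning the two avoids surprises if the suffix ever changes.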
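Review bot: The commented example `# key: ca.crt` disagrees with the `ca.pem` default in the `gitlab.smartcard.ca.key` helper, and `port` (read by `gitlab.smartcard.port`, default 3444) is not documented under `smartcard:` at all. Add `# port: 3444` and change the example to `# key: ca.pem` (or change the helper default), so operators know which secret item name the CA volume expects. The helpers read these values under `.Values.global.appConfig.smartcard`; the neighbouring ldap comments suggest this stanza sits under `appConfig`, but the collapsed hunk does not show its indentation, so confirm it lands there rather than directly under `global`.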
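Review bot: `tag: 1.15.9` only survives as a string because it has two dots; a two-component tag such as `1.15` would be parsed as a float, so quote it as a matter of habit, `tag: "1.15.9"`. This container terminates the mutual-TLS listener, so it is also worth documenting how the tag is kept current or pinning the image by digest, which `repository`/`tag` alone does not support.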
+++ b/templates/_helpers.tpl
@@ -302,3 +302,52 @@ Return true in any other case.
 {{- true }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Returns true if Smartcard authentication can be enabled.
+*/}}
+{{- define "gitlab.smartcard.enabled" -}}
+{{- and .Values.global.appConfig.smartcard.enabled (eq (include "gitlab.ingress.tls.enabled" $) "true") }}
+{{- end -}}
+
+{{/*
+Validates and returns the Smartcard CA secret.
+*/}}
+{{- define "gitlab.smartcard.ca.secret" -}}
+{{- required "Smartcard CA secret is required" .Values.global.appConfig.smartcard.ca.secret -}}
+{{- end -}}
+
+{{/*
+Returns the Smartcard CA secret key or its default value if missing.
+*/}}
+{{- define "gitlab.smartcard.ca.key" -}}
+{{- default "ca.pem" .Values.global.appConfig.smartcard.ca.key -}}
+{{- end -}}
+
+{{/*
+Returns the required port for Smartcard authentication or its default value if missing.
+*/}}
+{{- define "gitlab.smartcard.port" -}}
+{{- default 3444 .Values.global.appConfig.smartcard.port -}}
+{{- end -}}
+
+{{/*
+Return the qualified name of the Smartcard CA secret (namespace/name), as required by nginx-ingress annotation.
+*/}}
+{{- define "gitlab.smartcard.ingress.tlsCert" -}}
+{{- printf "%s/%s" .Release.Namespace (include "gitlab.smartcard.ca.secret" .) -}}
+{{- end -}}
+
+{{/*
+Return the mount point of Smartcard CA.
+*/}}
+{{- define "gitlab.smartcard.config.ca.dir" -}}
+{{- "/etc/smartcard" -}}
+{{- end -}}
+
+{{/*
+Return the full path of Smartcard CA.
+*/}}
+{{- define "gitlab.smartcard.config.ca.fullPath" -}}
+{{- printf "%s/%s" (include "gitlab.smartcard.config.ca.dir" .) (include "gitlab.smartcard.ca.key" .) -}}
+{{- end -}}
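Review bot: `gitlab.smartcard.enabled` silently yields false when `global.appConfig.smartcard.enabled` is true but `gitlab.ingress.tls.enabled` is not, so an operator who turns the feature on without ingress TLS gets no smartcard resources and no error; failing the render with a message naming the TLS prerequisite, e.g. `{{- if and .Values.global.appConfig.smartcard.enabled (ne (include "gitlab.ingress.tls.enabled" $) "true") }}{{ fail "smartcard requires global.ingress.tls" }}{{ end }}`, would surface the misconfiguration at install time instead of as a missing listener. The `default "ca.pem"` in `gitlab.smartcard.ca.key` differs from the `ca.crt` example in the values hunk; pick one and document it in both places. `gitlab.smartcard.ingress.tlsCert` is defined but not referenced by any template in this diff; if it is intended for a later ingress annotation, the comment should say so, otherwise it is dead code.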