Commit 40e0fba3 authored by Ryan Algar's avatar Ryan Algar Committed by Jason Plum

Add configMaps and keys for customCA

When defining customCAs:
- It is now possible to use configMaps in addition to secrets.
- It is now possible to define specific keys to be mounted.

Changelog: added
parent 8622235e
......@@ -1336,20 +1336,32 @@ To disable the use of LDAP for web sign-in, set `global.appConfig.ldap.preventSi
If the LDAP server uses a custom CA or self-signed certificate, you must:
1. Ensure that the custom CA/Self-Signed certificate is created as a secret in the cluster/namespace:
1. Ensure that the custom CA/Self-Signed certificate is created as a Secret or ConfigMap in the cluster/namespace:
```shell
kubectl -n gitlab create secret generic my-custom-ca --from-file=my-custom-ca.pem
# Secret
kubectl -n gitlab create secret generic my-custom-ca-secret --from-file=unique_name=my-custom-ca.pem
# ConfigMap
kubectl -n gitlab create configmap my-custom-ca-configmap --from-file=unique_name=my-custom-ca.pem
```
1. Then, specify:
```shell
--set global.certificates.customCAs[0].secret=my-custom-ca
--set global.appConfig.ldap.servers.main.ca_file=/etc/ssl/certs/ca-cert-my-custom-ca.pem
# Configure a custom CA from a Secret
--set global.certificates.customCAs[0].secret=my-custom-ca-secret
# Or from a ConfigMap
--set global.certificates.customCAs[0].configMap=my-custom-ca-configmap
# Configure the LDAP integration to trust the custom CA
--set global.appConfig.ldap.servers.main.ca_file=/etc/ssl/certs/ca-cert-unique_name.pem
```
This will ensure that the CA is mounted in the relevant pods under `/etc/ssl/certs/ca-cert-my-custom-ca.pem` and specifies its use in the LDAP configuration.
This will ensure that the CA certificate is mounted in the relevant pods at `/etc/ssl/certs/ca-cert-unique_name.pem` and specifies its use in the LDAP configuration.
See [Custom Certificate Authorities](#custom-certificate-authorities) for more info.
### OmniAuth
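Review bot: The `ca_file` path `/etc/ssl/certs/ca-cert-unique_name.pem` in the second `--set` block should be tied explicitly to the `unique_name=` key used in the `--from-file` commands above; as written a reader has to infer that the mounted filename is derived from the key name inside the Secret or ConfigMap and not from the resource name (`my-custom-ca-secret`). A sentence before the block such as "the mounted file is named `ca-cert-<key>.pem`, where `<key>` is the key in the Secret or ConfigMap" would make that clear. The same block also shows `customCAs[0].secret` and `customCAs[0].configMap` as alternatives for the same index; it is worth stating that a single entry should set only one of the two.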
......@@ -1789,33 +1801,39 @@ These settings do not affect charts from outside of this repository, via `requir
Some users may need to add custom certificate authorities, such as when using internally
issued SSL certificates for TLS services. To provide this functionality, we provide
a mechanism for injecting these custom root certificate authorities into the application via secrets.
```yaml
global:
certificates:
customCAs:
- secret: internal-cas
- secret: other-custom-cas
```
A user can provide any number of secrets, each containing any number of keys that hold
PEM encoded CA certificates. These are configured as entries under `global.certificates.customCAs`.
All keys within the secret will be mounted, so all keys across all secrets must be unique.
These secrets can be named in any fashion, but they *must not* contain key names that collide.
a mechanism for injecting these custom root certificate authorities into the application through Secrets or ConfigMaps.
To create a secret:
To create a Secret or ConfigMap:
```shell
kubectl create secret generic custom-ca --from-file=unique_name=/path/to/cert
# Create a Secret from a certificate file
kubectl create secret generic secret-custom-ca --from-file=unique_name=/path/to/cert
# Create a ConfigMap from a certificate file
kubectl create configmap cm-custom-ca --from-file=unique_name=/path/to/cert
```
To configure the secret:
To configure a Secret or ConfigMap, or both, specify them in globals:
```shell
helm install gitlab gitlab/gitlab \
--set global.certificates.customCAs[0].secret=custom-ca
```
```yaml
global:
certificates:
customCAs:
- secret: secret-custom-CAs # Mount all keys of a Secret
- secret: secret-custom-CAs # Mount only the specified keys of a Secret
keys:
- unique_name
- configMap: cm-custom-CAs # Mount all keys of a ConfigMap
- configMap: cm-custom-CAs # Mount only the specified keys of a ConfigMap
keys:
- unique_name_1
- unique_name_2
```
You can provide any number of Secrets or ConfigMaps, each containing any number of keys that hold
PEM-encoded CA certificates. These are configured as entries under `global.certificates.customCAs`.
All keys are mounted unless `keys:` is provided with a list of specific keys to be mounted. All mounted keys across all Secrets and ConfigMaps must be unique.
The Secrets and ConfigMaps can be named in any fashion, but they *must not* contain key names that collide.
## Application Resource
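Review bot: The YAML example lists the same Secret (`secret-custom-CAs`) twice, once mounting all keys and once with `keys: [unique_name]`, and does the same for `cm-custom-CAs`; combined with the rule a few lines below that all mounted keys across all Secrets and ConfigMaps must be unique, this example mounts `unique_name` twice and is exactly the collision the text warns against. Use a distinct resource name for each entry, and align the names with the `secret-custom-ca` and `cm-custom-ca` resources created by the `kubectl` commands just above, which differ from the YAML in case and spelling.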
......
......@@ -28,7 +28,16 @@ describe 'Certificates configuration' do
global:
certificates:
customCAs:
- secret: rspec-custom-ca
- secret: rspec-custom-ca-secret-1
- secret: rspec-custom-ca-secret-2
keys:
- custom-ca-1.crt
- custom-ca-2.crt
- configMap: rspec-custom-ca-configmap-1
- configMap: rspec-custom-ca-configmap-2
keys:
- custom-ca-3.crt
- custom-ca-4.crt
)))
end
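Review bot: The fixture covers Secret and ConfigMap entries with and without `keys`, but not an entry that sets both `secret` and `configMap`, nor one that sets neither; the template in this change takes the `secret` branch first and renders no source at all for an entry with neither, so a fixture (or a separate render-failure case) for those inputs would pin that behaviour down rather than leaving it implicit.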
......@@ -43,14 +52,54 @@ describe 'Certificates configuration' do
next if skip_items.any? { |i| resource[0].include? i }
sources = present.projected_volume_sources(resource[0],'custom-ca-certificates')
expect(sources).to be_truthy, "unable to locate 'custom-ca-certificates' volume for #{resource[0]}"
expect(sources[0]['secret']['name']).to eq('rspec-custom-ca')
expect(sources[0]['secret']['name']).to eq('rspec-custom-ca-secret-1')
expect(sources[0]['secret']).not_to have_key('items')
expect(sources[1]['secret']['name']).to eq('rspec-custom-ca-secret-2')
expect(sources[1]['secret']['items'][0]['key']).to eq('custom-ca-1.crt')
expect(sources[1]['secret']['items'][0]['path']).to eq('custom-ca-1.crt')
expect(sources[1]['secret']['items'][1]['key']).to eq('custom-ca-2.crt')
expect(sources[1]['secret']['items'][1]['path']).to eq('custom-ca-2.crt')
end
present.resources_by_kind('StatefulSet').each do |resource|
next if skip_items.any? { |i| resource[0].include? i }
sources = present.projected_volume_sources(resource[0],'custom-ca-certificates')
expect(sources).to be_truthy, "unable to locate 'custom-ca-certificates' volume for #{resource[0]}"
expect(sources[0]['secret']['name']).to eq('rspec-custom-ca')
expect(sources[0]['secret']['name']).to eq('rspec-custom-ca-secret-1')
expect(sources[0]['secret']).not_to have_key('items')
expect(sources[1]['secret']['name']).to eq('rspec-custom-ca-secret-2')
expect(sources[1]['secret']['items'][0]['key']).to eq('custom-ca-1.crt')
expect(sources[1]['secret']['items'][0]['path']).to eq('custom-ca-1.crt')
expect(sources[1]['secret']['items'][1]['key']).to eq('custom-ca-2.crt')
expect(sources[1]['secret']['items'][1]['path']).to eq('custom-ca-2.crt')
end
end
it 'populates volumes with extra ConfigMap' do
present.resources_by_kind('Deployment').each do |resource|
next if skip_items.any? { |i| resource[0].include? i }
sources = present.projected_volume_sources(resource[0],'custom-ca-certificates')
expect(sources).to be_truthy, "unable to locate 'custom-ca-certificates' volume for #{resource[0]}"
expect(sources[2]['configMap']['name']).to eq('rspec-custom-ca-configmap-1')
expect(sources[2]['configMap']).not_to have_key('items')
expect(sources[3]['configMap']['name']).to eq('rspec-custom-ca-configmap-2')
expect(sources[3]['configMap']['items'][0]['key']).to eq('custom-ca-3.crt')
expect(sources[3]['configMap']['items'][0]['path']).to eq('custom-ca-3.crt')
expect(sources[3]['configMap']['items'][1]['key']).to eq('custom-ca-4.crt')
expect(sources[3]['configMap']['items'][1]['path']).to eq('custom-ca-4.crt')
end
present.resources_by_kind('StatefulSet').each do |resource|
next if skip_items.any? { |i| resource[0].include? i }
sources = present.projected_volume_sources(resource[0],'custom-ca-certificates')
expect(sources).to be_truthy, "unable to locate 'custom-ca-certificates' volume for #{resource[0]}"
expect(sources[2]['configMap']['name']).to eq('rspec-custom-ca-configmap-1')
expect(sources[2]['configMap']).not_to have_key('items')
expect(sources[3]['configMap']['name']).to eq('rspec-custom-ca-configmap-2')
expect(sources[3]['configMap']['items'][0]['key']).to eq('custom-ca-3.crt')
expect(sources[3]['configMap']['items'][0]['path']).to eq('custom-ca-3.crt')
expect(sources[3]['configMap']['items'][1]['key']).to eq('custom-ca-4.crt')
expect(sources[3]['configMap']['items'][1]['path']).to eq('custom-ca-4.crt')
end
end
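Review bot: The Deployment and StatefulSet loops in both examples repeat identical expectation blocks; iterating over `%w[Deployment StatefulSet]`, or extracting a helper that takes `sources`, would halve the duplicated lines and keep the two kinds from drifting apart. The assertions also depend on fixed positions `sources[0]` through `sources[3]`, which ties the test to the order of the `customCAs` list in the fixture; that is acceptable since the fixture defines the order, but a short comment stating the dependency would help the next editor. Minor style point: `projected_volume_sources(resource[0],'custom-ca-certificates')` is missing a space after the comma.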
......
......@@ -45,9 +45,27 @@
defaultMode: 0440
sources:
{{- range $index, $customCA := .Values.global.certificates.customCAs }}
{{- if $customCA.secret }}
- secret:
name: {{ $customCA.secret }}
# items not specified, will mount all keys
{{- if $customCA.keys }}
items:
{{- range $customCA.keys }}
- key: {{ . }}
path: {{ . }}
{{- end }}
{{- end }}
{{- else if $customCA.configMap }}
- configMap:
name: {{ $customCA.configMap }}
{{- if $customCA.keys }}
items:
{{- range $customCA.keys }}
- key: {{ . }}
path: {{ . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- if not (or $.Values.global.ingress.configureCertmanager $.Values.global.ingress.tls) }}
- secret:
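Review bot: An entry that sets both `secret` and `configMap` silently uses the Secret and drops the ConfigMap, and an entry that sets neither renders no source at all, because the `{{- if $customCA.secret }}` / `{{- else if $customCA.configMap }}` chain has no final branch; adding `{{- else }}{{ fail (printf "customCAs[%d] must set secret or configMap" $index) }}{{- end }}` would surface the misconfiguration at render time instead of as a missing CA at runtime. The `# items not specified, will mount all keys` line is a YAML comment that is emitted into the rendered manifest; a template comment (`{{/* ... */}}`) keeps the output clean. The `items:` block is duplicated verbatim for the two source kinds and could be a named template. Finally, `key: {{ . }}` and `path: {{ . }}` are unquoted; `{{ . | quote }}` avoids YAML misparsing key names that look numeric or contain special characters.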
......
......@@ -671,6 +671,13 @@ global:
customCAs: []
# - secret: custom-CA
# - secret: more-custom-CAs
# keys:
# - custom-ca-1.crt
# - configMap: custom-CA-cm
# - configMap: more-custom-CAs-cm
# keys:
# - custom-ca-2.crt
# - custom-ca-3.crt
## kubectl image used by hooks to carry out specific jobs
kubectl:
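Review bot: The commented example names (`custom-CA`, `more-custom-CAs`, `custom-CA-cm`) differ from those used in the documentation hunk (`secret-custom-CAs`, `cm-custom-CAs`); aligning them avoids confusion when users copy between the two. A comment stating that `keys` is optional (all keys are mounted when it is omitted) and that each entry should set exactly one of `secret` or `configMap` would also help, since `values.yaml` is often the only place users look.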
......