Commit b301a024 authored by DJ Mountney's avatar DJ Mountney

Merge branch 'selfsigned' into 'master'

Use self-signed certificate as last resort

See merge request charts/gitlab!360
parents d2ef48d0 b1d475fb
......@@ -299,6 +299,28 @@ qa:
refs:
- branches
debug_review:
stage: qa
when: on_failure
script:
- kubectl -n "$KUBE_NAMESPACE" describe pod
- kubectl -n "$KUBE_NAMESPACE" get pod,jobs,secret,ing,cm,sa,svc,role,rolebinding,pvc
artifacts:
paths:
- variables
environment:
name: review/$CI_COMMIT_REF_NAME
url: https://gitlab-$CI_ENVIRONMENT_SLUG.$AUTO_DEVOPS_DOMAIN
variables:
HOST_SUFFIX: "$CI_ENVIRONMENT_SLUG"
DOMAIN: "-$CI_ENVIRONMENT_SLUG.$AUTO_DEVOPS_DOMAIN"
only:
refs:
- branches
kubernetes: active
except:
- master
changelog_manager:
stage: changelog
script:
......@@ -500,10 +522,10 @@ changelog_manager:
}
function cleanup() {
kubectl get ingress,configmap,all,pvc -n "$KUBE_NAMESPACE" \
-o jsonpath='{range .items[*]}{.kind}{" "}{.metadata.name}{"\n"}{end}' \
kubectl -n "$KUBE_NAMESPACE" get ingress,svc,pdb,hpa,deploy,statefulset,job,secret,configmap,pvc,secret,clusterrole,clusterrolebinding,role,rolebinding,sa 2>&1 \
| grep "$CI_ENVIRONMENT_SLUG" \
| xargs -n2 kubectl delete -n "$KUBE_NAMESPACE" \
| awk '{print $1}' \
| xargs kubectl -n "$KUBE_NAMESPACE" delete \
|| true
}
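Review bot: The new `grep "$CI_ENVIRONMENT_SLUG"` in `cleanup()` matches the slug as an unanchored substring of every output line, so a sibling environment whose slug extends this one, and any stderr text merged in by `2>&1` that happens to contain it, also reaches `xargs kubectl delete`; with `clusterrole` and `clusterrolebinding` in the resource list that deletion is cluster-wide rather than namespace-scoped, and `secret` appears twice in the list. I would emit `kind/name` directly and anchor the match, replacing the `get ... 2>&1 | grep | awk` pipeline with `kubectl -n "$KUBE_NAMESPACE" get ingress,svc,pdb,hpa,deploy,statefulset,job,secret,configmap,pvc,clusterrole,clusterrolebinding,role,rolebinding,sa -o name 2>/dev/null \` followed by `| grep -E -- "-${CI_ENVIRONMENT_SLUG}(-|$)" \` and keeping the existing `xargs kubectl -n "$KUBE_NAMESPACE" delete || true`. I cannot see from here how the release name embeds the slug, so the exact anchoring pattern needs checking against a deployed review app before merging.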
......
---
title: Use self-signed certificate as last resort
merge_request: 360
author: Corey O'Brien
type: security
......@@ -9,6 +9,8 @@ if there is a shared tls secret for all ingresses.
{{- $defaultName := (dict "secretName" "") -}}
{{- if .Values.global.ingress.configureCertmanager -}}
{{- $_ := set $defaultName "secretName" (printf "%s-gitlab-tls" .Release.Name) -}}
{{- else -}}
{{- $_ := set $defaultName "secretName" (include "gitlab.wildcard-self-signed-cert-name" .) -}}
{{- end -}}
{{- pluck "secretName" .Values.ingress.tls .Values.global.ingress.tls $defaultName | first -}}
{{- end -}}
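Review bot: The new `else` branch defaults `secretName` to the wildcard self-signed secret whenever `configureCertmanager` is false, but the job that creates that secret (the new shared-secrets template in this MR) is gated on `not (or .Values.global.ingress.configureCertmanager .Values.global.ingress.tls)`; if an operator sets `global.ingress.tls` to a map without a `secretName` (I cannot see from here which keys it accepts), the Ingress will reference `<release>-wildcard-tls` that nothing creates and TLS will fail at the ingress controller. The two predicates should agree, e.g. `{{- else if not .Values.global.ingress.tls -}}` here, or the job's guard should test `.Values.global.ingress.tls.secretName` rather than the whole map. The same `else` branch is repeated verbatim in the minio and registry helpers in this MR, so folding the default into one shared helper would keep the three in sync. The enclosing `define` starts above this hunk.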
......@@ -47,6 +47,8 @@ if there is a shared tls secret for all ingresses.
{{- $defaultName := (dict "secretName" "") -}}
{{- if .Values.global.ingress.configureCertmanager -}}
{{- $_ := set $defaultName "secretName" (printf "%s-minio-tls" .Release.Name) -}}
{{- else -}}
{{- $_ := set $defaultName "secretName" (include "gitlab.wildcard-self-signed-cert-name" .) -}}
{{- end -}}
{{- pluck "secretName" .Values.ingress.tls .Values.global.ingress.tls $defaultName | first -}}
{{- end -}}
......
......@@ -31,6 +31,8 @@ if there is a shared tls secret for all ingresses.
{{- $defaultName := (dict "secretName" "") -}}
{{- if .Values.global.ingress.configureCertmanager -}}
{{- $_ := set $defaultName "secretName" (printf "%s-registry-tls" .Release.Name) -}}
{{- else -}}
{{- $_ := set $defaultName "secretName" (include "gitlab.wildcard-self-signed-cert-name" .) -}}
{{- end -}}
{{- pluck "secretName" .Values.ingress.tls .Values.global.ingress.tls $defaultName | first -}}
{{- end -}}
......
{{- if not (or .Values.global.ingress.configureCertmanager .Values.global.ingress.tls) -}}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "shared-secrets.jobname" . }}-selfsign
labels:
app: {{ template "name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
labels:
app: {{ template "name" . }}
release: {{ .Release.Name }}
spec:
serviceAccountName: {{ template "fullname" . }}
restartPolicy: Never
{{- include "pullsecrets" .Values.image | indent 6}}
initContainers:
- name: omgwtfssl
image: "{{ .Values.selfsign.image.repository }}:{{ .Values.selfsign.image.tag }}"
env:
- name: SSL_SUBJECT
value: {{ printf "*.%s" .Values.global.hosts.domain | quote }}
- name: SSL_EXPIRE
value: "30"
- name: SSL_SIZE
value: "4096"
- name: SILENT
value: "true"
- name: K8S_NAME
value: {{ template "gitlab.wildcard-self-signed-cert-name" . }}
- name: K8S_NAMESPACE
value: {{ .Release.Namespace }}
volumeMounts:
- name: certs-path
mountPath: /certs
containers:
- name: kubectl
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
command:
- /bin/bash
- -ec
- "kubectl create -f /certs/secret.yaml || true"
volumeMounts:
- name: certs-path
mountPath: /certs
volumes:
- name: certs-path
emptyDir: {}
{{- end -}}
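Review bot: `kubectl create -f /certs/secret.yaml || true` in the `kubectl` container writes the secret exactly once: on every later `pre-upgrade` run the create fails with AlreadyExists and is silently ignored, so the key pair generated with `SSL_EXPIRE` `"30"` (presumably days) is never replaced when it expires, and the `|| true` also hides real failures such as an RBAC denial for the job's service account. I would test for the existing secret explicitly, create it only when absent, and let any other error fail the hook; that needs `K8S_NAME`/`K8S_NAMESPACE` in the `kubectl` container, which only the init container has today, and rotation of an already-expired secret would still be a separate step (delete the secret and upgrade) that the chart notes should spell out. Independently, the private key is staged in a plain `emptyDir`, which lands on node disk; `medium: Memory` keeps it in tmpfs for the job's lifetime. I am inferring that omgwtfssl writes a Secret manifest to `/certs/secret.yaml` from the mount and the create command, so please confirm against the image's documentation.
```yaml
      containers:
      - name: kubectl
        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
        env:
        - name: K8S_NAME
          value: {{ template "gitlab.wildcard-self-signed-cert-name" . }}
        - name: K8S_NAMESPACE
          value: {{ .Release.Namespace }}
        command:
        - /bin/bash
        - -ec
        - |
          # Keep an existing secret (so upgrades do not rotate the cert unexpectedly);
          # any failure other than "already present" must fail the hook, not be masked.
          if kubectl -n "$K8S_NAMESPACE" get secret "$K8S_NAME" >/dev/null 2>&1; then
            echo "secret $K8S_NAMESPACE/$K8S_NAME already exists; leaving it in place"
          else
            kubectl create -f /certs/secret.yaml
          fi
        # … unchanged: volumeMounts …
      volumes:
      - name: certs-path
        emptyDir:
          medium: Memory
```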
......@@ -3,6 +3,10 @@ image:
tag: 1f8690f03f7aeef27e727396927ab3cc96ac89e7
# pullPolicy: Always
pullSecrets: []
selfsign:
image:
repository: paulczar/[email protected]
tag: 7fd1f81d740ffc0f87a17cfe4a99a26f9796f682b0cc905820e75ccb6414bcf9
resources: {}
env: production
global: {}
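Review bot: `selfsign.image.repository` renders on this page as `paulczar/[email protected]`, which looks like the forge's e-mail obfuscation of `omgwtfssl@sha256`; the digest pin in `tag` only works if the raw value really ends in `@sha256`, so it is worth confirming in the file itself. Pinning by digest is the right call for an image that generates the deployment's private key, but hiding that behind a key named `tag` joined with `:` is non-obvious; a comment such as `# repository ends in @sha256 so repository:tag renders as image@sha256:<digest> (digest-pinned)` above `repository:` would save the next reader a surprise. This is a personal Docker Hub namespace rather than an organisation-controlled image; the pin prevents tag mutation but the provenance deserves a note too, e.g. the upstream version or commit the digest corresponds to.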
{{- if not (or .Values.global.ingress.configureCertmanager .Values.global.ingress.tls) -}}
WARNING: Automatic TLS certificate generation with cert-manager is disabled and
no TLS certificates were provided. Self-signed certificates were generated.
{{- if (index .Values "gitlab-runner").install -}}
{{- fail "Automatic TLS certificate generation with cert-manager is disabled and no TLS certificates were provided. Self-signed certificates would be generated that do not work with gitlab-runner. Please either disable gitlab-runner by setting `gitlab-runner.install=false` or provide valid certificates." -}}
{{- end -}}
{{- end -}}
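Review bot: The warning tells the operator that self-signed certificates were generated but not what that implies: clients will reject the `*.<domain>` certificate unless they are explicitly made to trust it, and the generating job in this MR sets `SSL_EXPIRE` to `"30"` (presumably days) with no renewal path visible here. I would extend the text after "Self-signed certificates were generated." with `They are not trusted by clients and are intended only for evaluation; supply certificates via global.ingress.tls.secretName (or re-enable cert-manager) before exposing this instance.` The `{{-` on the `WARNING:` line trims the preceding newline, so check that the rendered NOTES output still starts the warning on its own line. The `fail` for gitlab-runner is a good hard stop; its message could name the same `secretName` key so both paths point the operator at one fix.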
......@@ -231,3 +231,8 @@ Returns gitlabUrl needed for gitlab-runner
{{- define "gitlab-runner.gitlabUrl" -}}
{{- template "gitlab.gitlab.url" . -}}
{{- end -}}
{{/* selfsigned cert for when other options aren't provided */}}
{{- define "gitlab.wildcard-self-signed-cert-name" -}}
{{- default (printf "%s-wildcard-tls" .Release.Name) .Values.global.ingress.tls.secretName -}}
{{- end -}}
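Review bot: `.Values.global.ingress.tls.secretName` on the last line will abort rendering with a nil-pointer error if `global.ingress.tls` is absent from the values, and the `not (or ... .Values.global.ingress.tls)` guard added elsewhere in this MR suggests it can be, which is exactly the case this helper exists for; I cannot see the chart's default values from here, so this needs confirming. A nil-safe form is `{{- default (printf "%s-wildcard-tls" .Release.Name) (default (dict) .Values.global.ingress.tls).secretName -}}`. The helper also returns the operator's own `secretName` when one is set, so the comment `selfsigned cert for when other options aren't provided` understates it; `{{/* Name of the shared TLS secret: global.ingress.tls.secretName when set, otherwise the self-signed wildcard secret <release>-wildcard-tls */}}` describes what it does.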