Skip to content

Registry: add support for TLS for the debug endpoint

Jason Young requested to merge 3454-add-tls-to-registry-debug into master

What does this MR do?

With gitlab-org/container-registry#729 (closed) - TLS support was added to the debug listener for the registry. This exposes the configuration necessary to enable that support within the registry chart.

The configuration is written when registry.debug.tls.enable=true is set. A dedicated TLS secret can be specified as registry.debug.tls.secretName - and if present, the contents are mounted as /etc/docker/registry/tls/tls-debug.crt and /etc/docker/registry/tls/tls-debug.key. If a dedicated TLS secret is not provided, it's expected the regular port has been configured for TLS - i.e. registry.tls.enabed=true is set, as well as a registry.tls.secretName.

The debug port is used for the kubelet liveness/readiness probes, as well as metrics. Enabling metrics is independent of the TLS setting, but appropriate Prometheus annotations are added if TLS is enabled and Metrics are enabled.

Since this configuration is really targeting the "debug" port - the setting names have been tied to the registry.debug map.

Related issues

Closes #3454 (closed)

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Merge Request Title and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for omnibus-gitlab opened

Test Plan

The following configuration was used for testing:

certmanager-issuer:
  email: jyoung@gitlab.com
global:
  appConfig:
    initialDefaults:
      signupEnabled: false
  hosts:
    domain: chartdev.jayo.run
  image:
    pullPolicy: "Always"
registry:
  debug:
    tls:
      enabled: true
      secretName: gitlab-registry-debug-tls
  1. Create a TLS secret as gitlab-registry-debug-tls
  2. Deploy the chart from this branch
  3. Observe that liveness and readiness probes for the gitlab-registry deployment are using scheme: HTTPS
  4. Doing a curl --insecure --verbose https://localhost:5001/debug/health from inside either or both of the registry pods should show the TLS connection, and server certificate details added in the gitlab-registry-debug-tls secret.
Edited by Jason Young

Merge request reports