
Add GSS-API support for gitlab-sshd

What does this MR do?

This MR adds GSSAPI-related settings to the gitlab-shell chart, following gitlab-org/gitlab-shell!682 (merged).

These settings only work with gitlab-sshd:

gitlab:
  gitlab-shell:
    enabled: true
    sshDaemon: gitlab-sshd
    config:
      gssapi:
        enabled: true
        keytab:
          secret: gitlab-keytab
          key: keytab
        krb5Config: |
          [libdefaults]
          default_realm = GDK.TEST

The complete list of settings this MR adds (with their default values):

gitlab:
  gitlab-shell:
    config:
      gssapi:
        enabled: false
        keytab:
          secret:  # required, no default value
          key: keytab
        krb5Config: ""  # optional
        servicePrincipalName: ""  # optional

It is possible to use YAML anchors to share settings with appConfig's kerberos section:

.kerberos: &kerberos
  keytab:
    secret: gitlab-keytab
  krb5Config: |
    [libdefaults]
    default_realm = GDK.TEST

gitlab:
  appConfig:
    kerberos:
      <<: *kerberos
      enabled: false  # disables cloning with SPNEGO but still allows authentication with the web UI, given the proper OmniAuth configuration.
      servicePrincipalName: HTTP/gdk.test@GDK.TEST
  gitlab-shell:
    enabled: true
    sshDaemon: gitlab-sshd
    config:
      gssapi:
        <<: *kerberos
        enabled: true
        servicePrincipalName: host/gdk.test@GDK.TEST

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Merge Request Title and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for omnibus-gitlab opened
  • Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by Marin Hannache
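
An added example, not part of the merge request or the chart: the `<<` merge key used with the shared `&kerberos` anchor is shallow, so overriding only `keytab.key` under `gssapi` replaces the whole `keytab` map and drops the required `keytab.secret`. The helper names, the `sshd.keytab` value and the check itself are assumptions made for illustration; the defaults are the ones listed in the description.

```ruby
require "yaml"

# Chart defaults for gitlab-shell's gssapi section, as listed in the MR description.
GSSAPI_DEFAULTS = {
  "enabled" => false,
  "keytab" => { "secret" => nil, "key" => "keytab" },
  "krb5Config" => "",
  "servicePrincipalName" => ""
}.freeze

# Recursive merge, approximating how Helm layers user values over chart defaults.
def deep_merge(base, override)
  base.merge(override) do |_key, old, new|
    old.is_a?(Hash) && new.is_a?(Hash) ? deep_merge(old, new) : new
  end
end

# Hypothetical helper: resolve anchors, apply defaults, return the gssapi section.
def effective_gssapi(values_yaml)
  values = YAML.safe_load(values_yaml, aliases: true)
  user = values.dig("gitlab", "gitlab-shell", "config", "gssapi") || {}
  deep_merge(GSSAPI_DEFAULTS, user)
end

# Hypothetical check for the one setting the description marks as required.
def gssapi_problems(gssapi)
  return [] unless gssapi["enabled"]
  secret = gssapi.dig("keytab", "secret").to_s
  secret.empty? ? ["gssapi.keytab.secret is required when gssapi.enabled is true"] : []
end

# Constructed sample values, modelled on the anchor example in the description.
SHARED = <<~YAML
  .kerberos: &kerberos
    keytab:
      secret: gitlab-keytab
  gitlab:
    gitlab-shell:
      config:
        gssapi:
          <<: *kerberos
          enabled: true
YAML

# Same values, but with only keytab.key overridden after the merge key.
OVERRIDDEN = SHARED + (" " * 8) + "keytab: {key: sshd.keytab}\n"

p gssapi_problems(effective_gssapi(SHARED))
p gssapi_problems(effective_gssapi(OVERRIDDEN))
```

To change `keytab.key` while sharing the anchor, repeat `secret` alongside it in the overriding `keytab` map.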
