Add trusted_user_ca_keys support to gitlab-shell chart
What does this MR do?
Contributes to gitlab-org/gitlab-shell#841 (closed)
- GitLab-Shell change: Add support for instance-level SSH certificates... (gitlab-org/gitlab-shell!1396 - merged)
- Documentation draft: Add documentation for instance-level SSH certif... (gitlab-org/gitlab!229028 - merged)
Problem
Self-managed GitLab instances using gitlab-sshd on Kubernetes
cannot configure instance-level SSH certificates. The new
trusted_user_ca_keys option added in gitlab-shell
(gitlab-org/gitlab-shell!1396 (merged)) needs to be exposed via Helm
chart values.
Solution
Add config.sshd.trustedUserCAKeys Helm values that accept
a Kubernetes Secret name and a list of key names within it.
The chart conditionally mounts the Secret, copies CA public
key files via the init container, and renders the correct
file paths in config.yml.tpl for gitlab-sshd to load at
startup. This follows the same pattern used by the GSSAPI
keytab feature.
Related issues
Add support for instance-level SSH certificates... (gitlab-org/gitlab-shell#841 - closed)
Author checklist
For general guidance, please follow our Contributing guide.
Required
For anything in this list which will not be completed, please provide a reason in the MR discussion.
- Merge Request Title and Description are up to date, accurate, and descriptive.
- MR targeting the appropriate branch.
- MR has a green pipeline.
- Documentation created/updated - gitlab-org/gitlab!229028 (merged)
- Tests added/updated, and test plan for scenarios not covered by automated tests.
- Equivalent MR/issue for omnibus-gitlab opened - gitlab-org/omnibus-gitlab!9265 (merged)
Reviewers checklist
- MR has a green pipeline on https://gitlab.com/gitlab-org/charts/gitlab.
- Consider downstream impact to the Operator, as per evaluating impact from changes to GitLab chart.
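As an added example (not part of this MR or of the chart's code), here is a pre-deployment check for the files placed in the Secret that `config.sshd.trustedUserCAKeys` references, confirming each holds only CA public keys and never the CA private key or a signed certificate. It assumes the files use the OpenSSH one-key-per-line public key format; `check_ca_key_file`, `sample_line` and the all-zero sample key are constructed for illustration.

```python
import base64
import struct

# Plain public-key types; certificate types and private keys are rejected.
PLAIN_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                   "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def sample_line(declared, inner="ssh-ed25519"):
    """Build a constructed key line (all-zero key bytes, not a real key)."""
    name = inner.encode()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return f"{declared} {base64.b64encode(blob).decode()} constructed-ca"


def check_ca_key_file(text):
    """Return the problems found in one CA key file; an empty list means OK."""
    if "PRIVATE KEY-----" in text:
        return ["private key material present; only the CA public key belongs here"]
    problems, keys = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append(f"line {n}: expected '<type> <base64> [comment]'")
            continue
        ktype, b64 = fields[0], fields[1]
        if ktype.endswith("-cert-v01@openssh.com"):
            problems.append(f"line {n}: certificate, not a CA public key")
            continue
        if ktype not in PLAIN_KEY_TYPES:
            problems.append(f"line {n}: unsupported key type {ktype!r}")
            continue
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            problems.append(f"line {n}: key data is not valid base64")
            continue
        # The decoded blob begins with a length-prefixed copy of the key type.
        size = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
        if blob[4:4 + size] != ktype.encode():
            problems.append(f"line {n}: key type does not match encoded key data")
            continue
        keys += 1
    if keys == 0 and not problems:
        problems.append("no public keys found")
    return problems
```

Running this over each file before creating the Secret catches the common mistake of shipping the CA private key alongside, or instead of, its public half.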