Gateway API: Support backend TLS for KAS/Registry/Workhorse
What does this MR do?
Adds `BackendTLSPolicy` resources for KAS, Registry, and Workhorse so that the Gateway can verify TLS connections to those backends when both Gateway API routing and backend TLS are enabled. Unlike the NGINX Ingress path, where TLS verification can be disabled with `tls.verify: false`, Gateway API always enforces backend TLS verification (a known upstream limitation): the backend certificate must chain to the configured CA and must cover the validation hostname, or the Gateway refuses the connection.
Per-component behavior:
- Webservice/Workhorse: rendered when `global.workhorse.tls.enabled` is true and a Gateway API route exists. One `BackendTLSPolicy` is created per webservice deployment, with optional deployment-level overrides.
- KAS: rendered when `global.kas.tls.enabled` is true and a Gateway API route exists. CA cert taken from `global.kas.tls.caSecretName`.
- Registry: rendered when `registry.tls.enabled` is true and a Gateway API route exists. CA cert taken from `registry.tls.caSecretName`.
The validation hostname defaults to `<service-name>.<namespace>.svc` for all three and can be overridden per component.
Related issues
Closes #6363 (Envoy Gateway - internal TLS support)
Test Plan
- Install the GitLab chart with Envoy Gateway (do not enable backend TLS yet). To reuse the example certs and values below, use `glgw` as the namespace and `gl` as the release name.
- Set up additional certificates for backend TLS (self-signed cert-manager certificates):

  ```yaml
  ---
  apiVersion: cert-manager.io/v1
  kind: ClusterIssuer
  metadata:
    name: selfsigned-issuer
  spec:
    selfSigned: {}
  ---
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: kas-backendtls
    namespace: glgw
  spec:
    secretName: kas-backendtls
    issuerRef:
      name: selfsigned-issuer
      kind: ClusterIssuer
    dnsNames:
      - glgw-kas.gitlab.svc
      - glgw-kas.gitlab.svc.cluster.local
    duration: 87600h
  ---
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: registry-backendtls
    namespace: glgw
  spec:
    secretName: registry-backendtls
    issuerRef:
      name: selfsigned-issuer
      kind: ClusterIssuer
    dnsNames:
      - glgw-registry.gitlab.svc
      - glgw-registry.gitlab.svc.cluster.local
    duration: 87600h
  ---
  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: workhorse-backendtls
    namespace: glgw
  spec:
    secretName: workhorse-backendtls
    issuerRef:
      name: selfsigned-issuer
      kind: ClusterIssuer
    dnsNames:
      - glgw-webservice-default.gitlab.svc
      - glgw-webservice-default.gitlab.svc.cluster.local
    duration: 87600h
  ```

- Upgrade GitLab and enable backend TLS for KAS/Registry/Workhorse:

  ```yaml
  global:
    hosts:
      registry:
        protocol: https
    # Ensure workloads trust the self-signed Envoy certificate and each other.
    # Each entry needs a secret that mirrors the ca.crt of the secret managed by cert-manager.
    certificates:
      customCAs:
        - secret: webservice-backendtls-ca
        - secret: kas-backendtls-ca
        - secret: registry-backendtls-ca
    kas:
      tls:
        enabled: true
        caSecretName: kas-backendtls
        secretName: kas-backendtls
    workhorse:
      tls:
        enabled: true
  registry:
    tls:
      enabled: true
      caSecretName: registry-backendtls
      secretName: registry-backendtls
  gitlab:
    webservice:
      workhorse:
        tls:
          enabled: true
          caSecretName: workhorse-backendtls
          secretName: workhorse-backendtls
  ```

- Confirm the sign-in page is reachable.
- Confirm a Docker image can be pushed to the registry.
- Confirm a KAS agent can be registered.
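As an added illustration of the per-component rendering rule in the description and of the certificates in the test plan (example code written for this page, not the chart's templates): a small Python model that decides, per component, whether a `BackendTLSPolicy` is emitted, builds the manifest with the CA secret and the default `<service-name>.<namespace>.svc` hostname, and checks that hostname against a certificate's SANs. The manifest shape follows Gateway API v1alpha3 as consumed by Envoy Gateway (a `caCertificateRefs` entry of kind `Secret` is an Envoy Gateway extension); the policy name, the `Component` fields and the `hostname_override` knob are assumptions made for this example. Because Gateway API offers no way to skip verification, a certificate whose SANs do not cover the validation hostname fails the handshake; the test-plan SANs above match the default hostname only when the release is `glgw` and the namespace is `gitlab`.

```python
"""Model of the chart's BackendTLSPolicy decision plus a SAN check.

Added example, not the chart's Go templates. Values keys in the comments
mirror the MR description; metadata names and the Component fields are
assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

GATEWAY_API_VERSION = "gateway.networking.k8s.io/v1alpha3"


@dataclass
class Component:
    name: str                 # chart component: "kas", "registry", "webservice-default"
    tls_enabled: bool         # global.kas.tls.enabled / registry.tls.enabled / global.workhorse.tls.enabled
    ca_secret: str            # global.kas.tls.caSecretName / registry.tls.caSecretName / ...workhorse.tls.caSecretName
    has_gateway_route: bool   # a Gateway API route for this component exists
    hostname_override: str | None = None  # per-component override (assumed knob name)


def service_name(release: str, component: str) -> str:
    # Chart services are named <release>-<component>.
    return f"{release}-{component}"


def default_validation_hostname(release: str, namespace: str, component: str) -> str:
    # The MR states the default is <service-name>.<namespace>.svc
    return f"{service_name(release, component)}.{namespace}.svc"


def render_backend_tls_policy(release: str, namespace: str, c: Component) -> dict | None:
    """Return the policy manifest, or None when the chart would not render one."""
    if not (c.tls_enabled and c.has_gateway_route):
        return None
    svc = service_name(release, c.name)
    hostname = c.hostname_override or default_validation_hostname(release, namespace, c.name)
    return {
        "apiVersion": GATEWAY_API_VERSION,
        "kind": "BackendTLSPolicy",
        "metadata": {"name": f"{svc}-backend-tls", "namespace": namespace},  # assumed naming
        "spec": {
            "targetRefs": [{"group": "", "kind": "Service", "name": svc}],
            "validation": {
                # Secret kind is an Envoy Gateway extension; upstream only mandates ConfigMap.
                "caCertificateRefs": [{"group": "", "kind": "Secret", "name": c.ca_secret}],
                "hostname": hostname,
            },
        },
    }


def san_matches(hostname: str, sans: list[str]) -> bool:
    """RFC 6125-style DNS match: exact, or a single-label wildcard on the leftmost label."""
    h = hostname.lower().rstrip(".")
    for san in sans:
        s = san.lower().rstrip(".")
        if s == h:
            return True
        if s.startswith("*.") and "." in h and h.split(".", 1)[1] == s[2:]:
            return True
    return False


def check_policy_against_cert(policy: dict, cert_sans: list[str]) -> bool:
    """Would the Gateway accept a backend certificate with these SANs under this policy?"""
    return san_matches(policy["spec"]["validation"]["hostname"], cert_sans)


# Constructed from the test plan's cert-manager Certificates: dnsNames per component.
TEST_PLAN_SANS = {
    "kas": ["glgw-kas.gitlab.svc", "glgw-kas.gitlab.svc.cluster.local"],
    "registry": ["glgw-registry.gitlab.svc", "glgw-registry.gitlab.svc.cluster.local"],
    "webservice-default": ["glgw-webservice-default.gitlab.svc",
                           "glgw-webservice-default.gitlab.svc.cluster.local"],
}


def test_plan_components() -> list[Component]:
    # Secrets as named in the test plan values; every component has a route and TLS on.
    return [
        Component("kas", True, "kas-backendtls", True),
        Component("registry", True, "registry-backendtls", True),
        Component("webservice-default", True, "workhorse-backendtls", True),
    ]


def verify_test_plan(release: str, namespace: str) -> dict[str, bool]:
    """Per component: is the rendered policy's hostname covered by the test-plan cert SANs?"""
    results = {}
    for c in test_plan_components():
        policy = render_backend_tls_policy(release, namespace, c)
        results[c.name] = policy is not None and check_policy_against_cert(policy, TEST_PLAN_SANS[c.name])
    return results


if __name__ == "__main__":
    print(verify_test_plan("glgw", "gitlab"))  # SANs cover the default hostnames
    print(verify_test_plan("glgw", "glgw"))    # SANs do not; the Gateway would reject the backend
```

Run `verify_test_plan` with the release and namespace you actually deploy into before enabling backend TLS: a `False` means the cert-manager `dnsNames` need to be changed (or the per-component hostname overridden) because the Gateway cannot be told to skip verification.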
Author checklist
For general guidance, please follow our Contributing guide.
Required
For anything in this list which will not be completed, please provide a reason in the MR discussion.
- Merge Request Title and Description are up to date, accurate, and descriptive.
- MR targeting the appropriate branch.
- MR has a green pipeline.
- Documentation created/updated.
- Tests added/updated, and test plan for scenarios not covered by automated tests.
-
Equivalent MR/issue for omnibus-gitlab opened.
Reviewers checklist
- MR has a green pipeline on https://gitlab.com/gitlab-org/charts/gitlab.
- Consider downstream impact to the Operator, as per evaluating impact from changes to GitLab chart.
- The Operator must be updated to reconcile BackendTLSPolicy objects in a follow-up.