AWS Cloud native hybrid deployment does not copy SSL user certificates
I've deployed a minimum-requirements cloud native hybrid configuration on AWS, but following the guidelines I'm not able to set my SSL certificates.
The only available certificate is the Kubernetes one (Kubernetes Ingress Controller Fake Certificate).
This is the configuration I've deployed:
```hcl
module "gitlab_ref_arch_aws" {
  source  = "gitlab.com/gitlab-org/gitlab-environment-toolkit/gitlab//modules/gitlab_ref_arch_aws"
  version = "3.2.2"

  prefix         = var.prefix
  ssh_public_key = file(var.ssh_public_key_file)

  create_network      = true
  subnet_pub_count    = 2
  subnet_priv_count   = 2
  elb_internal_create = true

  eks_gitlab_charts_namespace = "gitlab"

  webservice_node_pool_max_count     = 2
  webservice_node_pool_min_count     = 1
  webservice_node_pool_instance_type = "t3a.medium"
  webservice_node_pool_disk_size     = 50

  sidekiq_node_pool_max_count     = 2
  sidekiq_node_pool_min_count     = 1
  sidekiq_node_pool_instance_type = "t3a.medium"
  sidekiq_node_pool_disk_size     = 50

  supporting_node_pool_max_count     = 2
  supporting_node_pool_min_count     = 1
  supporting_node_pool_instance_type = "t3a.medium"
  supporting_node_pool_disk_size     = 50

  gitaly_node_count    = 1
  gitaly_instance_type = "t3a.medium"
  gitaly_disk_size     = 100
  gitaly_disk_iops     = 3000

  rds_postgres_instance_type            = "t4g.small"
  rds_postgres_password                 = random_password.postgres_password.result
  rds_postgres_backup_retention_period  = 15
  rds_postgres_backup_window            = "03:00-04:00"
  rds_postgres_delete_automated_backups = false
  rds_postgres_maintenance_window       = "Mon:00:00-Mon:02:30"
  rds_postgres_version                  = "14.10"
  rds_postgres_multi_az                 = false

  elasticache_redis_cache_node_count         = 1
  elasticache_redis_cache_instance_type      = "t4g.micro"
  elasticache_redis_cache_password           = random_password.cache_password.result
  elasticache_redis_maintenance_window       = "Mon:22:30-Mon:23:30"
  elasticache_redis_snapshot_retention_limit = 15
  elasticache_redis_snapshot_window          = "03:00-04:00"
  elasticache_redis_multi_az                 = false
}
```
and the Ansible vars.yml:
```yaml
vars:
  # Ansible Settings
  ansible_user: "ubuntu"
  ansible_ssh_private_key_file: "~/.ssh/gitlab"

  # Cloud Settings, available options: gcp, aws, azure
  cloud_provider: "aws"

  # AWS only settings
  aws_region: "eu-west-1"
  aws_allocation_ids: "eipalloc-xxxx0,eipalloc-xxxx1"

  # General Settings
  prefix: "gitlab-cloud"
  external_url: "https://gitlab.myhost.it"
  cloud_native_hybrid_environment: true
  kubeconfig_setup: false
  gitlab_edition: "gitlab-ce"
  gitlab_version: "16.9.2"
  gitlab_admin_email: "myemail@example.it"
  gitlab_shell_ssh_port: 22
  gitlab_charts_release_namespace: "gitlab"
  gitlab_charts_webservice_requests_memory_gb: 2
  gitlab_charts_webservice_requests_cpu: 0.5
  gitlab_charts_webservice_min_replicas: 1
  gitlab_charts_sidekiq_requests_memory_gb: 1
  gitlab_charts_sidekiq_limits_memory_gb: 2
  gitlab_charts_sidekiq_requests_cpu: 0.5

  # SSL
  external_ssl_source: "user"
  external_ssl_files_host_certificate_file: "/mnt/mypath/ansible/environments/dev/files/certificates/cert.pem"
  external_ssl_files_host_key_file: "/mnt/d/mypath/ansible/environments/dev/files/certificates/cert.key"

  # Load Balancer Settings
  internal_lb_host: "<aws_lb>.elb.eu-west-1.amazonaws.com"

  # Component Settings
  patroni_remove_data_directory_on_rewind_failure: false
  patroni_remove_data_directory_on_diverged_timelines: false

  # Passwords / Secrets
  gitlab_root_password: "{{ lookup('amazon.aws.aws_ssm', '/path/GITLAB_ROOT_PASSWORD', region=aws_region) }}"
  postgres_host: 'host-rds.xxxx.eu-west-1.rds.amazonaws.com'
  postgres_password: "{{ lookup('amazon.aws.aws_ssm', '/path/AWS_RDS_POSTGRES_PASSWORD', region=aws_region) }}"
  patroni_password: "{{ lookup('amazon.aws.aws_ssm', '/path/PATRONI_PASSWORD', region=aws_region) }}"
  gitaly_token: "{{ lookup('amazon.aws.aws_ssm', '/path/GITALY_TOKEN', region=aws_region) }}"
  redis_password: "{{ lookup('amazon.aws.aws_ssm', '/path/AWS_ELASTICACHE_REDIS_PASSWORD', region=aws_region) }}"
  redis_host: 'master.redis_host.euw1.cache.amazonaws.com'
  redis_port: '6379'
```
I've configured the DNS (gitlab.myhost.it) on Route 53 pointing to the 2 created EIPs, and during the Ansible upgrade or install there is no pending pod or error.
Is there any misconfiguration? The certificates seem not to be copied into the K8s secrets.
I've also tried to set an ACM certificate on the generated ELB, but I get the error `400 Bad Request: The plain HTTP request was sent to HTTPS port`.
Edited by Francesco Bagnoli