Add External SSL Let's Encrypt support
Closes https://gitlab.com/gitlab-org/quality/gitlab-environment-toolkit/-/issues/159
Follow up from https://gitlab.com/gitlab-org/quality/gitlab-environment-toolkit/-/merge_requests/229. MR adds in the ability to enable Let's Encrypt certificates for Omnibus (HAProxy) and Helm hybrids as follows:
- HAProxy - Will install, run and configure `certbot` to retrieve certificates.
  - On first run `certbot` will run while HAProxy is disabled as it needs to serve files over port 80 and 443 for verification.
  - `certbot` will also be configured to renew every 90 days or so automatically. When this happens HAProxy will be restarted during the process as documented by certbot.
- Helm - Will configure the `certmanager` service as part of the GitLab Helm Charts
To enable this several changes and improvements have been added on top of https://gitlab.com/gitlab-org/quality/gitlab-environment-toolkit/-/merge_requests/229:
- SSL variables have been changed and added to enable users to use either `user` or `letsencrypt` as a source for the certificates
- To maintain consistency `.pem` and `.key` files are expected across the board, both internally and when a user is providing their own certs. This is due to both Let's Encrypt and HAProxy using the `.pem` format for certificate files. In addition HAProxy has been switched to now expect a `.pem` and `.pem.key` file in its config directory (HAProxy will look for a `.pem.key` file if the key is not in the main file since 2.2).
- A failure will now show if the user provided certificates cannot be found on host
- GET will perform idempotent cleanup if SSL is disabled to ensure no cert files are left remaining if they were previously disabled.
Docs will be added in a follow up MR. In a nutshell to configure SSL a user needs to set the following settings:
- `external_url` - To start with `https`
- `external_ssl_source` - Either `letsencrypt` or `user`
- `external_ssl_letsencrypt_issuer_email` - Needed when `letsencrypt`

In addition to the above users can optionally configure where SSL files are found locally when user provided via the `external_ssl_files_host_path`, `external_ssl_files_host_certificate_file`, `external_ssl_files_host_key_file` respectively. By default GET expects the file to live in `environments/<name>/files/certificates` and have the format `<hostname>.pem` and `<hostname>.key`.
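A local pre-flight check for the settings listed above, written as an added example rather than code from GET itself. It encodes only the rules the MR states (`https` scheme, `letsencrypt` or `user` source, issuer email for `letsencrypt`, default `environments/<name>/files/certificates/<hostname>.pem|.key` location); the `env_name` parameter, the `root` parameter and the treatment of the `*_file` variables as names relative to `external_ssl_files_host_path` are assumptions of this example.

```python
"""Pre-flight validation of GET external SSL variables (added example, not GET's own code)."""
import os
from urllib.parse import urlparse


def check_external_ssl(cfg: dict, env_name: str, root: str = ".") -> dict:
    """Validate the external SSL variables and resolve where user certs are expected.

    Returns {"ok": bool, "errors": [str], "cert": path | None, "key": path | None}.
    `env_name` stands in for the <name> segment of environments/<name>/... (assumed).
    """
    errors = []
    url = urlparse(cfg.get("external_url", ""))
    if url.scheme != "https":
        errors.append("external_url must start with https for external SSL")

    source = cfg.get("external_ssl_source")
    if source not in ("letsencrypt", "user"):
        errors.append("external_ssl_source must be 'letsencrypt' or 'user'")

    if source == "letsencrypt" and not cfg.get("external_ssl_letsencrypt_issuer_email"):
        errors.append("external_ssl_letsencrypt_issuer_email is required when source is letsencrypt")

    cert = key = None
    if source == "user":
        # Default location stated in the MR: environments/<name>/files/certificates
        host_path = cfg.get("external_ssl_files_host_path") or os.path.join(
            root, "environments", env_name, "files", "certificates"
        )
        hostname = url.hostname or "unknown-host"
        # Assumption: the *_file variables name files inside host_path; os.path.join
        # keeps an absolute value as-is, so a full path also works.
        cert = os.path.join(host_path, cfg.get("external_ssl_files_host_certificate_file") or f"{hostname}.pem")
        key = os.path.join(host_path, cfg.get("external_ssl_files_host_key_file") or f"{hostname}.key")
        # Mirror GET's new behaviour: fail early when user-provided certs are missing.
        for path in (cert, key):
            if not os.path.isfile(path):
                errors.append(f"user-provided certificate file not found: {path}")

    return {"ok": not errors, "errors": errors, "cert": cert, "key": key}
```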