
Add External SSL Let's Encrypt support

Grant Young requested to merge gy-external-ssl-lets-encrypt into master

Closes https://gitlab.com/gitlab-org/quality/gitlab-environment-toolkit/-/issues/159

Follow-up from https://gitlab.com/gitlab-org/quality/gitlab-environment-toolkit/-/merge_requests/229. This MR adds the ability to enable Let's Encrypt certificates for Omnibus (HAProxy) and Helm hybrids as follows:

  • HAProxy - Will install, run and configure certbot to retrieve certificates.
    • On the first run, certbot runs while HAProxy is disabled, as certbot needs to serve files over ports 80 and 443 for verification.
    • certbot will also be configured to renew automatically every 90 days or so. When this happens, HAProxy is restarted during the process, as documented by certbot.
  • Helm - Will configure the certmanager service as part of the GitLab Helm Charts.

To enable this several changes and improvements have been added on top of https://gitlab.com/gitlab-org/quality/gitlab-environment-toolkit/-/merge_requests/229:

  • SSL variables have been changed and added to enable users to use either user or letsencrypt as the source for the certificates.
  • To maintain consistency, .pem and .key files are expected across the board, both internally and when a user is providing their own certs. This is because both Let's Encrypt and HAProxy use the .pem format for certificate files. In addition, HAProxy has been switched to expect a .pem and a .pem.key file in its config directory (since 2.2, HAProxy looks for a .pem.key file if the key is not in the main file).
  • A failure will now be shown if the user-provided certificates cannot be found on the host.
  • GET will perform idempotent cleanup if SSL is disabled to ensure no cert files are left remaining if they were previously disabled.

Docs will be added in a follow-up MR. In a nutshell, to configure SSL a user needs to set the following settings:

  • external_url - Must start with https
  • external_ssl_source - Either letsencrypt or user
  • external_ssl_letsencrypt_issuer_email - Required when the source is letsencrypt

In addition to the above, when the source is user, users can optionally configure where the SSL files are found locally via external_ssl_files_host_path, external_ssl_files_host_certificate_file and external_ssl_files_host_key_file respectively. By default GET expects the files to live in environments/<name>/files/certificates and to be named <hostname>.pem and <hostname>.key.
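To make those rules concrete, here is an added validation helper that encodes them: SSL is on only for https URLs, letsencrypt requires an issuer email, user-provided certs must exist at the default or overridden paths, and HAProxy is handed <hostname>.pem plus <hostname>.pem.key. This is example code, not GET's own; the SslSettings dataclass, the environment name argument and the injected exists callable are assumptions.

```python
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

VALID_SOURCES = {"letsencrypt", "user"}

@dataclass
class SslSettings:
    """The GET settings named above (hypothetical dataclass, not GET's own)."""
    external_url: str
    external_ssl_source: Optional[str] = None
    external_ssl_letsencrypt_issuer_email: Optional[str] = None
    external_ssl_files_host_path: Optional[str] = None
    external_ssl_files_host_certificate_file: Optional[str] = None
    external_ssl_files_host_key_file: Optional[str] = None

def hostname(settings: SslSettings) -> str:
    return urlparse(settings.external_url).hostname or ""

def user_cert_paths(settings: SslSettings, env_name: str) -> Tuple[Path, Path]:
    """Local paths for user-provided certs, with the MR's defaults."""
    host = hostname(settings)
    base = Path(settings.external_ssl_files_host_path
                or f"environments/{env_name}/files/certificates")
    cert = settings.external_ssl_files_host_certificate_file or f"{host}.pem"
    key = settings.external_ssl_files_host_key_file or f"{host}.key"
    return base / cert, base / key

def haproxy_cert_names(settings: SslSettings) -> Tuple[str, str]:
    """HAProxy (2.2+) reads <name>.pem and, if the key is not in it, <name>.pem.key."""
    host = hostname(settings)
    return f"{host}.pem", f"{host}.pem.key"

def validate(settings: SslSettings, env_name: str,
             exists: Callable[[Path], bool] = Path.is_file) -> List[str]:
    """Return configuration errors; an empty list means the settings are usable."""
    errors: List[str] = []
    if urlparse(settings.external_url).scheme != "https":
        return errors  # SSL disabled: GET cleans up leftover cert files instead
    src = settings.external_ssl_source
    if src not in VALID_SOURCES:
        errors.append(f"external_ssl_source must be one of {sorted(VALID_SOURCES)}")
    elif src == "letsencrypt" and not settings.external_ssl_letsencrypt_issuer_email:
        errors.append("external_ssl_letsencrypt_issuer_email is required for letsencrypt")
    elif src == "user":
        for p in user_cert_paths(settings, env_name):
            if not exists(p):
                errors.append(f"user-provided certificate file not found: {p}")
    return errors
```

Passing a custom exists callable (for example one that consults a file inventory) lets the check run before any host is touched.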

Edited by Grant Young
