Support injecting the certificate for self-signed KAS/GitLab into the kubeconfig directly
Problem to solve
When using a self-signed certificate with GitLab, the CI/CD tunnel does not work out of the box:

```
$ kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
agent/config/project:the-agent gitlab agent:1
$ kubectl config use-context test/test:sandbox
Switched to context "agent/config/project:the-agent".
$ kubectl get pods
Unable to connect to the server: x509: certificate signed by unknown authority
```
Current workaround
The user can do one of the following:

- set a CI/CD variable `SSL_CERT_FILE` with their KAS certificate in PEM format
- or, configure their kubernetes clients with `--certificate-authority=$KAS_CERTIFICATE`, where `KAS_CERTIFICATE` is a CI/CD variable with the CA certificate for their KAS host
- or, configure their kubernetes client with `--insecure-skip-tls-verify=true` (not recommended)
Proposal
Add an optional GitLab configuration:

```yaml
# config/gitlab.yml
production:
  gitlab_kas:
    # ...
    ca_certificate_file: /path/to/kas/certificate.crt
```

When present, feed the value of the certificate into `certificate-authority-data` in the GitLab-generated `KUBECONFIG` in CI/CD.
This configuration should also be exposed in GitLab Omnibus and the GitLab Helm chart. In a follow-up, consider configuring the value automatically.
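As an added illustration of the proposal (example code, not GitLab's own implementation): a small Python script that does what the proposed `ca_certificate_file` setting would do on the GitLab side. It reads a PEM CA certificate, embeds it as `certificate-authority-data` in a kubeconfig shaped like the one in the issue (cluster `gitlab`, user `agent:<id>`, context `<project path>:<agent name>`), and then reviews the result the way a defender would before handing it to a CI job: a CA must be pinned and `insecure-skip-tls-verify` must not be set. The KAS URL, the token and the PEM body are constructed placeholders, not real values.

```python
import base64
import json
from typing import List, Optional

# Constructed stand-in for the contents of ca_certificate_file.
# The body is not a real certificate; only the PEM framing matters here.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQk9EWSwgTk9UIEEgUkVBTCBDRVJU\n"
    "-----END CERTIFICATE-----\n"
)

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def is_pem_certificate(pem: str) -> bool:
    """Cheap framing check before embedding anything into a kubeconfig."""
    text = pem.strip()
    return text.startswith(PEM_BEGIN) and text.endswith(PEM_END)


def ca_data_from_pem(pem: str) -> str:
    """certificate-authority-data holds the base64 of the full PEM text,
    headers included, which is what kubectl expects."""
    if not is_pem_certificate(pem):
        raise ValueError("ca_certificate_file is not a PEM-encoded certificate")
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


def build_kubeconfig(kas_url: str, ca_pem: Optional[str], agent_id: int,
                     agent_name: str, project_path: str, token: str) -> dict:
    """Build a kubeconfig in the shape shown in the issue.
    ca_pem is None when gitlab_kas.ca_certificate_file is not configured,
    which reproduces today's 'unknown authority' failure for self-signed KAS."""
    cluster = {"server": kas_url}
    if ca_pem is not None:
        cluster["certificate-authority-data"] = ca_data_from_pem(ca_pem)
    user_name = f"agent:{agent_id}"
    context_name = f"{project_path}:{agent_name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": "gitlab", "cluster": cluster}],
        "users": [{"name": user_name, "user": {"token": token}}],
        "contexts": [{"name": context_name,
                      "context": {"cluster": "gitlab", "user": user_name}}],
        "current-context": context_name,
    }


def check_kubeconfig(cfg: dict) -> List[str]:
    """Defender-side review of a kubeconfig: every cluster must pin a CA
    (embedded or by file path) and must not disable TLS verification.
    Returns a list of findings; an empty list means the config is acceptable."""
    findings = []
    for entry in cfg.get("clusters", []):
        name, cluster = entry["name"], entry["cluster"]
        if cluster.get("insecure-skip-tls-verify"):
            findings.append(f"{name}: insecure-skip-tls-verify is enabled")
        if "certificate-authority-data" in cluster:
            decoded = base64.b64decode(
                cluster["certificate-authority-data"]).decode("ascii", "replace")
            if not is_pem_certificate(decoded):
                findings.append(f"{name}: certificate-authority-data is not a PEM certificate")
        elif "certificate-authority" not in cluster:
            findings.append(f"{name}: no CA configured; a self-signed KAS will fail "
                            "with 'certificate signed by unknown authority'")
    return findings


if __name__ == "__main__":
    # Placeholder KAS endpoint and agent token, constructed for the example.
    cfg = build_kubeconfig("https://kas.gitlab.example/", SAMPLE_CA_PEM,
                           1, "the-agent", "agent/config/project", "<agent token>")
    print(json.dumps(cfg, indent=2))
    print("findings:", check_kubeconfig(cfg))
```

The script prints the kubeconfig as JSON (which kubectl accepts as a kubeconfig file, so no YAML library is needed); with the CA embedded, `check_kubeconfig` returns no findings, while the same config built without a CA, or with `insecure-skip-tls-verify` added, is flagged. Those two findings correspond to the failure in "Problem to solve" and the workaround the issue marks as not recommended.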
Further details
For implementation, you can follow along with the following MRs, which add configuration for KAS to GitLab, Omnibus and the GitLab Helm Chart:
Edited by Hordur Freyr Yngvason