Support injecting the certificate for self-signed KAS/GitLab into the kubeconfig directly - GitLab side
Problem to solve
When using a self-signed certificate with GitLab, the CI/CD tunnel does not work out of the box:

```
$ kubectl config get-contexts
CURRENT   NAME                             CLUSTER   AUTHINFO   NAMESPACE
          agent/config/project:the-agent   gitlab    agent:1
$ kubectl config use-context test/test:sandbox
Switched to context "agent/config/project:the-agent".
$ kubectl get pods
Unable to connect to the server: x509: certificate signed by unknown authority
```
Current workaround
The user can do one of the following:

- set a CI/CD variable `SSL_CERT_FILE` with their KAS certificate in PEM format
- configure their Kubernetes clients with `--certificate-authority=$KAS_CERTIFICATE`, where `KAS_CERTIFICATE` is a CI/CD variable with the CA certificate for their KAS host
- configure their Kubernetes client with `--insecure-skip-tls-verify=true` (not recommended)
- place the certificates in an appropriate location in their job container (by updating the container image or mounting through the runner)
Proposal
Add an optional GitLab configuration:

```yaml
# config/gitlab.yml
production:
  gitlab_kas:
    # ...
    external_k8s_proxy_ca_certificate_file: /path/to/kas/certificate.crt
```

When the file is present, embed its contents as `certificate-authority-data` in the KUBECONFIG that GitLab generates for CI/CD jobs.

This configuration should also be exposed in GitLab Omnibus and the GitLab Helm chart. In a follow-up, consider configuring the value automatically.
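The following Ruby script is an added example, not GitLab's own implementation, and serves both the workaround list above and the proposal: it builds the kubeconfig a CI job would receive, once with the KAS CA embedded as `certificate-authority-data` and once without, and checks which of the two can verify the KAS server certificate. The CA is a throwaway self-signed certificate generated in memory as a constructed stand-in for the file named by `external_k8s_proxy_ca_certificate_file`; the server URL, token value and all helper names are assumptions. Cluster, user and context names mirror the `kubectl config get-contexts` output above.

```ruby
require 'openssl'
require 'yaml'

# Constructed stand-in for the file named by external_k8s_proxy_ca_certificate_file:
# a throwaway self-signed CA generated in memory (assumed CN; not a real KAS cert).
def make_self_signed_ca_pem(cn = 'kas.example.test')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Hypothetical builder (not GitLab's code) for the kubeconfig a CI job receives.
# When ca_pem is given, the cluster entry carries it as certificate-authority-data,
# which is what the proposal asks GitLab to do from the configured file.
def build_kubeconfig(server:, token:, ca_pem: nil,
                     context_name: 'agent/config/project:the-agent')
  cluster = { 'server' => server }
  # kubeconfig expects the PEM bytes base64-encoded on a single line ('m0' = strict).
  cluster['certificate-authority-data'] = [ca_pem].pack('m0') if ca_pem
  {
    'apiVersion'      => 'v1',
    'kind'            => 'Config',
    'clusters'        => [{ 'name' => 'gitlab', 'cluster' => cluster }],
    'users'           => [{ 'name' => 'agent:1', 'user' => { 'token' => token } }],
    'contexts'        => [{ 'name'    => context_name,
                            'context' => { 'cluster' => 'gitlab', 'user' => 'agent:1' } }],
    'current-context' => context_name
  }
end

# Returns the CA certificate embedded in the first cluster entry, or nil when none is
# present (the case that produces "certificate signed by unknown authority" for a
# self-signed KAS). Raises if the field is not valid base64 or not a certificate.
def embedded_ca(kubeconfig)
  data = kubeconfig.dig('clusters', 0, 'cluster', 'certificate-authority-data')
  return nil if data.nil?
  OpenSSL::X509::Certificate.new(data.unpack1('m0'))
end

# True when the embedded CA verifies the given server certificate. For a self-signed
# KAS the server cert is the CA itself, so this is the check kubectl's TLS
# verification reduces to; with no CA in the kubeconfig there is nothing to trust.
def ca_verifies_server?(kubeconfig, server_cert_pem)
  ca = embedded_ca(kubeconfig)
  return false if ca.nil?
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.verify(OpenSSL::X509::Certificate.new(server_cert_pem))
end

if $PROGRAM_NAME == __FILE__
  ca_pem  = make_self_signed_ca_pem
  server  = 'https://kas.example.test/k8s-proxy'      # assumed KAS proxy URL
  with_ca = build_kubeconfig(server: server, token: 'CI_JOB_TOKEN_PLACEHOLDER', ca_pem: ca_pem)
  no_ca   = build_kubeconfig(server: server, token: 'CI_JOB_TOKEN_PLACEHOLDER')
  puts with_ca.to_yaml
  puts "kubeconfig with CA verifies KAS:    #{ca_verifies_server?(with_ca, ca_pem)}"
  puts "kubeconfig without CA verifies KAS: #{ca_verifies_server?(no_ca, ca_pem)}"
end
```

Writing the YAML that `with_ca.to_yaml` prints to a file and pointing `KUBECONFIG` at it is equivalent to the `--certificate-authority` workaround, except that the trust anchor travels inside the kubeconfig itself, so no extra CI/CD variable or container change is needed.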
Further details
For the implementation, follow the MRs that add configuration for KAS to GitLab, Omnibus and the GitLab Helm chart: