Support injecting the certificate for self signed KAS/gitlab into the kubeconfig directly - Helm chart side

Problem to solve

In #366955, we are proposing an additional GitLab configuration option for when KAS is behind a certificate that is not automatically trusted by most container images running kubectl in the CI/CD workflow (e.g. a self-signed certificate).

# config/gitlab.yml
production:
  gitlab_kas:
    # ...
    external_k8s_proxy_ca_certificate_file: /path/to/kas/certificate.crt

This option should be automatically configured in the Helm chart when KAS is enabled but cert manager is disabled. In this case, it should use the file tls.crt from the secret {{ template "kas.tlsSecret" . }}.
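
What injecting the certificate into the kubeconfig amounts to on the client side, as an added example that is not code from GitLab or the Helm chart: the PEM from tls.crt becomes the cluster's `certificate-authority-data`, and input carrying private key material (tls.key from the same secret) is rejected. The server URL, token, entry names and sample PEM are constructed placeholders.

```python
import base64
import json
import re

# Constructed placeholder PEM: the base64 body is not a real certificate.
SAMPLE_TLS_CRT = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n"
    "-----END CERTIFICATE-----\n"
)

_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----"
)


def ca_data_from_pem(pem_text: str) -> str:
    """Return the base64 value for certificate-authority-data."""
    # A TLS secret holds tls.crt and tls.key; only the certificate may be
    # handed to CI jobs, so refuse anything that contains a private key.
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("input contains a private key; expected tls.crt only")
    if not _CERT_BLOCK.search(pem_text):
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


def build_kubeconfig(server: str, pem_text: str, token: str) -> dict:
    """Build a kubeconfig that trusts the supplied CA for `server`."""
    cluster = {
        "server": server,
        # Embedded CA: TLS verification stays on, no insecure-skip-tls-verify.
        "certificate-authority-data": ca_data_from_pem(pem_text),
    }
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": "gitlab", "cluster": cluster}],
        "users": [{"name": "agent", "user": {"token": token}}],
        "contexts": [{"name": "agent",
                      "context": {"cluster": "gitlab", "user": "agent"}}],
        "current-context": "agent",
    }


if __name__ == "__main__":
    # kubectl accepts JSON kubeconfig files, since JSON is a subset of YAML.
    print(json.dumps(build_kubeconfig("https://kas.example.com/k8s-proxy",
                                      SAMPLE_TLS_CRT, "PLACEHOLDER_TOKEN"), indent=2))
```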

Further details

For implementation, you can follow along the following MRs, adding configuration for KAS to GitLab, Omnibus and the GitLab Helm Chart:

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by 🤖 GitLab Bot 🤖