Add TLS to the workspaces
- MR: Add TLS to the workspaces (!118351 - merged)
- Related GitLab workspaces proxy issue: GitLab Workspaces Proxy - Ensure OAuth redirect... (#393509)
Exit criteria
We should be able to browse the workspace on HTTPS
How
Rails
- A new agent is set up with dns_zone configured in its agent configuration (by the administrator).
GA4K
- Administrator generates TLS certificates (using Let's Encrypt or whatever service they desire) - we will document the steps
- Administrator creates Kubernetes secrets using the TLS certificates generated above for Ingress to use - we will document the steps
- Assuming Remote Development is enabled for the agent, when it starts up, it checks for the existence of the Kubernetes Secret which contains the TLS certificate.
- Until the secret is found, agentk will not proceed.
Other solution considered
Rails
- A new agent is set up with dns_zone configured in its agent configuration (by the administrator).
- Rails verifies the domain ownership (like GitLab Pages does).
- Once ownership is verified, Rails creates Let's Encrypt certificates for that domain and stores them in the database (refer to GitLab Pages).
GA4K
- Assuming Remote Development is enabled for the agent, when it starts up, it will make a call to Rails of message_type prerequisites.
- Once certificates are ready on the Rails end, it will send them over and agentk will create the secrets for Ingress to use.
- Until the certificates are ready, agentk will not proceed.
Reason for not going ahead with this approach
Some organizations might run their own certificate issuing authority. Let's Encrypt might not be in their list of allowed CAs due to various company policies.
This is a useful approach for providing a smoother user experience for non-organization customers, and we can consider it in the future.
Edited by Chad Woolley