Support for Mutual TLS/x509 client authentication in GitLab Pages
Related to gitlab-pages!907 (merged)
I've recently opened an MR in GitLab Pages that adds support for client-authentication using x509 certificates. @jaime requested that I open an issue here to track progress of the feature throughout the overall GitLab code base.
Context: my organisation uses x509 certificates for authentication and I've had several users reach out about enabling it in GitLab Pages as it would eliminate the need for them to operate additional infrastructure.
The linked MR above adds the ability for:
- Administrators to globally enable and configure mutual TLS
- Users to optionally enable mutual TLS on a per-domain basis (if it hasn't already been enabled by an admin)
The remaining tasks for this feature are:
- Merge gitlab-pages!907 (merged)
- Add new flags to Omnibus
- Add new flags to Cloud Native Helm chart
- Add an additional field to the Pages custom domains page where users can input one or more certificate authorities
- Extend the GitLab Pages internal API to return the certificate authorities data back to GitLab Pages. My implementation currently expects GitLab to return a client_certificate field alongside the normal certificate and key fields.
Edited by John Hope
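The precedence described in the issue (an administrator's global setting first, otherwise the domain's own certificate authorities) can be sketched with Go's `crypto/tls` as below. This is an added example, not code from gitlab-pages!907 or from the issue author; the `selector` and `domainConfig` types, the `ClientCAs` field standing in for `client_certificate`, and the domain names are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
)

// domainConfig is a hypothetical per-domain record. ClientCAs stands in for
// the client_certificate field from the issue; nil means the user set none.
type domainConfig struct {
	Cert      tls.Certificate
	ClientCAs *x509.CertPool
}

// selector is an assumed structure for this example, not GitLab Pages code.
type selector struct {
	GlobalCAs *x509.CertPool // non-nil when an administrator enabled mutual TLS
	Domains   map[string]domainConfig
}

// configFor returns the TLS settings for one SNI name. The administrator's
// pool wins; a domain's own pool applies only when no global pool is set.
func (s *selector) configFor(sni string) (*tls.Config, error) {
	d, ok := s.Domains[sni]
	if !ok {
		return nil, fmt.Errorf("no such domain %q", sni) // fail closed
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{d.Cert}}
	cfg.ClientCAs = s.GlobalCAs
	if cfg.ClientCAs == nil {
		cfg.ClientCAs = d.ClientCAs
	}
	if cfg.ClientCAs != nil {
		// Without a pool the zero value tls.NoClientCert is kept.
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	return cfg, nil
}

// serverConfig hooks the selection into the handshake via GetConfigForClient.
func (s *selector) serverConfig() *tls.Config {
	return &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		return s.configFor(h.ServerName)
	}}
}

func main() {
	// Constructed sample data: one domain with an (empty) client CA pool.
	s := &selector{Domains: map[string]domainConfig{"docs.example.test": {ClientCAs: x509.NewCertPool()}}}
	cfg, _ := s.configFor("docs.example.test")
	fmt.Println(cfg.ClientAuth == tls.RequireAndVerifyClientCert)
}
```

Because the pool is chosen from the SNI name, the HTTP handler should also reject requests whose Host header differs from the connection's `ServerName`, so a certificate accepted for one domain is not honoured for another on the same connection.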