User provides TLS certificate to the Gitlab-agent
Proposal
We need to implement the following use cases:

- The user provides their own TLS certificate and private key.
  a. The TLS certificate is signed by a custom CA cert. In this case the user is also required to provide the CA cert: the scanning job needs the custom CA cert to perform TLS verification, and the HTTPS server needs the TLS cert and key. Related comment: #431334 (comment 1647848481).
  b. The TLS certificate is signed by a well-trusted CA. The CA cert is then already present in the scanning image, so the CA root does not need to be provided. The user just passes the TLS cert and key to be used by the HTTPS server.
- The user doesn't provide any TLS certificate and private key. In this case we should still use HTTPS instead of HTTP (which is used currently). For this use case we can generate a TLS certificate and private key during gitlab-agent HTTPS server initialisation and have the scanning pod skip issuer verification. This way we still encrypt the communication, we just don't verify the authority. Related comment: #431334 (comment 1651538238).
Related links
Implementation Plan
- Update the Helm chart and values.yml so that the user can provide a TLS cert and key and a CA cert. The TLS cert and key are stored as a secret accessed by the gitlab-agent. The CA cert can be stored as a config or secret, also accessed by the gitlab-agent.
- Update the Trivy k8s wrapper to accept another command line flag (--ca) specifying whether a CA cert is available.
- Update the gitlab-agent so that, when it starts a scanning pod (Trivy k8s wrapper image), it passes the CA cert as a config/secret along with the new --ca flag as an argument. This happens only when a CA cert is provided by the user.
- Update the Trivy k8s wrapper to use HTTPS instead of HTTP. If the --ca flag is given, it adds the CA cert to the trusted certificates; otherwise nothing special needs to be done and the trusted public CA roots from the image itself are used.
- Update the gitlab-agent so that, when no TLS cert/key is provided, it triggers scanning jobs with a new configuration flag (--InsecureSkipVerify), meaning that the scanning pod should not verify the authority because the certificates are created within the gitlab-agent. In the future we can change that.
- Update the Trivy k8s wrapper with the --InsecureSkipVerify flag. Example: #431334 (comment 1651538238).
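As an added example (not code from the gitlab-agent or the Trivy k8s wrapper), this shows how the scanning side could derive its TLS client configuration from the two flags above, covering all three cases (custom CA via --ca, image roots when neither flag is set, and --InsecureSkipVerify), plus a constructed self-signed certificate generator standing in for the agent-side generation of the no-cert case. The function names and the flag-to-parameter mapping are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// scannerTLSConfig builds the client tls.Config the Trivy k8s wrapper would use to
// reach the agent's HTTPS server. caPEM is the file passed via --ca (nil when absent);
// insecureSkipVerify mirrors --InsecureSkipVerify. With neither set, RootCAs stays nil.
func scannerTLSConfig(caPEM []byte, insecureSkipVerify bool) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecureSkipVerify}
	if insecureSkipVerify || len(caPEM) == 0 {
		// Skip-verify keeps the channel encrypted but leaves the server unauthenticated;
		// nil RootCAs means Go uses the scanning image's trusted public roots.
		return cfg, nil
	}
	cfg.RootCAs = x509.NewCertPool()
	if !cfg.RootCAs.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("--ca: no valid PEM certificate found")
	}
	return cfg, nil
}

// selfSignedCertPEM mints a short-lived self-signed server certificate, as the
// agent would at HTTPS start-up when the user supplies none (constructed helper,
// not the agent's real code). It returns the PEM certificate and its key.
func selfSignedCertPEM(host string) ([]byte, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), priv, nil
}
```

The wrapper would read the --ca path into caPEM and hand the resulting config to its http.Transport; note that with --InsecureSkipVerify any certificate is accepted, which is exactly the trade-off the no-cert use case describes.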