Make tls_options.cert and tls_options.key externalizable


Proposal

Google Secure LDAP (Docs) provides the .crt file and the .key file. So, when the customer configures their GitLab instance to use Google Secure LDAP, they should use tls_options.cert and tls_options.key as documented in GitLab's Google Secure LDAP documentation.

On the other hand, the Integrate LDAP with GitLab documentation describes tls_options.cert and tls_options.key (Client Certificate and Client Private Key) as strings.

Therefore, when the customer configures Google Secure LDAP in GitLab, they need to hard-code the Client Certificate and Client Private Key into the configuration file.

This should be avoided from a security point of view. The tls_options.cert and tls_options.key would be better externalized. For example, the LDAP password can be stored in a Kubernetes secret. There should be a mechanism similar to this.

Edited by 🤖 GitLab Bot 🤖
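
Until such a mechanism exists, an operator can at least audit where the client private key has been hard-coded. The following is an added example, not part of the issue or of GitLab's code: a small scanner that reports configuration lines where a PEM private key appears inline after tls_options. The function name find_inline_ldap_keys and the sample configuration are assumptions constructed for illustration.

```python
import re

# PEM header of a private key (PKCS#8, RSA, EC or encrypted variants).
PEM_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
# A cert/key setting in Ruby-hash ('key' => ...) or YAML (key: ...) syntax.
SETTING = re.compile(r"""['"]?\b(cert|key)\b['"]?\s*(?:=>|:)""")


def find_inline_ldap_keys(config_text):
    """Return (line_number, setting) for private keys embedded after tls_options.

    Only positions are reported; key material is never echoed.
    """
    findings = []
    seen_tls_options = False
    current = None  # most recent cert/key setting name
    for number, line in enumerate(config_text.splitlines(), start=1):
        if "tls_options" in line:
            seen_tls_options = True
        match = SETTING.search(line)
        if match:
            current = match.group(1)
        if seen_tls_options and PEM_KEY.search(line):
            findings.append((number, f"tls_options.{current or 'unknown'}"))
    return findings


# Constructed sample in Ruby-hash style; the PEM bodies are placeholders.
SAMPLE_RB = r"""gitlab_rails['ldap_servers'] = {
  'main' => {
    'tls_options' => {
      'cert' => "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
      'key' => "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----",
    }
  }
}"""

if __name__ == "__main__":
    for line_number, setting in find_inline_ldap_keys(SAMPLE_RB):
        print(f"line {line_number}: private key embedded inline in {setting}")
```

A finding means the key is readable by anyone who can read the configuration file, its backups or its version history, so the key should be rotated once it has been moved out.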