Smartcard: Optionally extract certificate from XFCC header

What does this MR do and why?

Optionally extract certificate from X-Forwarded-Client-Cert header. If the non-standard X-SSL-Client-Certificate header is set (as done by our current NGINX and NGINX Ingress configuration in charts and Omnibus), it takes precedence.

Background

With NGINX Ingress's recent retirement, GitLab chart and Operator are looking to support Envoy Gateway (and Gateway API) as an alternative to (NGINX) Ingress. Envoy Gateway has built-in support for client certificate handling but passes the certificate information in a different format.

By supporting this header on the rails site, we can expose the Smartcard functionality with a ClientTrafficPolicy in GitLab chart.

How to set up and validate locally

This can be tested by deploying the related GitLab chart feature branch with Gateway API and Envoy Gateway enabled. For certificate setup, the GDK instructions can be used.

Running both MRs together, I was able to sign in via smartcard.

⚠️ Testing this via GDK or Omnibus is not possible because they do not deploy Envoy.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Clemens Beck
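The header selection described above, as an added Ruby example (not the MR's code or GitLab's implementation): the X-SSL-Client-Certificate value wins when present, otherwise the `Cert` key of the XFCC value is used. It assumes both headers carry URL-encoded PEM and that the proxy overwrites any client-supplied copy so exactly one XFCC element arrives; all helper names are hypothetical.

```ruby
require "openssl"

# Rack env keys for the two headers named in the MR description.
LEGACY_HEADER = "HTTP_X_SSL_CLIENT_CERTIFICATE"
XFCC_HEADER   = "HTTP_X_FORWARDED_CLIENT_CERT"

# Percent-decode without turning "+" into a space (base64 uses "+").
def percent_decode(str)
  str.b.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
end

# Split on `sep`, ignoring separators inside double-quoted values.
def split_unquoted(str, sep)
  parts = [+""]
  quoted = escaped = false
  str.each_char do |c|
    if !quoted && c == sep
      parts << +""
      next
    end
    quoted = !quoted if c == '"' && !escaped
    escaped = quoted && c == "\\" && !escaped
    parts.last << c
  end
  parts
end

# Return the URL-encoded PEM from the Cert key of a single-element XFCC value.
def xfcc_cert_field(value)
  elements = split_unquoted(value, ",")
  return nil unless elements.size == 1 # assumption: fail closed on appended elements

  split_unquoted(elements.first, ";").each do |pair|
    key, val = pair.strip.split("=", 2)
    next unless key&.casecmp?("Cert") && val
    return val.delete_prefix('"').delete_suffix('"')
  end
  nil
end

# Legacy header takes precedence when set; otherwise fall back to XFCC.
def client_certificate(env)
  encoded = env[LEGACY_HEADER].to_s
  encoded = xfcc_cert_field(env[XFCC_HEADER].to_s).to_s if encoded.empty?
  return nil if encoded.empty?

  OpenSSL::X509::Certificate.new(percent_decode(encoded))
rescue OpenSSL::X509::CertificateError
  nil
end
```

`client_certificate` takes a Rack-style env hash and returns an `OpenSSL::X509::Certificate`, or `nil` when no usable certificate is present.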
