Add TLS termination options to GitLab KAS's APIs

What does this MR do?

This MR introduces new TLS configuration options for GitLab-KAS's listener interface (gitlab_kas['certificate_path']/gitlab_kas['key_path']), Kubernetes API interface (gitlab_kas['kubernetes_api_certificate_path']/gitlab_kas['kubernetes_api_key_path']), internal API interface (gitlab_kas['internal_api_certificate_path']/gitlab_kas['internal_api_key_path']) and private API interface (gitlab_kas['private_api_certificate_path']/gitlab_kas['private_api_key_path']), allowing TLS-terminated communication to be enabled for all incoming connections, as is the case for other GitLab services (e.g. Gitaly). If both the certificate and private key path are defined, the configuration will be rendered into GitLab KAS's configuration file.

I first thought about providing a single certificate/private key configuration pair for all interfaces, but this would severely limit the supported deployment scenarios. For a multi-node setup, one might only want to TLS terminate the KAS-KAS communication (internal and private API), while a single-node setup with different frontend and KAS instances only requires the main listener and Kubernetes API to be TLS terminated.

GitLab KAS configuration reference: https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/00a84486a5096ddeb4db63fb7ded1c25b49d461e/pkg/kascfg/config_example.yaml#L16

Related issues

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks -> how to check via Community contribution?
  • trigger-package has a green pipeline running against latest commit -> how to check via Community contribution?

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added -> New test cases added
  • [-] Integration tests added to GitLab QA -> KAS setup not being tested within gitlab-org/gitlab-qa
  • [-] Equivalent MR/issue for the GitLab Chart opened -> Configuration already possible via KAS customConfig
Edited by DJ Mountney
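
A pre-deployment check for the four certificate/key pairs named in the description, as an added example that is not code from this MR or from the omnibus-gitlab cookbooks. It assumes that a pair with only one of its two paths set is not rendered and so leaves that interface without TLS (inferred from the "if both ... are defined" sentence); the helper names, the plain hash standing in for the gitlab_kas settings, and the sample paths are constructed.

```ruby
# Added example: classify each KAS interface by how its TLS pair is configured.
# Setting names come from the MR description; everything else is hypothetical.
KAS_TLS_PAIRS = {
  'listener'       => %w[certificate_path key_path],
  'kubernetes_api' => %w[kubernetes_api_certificate_path kubernetes_api_key_path],
  'internal_api'   => %w[internal_api_certificate_path internal_api_key_path],
  'private_api'    => %w[private_api_certificate_path private_api_key_path]
}.freeze

def blank?(value)
  value.nil? || value.to_s.strip.empty?
end

# Returns { interface => :tls | :plaintext | :incomplete }.
# :incomplete means exactly one half of the pair is set (assumed: not rendered).
def kas_tls_status(gitlab_kas)
  KAS_TLS_PAIRS.each_with_object({}) do |(iface, (cert_key, key_key)), out|
    cert_set = !blank?(gitlab_kas[cert_key])
    key_set  = !blank?(gitlab_kas[key_key])
    out[iface] =
      if cert_set && key_set then :tls
      elsif cert_set || key_set then :incomplete
      else :plaintext
      end
  end
end

# Lists half-configured pairs, plus interfaces the operator requires to be
# TLS terminated (per deployment scenario) that have no pair configured at all.
def kas_tls_problems(gitlab_kas, required: [])
  status = kas_tls_status(gitlab_kas)
  partial = status.select { |_, s| s == :incomplete }.keys
  missing = required.select { |i| status[i] == :plaintext }
  partial.map { |i| "#{i}: only one of certificate/key path is set" } +
    missing.map { |i| "#{i}: TLS required but not configured" }
end

# Constructed sample: the multi-node scenario (KAS-KAS traffic only), with the
# private API key path left out by mistake.
SAMPLE_MULTI_NODE = {
  'internal_api_certificate_path' => '/etc/gitlab/ssl/kas-internal.example.crt',
  'internal_api_key_path'         => '/etc/gitlab/ssl/kas-internal.example.key',
  'private_api_certificate_path'  => '/etc/gitlab/ssl/kas-private.example.crt'
}.freeze

if __FILE__ == $PROGRAM_NAME
  kas_tls_status(SAMPLE_MULTI_NODE).each { |iface, state| puts "#{iface}: #{state}" }
  kas_tls_problems(SAMPLE_MULTI_NODE, required: %w[internal_api private_api]).each { |p| warn p }
end
```

Pass the interfaces that must be TLS terminated for a given deployment in `required`, for example the listener and Kubernetes API for the single-node scenario described above.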