
Helm chart version fails to authenticate with a self-signed certificate in LDAPS

Summary

The Helm chart version (https://docs.gitlab.com/ce/install/kubernetes/gitlab_chart.html) of GitLab CE supports LDAP and LDAPS authentication, but LDAPS apparently does not work with self-signed certificates. NOTE: this exact LDAPS configuration has been working with an Omnibus deployment for months.

Steps to reproduce

  1. Set up an LDAPS server with a self-signed certificate
  2. Get GitLab Helm chart and customize values.yaml to the specific environment
  3. Configure:
    • LDAP server values on charts\gitlab\charts\unicorn\values.yaml
    • Secret on the Kubernetes cluster with the self-signed certificate
    • Custom CA secret pointing to the mentioned secret
  4. Install the Helm chart
  5. Try to log in with LDAP
  6. Time out after 60 seconds

What is the current bug behavior?

LDAP login fails (502 error).

What is the expected correct behavior?

GitLab reads the self-signed CA and LDAP login succeeds.

Relevant logs and/or screenshots

  • charts\gitlab\charts\unicorn\values.yaml
[...]
ldap:
  servers:
    main: # 'main' is the GitLab 'provider ID' of this LDAP server
      label: 'LDAP'
      host: '********'
      port: 689
      uid: 'uid'
      bind_dn: 'uid=********,ou=********,ou=********,o=********'
      password: '********'
      encryption: 'start_tls'
      verify_certificates: true
      active_directory: false
      allow_username_or_email_login: true
      block_auto_created_users: false
      base: 'ou=********,ou=********,o=********'
      user_filter: '********'
      attributes:
        username: ['uid']
        email:    ['mail']
        name:       'displayName'
        first_name: 'givenName'
        last_name:  'sn'
[...]
  • Create secret: kubectl create secret generic gitlab-ldapcert --from-file=ldapcertificate.crt

  • values.yaml:

[...]
    customCAs:
    - secret: gitlab-ldapcert
    # - secret: custom-CA
    # - secret: more-custom-CAs
[...]
  • Result: Error 502
Started POST "/users/auth/ldapmain/callback" for xx.xx.xx.xx at 2018-11-21 15:51:42 +0000
I, [2018-11-21T15:51:42.301011 #44]  INFO -- omniauth: (ldapmain) Callback phase initiated.
E, [2018-11-21T15:52:43.563119 #9] ERROR -- : worker=1 PID:44 timeout (61s > 60s), killing
E, [2018-11-21T15:52:43.579808 #9] ERROR -- : reaped #<Process::Status: pid 44 SIGKILL (signal 9)> worker=1
I, [2018-11-21T15:52:43.671783 #2757]  INFO -- : worker=1 ready
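The log above shows the Unicorn worker being killed at the 60-second timeout rather than failing immediately with a certificate error. In general, a client that hangs like this is one that sent a plaintext StartTLS request to a port expecting a TLS ClientHello from the first byte (or the reverse), so the first thing worth checking is that the encryption mode and the port agree on when TLS starts; only after that does the custom CA mount matter. The following POSIX shell helper is an added diagnostic, not code from this issue or from the GitLab chart. It assumes a placeholder host (ldap.example.internal), the file name ldapcertificate.crt from the kubectl command above, and the GitLab encryption mode names simple_tls, start_tls and plain; it prints the openssl s_client invocation that performs the same handshake GitLab's LDAP client will attempt, trusting only the custom CA.

```shell
#!/bin/sh
# Added diagnostic helper for the LDAP/LDAPS settings in a GitLab chart values.yaml.
# Not part of the GitLab chart or the original issue; host, port and file names
# are assumptions for illustration.

# Return 0 when the encryption mode and port pairing is conventional, 1 when the
# pairing usually means client and server disagree about when TLS begins (the
# typical symptom is a silent hang until the worker timeout, not a certificate
# error), and 2 for a mode GitLab does not define.
ldap_mode_port_check() {
  mode=$1; port=$2
  case "$mode" in
    simple_tls)
      # LDAPS: TLS from the first byte. 389 is the plaintext/StartTLS port.
      if [ "$port" = "389" ]; then return 1; else return 0; fi ;;
    start_tls)
      # Plaintext LDAP upgraded with the StartTLS extended operation. A server
      # on 636 expects a TLS ClientHello immediately and never answers StartTLS.
      if [ "$port" = "636" ]; then return 1; else return 0; fi ;;
    plain)
      return 0 ;;
    *)
      return 2 ;;
  esac
}

# Print the openssl s_client command that reproduces the handshake GitLab's LDAP
# client will attempt, verifying the server against the custom CA file only.
# -verify_return_error makes openssl fail the connection on a verification
# error instead of printing a warning and continuing.
ldap_probe_cmd() {
  host=$1; port=$2; mode=$3; ca_file=$4
  case "$mode" in
    simple_tls)
      printf 'openssl s_client -connect %s:%s -CAfile %s -verify_return_error </dev/null\n' \
        "$host" "$port" "$ca_file" ;;
    start_tls)
      printf 'openssl s_client -connect %s:%s -starttls ldap -CAfile %s -verify_return_error </dev/null\n' \
        "$host" "$port" "$ca_file" ;;
    *)
      return 2 ;;
  esac
}

# Return 0 when the file holds at least one PEM certificate block, which is the
# encoding a system trust store can load; a DER file, an empty file or a missing
# file yields 1.
pem_ca_check() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
  grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# Constructed sample mirroring the shape of the report's ldap block; the host
# name is a placeholder and the port/mode pairing is the conventional LDAPS one.
LDAP_HOST=ldap.example.internal
LDAP_PORT=636
LDAP_MODE=simple_tls
CA_FILE=ldapcertificate.crt

if ldap_mode_port_check "$LDAP_MODE" "$LDAP_PORT"; then
  echo "mode/port pairing looks conventional ($LDAP_MODE on $LDAP_PORT)"
else
  echo "WARNING: $LDAP_MODE on port $LDAP_PORT usually hangs until the worker timeout" >&2
fi

if pem_ca_check "$CA_FILE"; then
  echo "$CA_FILE is PEM; it can be placed in the secret referenced by customCAs"
else
  echo "NOTE: $CA_FILE is missing or not PEM; a DER file converts with: openssl x509 -inform der -in ca.der -out $CA_FILE" >&2
fi

echo "Reproduce the handshake from a shell with:"
ldap_probe_cmd "$LDAP_HOST" "$LDAP_PORT" "$LDAP_MODE" "$CA_FILE"
```

Run the printed openssl command from a pod in the same cluster network as GitLab: a handshake that completes with "Verify return code: 0 (ok)" against the custom CA confirms the certificate side, and a handshake that hangs points at the mode/port pairing instead. Either way, keep verify_certificates: true and fix the trust chain or the mode; turning verification off would make the LDAP bind credentials interceptable on the path to the directory.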

Am I missing another (maybe non-documented) step?

Edited by Raul Lopez