Helm chart version fails to authenticate with a self-signed certificate in LDAPS
Summary
The Helm version (https://docs.gitlab.com/ce/install/kubernetes/gitlab_chart.html) of GitLab CE supports LDAP and LDAPS authentication, but apparently LDAPS doesn't work with self-signed certificates. NOTE: This exact LDAPS configuration has been working with an Omnibus deployment for months.
Steps to reproduce
- Set up an LDAPS server with a self-signed certificate
- Get the GitLab Helm chart and customize values.yaml to the specific environment
- Configure:
  - LDAP server values in charts\gitlab\charts\unicorn\values.yaml
  - Secret on the Kubernetes cluster with the self-signed certificate
  - Custom CA secret pointing to the mentioned secret
- Install the Helm chart
- Try to log in with LDAP
- Time out after 60 seconds
What is the current bug behavior?
LDAP login fails (502 error).
What is the expected correct behavior?
GitLab reads the self-signed CA and LDAP login succeeds.
Relevant logs and/or screenshots
- charts\gitlab\charts\unicorn\values.yaml
  [...]
  ldap:
    servers:
      main: # 'main' is the GitLab 'provider ID' of this LDAP server
        label: 'LDAP'
        host: '********'
        port: 689
        uid: 'uid'
        bind_dn: 'uid=********,ou=********,ou=********,o=********'
        password: '********'
        encryption: 'start_tls'
        verify_certificates: true
        active_directory: false
        allow_username_or_email_login: true
        block_auto_created_users: false
        base: 'ou=********,ou=********,o=********'
        user_filter: '********'
        attributes:
          username: ['uid']
          email: ['mail']
          name: 'displayName'
          first_name: 'givenName'
          last_name: 'sn'
  [...]
- Create secret:
  kubectl create secret generic gitlab-ldapcert --from-file=ldapcertificate.crt
- values.yaml:
  [...]
  customCAs:
    - secret: gitlab-ldapcert
    # - secret: custom-CA
    # - secret: more-custom-CAs
  [...]
- Result: Error 502
Started POST "/users/auth/ldapmain/callback" for xx.xx.xx.xx at 2018-11-21 15:51:42 +0000
I, [2018-11-21T15:51:42.301011 #44] INFO -- omniauth: (ldapmain) Callback phase initiated.
E, [2018-11-21T15:52:43.563119 #9] ERROR -- : worker=1 PID:44 timeout (61s > 60s), killing
E, [2018-11-21T15:52:43.579808 #9] ERROR -- : reaped #<Process::Status: pid 44 SIGKILL (signal 9)> worker=1
I, [2018-11-21T15:52:43.671783 #2757] INFO -- : worker=1 ready
Am I missing another (maybe non-documented) step?
Edited by Raul Lopez
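The report above covers the whole procedure: certificate file into a Secret, Secret into customCAs, then log in and watch. The script below is an added example, not code from this issue or from the GitLab chart. It builds a constructed self-signed CA and a server certificate issued by it in place of the real LDAP server, writes the same Secret manifest that `kubectl create secret generic --from-file` produces (one data key named after the file, base64 on one line), reads it back to confirm the PEM survives the round trip, and runs the check worth doing before the chart ever sees the CA: `openssl verify` of the server certificate against the CA file, including the hostname. It also prints the `openssl s_client` command that matches each GitLab `encryption:` value, because in GitLab's LDAP settings `start_tls` is STARTTLS on the plain LDAP port (389 by default) while `simple_tls` is LDAPS, TLS from the first byte (636 by default). The hostname `ldap.example.internal` and the in-container path `/etc/ssl/certs/ldapcertificate.crt` are assumptions; the script needs only `openssl` 1.1.1 or newer and does not need `kubectl`.

```shell
#!/bin/sh
# Added example (not from the issue or the GitLab chart): build the custom-CA
# secret by hand and check that the CA in it really validates the LDAP server
# certificate before handing it to the chart. Hostnames and paths are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LDAP_HOST="ldap.example.internal"   # assumed hostname of the LDAP server

# Minimal req config so the example does not depend on the system openssl.cnf.
write_req_conf() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = req_dn
x509_extensions = ca_ext
[req_dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
subjectAltName = DNS:$LDAP_HOST
EOF
}

# Constructed fixture standing in for the reporter's LDAPS server: a self-signed
# CA, a server certificate issued by it, and an unrelated self-signed cert.
make_fixture() {
  write_req_conf
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 30 -subj "/CN=test-ldap-ca" -config "$WORK/req.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ldapcertificate.crt" 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$LDAP_HOST" -config "$WORK/req.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ldapcertificate.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" \
    -out "$WORK/server.crt" 2>/dev/null
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 30 -subj "/CN=unrelated-ca" -config "$WORK/req.cnf" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# Does CA_FILE validate LEAF_FILE for HOST? Prints "ok" or "fail". If this
# fails on the workstation, GitLab will not trust the server either.
verify_against_ca() {
  ca="$1"; leaf="$2"; host="$3"
  if openssl verify -CAfile "$ca" -verify_hostname "$host" "$leaf" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Equivalent of `kubectl create secret generic NAME --from-file=FILE -o yaml`:
# one data key named after the file, value base64 on a single line.
secret_manifest() {
  name="$1"; file="$2"; key="$(basename "$file")"
  b64="$(base64 < "$file" | tr -d '\n')"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$name" "$key" "$b64"
}

# Pull one data key back out of the manifest and decode it (round-trip check).
cert_from_manifest() {
  awk -v k="$2:" '$1 == k { print $2 }' "$1" | base64 -d
}

cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# The s_client invocation matching a GitLab `encryption:` value. start_tls is
# STARTTLS on the plain LDAP port; simple_tls is LDAPS. Run it from a pod that
# has the customCAs volume mounted (mount path below is an assumption).
s_client_cmd() {
  encryption="$1"; host="$2"; port="$3"; cafile="$4"
  case "$encryption" in
    simple_tls) echo "openssl s_client -connect $host:$port -CAfile $cafile" ;;
    start_tls)  echo "openssl s_client -connect $host:$port -starttls ldap -CAfile $cafile" ;;
    plain)      echo "no TLS: nothing to verify" ;;
    *)          echo "unknown encryption value: $encryption" >&2; return 1 ;;
  esac
}

main() {
  make_fixture
  echo "server cert vs CA:    $(verify_against_ca "$WORK/ldapcertificate.crt" "$WORK/server.crt" "$LDAP_HOST")"
  echo "unrelated cert vs CA: $(verify_against_ca "$WORK/ldapcertificate.crt" "$WORK/other.crt" unrelated-ca)"
  secret_manifest gitlab-ldapcert "$WORK/ldapcertificate.crt" > "$WORK/gitlab-ldapcert.yaml"
  cert_from_manifest "$WORK/gitlab-ldapcert.yaml" ldapcertificate.crt > "$WORK/roundtrip.crt"
  a="$(cert_fingerprint "$WORK/ldapcertificate.crt")"; b="$(cert_fingerprint "$WORK/roundtrip.crt")"
  echo "secret round-trips:   $([ "$a" = "$b" ] && echo yes || echo no)"
  cat "$WORK/gitlab-ldapcert.yaml"
  s_client_cmd start_tls "$LDAP_HOST" 389 /etc/ssl/certs/ldapcertificate.crt
  s_client_cmd simple_tls "$LDAP_HOST" 636 /etc/ssl/certs/ldapcertificate.crt
}
main
```

To use it against a real directory server, skip `make_fixture`, point `verify_against_ca` at the CA file you are about to put in the secret and at the server certificate as captured by the printed `s_client` command (`-showcerts`), and only create the secret once `verify_against_ca` prints `ok` for the hostname GitLab will actually connect to.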