Implement configuration and support for SmartCard / CAC
Summary
The merge request "Implement Smartcard/CAC Authentication in GitLab", which introduces support for SmartCard / CAC functionality, was merged into GitLab-EE, and the corresponding configuration has been submitted as an MR to Omnibus GitLab. This functionality currently appears to be targeted for the 11.6 release.
We are hearing growing demand to also support Smartcard/CAC in the Helm chart.
Configuration used
gitlab.yml
## Smartcard authentication settings
smartcard:
  # Allow smartcard authentication
  enabled: {{ include "gitlab.appConfig.smartcard.enabled" $ }}
  # Path to a file containing a CA certificate
  ca_file: {{ include "gitlab.appConfig.smartcard.caFile" $ | quote }}
  # Port where the client side certificate is requested by the webserver (NGINX/Apache)
  client_certificate_required_port: {{ include "gitlab.appConfig.smartcard.requiredPort" $ }}
Implementation Notes
This feature cannot be implemented without changing the configuration of SmartCard Authentication so that it uses an alternate host name rather than a dedicated port (explained in gitlab-org/gitlab#10526 (closed)).
Once this change is applied, the Chart can leverage the existing nginx-ingress (possibly with custom configuration) to handle client TLS authentication, which is needed for SmartCard Authentication.
Another implementation consideration is that both nginx-ingress and workhorse need the CA. Where and how the user can provide the CA Secret needs to be addressed by the implementation. One possibility is to use global.certificates.customCAs (see the follow-up comments on #988 (comment 147196309)).
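As an added illustration of the approach described above (not configuration from the charts project itself), the following shows how nginx-ingress can perform client TLS authentication on a dedicated smartcard host name using a CA stored in a Secret. The namespace, host name, Secret name, service name and port are assumptions; the CA bundle is a placeholder.

```yaml
# Added example, not part of the GitLab charts. Assumed names: namespace "gitlab",
# host "smartcard.gitlab.example.com", Secret "gitlab-smartcard-ca",
# TLS Secret "gitlab-smartcard-tls", service "gitlab-webservice" on port 8181.
apiVersion: v1
kind: Secret
metadata:
  name: gitlab-smartcard-ca
  namespace: gitlab
type: Opaque
data:
  # base64 of the PEM CA bundle that issued the smartcard certificates;
  # the same CA must be what gitlab.yml's smartcard.ca_file points to
  ca.crt: <BASE64_CA_BUNDLE_PLACEHOLDER>
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gitlab-smartcard
  namespace: gitlab
  annotations:
    # Secret (namespace/name) whose ca.crt is used to verify client certificates
    nginx.ingress.kubernetes.io/auth-tls-secret: gitlab/gitlab-smartcard-ca
    # "on" rejects any request on this host without a valid client certificate;
    # "optional" would let requests without a certificate reach the backend
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # Maximum chain depth accepted between the client cert and the trusted CA
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
    # Forward the verified client certificate upstream so workhorse/Rails can read it
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - smartcard.gitlab.example.com
      secretName: gitlab-smartcard-tls
  rules:
    - host: smartcard.gitlab.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gitlab-webservice
                port:
                  number: 8181
```

Because verification happens at the ingress, workhorse only sees the forwarded certificate header, so the backend must still be reachable only through this ingress (and the main host name must not forward that header) for the check to be trustworthy.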
Last but not least, Smartcard authentication against LDAP must be added as well. This feature is supported by Omnibus.