Gitlab CAC signed commits
REPO1 added support for validated CAC signed commits. Find out what it takes to add CAC signed commits so we can determine if this is a feature that should be added to BigBang. GBSD and other customers will want most likely want this feature.
Activity
Tim explained that there is an issue in upstream Gitlab with using x.509 certs for signed commits. He opened an upstream gitlab issue
https://gitlab.com/gitlab-org/gitlab/-/issues/293697
There will not be any immediate upstream fix. They put it on a future roadmap for app version 13.10
Here is the relevant part:
Our solution is to add additional volume mounts to all Deployments, StatefulSets, Jobs, and CronJobs where the /etc/ssl/certs/ volume is mounted. The volumes mounts we patched onto these objects are the following:- mountPath: /etc/pki/tls/certs/ name: etc-ssl-certs # This is the name of the volume containing the certs created by alpine-certificates in /etc/ssl/certs/ readOnly: true - mountPath: /etc/pki/tls/cert.pem subPath: ca-bundle.crt # Mount specifically ca-bundle.crt from etc-ssl-certs volume to /etc/pki/tls/cert.pem name: etc-ssl-certs readOnly: truePlatfromOne REPO1 has a "hacky" workaround to volume mount the DOD cert bundle into the directory location where Gitlab is expecting it. And the DOD cert bundle has to be added to the deployment as as k8s secret. Here is the Merge Request:
https://repo1.dso.mil/platform-one/private/big-bang/ironbank/ironbank-bootstrap/-/merge_requests/145
This is the most relevant part of the code other than creating the secrets from the cert files
https://repo1.dso.mil/platform-one/private/big-bang/ironbank/ironbank-bootstrap/-/tree/master/apps/gitlab/base/components/add-dod-caTim confirmed that this an appropriate feature to have in BigBang Gitlab.
notes:
- user email on CAC needs to match email in Gitlab and the email in Gitlab needs to be verified. This is manual and not part of automation.
- existing gitlab-runner pods needs to be manually updated
gitlab-rake gitlab:x509:update_signatures
Edited by kevin.wilderadded kindfeature + 1 deleted label
added statusdoing label
changed milestone to %1.3.0
created merge request !309 (merged) to address this issue
mentioned in merge request !309 (merged)
-
This is code complete as far as I know. These two branches
https://repo1.dso.mil/platform-one/big-bang/apps/developer-tools/gitlab/-/tree/177-gitlab-cac-signed-commits
https://repo1.dso.mil/platform-one/big-bang/bigbang/-/tree/177-gitlab-cac-signed-commitsBut I have no way to test because my CAC does not currently have an associated email. That is in progress and could take a number of days.
Tim Seagren has not had time yet to test for me.
Edited by kevin.wilder -
Rails Conselo Notes
https://docs.gitlab.com/ee/administration/operations/rails_console.html
https://docs.gitlab.com/ee/administration/troubleshooting/navigating_gitlab_via_rails_console.html
https://docs.gitlab.com/ee/administration/troubleshooting/gitlab_rails_cheat_sheet.html
use the task-runner pod[git@gitlab-task-runner-f645d48d5-gz2sq /]$ /srv/gitlab/bin/rails console -------------------------------------------------------------------------------- Ruby: ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-linux] GitLab: 13.8.0-ee (ee) EE GitLab Shell: 13.15.0 PostgreSQL: 11.9 -------------------------------------------------------------------------------- Loading production environment (Rails 6.0.3.4) irb(main):001:0>Edited by kevin.wilder -
force confirm user email
https://gist.github.com/macdja38/3d62d4f251bd7c46f0128bb6a9d35544On your gitlab server run `gitlab-rails console production` Find your user via `user = User.find_by(email: "youroldemail@example.com")` Optionally change the user's email with `user.email = "yournewemail@example.com"` Then run `user.save!` Get the user's token with `user.confirmation_token` https://`PutYourGitlabHere`/users/confirmation?confirmation_token=`PutYourTokenHere` I used this to change my email on a gitlab instance without an email server.Edited by kevin.wilder -
More notes on commit signing
https://docs.gitlab.com/ee/user/project/repository/x509_signed_commits/
linuxgpgsm --list-secret-keys 
Tested with this commit, everything looks good!
changed iteration to Big Bang Iterations Mar 9, 2021 - Mar 15, 2021
removed milestone %1.3.0
added 1 deleted label and removed statusdoing label
closed with merge request !309 (merged)
mentioned in commit 64ad1435