Gitlab + Keycloak integration on Classified Environments --- 500 Error (possible External CA issue)
Bug
We are currently deploying BB release 1.1.0 or later.
We have successfully integrated Gitlab + Keycloak in our UC2S (unclassified) environment using the SSO button on the main page of Gitlab. However, we cannot get Gitlab + Keycloak to work on SIPRNet or JWICS following those same procedures. When we click the Gitlab SSO login button, it gives us a 500 error. We have observed error logs in the webservice pod about a certificate failure, something along the lines of "OpenID connect fails with OpenIDConnect::Discovery::DiscoveryFailed (SSL_connect returned=1 errno=0 state=error: certificate verify failed)".
This issue in particular seems to be the best place that has described the issue / error we have observed. https://gitlab.com/gitlab-org/charts/gitlab/-/issues/1436
We have followed these instructions in our environments and confirmed external CAs were in the Gitlab services pod. (We edited the /bigbang/gitlab/charts/values.yaml to enable customCA secret)
https://docs.gitlab.com/charts/charts/globals.html#custom-certificate-authorities
We also put the MGMT cluster certificate in the list of certs as well, but still received the 500 error.
Ultimately, we still get the 500 error after trying some of the external CA configurations above.
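The "certificate verify failed" line above means the GitLab webservice pod fetched the Keycloak issuer's /.well-known/openid-configuration document over TLS and could not chain the issuer's server certificate to any CA it trusts, so the custom-CA secret either does not contain the right root/intermediates or is not mounted. The script below is an added example, not code from this issue, from Big Bang or from the GitLab chart: it builds the Secret manifest that `global.certificates.customCAs` references, prints the matching values fragment, and reproduces the same chain check with `openssl verify` so a bundle can be tested against the issuer's real chain before it is applied to the cluster. The secret name `keycloak-ca`, the namespace `gitlab` and the host `keycloak.example.mil` are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the issue, Big Bang or the GitLab chart).
# Assumed placeholders: secret "keycloak-ca", namespace "gitlab",
# Keycloak host "keycloak.example.mil". Substitute real values.
set -eu

# Emit a Kubernetes Secret manifest holding one or more PEM CA files.
# The chart mounts every key of the secret as a file, so one key per CA
# file (root and intermediates) is what the webservice pod will trust.
make_ca_secret_manifest() {
    name=$1; namespace=$2; shift 2
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' \
        "$name" "$namespace"
    for f in "$@"; do
        printf '  %s: %s\n' "$(basename "$f")" "$(base64 < "$f" | tr -d '\n')"
    done
}

# Values fragment that tells the GitLab chart to mount the secret above
# (key path per https://docs.gitlab.com/charts/charts/globals.html).
print_custom_ca_values() {
    name=$1
    printf 'global:\n  certificates:\n    customCAs:\n      - secret: %s\n' "$name"
}

# Return 0 only if every certificate given chains to a root in the bundle.
# This is the same validation OpenSSL performs inside the pod when GitLab
# contacts the OIDC issuer, so a failure here predicts the 500 error.
verify_chain_against_bundle() {
    bundle=$1; shift
    openssl verify -CAfile "$bundle" "$@" >/dev/null 2>&1
}

# Capture the chain the issuer actually presents (network call; run it
# from a box that can reach Keycloak, then test the bundle against it).
fetch_issuer_chain() {
    host=$1; out=$2
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# Typical use (commented out so the file is safe to source):
#   fetch_issuer_chain keycloak.example.mil issuer-chain.pem
#   verify_chain_against_bundle external-ca-bundle.pem issuer-chain.pem && echo trusted
#   make_ca_secret_manifest keycloak-ca gitlab external-ca-bundle.pem | kubectl apply -f -
#   print_custom_ca_values keycloak-ca   # merge into the gitlab chart values
```

If `verify_chain_against_bundle` fails against the chain captured by `fetch_issuer_chain`, adding the bundle to the cluster will not help: the bundle is missing the root or an intermediate that the Keycloak ingress presents. If it succeeds but the pod still logs "certificate verify failed", the secret is not being mounted, which is worth confirming by listing the mounted CA files inside the webservice pod rather than by re-reading the values file.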
Please contact William Townsend, Goran Osim or Jason Crothers for more details.
BigBang Version
We tried version 1.2.0 in UC2S; 1.1.0/1.1.1 were used in SIPR/JWICS.