Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Distribution Team Demos / 3 Sep 2020
GitLab / Distribution Team Demos / 3 Sep 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Smartcard Authentication in Charts -2020-09-03

Description

MR: https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/1510

Related documentation:
https://docs.gitlab.com/ee/administration/auth/smartcard.html
https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/doc/installation/secrets.md#smartcard-authentication
https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/doc/charts/globals.md#smartcard-authentication-settings

A

Hello, everyone and welcome to this week's uh distribution demo, uh I'm going to be demoing, uh a change that just went in a couple days ago to our helm, charts that add support for configuring smart card authentication.

A

This is a feature that's been in git lab for several releases and supported in omnibus, but uh we weren't able to support it previously in the charts uh due to the nginx ingress that we use in the charts uh not not really being able to support it running uh through running on a separate port, which is how it works uh for or how it was working by default for the rest of uh normal gitlab installations.

A

uh So uh recently a change went in that enabled it to work uh on a regular port port, 8d port 443, but under a different domain, and that enabled us to make use of that uh with the helm chart. So I'm going to show that in use today and this feature will be coming out in 13.4 at the end of the month.

A

So if I jump over to my project uh jump over to my instance, I've set up a very default kubernetes install using the helm chart and it's very, very bones. uh All I've basically done at this point is log in and upload an ee license as the smart core authentication is an ee premium feature, so I've done that I've uploaded my license.

A

The next step I'm going to do is to create a new user that I'm going to use for my user for logging.

A

In.

A

I'm just going to create a user for myself and.

A

Use a real email for this.

A

So this is the user we're going to attempt to log in as using smart card authentication. So I don't have a smart card here. What I do have is a ubi key that can be turned into smart colored mode, but by default it's it's in.

A

Its default one-time password mode or what you can do is have your browser, provide certificates so for ease of demo. I'm just going to have the browser provide certificates.

A

For this feature, so typically, if you have a smart card, your administrator- and we have- we have some docs on this in our uh by going to the smart card authentication, we have some regular docs that get lab around smart card authentication, but.

B

Normally.

A

Your administrators will have access to the root cert key for your smart card devices. So that's what we need to provide git lab with and then, as the end user. My device is able to provide a certificate to the browser that is uh has been created using that key.

A

That ca has been signed with that and that's how we will know that we will validate that's how the system will validate against the certificate and let you log in so. In that case, I am going to I've already done something similar without a smart card. I've just replicated a ca search and then my own.

A

Private.

A

Cert.

A

Too many terminals open I'm just going to put a new one.

A

So I've already created a couple certificates. I have my uh ca certificate and signing requests, and then I have my um private certificate and it's also been exported into a p12 uh key, which is what the browser is going to be able to use.

A

So I'm just going to follow the documentation that we have on this around creating a key. So we have in the charts. We have some new documentation and secrets around creating the certificate authority key.

A

And it has one interesting point of the the key name that we create needs to be ca.crt and so that's being controlled here and that's a restriction placed on us by the nginx ingress. um The current support in the version of nginx ingress we're using um basically doesn't let you configure what file path it's looking in, so it only works for that file path.

A

So I can call the secret whatever I want, but I need.

A

So we want the pen here, but I need to make sure that the key name, let's see.

A

Certain so now, we've created that uh in our global um in our charts global document, we've now added a section on the settings around smart card authentication, um and so basically, I'm going to need to go in and enable smart card and provide it that secret key that I just created um and then the rest of these are the client certificate required host.

A

Is the host name that we'll be using to authenticate against. We automatically populate it um by default with, if you provide the helm chart with if you provided it with like a wild card domain, uh we'll just prepend like smart card of the smart card subdomain to that wildcard domain. Otherwise you can configure it manually here and then there's a few other options that we won't be using for the browser just certificate demo.

A

So I'm just going to go into my charts, folder.

A

Lab chart- and I configured this cluster using uh this config file. Basically so this is this- is my cluster right now very, very bare bones: config.

A

So I'm going to add.

A

Config.

A

And the ca secret I just created was.

A

There's my instance, so I'm just going to upgrade that instance pass this config.

A

File.

B

Hey dj, while that's running, I was curious. You mentioned that omnibus has had this feature for a while, and it's able to use an alternate port.

B

This operates a little bit differently. I was curious.

B

Is that functionality to run on a different domain also going to be available in omnibus, or are they going to be essentially disparate or different? Different.

A

uh That's a good question, um I'm not sure. Actually, if we've enabled the alternate uh domain for omni west or if we've just uh so the rails, the rails code base supports either one um but in omnibus. In order to support the domain, we would have had to provide an additional uh like server configuration for an additional server name address.

A

I'm not aware that we've actually done that uh it's possible- maybe I just missed, missed that config coming through but yeah as far as I. As far as I'm aware off the top of my head, I don't think we've um provided that.

B

Gotcha just curious.

A

So I'm using k9s here just to monitor my uh my name space in the cluster, so we can kind of get an idea of when the changes are rolled out.

A

As we see it, bringing up new web service and psychic pods.

A

A little.

A

Fun.

A

So one thing that should be interesting is because I deployed from from master. I know we have an ongoing uh issue with two factor auth in master. So hopefully does that doesn't impact this demo, but I guess we'll.

A

See.

A

You.

A

You.

A

We're just about rolled out enough to start taking a look.

A

Here.

A

You.

A

Okay, that should hopefully be enough uh to have this enabled now on enough of the pods that we won't get any errors.

A

um So nothing should really change from my login root instance here. But if I open up a second browser- and I navigate here.

A

That actually did not work as.

A

Expected.

A

What happened.

A

Here.

A

So what I was expecting to see is the login page should have an additional login option for smart.

A

Card my ass jump into one of these and see.

A

What's going on.

A

Well, we are missing.

A

Our.

A

Secret, that's certainly one.

A

Problem.

A

I'm just going to check the config to see if.

A

The settings made.

A

Through.

A

And they did not.

A

Oh, I know what.

A

Happened uh right before this demo, I was working on something else and I'm now on the 4-3 staple branch. Okay, like I said this is only this is only in master and will be released in the 13.4.

A

Release.

A

Unfortunately, that means we have to wait for it to roll it.

A

Again,.

A

Luckily, this time around, we probably only need to wait as long as this one. Until this one terminates, which is the last remaining old web service, and then we should be able to check.

A

Again,.

A

You.

A

Okay, so if I refresh the page now there we go so now we have a smart card option for logging in so yeah I I had to be on master.

A

um I haven't added my cert to this browser yet so, if I try to log in, I just get a bad bad request, but you can see from here that we have in this case we have this smart card domain, but it's not on any custom port. So that's that's the ability we needed um in order to make this work in the charts. So I'm going to go ahead and open up my preferences and add my certificate here into.

A

Firefox.

A

So in my certificates I can just go and import.

A

From that p12 key from the smart card test and the the email specified in this key matches, my unique email, as is in the gitlab.

A

Instance,.

A

And now firefox is aware of the certificate.

A

So now, if I hit this login with smart card, firefox should ask me if I want to present that certificate to this website.

A

That's what it's supposed to do.

A

Apparently it was cached yeah, so this is what it's supposed to do it's supposed to. Let you pick a certificate uh you can see. I have my email address listed.

A

Here, because this is a demo, I'm not going to bother to remember the decision, but if I just hit okay, it should then log me in as that user, which it did.

A

And that is it sorry for the uh for the bit of the mix up there with running the wrong instance. It was initially running master, but then, when I did that I did an earlier upgrade, I actually upgraded it to a to an older version.

A

So that's it. Does anyone have any questions.

B

In terms of the user experience, if you actually had a card, I've never had a card and used gitlab, and so I'm curious, like what obviously firefox doesn't prompt you, I'm curious. What that what that looks like or if we know.

A

Yeah so for I believe for the first time you do it like. If you had a card, I think you have to add it as a device like under security devices, gotcha. Okay, uh that's how it gets wired up and okay, and so that's how um that's how a firefox would know about it, uh and then it would do a very similar thing in in that, like it would ask where you want to like, where you want to get that auth from when you load load.

A

The page um like firefox would ask you which device you want: uh okay and then how that device works. I think at that point is up to the device uh and it depending on the device. You might need an additional, uh like extension to firefox. So if the device is just always there, I think it works by default, but I think there's other other settings that need to happen if it's a device that like is kind of like a ubc where it needs some capacitance on it or something like that before before it activates.

A

Yeah, the important thing is that that device gives somehow, through a plug-in or otherwise, that device gives a firefox uh certificate that identifies you. That has that email set and that's something that has been has been uh has a a root certificate authority. That is the same that has been given to gitlab.

B

Gotcha.

A

Any other questions.

A

If not, that's the uh demo for the week thanks everyone for coming out thanks dj.