From YouTube: Smartcard Authentication in Charts -2020-09-03
Description
MR: https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/1510
Related documentation:
https://docs.gitlab.com/ee/administration/auth/smartcard.html
https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/doc/installation/secrets.md#smartcard-authentication
https://gitlab.com/gitlab-org/charts/gitlab/-/blob/master/doc/charts/globals.md#smartcard-authentication-settings
A
Hello, everyone, and welcome to this week's distribution demo. I'm going to be demoing a change that just went in a couple days ago to our helm charts that adds support for configuring smart card authentication.
A
This is a feature that's been in GitLab for several releases and supported in omnibus, but we weren't able to support it previously in the charts, due to the nginx ingress that we use in the charts not really being able to support it running on a separate port, which is how it was working by default for the rest of normal GitLab installations.
A
So recently a change went in that enabled it to work on a regular port, port 443, but under a different domain, and that enabled us to make use of that with the helm chart. So I'm going to show that in use today, and this feature will be coming out in 13.4 at the end of the month.
A
So if I jump over to my instance, I've set up a very default kubernetes install using the helm chart, and it's very, very bare bones. All I've basically done at this point is log in and upload an EE license, as the smart card authentication is an EE premium feature, so I've done that; I've uploaded my license.

A
For this feature, so typically, if you have a smart card, your administrator... and we have some docs on this. By going to the smart card authentication, we have some regular docs at GitLab around smart card authentication, but.

A
That CA has been signed with that, and that's how the system will validate against the certificate and let you log in. In that case, I've already done something similar without a smart card. I've just replicated a CA cert and then my own.

A
So I've already created a couple certificates. I have my CA certificate and signing requests, and then I have my private certificate, and it's also been exported into a p12 key, which is what the browser is going to be able to use.

A
And it has one interesting point: the key name that we create needs to be ca.crt, and so that's being controlled here, and that's a restriction placed on us by the nginx ingress. The current support in the version of nginx ingress we're using basically doesn't let you configure what file path it's looking in, so it only works for that file path.

A
So now we've created that. In our charts global document, we've now added a section on the settings around smart card authentication, and so basically I'm going to need to go in and enable smart card and provide it that secret key that I just created, and then the rest of these are the client certificate required host, which is the host name that we'll be using to authenticate against. We automatically populate it by default: if you provided the helm chart with a wildcard domain, we'll just prepend the smart card subdomain to that wildcard domain. Otherwise you can configure it manually here, and then there's a few other options that we won't be using for the browser certificate demo.

B

A
That's a good question, I'm not sure. Actually, if we've enabled the alternate domain for omnibus, or if we've just... so the rails code base supports either one, but in omnibus, in order to support the domain, we would have had to provide an additional server configuration for an additional server name address.

I'm not aware that we've actually done that. It's possible; maybe I just missed that config coming through, but yeah, as far as I'm aware off the top of my head, I don't think we've provided that.

A
So I'm using k9s here just to monitor my namespace in the cluster, so we can kind of get an idea of when the changes are rolled out.

A
Okay, that should hopefully be enough to have this enabled now on enough of the pods that we won't get any errors.

A
So nothing should really change from my logged-in root instance here. But if I open up a second browser and I navigate here...

A
Happened right before this demo: I was working on something else, and I'm now on the 4-3 stable branch. Okay, like I said, this is only in master and will be released in 13.4.

A
I haven't added my cert to this browser yet, so if I try to log in, I just get a bad request, but you can see from here that in this case we have this smart card domain, but it's not on any custom port. So that's the ability we needed in order to make this work in the charts. So I'm going to go ahead and open up my preferences and add my certificate here.

A
And that is it. Sorry for the bit of the mix-up there with running the wrong instance. It was initially running master, but then, when I did an earlier upgrade, I actually upgraded it to an older version.

B

A
Yeah, so I believe for the first time you do it, if you had a card, I think you have to add it as a device, like under security devices. Gotcha. Okay, that's how it gets wired up, and so that's how Firefox would know about it, and then it would do a very similar thing, in that it would ask where you want to get that auth from when you load the page. Like Firefox would ask you which device you want, okay, and then how that device works, I think at that point, is up to the device, depending on the device. You might need an additional extension to Firefox. So if the device is just always there, I think it works by default, but I think there are other settings that need to happen if it's a device that is kind of like a YubiKey, where it needs some capacitance on it or something like that before it activates.

A
Yeah, the important thing is that that device gives Firefox, somehow, through a plug-in or otherwise, a certificate that identifies you. That has that email set, and that's something that has a root certificate authority that is the same as has been given to GitLab.

B

A
If not, that's the demo for the week. Thanks, everyone, for coming out. Thanks, DJ.