k8s: gitlab: switch to gitlab-sshd with Kerberos auth enabled

Marin Hannache requested to merge add-kerberos-support-for-gitlab-ssh into main

Before merging

  1. Save keytab content in Vault k8s-prod-1/gitlab/keytabs.
  2. Run terraform apply in secrets/clusters/prod-1/.
  3. Restore saved keytab to the http key in Vault k8s-prod-1/gitlab/keytabs.
  4. Create a keytab for principal host/gitlab.cri.epita.fr@CRI.EPITA.FR.
  5. Put the keytab in base64 format in Vault, k8s-prod-1/gitlab/keytabs, key host.

Validation

  1. Ensure dns_canonicalize_hostname = false and rdns = false are present in your /etc/krb5.conf file.
  2. Get a Kerberos ticket for your principal with kinit $LOGIN@CRI.EPITA.FR.
  3. Sign in to GitLab with Kerberos auth to associate your account with your Kerberos principal (only required once).
  4. Enable GSSAPI in ~/.ssh/config for GitLab:
    Host gitlab.cri.epita.fr
      GSSAPIAuthentication yes
  5. Clone any repo with SSH:
    $ GIT_SSH_COMMAND="ssh -v" git clone git@gitlab.cri.epita.fr:$REPO_PATH
  6. Authenticated to gitlab.cri.epita.fr ([91.243.117.180]:22) using "gssapi-with-mic" should appear in the output
Edited by Nicolas Froger
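
A client-side pre-flight for validation steps 1, 2 and 4 above, as an added example that is not part of this merge request. The function names are made up for the example; it assumes MIT-style krb5.conf syntax and that `klist -s` and `ssh -G` are available, and it does not follow include directives.

```shell
#!/bin/sh
# Added example (not from the merge request): pre-flight for the validation steps.

# krb5_bool FILE KEY: print the first value of KEY set in [libdefaults] of FILE.
# Limitation: include/includedir directives are not followed.
krb5_bool() {
  awk -v key="$2" '
    /^[ \t]*[#;]/ { next }                                   # comment lines
    /^[ \t]*\[/   { lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
    lib && index($0, "=") && !found {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
      if (k == key) { print tolower(v); found = 1 }
    }' "$1"
}

# Step 1: both settings must be explicitly false; an absent key counts as a failure.
check_krb5_conf() {
  rc=0
  for key in dns_canonicalize_hostname rdns; do
    case "$(krb5_bool "$1" "$key")" in
      false|no|off|0|n|nil) ;;
      *) echo "FAIL: $key is not false in [libdefaults] of $1" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Step 4: reads `ssh -G HOST` output on stdin (keywords are printed lower-cased).
check_ssh_gssapi() {
  if grep -qx 'gssapiauthentication yes'; then return 0; fi
  echo "FAIL: GSSAPIAuthentication is not enabled for this host" >&2
  return 1
}

# preflight [KRB5_CONF]: run all checks against the local machine.
preflight() {
  host=gitlab.cri.epita.fr
  check_krb5_conf "${1:-/etc/krb5.conf}" || return 1
  klist -s || { echo "FAIL: no valid ticket, run kinit first" >&2; return 1; }
  ssh -G "$host" | check_ssh_gssapi || return 1
  echo "OK: clone with ssh -v and look for gssapi-with-mic in the output"
}

# Only touch the real system when asked to: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```
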