k8s: gitlab: switch to gitlab-sshd with Kerberos auth enabled
Before merging
- Save `keytab` content in Vault `k8s-prod-1/gitlab/keytabs`.
- Run `terraform apply` in `secrets/clusters/prod-1/`.
- Restore saved keytab to the `http` key in Vault `k8s-prod-1/gitlab/keytabs`.
- Create a keytab for principal `host/gitlab.cri.epita.fr@CRI.EPITA.FR`.
- Put the keytab in base64 format in Vault, `k8s-prod-1/gitlab/keytabs`, key `host`.

Validation
- Ensure `dns_canonicalize_hostname = false` and `rdns = false` are present in your `/etc/krb5.conf` file.
- Get a Kerberos ticket for your principal with `kinit $LOGIN@CRI.EPITA.FR`.
- Sign in to GitLab with `Kerberos` auth to associate your account with your Kerberos principal (only required once).
- Enable GSSAPI in `~/.ssh/config` for GitLab:
  ```
  Host gitlab.cri.epita.fr
      GSSAPIAuthentication yes
  ```
- Clone any repo with SSH:
  ```
  $ GIT_SSH_COMMAND="ssh -v" git clone git@gitlab.cri.epita.fr:$REPO_PATH
  ```
- `Authenticated to gitlab.cri.epita.fr ([91.243.117.180]:22) using "gssapi-with-mic"` should appear in the output.
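
The validation steps above can be scripted. This is an added example, not part of the merge request. The function names and sample inputs are assumptions, and the krb5.conf check accepts only the literal value `false` as written in the steps. A successful clone alone does not show that Kerberos was used, because ssh can fall back to another method such as `publickey`, so the last helper extracts the method that was actually negotiated.

```shell
#!/bin/sh
# Added example (not from the merge request): client-side validation helpers.

# krb5_flag_is_false KEY < krb5.conf
# Succeeds only if KEY is assigned in [libdefaults] and every assignment is "false".
krb5_flag_is_false() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t\r]/, "", v)
            if (k == key) { found = 1; if (tolower(v) != "false") bad = 1 }
        }
        END { exit (found && !bad) ? 0 : 1 }'
}

# gssapi_enabled < output of: ssh -G gitlab.cri.epita.fr
# ssh -G prints the effective client options, one lowercase "key value" per line.
gssapi_enabled() {
    grep -qi '^gssapiauthentication yes$'
}

# ssh_auth_method < output of: ssh -v ...
# Prints the method from the first 'Authenticated to ... using "<method>"' line.
ssh_auth_method() {
    sed -n 's/.*Authenticated to .* using "\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_KRB5='[libdefaults]
    default_realm = CRI.EPITA.FR
    dns_canonicalize_hostname = false
    rdns = false'
SAMPLE_SSH_LOG='debug1: Next authentication method: gssapi-with-mic
Authenticated to gitlab.cri.epita.fr ([91.243.117.180]:22) using "gssapi-with-mic".'

for flag in dns_canonicalize_hostname rdns; do
    printf '%s\n' "$SAMPLE_KRB5" | krb5_flag_is_false "$flag" \
        && echo "krb5.conf: $flag = false" || echo "krb5.conf: $flag NOT false"
done
method=$(printf '%s\n' "$SAMPLE_SSH_LOG" | ssh_auth_method)
[ "$method" = "gssapi-with-mic" ] && echo "Kerberos used" || echo "fell back to: $method"
```

Against a real client, feed the helpers `/etc/krb5.conf`, the output of `ssh -G gitlab.cri.epita.fr`, and the stderr of the `ssh -v` clone.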