- Prerequisites
- Generate TLS certificates
- Register an app on your GitLab instance
- Generate an SSH host key
- Export the GitLab URL
- Create a configuration secret
- Verify the Kubernetes resources
- Update your DNS records
Tutorial: Set up the GitLab workspaces proxy
-
Introduced in GitLab 15.11 with a flag named
remote_development_feature_flag. Disabled by default. - Enabled on GitLab.com and self-managed in GitLab 16.0.
-
Generally available in GitLab 16.7. Feature flag
remote_development_feature_flagremoved.
In this tutorial, you’ll learn how to set up the GitLab workspaces proxy to authenticate and authorize workspaces in your cluster.
To set up gitlab-workspaces-proxy, you’re going to:
- Generate TLS certificates.
- Register an app on your GitLab instance.
- Generate an SSH host key.
- Export the GitLab URL.
- Create a configuration secret.
- Verify the Kubernetes resources.
- Update your DNS records.
Prerequisites
- An installed Ingress controller
- A running Kubernetes cluster
-
helm3.11.0 and later andkubectlon your local machine
Generate TLS certificates
You must generate TLS certificates for:
- The domain
gitlab-workspaces-proxylistens on (GITLAB_WORKSPACES_PROXY_DOMAIN). - The domain workspaces are available on (
GITLAB_WORKSPACES_WILDCARD_DOMAIN).
You can generate certificates from any certificate authority.
To generate TLS certificates:
-
Install Certbot to enable HTTPS:
brew install certbot -
Generate Let’s Encrypt certificates with ACME DNS and create
TXTrecords in your DNS provider:export EMAIL="YOUR_EMAIL@example.dev" export GITLAB_WORKSPACES_PROXY_DOMAIN="workspaces.example.dev" export GITLAB_WORKSPACES_WILDCARD_DOMAIN="*.workspaces.example.dev" certbot -d "${GITLAB_WORKSPACES_PROXY_DOMAIN}" \ -m "${EMAIL}" \ --config-dir ~/.certbot/config \ --logs-dir ~/.certbot/logs \ --work-dir ~/.certbot/work \ --manual \ --preferred-challenges dns certonly certbot -d "${GITLAB_WORKSPACES_WILDCARD_DOMAIN}" \ -m "${EMAIL}" \ --config-dir ~/.certbot/config \ --logs-dir ~/.certbot/logs \ --work-dir ~/.certbot/work \ --manual \ --preferred-challenges dns certonly -
Update the following environment variables with the certificate directories from the output:
export WORKSPACES_DOMAIN_CERT="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}/fullchain.pem" export WORKSPACES_DOMAIN_KEY="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}/privkey.pem" export WILDCARD_DOMAIN_CERT="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_WILDCARD_DOMAIN}/fullchain.pem" export WILDCARD_DOMAIN_KEY="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_WILDCARD_DOMAIN}/privkey.pem"The
certbotcommand might create a different path for the wildcard domain by using the proxy domain and a-0001prefix:export WORKSPACES_DOMAIN_CERT="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}/fullchain.pem" export WORKSPACES_DOMAIN_KEY="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}/privkey.pem" export WILDCARD_DOMAIN_CERT="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}-0001/fullchain.pem" export WILDCARD_DOMAIN_KEY="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}-0001/privkey.pem"
Now that you’ve generated the certificates, it’s time to register an app on your GitLab instance.
Register an app on your GitLab instance
To register an app on your GitLab instance:
- Configure GitLab as an OAuth 2.0 identity provider.
- Set the redirect URI to
https://${GITLAB_WORKSPACES_PROXY_DOMAIN}/auth/callback. - Set the scopes to
api,read_user,openid, andprofile. -
Export your
CLIENT_ID,CLIENT_SECRET, andREDIRECT_URI:export CLIENT_ID="your_application_id" export CLIENT_SECRET="your_application_secret" export REDIRECT_URI="https://${GITLAB_WORKSPACES_PROXY_DOMAIN}/auth/callback" - Store the client ID and generated secret in a safe place (for example, 1Password).
Next, you’ll generate an SSH host key and export the GitLab URL.
Generate an SSH host key
To generate an RSA key, run this command:
ssh-keygen -f ssh-host-key -N '' -t rsa
export SSH_HOST_KEY=$(pwd)/ssh-host-key
You can also generate an ECDSA key instead.
Export the GitLab URL
To export the GITLAB_URL environment variable, run this command:
export GITLAB_URL="https://gitlab.com"
Next, you’ll create a configuration secret for the proxy.
Create a configuration secret
To create a configuration secret for the proxy:
- Create a signing key and store the key in a safe place (for example, 1Password).
-
Export your
SIGNING_KEY:export SIGNING_KEY="make_up_a_random_key_consisting_of_letters_numbers_and_special_chars" -
Add the
helmrepository:helm repo add gitlab-workspaces-proxy \ https://gitlab.com/api/v4/projects/gitlab-org%2fremote-development%2fgitlab-workspaces-proxy/packages/helm/devel -
Modify the
ingress.classNameparameter if you’re using a different Ingress class:helm repo update helm upgrade --install gitlab-workspaces-proxy \ gitlab-workspaces-proxy/gitlab-workspaces-proxy \ --version 0.1.12 \ --namespace=gitlab-workspaces \ --create-namespace \ --set="auth.client_id=${CLIENT_ID}" \ --set="auth.client_secret=${CLIENT_SECRET}" \ --set="auth.host=${GITLAB_URL}" \ --set="auth.redirect_uri=${REDIRECT_URI}" \ --set="auth.signing_key=${SIGNING_KEY}" \ --set="ingress.host.workspaceDomain=${GITLAB_WORKSPACES_PROXY_DOMAIN}" \ --set="ingress.host.wildcardDomain=${GITLAB_WORKSPACES_WILDCARD_DOMAIN}" \ --set="ingress.tls.workspaceDomainCert=$(cat ${WORKSPACES_DOMAIN_CERT})" \ --set="ingress.tls.workspaceDomainKey=$(cat ${WORKSPACES_DOMAIN_KEY})" \ --set="ingress.tls.wildcardDomainCert=$(cat ${WILDCARD_DOMAIN_CERT})" \ --set="ingress.tls.wildcardDomainKey=$(cat ${WILDCARD_DOMAIN_KEY})" \ --set="ssh.host_key=$(cat ${SSH_HOST_KEY})" \ --set="ingress.className=nginx"You might have to renew your certificates. For example, Let’s Encrypt certificates are valid for three months by default. When you get new certificates, run the previoushelmcommand again to update the certificates.
Let’s now verify the Kubernetes resources.
Verify the Kubernetes resources
-
Verify the following Kubernetes resources:
-
The configuration secret:
kubectl -n gitlab-workspaces get secret gitlab-workspaces-proxy -o=go-template='{{index .data "config.yaml"}}' | base64 -d -
The Ingress class for the
gitlab-workspacesnamespace:kubectl -n gitlab-workspaces get ingressIf you deploy the GitLab Helm chart to any namespace other than
gitlab-workspaces, update the namespace in the GitLab agent configuration:remote_development: gitlab_workspaces_proxy: namespace: "<custom-gitlab-workspaces-proxy-namespace>"
-
-
Verify the pods are running:
kubectl -n gitlab-workspaces get pods
You can now start updating your DNS records.
Update your DNS records
To update your DNS records:
- Point
${GITLAB_WORKSPACES_PROXY_DOMAIN}and${GITLAB_WORKSPACES_WILDCARD_DOMAIN}to the load balancer exposed by the Ingress controller. -
From a terminal, run this command to check if
gitlab-workspaces-proxyis accessible:curl --verbose --location ${GITLAB_WORKSPACES_PROXY_DOMAIN}This command returns a
400 Bad Requesterror until you create a workspace in GitLab. -
From another terminal, run this command:
kubectl -n gitlab-workspaces logs -f -l app.kubernetes.io/name=gitlab-workspaces-proxyThe logs show a
could not find upstream workspace upstream not founderror.
You’re all set! You can now use the GitLab workspaces proxy to authenticate and authorize workspaces in your cluster.