WIP Kube exec proxy

• check licenses of new code
• restrict websocket connections to signed-in GitLab users
• disable websocket endpoint by default

Added 3 commits:

• 67d98415 - Add console demo from Gravitational Inc.
• 9bcbfc90 - Add terminal dependencies
• 67376ca7 - Add insecure websocket endpoint

Added 7 commits:

• 67376ca7...8abee43f - 6 commits from branch master
• 862e96cd - Merge branch 'master' of https://gitlab.com/gitlab-org/gitlab-workhorse into kube-exec-proxy

Added 1 commit:

• 55f35da5 - Fix goroutine leak if socket closes before command

Working on security features in https://gitlab.com/gitlab-org/gitlab-workhorse/merge_requests/75 to prevent conflict with demo today. cc @ayufan

We should think about how long a terminal websocket is supposed to last. The way this is implemented now, even if you block or remove the user from GitLab, their terminal websocket keeps working.

If everything is quiet for long enough NGINX will terminate the websocket connection. That is not a security mechanism. So perhaps we need some sort of polling from gitlab-workhorse to gitlab-ce to see if the user is still allowed to access the terminal.

Added 2 commits:

• 71cb83be - Disable terminal by default
• 20c49518 - Verify session in gitlab-rails for terminal

Marked the task restrict websocket connections to signed-in GitLab users as completed

Marked the task disable websocket endpoint by default as completed

Mentioned in merge request !75 (closed)

@JobV could you comment whether these licenses are OK:

• https://gitlab.com/gitlab-org/gitlab-workhorse/blob/kube-exec-proxy/vendor/github.com/kr/pty/License
• https://gitlab.com/gitlab-org/gitlab-workhorse/blob/kube-exec-proxy/vendor/golang.org/x/net/LICENSE
• https://gitlab.com/gitlab-org/gitlab-workhorse/blob/kube-exec-proxy/vendor/golang.org/x/text/LICENSE
• https://gitlab.com/gitlab-org/gitlab-workhorse/blob/kube-exec-proxy/internal/terminal/LICENSE

@JobV also:

• https://gitlab.com/gitlab-org/gitlab-workhorse/blob/kube-exec-proxy/vendor/golang.org/x/text/PATENTS
• https://gitlab.com/gitlab-org/gitlab-workhorse/blob/kube-exec-proxy/vendor/golang.org/x/net/PATENTS

These discouraging words are appropriate for the moment. The feature is still hard-coded to open a Bash shell as the application user on the GitLab server.

Now they are appropriate for a different reason: the current implementation exposes Openshift/Kubernetes bearer tokens to the GitLab server via kubectl process status lines.

@jacobvosmaer-gitlab they are all fine.

Great work @jacobvosmaer-gitlab. This is quite the MR!

Added 1 commit:

• f8b30f5d - Start 'kubectl exec' instead of bash

Thanks @JobV

Thanks @stanhu , it contains work from Ev, I did not do it alone.

Marked the task check licenses of new code as completed

Added 1 commit:

• 970975b2 - Use openshift token and server from gitlab-rails

Added 1 commit:

• 6d0f6739 - Reduce security: skip certificate verification

Mentioned in merge request !83 (merged)

mentioned in commit d01ee210

Superseded by !83 (merged)

closed