Update proxy helm chart commands

b5f2460c · Vishal Tak · b3905c67 · b5f2460c
Commit b5f2460c authored 4 months ago by Vishal Tak
--- a/doc/user/workspace/set_up_workspaces_proxy.md
+++ b/doc/user/workspace/set_up_workspaces_proxy.md
@@ -15,8 +15,7 @@ To set up `gitlab-workspaces-proxy`, you're going to:
 1. [Generate TLS certificates](#generate-tls-certificates).
 1. [Register an app on your GitLab instance](#register-an-app-on-your-gitlab-instance).
 1. [Generate an SSH host key](#generate-an-ssh-host-key).
-1. [Export the GitLab URL](#export-the-gitlab-url).
-1. [Create a configuration secret](#create-a-configuration-secret).
+1. [Create Kubernetes secrets](#create-kubernetes-secrets).
 1. [Install the Helm chart for the proxy](#install-the-helm-chart-for-the-proxy).
 1. [Verify the Kubernetes resources](#verify-the-kubernetes-resources).
 1. [Update your DNS records](#update-your-dns-records).
@@ -35,8 +34,10 @@ You must generate TLS certificates for:
 - The domain workspaces are available on (`GITLAB_WORKSPACES_WILDCARD_DOMAIN`).
  
 You can generate certificates from any certificate authority.
+If you have [cert-manager](https://cert-manager.io/docs/) for your Kubernetes cluster, you can configure it to auto
+create and renew TLS certificates for you and skip the below steps.
  
-To generate TLS certificates:
+To manually generate TLS certificates:
  
 1. Install [Certbot](https://certbot.eff.org/) to enable HTTPS:
  
@@ -73,20 +74,25 @@ To generate TLS certificates:
   ```shell
   export WORKSPACES_DOMAIN_CERT="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}/fullchain.pem"
   export WORKSPACES_DOMAIN_KEY="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}/privkey.pem"
-   export WILDCARD_DOMAIN_CERT="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_WILDCARD_DOMAIN}/fullchain.pem"
-   export WILDCARD_DOMAIN_KEY="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_WILDCARD_DOMAIN}/privkey.pem"
+   export WILDCARD_DOMAIN_CERT="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}-0001/fullchain.pem"
+   export WILDCARD_DOMAIN_KEY="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}-0001/privkey.pem"
   ```
  
-   The `certbot` command might create a different path for the wildcard domain
-   by using the proxy domain and a `-0001` prefix:
+   The `certbot` command might save the certificate and key on a different path for the domain
+   depending on your environment. To get your exact path, check the output of the following command:
  
   ```shell
-   export WORKSPACES_DOMAIN_CERT="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}/fullchain.pem"
-   export WORKSPACES_DOMAIN_KEY="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}/privkey.pem"
-   export WILDCARD_DOMAIN_CERT="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}-0001/fullchain.pem"
-   export WILDCARD_DOMAIN_KEY="${HOME}/.certbot/config/live/${GITLAB_WORKSPACES_PROXY_DOMAIN}-0001/privkey.pem"
+   certbot certificates \
+     --config-dir ~/.certbot/config \
+     --logs-dir ~/.certbot/logs \
+     --work-dir ~/.certbot/work
   ```
  
+NOTE:
+You will have to renew your certificates when they get expired.
+For example, Let's Encrypt certificates are valid for three months by default.
+To auto renew certificates, check [cert-manager](https://cert-manager.io/docs/).
+
 Now that you've generated the certificates, it's time to register an app on your GitLab instance.
  
 ## Register an app on your GitLab instance
@@ -97,12 +103,14 @@ To register an app on your GitLab instance:
 1. Set the redirect URI to `https://${GITLAB_WORKSPACES_PROXY_DOMAIN}/auth/callback`.
 1. Select the **Trusted** checkbox.
 1. Set the scopes to `api`, `read_user`, `openid`, and `profile`.
-1. Export your `CLIENT_ID`, `CLIENT_SECRET`, and `REDIRECT_URI`:
+1. Export your `GITLAB_URL`, `CLIENT_ID`, `CLIENT_SECRET`, `REDIRECT_URI`, and `SIGNING_KEY`:
  
   ```shell
+   export GITLAB_URL="https://gitlab.com"
   export CLIENT_ID="your_application_id"
   export CLIENT_SECRET="your_application_secret"
   export REDIRECT_URI="https://${GITLAB_WORKSPACES_PROXY_DOMAIN}/auth/callback"
+   export SIGNING_KEY="make_up_a_random_key_consisting_of_letters_numbers_and_special_chars"
   ```
  
 1. Store the client ID and generated secret in a safe place (for example, 1Password).
@@ -120,26 +128,34 @@ export SSH_HOST_KEY=$(pwd)/ssh-host-key
  
 You can also generate an ECDSA key instead.
  
-## Export the GitLab URL
-
-To export the `GITLAB_URL` environment variable, run this command:
-
-```shell
-export GITLAB_URL="https://gitlab.com"
-```
-
 Next, you'll create a configuration secret for the proxy.
  
-## Create a configuration secret
-
-To create a configuration secret for the proxy:
+## Create Kubernetes secrets
  
-1. Create a signing key and store the key in a safe place (for example, 1Password).
-1. Export your `SIGNING_KEY`:
+To create the secrets:
  
-   ```shell
-   export SIGNING_KEY="make_up_a_random_key_consisting_of_letters_numbers_and_special_chars"
-   ```
+```shell
+kubectl create namespace gitlab-workspaces
+
+kubectl create secret generic gitlab-workspaces-proxy-config \
+  --namespace="gitlab-workspaces" \
+  --from-literal="auth.client_id=${CLIENT_ID}" \
+  --from-literal="auth.client_secret=${CLIENT_SECRET}" \
+  --from-literal="auth.host=${GITLAB_URL}" \
+  --from-literal="auth.redirect_uri=${REDIRECT_URI}" \
+  --from-literal="auth.signing_key=${SIGNING_KEY}" \
+  --from-literal="ssh.host_key=$(cat ${SSH_HOST_KEY})"
+
+kubectl create secret tls gitlab-workspace-proxy-tls \
+  --namespace="gitlab-workspaces" \
+  --cert="${WORKSPACES_DOMAIN_CERT}" \
+  --key="${WORKSPACES_DOMAIN_KEY}"
+
+kubectl create secret tls gitlab-workspace-proxy-wildcard-tls \
+  --namespace="gitlab-workspaces" \
+  --cert="${WILDCARD_DOMAIN_CERT}" \
+  --key="${WILDCARD_DOMAIN_KEY}"
+```
  
 ## Install the Helm chart for the proxy
  
@@ -159,29 +175,22 @@ To install the Helm chart for the proxy:
  
   helm upgrade --install gitlab-workspaces-proxy \
     gitlab-workspaces-proxy/gitlab-workspaces-proxy \
-     --version 0.1.15 \
-     --namespace=gitlab-workspaces \
-     --create-namespace \
-     --set="auth.client_id=${CLIENT_ID}" \
-     --set="auth.client_secret=${CLIENT_SECRET}" \
-     --set="auth.host=${GITLAB_URL}" \
-     --set="auth.redirect_uri=${REDIRECT_URI}" \
-     --set="auth.signing_key=${SIGNING_KEY}" \
-     --set="ingress.host.workspaceDomain=${GITLAB_WORKSPACES_PROXY_DOMAIN}" \
-     --set="ingress.host.wildcardDomain=${GITLAB_WORKSPACES_WILDCARD_DOMAIN}" \
-     --set="ingress.tls.workspaceDomainCert=$(cat ${WORKSPACES_DOMAIN_CERT})" \
-     --set="ingress.tls.workspaceDomainKey=$(cat ${WORKSPACES_DOMAIN_KEY})" \
-     --set="ingress.tls.wildcardDomainCert=$(cat ${WILDCARD_DOMAIN_CERT})" \
-     --set="ingress.tls.wildcardDomainKey=$(cat ${WILDCARD_DOMAIN_KEY})" \
-     --set="ssh.host_key=$(cat ${SSH_HOST_KEY})" \
+     --version=0.1.16 \
+     --namespace="gitlab-workspaces" \
+     --set="ingress.enabled=true" \
+     --set="ingress.hosts[0].host=${GITLAB_WORKSPACES_PROXY_DOMAIN}" \
+     --set="ingress.hosts[0].paths[0].path=/" \
+     --set="ingress.hosts[0].paths[0].pathType=ImplementationSpecific" \
+     --set="ingress.hosts[1].host=${GITLAB_WORKSPACES_WILDCARD_DOMAIN}" \
+     --set="ingress.hosts[1].paths[0].path=/" \
+     --set="ingress.hosts[1].paths[0].pathType=ImplementationSpecific" \
+     --set="ingress.tls[0].hosts[0]=${GITLAB_WORKSPACES_PROXY_DOMAIN}" \
+     --set="ingress.tls[0].secretName=gitlab-workspace-proxy-tls" \
+     --set="ingress.tls[1].hosts[0]=${GITLAB_WORKSPACES_WILDCARD_DOMAIN}" \
+     --set="ingress.tls[1].secretName=gitlab-workspace-proxy-wildcard-tls" \
     --set="ingress.className=nginx"
   ```
  
-   NOTE:
-   You might have to renew your certificates.
-   For example, Let's Encrypt certificates are valid for three months by default.
-   When you get new certificates, run the previous `helm` command again to update the certificates.
-
 Let's now verify the Kubernetes resources.
  
 ## Verify the Kubernetes resources