gitlab-review-app-certs

Rough notes on TLS certs for *.gitlab-review.app

The actual repos are changing, but it looks like the new single master repo (gitlab, was gitlab-ee) will be using *.gitlab-review.app for its GKE-hosted k8s review apps.

The cert for this is stored in a K8S secret. To replace this when it expires:

  1. Assume sslmate has autorenewed this
  2. sslmate download '*.gitlab-review.app'
  3. Assume the key has remained the same; it’s in the secret, and can be left
  4. cat '*.gitlab-review.app.chained.crt' | base64 | tr -d '\n'
    • Save this output somewhere handy, briefly
  5. gcloud container clusters get-credentials review-apps-ee --zone us-central1-b --project gitlab-review-apps
    • Assumes you have gcloud and kubectl generally installed and working; this adds a cluster config to your .kube/config file, and sets it to be the current context
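  6. Save the existing secret: `kubectl get secret tls-cert --namespace review-apps-ee -o yaml > old-gitlab-review-app.secret`
    • This file includes the base64-encoded tls.key, so keep it somewhere private and delete it once the new cert is confirmed working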
  7. kubectl edit secret tls-cert --namespace review-apps-ee
  8. Carefully replace the existing tls.crt value with the base64-encoded cert you output above. Leave tls.key alone. Save and quit.

This will automatically apply (within a few seconds last time).
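
Step 3 assumes the renewed cert was issued for the key already in the secret. The following is an added check, not part of the original notes, that confirms this before the edit by comparing the public key of the cert currently in the secret with the one in the downloaded chain. The function names and the old-tls.crt file name are assumptions, and it assumes the leaf certificate comes first in the .chained.crt file.

```shell
#!/bin/sh
# Added example; function names and the old-tls.crt file name are hypothetical.
# Fetch the cert currently in the secret first (names taken from the steps above):
#   kubectl get secret tls-cert --namespace review-apps-ee \
#     -o jsonpath='{.data.tls\.crt}' | base64 -d > old-tls.crt

# Print a SHA-256 fingerprint of the public key in the first cert of a PEM file.
pubkey_fingerprint() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_renewed_cert OLD_CRT NEW_CHAIN
# Returns 0: same key and not expired; 1: key changed; 2: unreadable cert; 3: expired.
check_renewed_cert() {
    old_fp=$(pubkey_fingerprint "$1") || { echo "cannot read cert: $1" >&2; return 2; }
    new_fp=$(pubkey_fingerprint "$2") || { echo "cannot read cert: $2" >&2; return 2; }
    if [ "$old_fp" != "$new_fp" ]; then
        # A cert for a different key would not match the tls.key left in place.
        echo "public key differs: tls.key in the secret will not match" >&2
        return 1
    fi
    if ! openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1; then
        echo "new certificate has already expired" >&2
        return 3
    fi
    echo "ok: same public key ($new_fp), expires $(openssl x509 -in "$2" -noout -enddate | cut -d= -f2)"
}
```

Run `check_renewed_cert old-tls.crt '*.gitlab-review.app.chained.crt'` before step 7; a return code of 1 means tls.key has to be replaced as well, which these notes do not cover.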