Add support for custom CA certificates
Related to https://gitlab.com/gitlab-com/request-for-help/-/issues/2371
Currently, deploying AI Gateway with self-signed certificates requires manual certificate bundle modifications. We should add proper support for custom CA certificates following the pattern established in the main GitLab Helm chart.
Proposed changes:

- Add `global.certificates.customCAs` configuration to `values.yaml`
- Make template changes
- Update documentation on how to set custom CA during `helm upgrade`
Details in https://gitlab.com/gitlab-com/request-for-help/-/issues/2371#note_2352833428
Example MR for reference: gitlab@91e6ec33
Workaround:
One workaround to allow the AI Gateway to trust a self-managed GitLab instance's certificate which is signed by a custom CA is to add the CA root certificate to the CA bundle in the AIGW container.
Because the bundle is copied once and then mounted over the container's own, this workaround does not pick up changes made to the root CA bundle in later versions of the chart.
For a Helm chart deployment of the AIGW this can be done as follows:
- Copy the `/etc/ssl/certs/ca-certificates.crt` bundle file from the AIGW container to a local file, e.g.:
  ```shell
  kubectl cp -n gitlab ai-gateway-55d697ff9d-j9pc6:/etc/ssl/certs/ca-certificates.crt ca-certificates.crt
  ```
- Append the custom CA root certificate to the local file, e.g.:
  ```shell
  cat customCA-root.crt >> ca-certificates.crt
  ```
- Create a new secret from the local file, e.g. (the key name `ca-certificates.crt` becomes the file name under the mount path):
  ```shell
  kubectl create secret generic ca-certificates -n gitlab --from-file=ca-certificates.crt=ca-certificates.crt
  ```
- Define a volume and volumeMount using the secret in the chart `values.yml`, which creates the `/tmp/ca-certificates.crt` file in the container, e.g.:
  ```yaml
  volumes:
    - name: cacerts
      secret:
        secretName: ca-certificates
        optional: false
  volumeMounts:
    - name: cacerts
      mountPath: "/tmp"
      readOnly: true
  ```
- Set the `REQUESTS_CA_BUNDLE` and `SSL_CERT_FILE` environment variables to point to the mounted file, e.g.:
  ```yaml
  extraEnvironmentVariables:
    - name: REQUESTS_CA_BUNDLE
      value: /tmp/ca-certificates.crt
    - name: SSL_CERT_FILE
      value: /tmp/ca-certificates.crt
  ```
- Redeploy the chart.

For a docker deployment a similar approach can be used: mount the local file in the container via the `--volume /root/ca-certificates.crt:/tmp/ca-certificates.crt` option.
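The merged bundle is the part of the workaround that both the Helm and the docker variant share, and the plain `cat >>` step has two failure modes worth guarding against: a bundle whose last line has no trailing newline (the old `END CERTIFICATE` line and the new `BEGIN CERTIFICATE` line run together and the bundle stops parsing at that point), and running the step twice, which duplicates the CA. The following POSIX shell script is an added example, not part of the issue or of the AI Gateway chart; it appends the CA only after checking the file is a single PEM certificate, fixes the missing newline, and skips a CA that is already present, so it is safe to re-run before every redeploy. All file names, and the certificate bodies in the demo, are constructed placeholders (the demo bodies are not real certificates).

```shell
#!/bin/sh
# Added example (not from the issue): build the ca-certificates.crt bundle that
# the workaround mounts into the AI Gateway container, with the checks that a
# blind `cat customCA-root.crt >> ca-certificates.crt` skips.
set -eu

# Number of PEM certificate blocks in a file; 0 for a missing or empty file.
count_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# append_ca BUNDLE CA_FILE
# Appends the PEM certificate in CA_FILE to BUNDLE unless it is already there.
# Exit status: 0 appended or already present, 1 CA_FILE is not exactly one PEM
# certificate (e.g. a DER file or a private key passed by mistake), 2 no BUNDLE.
append_ca() {
    bundle=$1
    ca=$2
    [ -f "$bundle" ] || { echo "bundle $bundle not found" >&2; return 2; }
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" \
       || ! grep -q -- '-----END CERTIFICATE-----' "$ca"; then
        echo "$ca does not contain a PEM certificate" >&2
        return 1
    fi
    if [ "$(count_certs "$ca")" -ne 1 ]; then
        echo "$ca must contain exactly one certificate" >&2
        return 1
    fi
    # Compare with all whitespace removed so a CA that is already in the bundle
    # (possibly re-wrapped at a different line length) is not appended twice.
    ca_flat=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$ca" \
              | tr -d ' \t\r\n')
    bundle_flat=$(tr -d ' \t\r\n' < "$bundle")
    case "$bundle_flat" in
        *"$ca_flat"*)
            echo "CA already present in $bundle, nothing appended" >&2
            return 0 ;;
    esac
    # If the bundle's last byte is not a newline, add one, otherwise the new
    # BEGIN line would be glued onto the previous END line.
    if [ -n "$(tail -c 1 "$bundle")" ]; then
        printf '\n' >> "$bundle"
    fi
    # Append only the PEM block; a textual dump before the BEGIN line is dropped.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$ca" >> "$bundle"
}

# Demo on constructed files: a bundle whose last certificate has no trailing
# newline, plus a "custom CA". The base64 bodies are placeholders, not real
# certificates; a real run uses the kubectl cp output and customCA-root.crt.
demo() {
    dir=$(mktemp -d)
    bundle=$dir/ca-certificates.crt
    ca=$dir/customCA-root.crt
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQUFBQUFBQQ==' '-----END CERTIFICATE-----' > "$bundle"
    printf '%s\n%s\n%s'   '-----BEGIN CERTIFICATE-----' 'QkJCQkJCQkJCQg==' '-----END CERTIFICATE-----' >> "$bundle"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'Q0NDQ0NDQ0NDQw==' '-----END CERTIFICATE-----' > "$ca"
    append_ca "$bundle" "$ca"
    append_ca "$bundle" "$ca"            # second run: already present, no-op
    echo "certificates in bundle: $(count_certs "$bundle")"   # 3, not 4
    rm -rf "$dir"
}
demo
```

Run it as `sh build-bundle.sh`, or source the file and call `append_ca ca-certificates.crt customCA-root.crt` on the real bundle copied out of the container. One caveat on the mount in the values above: a secret mounted at `mountPath: "/tmp"` replaces the container's `/tmp` with a read-only directory that contains only the secret's keys, so anything the gateway writes there will fail; mounting the single key with `subPath: ca-certificates.crt` at `mountPath: /tmp/ca-certificates.crt` avoids that, at the cost of the file not being refreshed when the secret changes.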