Add support for custom CA certificates

Related to https://gitlab.com/gitlab-com/request-for-help/-/issues/2371

Currently, deploying AI Gateway with self-signed certificates requires manual certificate bundle modifications. We should add proper support for custom CA certificates following the pattern established in the main GitLab Helm chart.

Proposed changes:

  1. Add global.certificates.customCAs configuration to values.yaml
  2. Make template changes
  3. Update documentation on how to set custom CA during helm upgrade

Details in https://gitlab.com/gitlab-com/request-for-help/-/issues/2371#note_2352833428

Example MR for reference: gitlab@91e6ec33

Workaround:

One workaround to allow the AI Gateway to trust a self-managed GitLab instance's certificate which is signed by a custom CA is to add the CA root certificate to the CA bundle from the AIGW container.

This workaround pins the bundle: updates to the root CA bundle shipped with later versions of the chart image will not be picked up until the copied file is refreshed.

For a Helm chart deployment of the AIGW this can be done as follows:

  1. Copy the /etc/ssl/certs/ca-certificates.crt bundle file from the AIGW container to a local file, e.g.: kubectl cp -n gitlab ai-gateway-55d697ff9d-j9pc6:/etc/ssl/certs/ca-certificates.crt ca-certificates.crt
  2. Append the custom CA root certificate to the local file, e.g.: cat customCA-root.crt >> ca-certificates.crt
  3. Create a new secret from the local file, e.g.: kubectl create secret generic ca-certificates -n gitlab --from-file=ca-certificates.crt=ca-certificates.crt (the key name becomes the file name under the mount path, so it must match the path used in the following steps)
  4. Define a volume and volumeMount using the secret in the chart values.yml, which creates the /tmp/ca-certificates.crt file in the container, e.g.:

     volumes:
       - name: cacerts
         secret:
           secretName: ca-certificates
           optional: false

     volumeMounts:
       - name: cacerts
         mountPath: "/tmp"
         readOnly: true

  5. Set the REQUESTS_CA_BUNDLE and SSL_CERT_FILE environment variables to point to the mounted file, e.g.:

     extraEnvironmentVariables:
       - name: REQUESTS_CA_BUNDLE
         value: /tmp/ca-certificates.crt
       - name: SSL_CERT_FILE
         value: /tmp/ca-certificates.crt

  6. Redeploy the chart.

For a Docker deployment a similar approach can be used: mount the local file in the container via the --volume /root/ca-certificates.crt:/tmp/ca-certificates.crt option and set the same two environment variables.
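The merge step above is a plain `cat >>`, which happily appends a private key or a duplicate certificate to the trust store and gives no way to confirm afterwards that the custom root actually landed in the bundle. The following script, an added example that is not part of this issue or of the AI Gateway chart, builds the merged bundle the way a reviewer would want it built: only CERTIFICATE blocks are accepted, duplicates are dropped by DER fingerprint, and the result can be checked for the presence of the custom CA. The PEM blocks it ships with are constructed placeholders (hash output in PEM framing, not real certificates) so it runs offline; the function and variable names are the script's own, not anything from the chart.

```python
"""Build and verify the CA bundle used in the AI Gateway custom-CA workaround.

Added example, not part of the GitLab issue or the AI Gateway chart. The
sample PEM blocks are constructed placeholders, not real certificates.
"""
import base64
import hashlib
import re
import ssl
from typing import Dict, List, Tuple

# One PEM block: label, base64 body, matching footer. DOTALL lets the body span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def parse_pem_certs(text: str) -> List[Tuple[str, str]]:
    """Return (sha256 fingerprint of DER, normalised PEM) for each CERTIFICATE block.

    Anything that is not a certificate (private key, CRL, ...) raises: such
    material must never be handed to REQUESTS_CA_BUNDLE / SSL_CERT_FILE.
    """
    certs = []
    for label, body in PEM_BLOCK.findall(text):
        if label != "CERTIFICATE":
            raise ValueError(f"refusing non-certificate PEM block: {label}")
        pem = f"-----BEGIN CERTIFICATE-----\n{body.strip()}\n-----END CERTIFICATE-----\n"
        der = ssl.PEM_cert_to_DER_cert(pem)  # validates framing and base64
        certs.append((hashlib.sha256(der).hexdigest(), pem))
    return certs


def merge_bundle(container_bundle: str, custom_ca: str) -> Tuple[str, int]:
    """Append the custom CA certificates to the container bundle, skipping duplicates.

    Returns the merged PEM text and the number of certificates actually added.
    """
    seen: Dict[str, str] = {}
    for fp, pem in parse_pem_certs(container_bundle):
        seen.setdefault(fp, pem)
    added = 0
    for fp, pem in parse_pem_certs(custom_ca):
        if fp not in seen:
            seen[fp] = pem
            added += 1
    return "".join(seen.values()), added


def bundle_contains(bundle: str, cert_pem: str) -> bool:
    """True if every certificate in cert_pem is in bundle, compared by DER fingerprint."""
    wanted = {fp for fp, _ in parse_pem_certs(cert_pem)}
    present = {fp for fp, _ in parse_pem_certs(bundle)}
    return bool(wanted) and wanted <= present


def env_points_at(env: Dict[str, str], path: str) -> bool:
    """Both variables the workaround sets must name the same mounted bundle:
    REQUESTS_CA_BUNDLE is read by python-requests, SSL_CERT_FILE by OpenSSL."""
    return all(env.get(k) == path for k in ("REQUESTS_CA_BUNDLE", "SSL_CERT_FILE"))


def _placeholder_cert(seed: bytes) -> str:
    """Constructed placeholder: hash bytes in PEM framing. NOT a real certificate."""
    body = base64.encodebytes(hashlib.sha256(seed).digest() * 4).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed stand-ins for the bundle copied out of the container and the custom root.
CONTAINER_BUNDLE = _placeholder_cert(b"public-root-1") + _placeholder_cert(b"public-root-2")
CUSTOM_CA = _placeholder_cert(b"corp-root")

if __name__ == "__main__":
    merged, added = merge_bundle(CONTAINER_BUNDLE, CUSTOM_CA)
    print(f"added {added} certificate(s); bundle now holds {len(parse_pem_certs(merged))}")
    print("custom CA present:", bundle_contains(merged, CUSTOM_CA))
    env = {"REQUESTS_CA_BUNDLE": "/tmp/ca-certificates.crt",
           "SSL_CERT_FILE": "/tmp/ca-certificates.crt"}
    print("env consistent:", env_points_at(env, "/tmp/ca-certificates.crt"))
```

To use it against real files, read the copied `ca-certificates.crt` and `customCA-root.crt` into the two arguments of `merge_bundle` and write the returned text back before creating the secret. One further caveat on the mount itself: a secret mounted at `/tmp` with `readOnly: true` shadows the container's own `/tmp` with a read-only directory, so a dedicated path (or a `subPath` mount of the single file) is the safer choice if anything in the image writes there.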

Edited by Shem Gyll