Updating to 14.9.2 broke our ldap custom-CA
Summary
We upgraded from 14.8.2 to 14.9.2 and since then we get these CA errors in our webservice pod (see relevant logs).
When doing an openssl connect to our LDAP it says verify OK.
The CA is also appended inside the proper file inside the pod itself (/etc/ssl/certs/ca-certificates.crt).
Maybe this is related to #2792? None of the files here are hashed.
git@gitlab-webservice-default-76648d8dfd-mv9vl:/$ ls /etc/ssl/certs/
ca-bundle.crt ca-bundle.trust.crt ca-certificates.crt
Steps to reproduce
Do a Helm Upgrade
Configuration used
global:
  appConfig:
    ldap:
      preventSignin: false
      servers:
        main:
          active_directory: false
          attributes:
            email: mail
            name: displayName
            username: uid
          base: xxx
          bind_dn: xxx
          ca_file: /etc/ssl/certs/ca-cert-ldap-cert.pem
          encryption: simple_tls
          host: ldap.otc-service.internal
          label: LDAP
          password:
            key: password
            secret: ldapuser
          port: 636
          uid: uid
          verify_certificates: true
  certificates:
    customCAs:
      - secret: ldap-ca-secret
(The ldap config here hasn't been touched for the last 2.5 years)
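An in-pod check of the two things the report leaves open, added here as a diagnostic that is not part of the issue or the GitLab chart: whether the configured ca_file path actually exists in the webservice pod, and whether that CA is merged into the system bundle. It assumes the paths, host and port from the values above and that openssl is available in the pod.

```shell
#!/bin/sh
# Added diagnostic for the LDAP custom-CA problem above (not from the issue
# or the GitLab chart). Run inside the webservice pod. Paths, host and port
# are taken from the values.yaml in the report and can be overridden.
CA_FILE="${CA_FILE:-/etc/ssl/certs/ca-cert-ldap-cert.pem}"
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
LDAP_HOST="${LDAP_HOST:-ldap.otc-service.internal}"
LDAP_PORT="${LDAP_PORT:-636}"

# Returns 0 when the configured ca_file exists and holds a PEM certificate.
ca_file_present() {
  [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Prints the base64 body of the first certificate in a PEM file with all
# line breaks removed, so differing line wrapping does not affect matching.
ca_body() {
  awk '/BEGIN CERTIFICATE/{f=1;next} /END CERTIFICATE/{exit} f' "$1" \
    | tr -d '\n\r '
}

# Returns 0 when the first certificate of $1 is contained in bundle $2,
# i.e. the custom CA really was merged into the system trust store.
ca_in_bundle() {
  body=$(ca_body "$1")
  [ -n "$body" ] && [ -r "$2" ] || return 1
  tr -d '\n\r ' < "$2" | grep -qF -- "$body"
}

# TLS handshake against the LDAP server, trusting only the configured CA
# file; prints the openssl verify result line.
ldap_tls_check() {
  openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" -CAfile "$CA_FILE" \
    </dev/null 2>/dev/null | grep 'Verify return code'
}

main() {
  if ca_file_present "$CA_FILE"; then
    echo "ca_file present: $CA_FILE"
    if ca_in_bundle "$CA_FILE" "$BUNDLE"; then
      echo "CA is merged into $BUNDLE"
    else
      echo "CA is NOT in $BUNDLE"
    fi
    ldap_tls_check
  else
    echo "ca_file missing or not a PEM certificate: $CA_FILE"
  fi
}
case "${1:-}" in run) main ;; esac   # run only as: sh ldap-ca-check.sh run
```

If the first check fails while the second would pass for the secret's certificate, the chart has placed the CA in the bundle but not at the ca_file path the LDAP config points to.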
Current behavior
We're getting these LDAP errors, but logging in via SAML is still possible, albeit with an increased 500 error rate.
Expected behavior
The ldap CA is trusted by all components.
Versions
- Chart: gitlab-5.9.2
Relevant logs
Net::LDAP::Error (SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)):