Support mutual TLS when calling the GitLab API
What does this MR do?
Support mutual TLS when calling the GitLab API.
Added two new flags: `client-cert-key-pairs` and `ca-certs`.
Related Issue: #548
Please refer to the previous discussion and review comments for more details: !663 (closed)
Changelog: added
Steps to generate a self-signed certificate:
- Log in to your GitLab Pages instance and go to the `/etc/gitlab/ssl` location:
  ```shell
  cd /etc/gitlab/ssl
  ```
- Create a `test.txt` file with the following content. The `subjectAltName` can include either DNS, IP, or both, depending on the setup. You can update the DNS and IP values as needed:
  ```
  subjectAltName = DNS:localhost,IP:127.0.0.1
  ```
  ```shell
  # Generating certificate authority:
  openssl genrsa -out ca.key 2048
  openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=GitLab, Inc./CN=GitLab Root CA" -out ca.crt
  # Generating client certificate and signing using certificate authority
  openssl genrsa -out client.key 2048
  openssl req -new -key client.key -out client.csr
  openssl x509 -req -days 9999 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -extfile test.txt
  # Verifying signed certificate
  openssl verify -CAfile ca.crt client.crt
  ```
- To provide the full certificate chain, append the content of `ca.crt` to `client.crt`.
- On both the GitLab and GitLab Pages instances, copy `client.crt` into `/etc/gitlab/trusted-certs`.
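As an added example (not code from this MR or from the GitLab Pages project), the Go program below plays out what the two flags configure: an in-memory CA in the role of `ca.crt`, an API stub that requires a client certificate issued by that CA, and a client that calls it once with such a certificate and once without. The CA and client names, the `localhost` DNS SAN and the API path are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue signs a cert for cn with parentKey; parent == nil yields a self-signed CA. DNSNames stands in for test.txt's SAN.
func issue(cn string, parent *x509.Certificate, parentKey any) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert
}
// Demo runs an API stub that requires a client cert from the trusted CA (the trusted-certs step above)
// and calls it with the client cert and without one. The caller closes resp.Body.
func Demo() (resp *http.Response, errWithCert, errWithoutCert error) {
	caTLS, caCert := issue("Demo Root CA", nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	serverTLS, _ := issue("localhost", caCert, caTLS.PrivateKey)
	clientTLS, _ := issue("gitlab-pages", caCert, caTLS.PrivateKey)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverTLS}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	// Client side as the MR's flags configure it: ca-certs -> RootCAs, client-cert-key-pairs -> Certificates.
	get := func(certs ...tls.Certificate) (*http.Response, error) {
		cfg := &tls.Config{RootCAs: pool, Certificates: certs, ServerName: "localhost"}
		return (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL + "/api/v4/internal/pages")
	}
	resp, errWithCert = get(clientTLS)
	_, errWithoutCert = get()
	return resp, errWithCert, errWithoutCert
}
```

The call without a client certificate fails at the TLS layer (the server rejects the handshake), while the call that presents the CA-issued certificate is served normally.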
TODO
- Feature flag
  - Added feature flag:
  - This feature does not require a feature flag
- I added the `Changelog` trailer to the commits that need to be included in the changelog (e.g. `Changelog: added`)
- I added unit tests or they are not required
- I added acceptance tests or they are not required
- I added documentation (or it's not required)
- I followed code review guidelines
- I followed Go Style guidelines
/cc @vshushlin
Edited by Naman Jagdish Gala