Add support for global HTTP TLS client cert (!140263) · Merge requests · GitLab.org / GitLab

Stan Hu requested to merge sh-add-http-client-cert-support into master Dec 19, 2023

What does this MR do and why?

Some customers need to configure mutual TLS authentication for Webhooks. This commit adds support for an instance-wide client certificate via two settings in gitlab.yml:

gitlab.http_client.tls_client_cert_file
gitlab.http_client.tls_client_cert_password

Relates to #27450 (closed)

Changelog: added

How to set up and validate locally

You can test mutual TLS authentication via https://client.badssl.com/:

Run bin/rails console.
Run ::Gitlab::HTTP_V2.get('https://client.badssl.com'). This should fail.
Download the client cert: curl -o /tmp/badssl.com-client.pem https://badssl.com/certs/badssl.com-client.pem
In config/gitlab.yml add to the gitlab section:

    ## HTTP client settings
    # Filename of HTTP client pem
    http_client:
      tls_client_cert_file: /tmp/badssl.com-client.pem
    # Filename of HTTP client pem password
      tls_client_cert_password: badssl.com

Repeat step 2. This should work now.

Edited Jan 05, 2024 by Stan Hu

Add support for global HTTP TLS client cert

What does this MR do and why?

How to set up and validate locally

Merge request reports