
Ensure custom certificates work in FIPS builds

Balasankar 'Balu' C requested to merge 6317-ssl-cacerts into master

What does this MR do?

Ensure custom certificates work in FIPS builds.

  1. Always bundle cacerts, irrespective of whether openssl is bundled or not.
  2. Use the available c_rehash: if openssl is bundled, use that one; otherwise try to find the system one and use that.
  3. Set SSL_CERT_DIR for all services. This MR adds it to gitlab-rails and gitlab-exporter.

Testing

  1. Set up an external Redis using self-signed certificates in a VM. (For now, you might have to monkey-patch the Redis conf to make it work under TLS. !5770 (merged) should improve this.)
  2. On a FIPS machine, install the FIPS build from this MR.
  3. Add the root/intermediate CA certificates of the Redis VM to /etc/gitlab/trusted-certs in the FIPS VM.
  4. Run reconfigure in the FIPS VM.
  5. Confirm that the certificates added to trusted-certs are hashed and symlinked in /opt/gitlab/embedded/ssl/certs.
  6. Confirm that GitLab <=> Redis interaction works fine. (Logging in should work, for example.)

Related issues

Closes #6317 (closed)

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
  • trigger-package has a green pipeline running against latest commit

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for the GitLab Chart opened
Edited by DJ Mountney
