Ensure custom certificates work in FIPS builds
What does this MR do?
Ensure custom certificates work in FIPS builds.
- Bundle cacerts always, irrespective of openssl being bundled or not.
- Use available c_rehash. If openssl is bundled, use that. Else try to find the system one and use that.
- Set SSL_CERT_DIR for all services. This MR adds it to gitlab-rails and gitlab-exporter.
Testing
- Setup an external Redis using self-signed certificates in a VM. (For now, you might have to monkey patch Redis conf to make it work under TLS. !5770 (merged) should improve this).
- In a FIPS machine, install the FIPS build from this MR.
- Add the root/intermediate CA certificates of the Redis VM to /etc/gitlab/trusted-certs in the FIPS VM.
- Run reconfigure in FIPS VM.
- Confirm that the certificates added to trusted-certs are hashed and symlinked in /opt/gitlab/embedded/ssl/certs.
- Confirm that GitLab <=> Redis interaction works fine. (Logging in should work, for example.)
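The two confirmation steps above (hash symlinks present, and services able to trust the certificates through SSL_CERT_DIR) can be checked with a script. The following is an added example, not code from this MR or from omnibus-gitlab. It assumes OpenSSL 1.1.0 or newer (for `openssl verify -no-CAfile`); `rehash_dir` is a hypothetical stand-in for c_rehash used so the check can be exercised on a scratch directory, and the directory paths are passed as arguments rather than hard-coded.

```shell
#!/bin/sh
# Added example, not code from this MR or from omnibus-gitlab.
# Checks that every CA certificate in a trusted-certs directory has been hashed
# and symlinked into the directory that SSL_CERT_DIR points at, and that OpenSSL
# can actually find it there through the environment variable alone.
# Assumes OpenSSL 1.1.0 or newer (for 'openssl verify -no-CAfile').

# rehash_dir SRC DST
# Hypothetical stand-in for c_rehash: link each PEM in SRC into DST as
# <subject-hash>.<n>, where n is the first free suffix for that hash.
rehash_dir() {
  src=$1; dst=$2
  mkdir -p "$dst"
  for pem in "$src"/*.pem "$src"/*.crt; do
    [ -f "$pem" ] || continue
    # absolute target so the link resolves regardless of the caller's cwd
    abs="$(cd "$(dirname "$pem")" && pwd)/$(basename "$pem")"
    hash=$(openssl x509 -noout -hash -in "$pem") || return 1
    n=0
    while [ -e "$dst/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$abs" "$dst/$hash.$n"
  done
}

# cert_fpr FILE: SHA-256 fingerprint, used to compare a cert with a link target
cert_fpr() {
  openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# verify_trusted_certs SRC DST
# Returns 0 only if every certificate in SRC (a) is reachable through a
# hash-named symlink in DST and (b) verifies when OpenSSL is told about DST
# through SSL_CERT_DIR only, which is how the services in this MR consume it.
verify_trusted_certs() {
  src=$1; dst=$2; rc=0
  for pem in "$src"/*.pem "$src"/*.crt; do
    [ -f "$pem" ] || continue
    hash=$(openssl x509 -noout -hash -in "$pem") || return 1
    found=""
    for link in "$dst/$hash".*; do
      [ -L "$link" ] || continue
      if [ "$(cert_fpr "$link")" = "$(cert_fpr "$pem")" ]; then
        found=$link
        break
      fi
    done
    if [ -z "$found" ]; then
      echo "MISSING: $pem has no hash symlink in $dst" >&2
      rc=1
      continue
    fi
    # -no-CAfile disables the default bundle so only the hashed directory counts
    if SSL_CERT_DIR=$dst openssl verify -no-CAfile "$pem" >/dev/null 2>&1; then
      echo "OK: $pem -> $found"
    else
      echo "FAIL: $pem is linked as $found but does not verify via SSL_CERT_DIR=$dst" >&2
      rc=1
    fi
  done
  return $rc
}

# Usage: verify_certs.sh [TRUSTED_DIR] [CERT_DIR]; with no arguments the
# functions are only defined, so the file can be sourced from other scripts.
if [ $# -gt 0 ]; then
  verify_trusted_certs "${1:-/etc/gitlab/trusted-certs}" "${2:-/opt/gitlab/embedded/ssl/certs}"
fi
```

On a FIPS VM after reconfigure, running it as `sh verify_certs.sh /etc/gitlab/trusted-certs /opt/gitlab/embedded/ssl/certs` prints one OK line per CA; a MISSING line means the rehash step did not run (for example because no usable c_rehash was found), and a FAIL line means the link exists but points at a file OpenSSL cannot load from that directory.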
Related issues
Closes #6317 (closed)
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion
Required
- Merge Request Title, and Description are up to date, accurate, and descriptive
- MR targeting the appropriate branch
- MR has a green pipeline on GitLab.com
- Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
- trigger-package has a green pipeline running against latest commit
Expected (please provide an explanation if not completing)
- Test plan indicating conditions for success has been posted and passes
- Documentation created/updated
- Tests added
- Integration tests added to GitLab QA
- Equivalent MR/issue for the GitLab Chart opened
Edited by DJ Mountney