Draft: Fix LetsEncrypt when NGINX SSL config is set
What does this MR do?
When LetsEncrypt is enabled, Omnibus previously defaulted to setting the registry NGINX to `/etc/gitlab/ssl/#{uri.host}.{crt,key}`. However, if the main NGINX SSL cert/key is explicitly set to `/etc/gitlab/ssl/nginx.{crt,key}`, LetsEncrypt will use that filename but the registry NGINX will be configured to use the FQDN-based filename, which won't ever be created. This causes a Chef failure when using LetsEncrypt since NGINX won't be able to find the FQDN-based filename.
To fix this, every NGINX should default to the main NGINX SSL config.
There are a number of cases to consider. Here's an example:
| nginx['ssl_certificate'] | registry_external_url | registry_nginx['ssl_certificate'] | letsencrypt['enable'] | Expected result for registry_nginx['ssl_certificate'] |
|---|---|---|---|---|
| /etc/gitlab/ssl/nginx.crt | https://dev.gitlab.org:5005 | /etc/gitlab/ssl/registry.crt | true | /etc/gitlab/ssl/nginx.crt |
| /etc/gitlab/ssl/nginx.crt | https://dev.gitlab.org:5005 | /etc/gitlab/ssl/registry.crt | false | /etc/gitlab/ssl/registry.crt |
| nil | https://dev.gitlab.org:5005 | /etc/gitlab/ssl/registry.crt | true | /etc/gitlab/ssl/dev.gitlab.org.crt |
| nil | https://dev.gitlab.org:5005 | /etc/gitlab/ssl/registry.crt | false | /etc/gitlab/ssl/registry.crt |
Related issues
Relates to #7458 (closed)
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion
Required
- Merge Request Title, and Description are up to date, accurate, and descriptive
- MR targeting the appropriate branch
- MR has a green pipeline on GitLab.com
- Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks
- trigger-package has a green pipeline running against latest commit
Expected (please provide an explanation if not completing)
- Test plan indicating conditions for success has been posted and passes
- Documentation created/updated
- Tests added
- Integration tests added to GitLab QA
- Equivalent MR/issue for the GitLab Chart opened
Edited by Stan Hu
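The defaulting rule and the table in the description, modelled as an added Ruby sketch (this is not the Omnibus cookbook code). All method and constant names are hypothetical, and the sketch assumes the main and registry URLs share one host; it compares the described pre-fix behaviour with the expected results and flags a registry certificate path that LetsEncrypt never writes.

```ruby
require 'uri'

SSL_DIR = '/etc/gitlab/ssl'
REGISTRY_URL = 'https://dev.gitlab.org:5005'
REGISTRY_CERT = "#{SSL_DIR}/registry.crt"

# FQDN-based certificate path derived from a URL (host only, port dropped).
def fqdn_cert(url)
  File.join(SSL_DIR, "#{URI(url).host}.crt")
end

# File LetsEncrypt ends up writing: the explicit main NGINX certificate,
# otherwise the FQDN-based name (assumption: both URLs share one host).
def letsencrypt_target(nginx_cert:, registry_url:, **)
  nginx_cert || fqdn_cert(registry_url)
end

# Simplified model of the behaviour the MR describes as broken: with
# LetsEncrypt on, the registry always gets the FQDN-based name.
def registry_cert_before(registry_url:, registry_cert:, letsencrypt:, **)
  letsencrypt ? fqdn_cert(registry_url) : registry_cert
end

# Model of the table's expected results: with LetsEncrypt on, follow the
# file LetsEncrypt writes; otherwise keep the explicit registry setting.
def registry_cert_after(letsencrypt:, registry_cert:, **cfg)
  letsencrypt ? letsencrypt_target(**cfg) : registry_cert
end

# True when the registry NGINX would reference a file nobody creates.
def dangling?(resolver, **cfg)
  cfg[:letsencrypt] && method(resolver).call(**cfg) != letsencrypt_target(**cfg)
end

# Rows copied from the MR table: [nginx cert, letsencrypt, expected result].
TABLE = [
  ["#{SSL_DIR}/nginx.crt", true,  "#{SSL_DIR}/nginx.crt"],
  ["#{SSL_DIR}/nginx.crt", false, REGISTRY_CERT],
  [nil, true,  "#{SSL_DIR}/dev.gitlab.org.crt"],
  [nil, false, REGISTRY_CERT]
].freeze

# Rows of the table that a resolver fails to reproduce.
def table_mismatches(resolver)
  TABLE.reject do |nginx, le, expected|
    cfg = { nginx_cert: nginx, registry_url: REGISTRY_URL,
            registry_cert: REGISTRY_CERT, letsencrypt: le }
    method(resolver).call(**cfg) == expected
  end
end
```

A check like `dangling?` can run as a pre-flight assertion in configuration tests, so a missing certificate surfaces before NGINX fails to load it.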