From aa59b82e7e5af3621a6099f0ff6aa50c7fa0fc9a Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Thu, 11 Jan 2024 09:53:52 -0800
Subject: [PATCH 1/2] Add support for using HTTP TLS client cert
Some customers need to configure mutual TLS authentication for Webhooks. This commit adds support for an instance-wide client certificate via two settings added in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140263:
```ruby
gitlab_rails['http_client']['tls_client_cert_file'] = '/path/to/cert.pem'
gitlab_rails['http_client']['tls_client_cert_password'] = 'somepassword'
```
Relates to:
* https://gitlab.com/gitlab-org/gitlab/-/issues/27450
* https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8356
Changelog: added
---
 .../gitlab-config-template/gitlab.rb.template | 5 ++++
 .../gitlab/attributes/default.rb | 2 ++
 .../gitlab/templates/default/gitlab.yml.erb | 3 ++
 .../gitlab-rails/gitlab_yml/gitlab_spec.rb | 28 +++++++++++++++++++
 4 files changed, 38 insertions(+)
diff --git a/files/gitlab-config-template/gitlab.rb.template b/files/gitlab-config-template/gitlab.rb.template
index a59a0549b8..60c3580d1f 100644
--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@@ -191,6 +191,11 @@ external_url 'GENERATED_EXTERNAL_URL'
 ###! request (default: 10)
 # gitlab_rails['webhook_timeout'] = 10
+### HTTP client settings ###! This is for setting up mutual TLS client cert and password for the cert file. # gitlab_rails['http_client']['tls_client_cert_file'] = nil # gitlab_rails['http_client']['tls_client_cert_password'] = nil
+
 ### GraphQL Settings
 ###! Tells the rails application how long it has to complete a GraphQL request.
 ###! We suggest this value to be higher than the database timeout value
diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb
index 4680ea51fb..9d2be13bb9 100644
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
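Review bot: The new `###!` comment above `gitlab_rails['http_client']['tls_client_cert_file']` names the two settings but does not say what the file must contain or which format is accepted; the commit message's `/path/to/cert.pem` example together with a password presumably means an encrypted private key is expected alongside the certificate, but a reader of the template cannot confirm that here. Operators also need to know that the password is kept in clear text in gitlab.rb and, by the erb change in this series, copied into the rendered gitlab.yml, so the permissions of both files matter. I would extend the line to something like `###! Path to the client certificate (and its key) presented for mutual TLS on outbound HTTP requests such as webhooks, plus the password for that file. The password is stored in clear text here and in gitlab.yml; keep both files readable only by the GitLab service account.` and add the accepted file format once confirmed against the upstream MR linked in the commit message.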
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -614,6 +614,8 @@ default['gitlab']['gitlab_rails']['trusted_certs_dir'] = "/etc/gitlab/trusted-ce
 default['gitlab']['gitlab_rails']['webhook_timeout'] = nil
+default['gitlab']['gitlab_rails']['http_client'] = {}
+
 default['gitlab']['gitlab_rails']['graphql_timeout'] = nil
 default['gitlab']['gitlab_rails']['initial_root_password'] = nil
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb b/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
index 1a378ff484..13dab0e019 100644
--- a/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
@@ -110,6 +110,9 @@ production: &base
 # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
 webhook_timeout: <%= @webhook_timeout %>
+ ## HTTP client settings
+ http_client: <%= @http_client.to_json %>
+
 ### GraphQL Settings
 # Tells the rails application how long it has to complete a GraphQL request.
 # We suggest this value to be higher than the database timeout value
diff --git a/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb b/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb
index f57df0d746..bd3ee0f536 100644
--- a/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb
+++ b/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb
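Review bot: `default['gitlab']['gitlab_rails']['http_client'] = {}` declares only the container, not the two keys the template documents, so nothing in this patch rejects or even lists a misspelled key such as `tls_client_cert_pasword`, and the erb change in the same series forwards whatever the operator put under `http_client` to gitlab.yml verbatim. Declaring `default['gitlab']['gitlab_rails']['http_client']['tls_client_cert_file'] = nil` and `default['gitlab']['gitlab_rails']['http_client']['tls_client_cert_password'] = nil` would document the supported keys next to the neighbouring `gitlab_rails` defaults; note that this changes the default rendering from `{}` to a hash with null values, so the `eq({})` expectation added in the spec would need to follow. If the cookbook has a separate validation step for unknown `gitlab_rails` keys (not visible in this diff), that is the place to reject typos instead.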
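Review bot: `http_client: <%= @http_client.to_json %>` writes the whole hash, including `tls_client_cert_password`, inline into gitlab.yml, yet the only comment is `## HTTP client settings`, which does not tell someone auditing the rendered file that a secret lands on this line. I would replace that comment with `## Mutual TLS client certificate for outbound HTTP requests (e.g. webhooks); tls_client_cert_password is rendered here in clear text, so keep gitlab.yml permissions restrictive.` Since the hash is passed through unfiltered, any extra keys an operator sets under `http_client` also reach gitlab.yml; if that pass-through is intentional the comment should say so, otherwise consider rendering only the documented keys.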
@@ -84,6 +84,34 @@ RSpec.describe 'gitlab::gitlab-rails' do
 end
 end
+ describe 'HTTP client settings' do
+ context 'with default configuration' do
+ it 'renders gitlab.yml with empty HTTP client settings' do
+ expect(gitlab_yml[:production][:gitlab][:http_client]).to eq({})
+ end
+ end
+
+ context 'with mutual TLS settings configured' do
+ before do
+ stub_gitlab_rb(
+ gitlab_rails: {
+ http_client: {
+ tls_client_cert_file: '/path/to/tls_cert_file',
+ tls_client_cert_password: 'somepassword'
+ }
+ }
+ )
+ end
+
+ it 'renders gitlab.yml with HTTP client settings' do
+ expect(gitlab_yml[:production][:gitlab][:http_client]).to eq(
+ tls_client_cert_file: '/path/to/tls_cert_file',
+ tls_client_cert_password: 'somepassword'
+ )
+ end
+ end
+ end
+
 describe 'SMIME email settings' do
 context 'with default configuration' do
 it 'renders gitlab.yml with SMIME email settings disabled' do
-- GitLab
From 0c843ba4534d3b374842a0ac1d2e266f7ca7997a Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Thu, 25 Jan 2024 10:41:19 -0800
Subject: [PATCH 2/2] Improve gitlab.rb.template comment for mutual TLS section
---
 files/gitlab-config-template/gitlab.rb.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/gitlab-config-template/gitlab.rb.template b/files/gitlab-config-template/gitlab.rb.template
index 60c3580d1f..aaf965d00f 100644
--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@@ -192,7 +192,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # gitlab_rails['webhook_timeout'] = 10
 ### HTTP client settings
-###! This is for setting up mutual TLS client cert and password for the cert file.
+###! This is for setting up the mutual TLS client cert and password for the certificate file.
 # gitlab_rails['http_client']['tls_client_cert_file'] = nil
 # gitlab_rails['http_client']['tls_client_cert_password'] = nil
-- GitLab
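Review bot: The new `describe 'HTTP client settings'` block pins only the empty hash and the fully configured pair; there is no case with `tls_client_cert_file` set and no password, so how a partially set hash renders (key omitted versus emitted as null) is left unpinned, and that is the configuration an operator with an unencrypted key would use if upstream supports it (not visible here). A third context with `stub_gitlab_rb(gitlab_rails: { http_client: { tls_client_cert_file: '/path/to/tls_cert_file' } })` and `expect(gitlab_yml[:production][:gitlab][:http_client]).to eq(tls_client_cert_file: '/path/to/tls_cert_file')` would cover it. The enclosing `RSpec.describe` starts and ends outside this hunk.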