From aa59b82e7e5af3621a6099f0ff6aa50c7fa0fc9a Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Thu, 11 Jan 2024 09:53:52 -0800
Subject: [PATCH 1/2] Add support for using HTTP TLS client cert

Some customers need to configure mutual TLS authentication for
Webhooks. This commit adds support for an instance-wide client
certificate via two settings added in
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140263:

```ruby
gitlab_rails['http_client']['tls_client_cert_file'] = '/path/to/cert.pem'
gitlab_rails['http_client']['tls_client_cert_password'] = 'somepassword'
```

Relates to:

* https://gitlab.com/gitlab-org/gitlab/-/issues/27450
* https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8356

Changelog: added
---
 .../gitlab-config-template/gitlab.rb.template |  5 ++++
 .../gitlab/attributes/default.rb              |  2 ++
 .../gitlab/templates/default/gitlab.yml.erb   |  3 ++
 .../gitlab-rails/gitlab_yml/gitlab_spec.rb    | 28 +++++++++++++++++++
 4 files changed, 38 insertions(+)

diff --git a/files/gitlab-config-template/gitlab.rb.template b/files/gitlab-config-template/gitlab.rb.template
index a59a0549b8..60c3580d1f 100644
--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@@ -191,6 +191,11 @@ external_url 'GENERATED_EXTERNAL_URL'
 ###! request (default: 10)
 # gitlab_rails['webhook_timeout'] = 10
 
+### HTTP client settings
+###! This is for setting up mutual TLS client cert and password for the cert file.
+# gitlab_rails['http_client']['tls_client_cert_file'] = nil
+# gitlab_rails['http_client']['tls_client_cert_password'] = nil
+
 ### GraphQL Settings
 ###! Tells the rails application how long it has to complete a GraphQL request.
 ###! We suggest this value to be higher than the database timeout value
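Review bot: The new `###!` comment above the two `gitlab_rails['http_client']` examples does not say what the two keys expect or where the values end up; the same patch renders the whole hash verbatim into gitlab.yml (the `to_json` line in gitlab.yml.erb), so the password lives in that file in clear text. Suggest extending the comment to something like `###! tls_client_cert_file is the path to the client certificate (with key) used for outbound requests such as webhooks; tls_client_cert_password is the passphrase of that file, if any. Both values are written as-is into gitlab.yml.` Whether the password may be left unset for an unencrypted certificate is decided on the Rails side and is not visible here, so I would phrase that part as "if any" rather than promise it.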
diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb
index 4680ea51fb..9d2be13bb9 100644
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -614,6 +614,8 @@ default['gitlab']['gitlab_rails']['trusted_certs_dir'] = "/etc/gitlab/trusted-ce
 
 default['gitlab']['gitlab_rails']['webhook_timeout'] = nil
 
+default['gitlab']['gitlab_rails']['http_client'] = {}
+
 default['gitlab']['gitlab_rails']['graphql_timeout'] = nil
 
 default['gitlab']['gitlab_rails']['initial_root_password'] = nil
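Review bot: `default['gitlab']['gitlab_rails']['http_client'] = {}` is the only attribute in this patch that is a free-form hash rather than a scalar, and nothing in the cookbook side of the patch restricts which keys it carries; every key a user puts under `gitlab_rails['http_client']` is passed through to gitlab.yml unchanged. A one-line comment naming the keys the Rails side reads would make that contract visible to the next maintainer: `# Mutual TLS client certificate for outbound HTTP requests; keys: tls_client_cert_file, tls_client_cert_password. Rendered verbatim into gitlab.yml.`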
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb b/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
index 1a378ff484..13dab0e019 100644
--- a/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
@@ -110,6 +110,9 @@ production: &base
     # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
     webhook_timeout: <%= @webhook_timeout %>
 
+    ## HTTP client settings
+    http_client: <%= @http_client.to_json %>
+
     ### GraphQL Settings
     # Tells the rails application how long it has to complete a GraphQL request.
     # We suggest this value to be higher than the database timeout value
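Review bot: `http_client: <%= @http_client.to_json %>` serialises the entire attribute hash, including `tls_client_cert_password`, into gitlab.yml, and the `## HTTP client settings` comment above it does not say so or name the keys involved. Embedding JSON as a YAML flow mapping is fine for string and null values, so the rendering itself looks correct, but the comment should document the contract and the secret: `# Mutual TLS client certificate for outbound HTTP requests (tls_client_cert_file, tls_client_cert_password). Rendered as JSON; the password is stored here in clear text.` The surrounding comments use `#` / `###`, so `##` is also inconsistent with the file's style.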
diff --git a/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb b/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb
index f57df0d746..bd3ee0f536 100644
--- a/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb
+++ b/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb
@@ -84,6 +84,34 @@ RSpec.describe 'gitlab::gitlab-rails' do
       end
     end
 
+    describe 'HTTP client settings' do
+      context 'with default configuration' do
+        it 'renders gitlab.yml with empty HTTP client settings' do
+          expect(gitlab_yml[:production][:gitlab][:http_client]).to eq({})
+        end
+      end
+
+      context 'with mutual TLS settings configured' do
+        before do
+          stub_gitlab_rb(
+            gitlab_rails: {
+              http_client: {
+                tls_client_cert_file: '/path/to/tls_cert_file',
+                tls_client_cert_password: 'somepassword'
+              }
+            }
+          )
+        end
+
+        it 'renders gitlab.yml with HTTP client settings' do
+          expect(gitlab_yml[:production][:gitlab][:http_client]).to eq(
+            tls_client_cert_file: '/path/to/tls_cert_file',
+            tls_client_cert_password: 'somepassword'
+          )
+        end
+      end
+    end
+
     describe 'SMIME email settings' do
       context 'with default configuration' do
         it 'renders gitlab.yml with SMIME email settings disabled' do
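Review bot: The new `describe 'HTTP client settings'` block only covers the empty hash and the fully configured pair; there is no case for a partially configured hash, so a regression that started rendering absent keys as `null` (or dropping user keys) would not be caught. Since `@http_client.to_json` emits exactly what the user set, a context with only `tls_client_cert_file` would pin that behaviour. The enclosing `RSpec.describe 'gitlab::gitlab-rails'` starts and ends outside this hunk.

```ruby
    describe 'HTTP client settings' do
      # … unchanged: 'with default configuration' and 'with mutual TLS settings configured' contexts …

      context 'with only the certificate file configured' do
        before do
          stub_gitlab_rb(
            gitlab_rails: {
              http_client: { tls_client_cert_file: '/path/to/tls_cert_file' }
            }
          )
        end

        it 'renders only the configured key' do
          expect(gitlab_yml[:production][:gitlab][:http_client]).to eq(
            tls_client_cert_file: '/path/to/tls_cert_file'
          )
        end
      end
    end
```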
-- 
GitLab


From 0c843ba4534d3b374842a0ac1d2e266f7ca7997a Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Thu, 25 Jan 2024 10:41:19 -0800
Subject: [PATCH 2/2] Improve gitlab.rb.template comment for mutual TLS section

---
 files/gitlab-config-template/gitlab.rb.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files/gitlab-config-template/gitlab.rb.template b/files/gitlab-config-template/gitlab.rb.template
index 60c3580d1f..aaf965d00f 100644
--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@@ -192,7 +192,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # gitlab_rails['webhook_timeout'] = 10
 
 ### HTTP client settings
-###! This is for setting up mutual TLS client cert and password for the cert file.
+###! This is for setting up the mutual TLS client cert and password for the certificate file.
 # gitlab_rails['http_client']['tls_client_cert_file'] = nil
 # gitlab_rails['http_client']['tls_client_cert_password'] = nil
 
-- 
GitLab