Unable to configure SSL client certificates for PostgreSQL
Summary
Although the Rails codebase supports the ability to configure SSL client certificates for use with PostgreSQL, there are no options to provide this information to Omnibus via the gitlab.rb.
We know this functionality works, as it is actively used in the GitLab cloud native Helm chart.
Client has GitLab and the database installed on separate servers. They have set up the system to use SSL over the connection to the database (per https://docs.gitlab.com/omnibus/settings/database.html), however we are not sure how to configure the application to use client certificates to authenticate into the database. Any thoughts?
This affects master and all released versions.
Steps to reproduce
Run PostgreSQL on a separate instance from the application, with SSL client certificates configured (for example, Google CloudSQL).
What is the current bug behavior?
The only way to configure client certificates is:
- manual management of the client certificate & key on the filesystem
  - Workaround suggestion: /etc/gitlab/, ensure files are readable by the git user.
- the addition of PGSSLCERT & PGSSLKEY environment variables for all components that need them
Example addition to /etc/gitlab/gitlab.rb:
gitlab_rails['env'] = {
  'BUNDLE_GEMFILE' => "/opt/gitlab/embedded/service/gitlab-rails/Gemfile",
  'PATH' => "/opt/gitlab/bin:/opt/gitlab/embedded/bin:/bin:/usr/bin",
  'PGSSLCERT' => "/etc/gitlab/pg.client.cert",
  'PGSSLKEY' => "/etc/gitlab/pg.client.key",
}
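Because the workaround leaves the certificate and key as hand-managed files, a preflight check on the pair catches the usual failures before GitLab is reconfigured. The following is an added example, not code from GitLab or from this issue: the function names, the `uid:` parameter and the throwaway self-signed pair are assumptions made for illustration.

```ruby
require 'openssl'
require 'tmpdir'

# Returns a list of problems with a libpq client cert/key pair; empty means usable.
# uid: account that opens the files (on the page, the git user); defaults to this process.
def pg_client_cert_problems(cert_path, key_path, uid: Process.euid, now: Time.now)
  missing = [cert_path, key_path].reject { |p| File.file?(p) }
  return missing.map { |p| "#{p}: missing" } unless missing.empty?

  problems = []
  st = File.stat(key_path)
  mode = st.mode & 0o7777
  # Strict libpq rule: no group/other access to the private key. Some libpq
  # versions also accept a root-owned 0640 key; that case is reported here.
  problems << format('%s: mode %04o allows group/other access', key_path, mode) if mode & 0o077 != 0
  problems << "#{key_path}: owned by uid #{st.uid}, expected #{uid}" if st.uid != uid
  begin
    cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
    key = OpenSSL::PKey.read(File.read(key_path))
  rescue OpenSSL::OpenSSLError => e
    return problems << "cannot parse certificate or key: #{e.class}"
  end
  problems << 'certificate and key do not match' unless cert.check_private_key(key)
  problems << 'certificate expired' if cert.not_after < now
  problems << 'certificate not yet valid' if cert.not_before > now
  problems
end

# Constructed sample input: a throwaway self-signed pair, named like the page's files.
def write_sample_pair(dir, key_mode: 0o600)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=gitlab-sample')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  paths = [File.join(dir, 'pg.client.cert'), File.join(dir, 'pg.client.key')]
  File.write(paths[0], cert.to_pem)
  File.write(paths[1], key.to_pem)
  File.chmod(key_mode, paths[1])
  paths
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |d|
    puts pg_client_cert_problems(*write_sample_pair(d, key_mode: 0o644))
  end
end
```

Against the real files, pass `uid: Etc.getpwnam('git').uid` (after `require 'etc'`) so the ownership check reflects the account that actually opens the key.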
What is the expected correct behavior?
Provide gitlab_rails['db_sslcert'] & gitlab_rails['db_sslkey'], so that all components that need access are configured automatically via the rendered database.yml.