Add support for using HTTP TLS client cert

stanhu · balasankarc · commit 51697fdb3d6a · 2024-01-26T16:33:22.000Z
Some customers need to configure mutual TLS authentication for Webhooks. This commit adds support for an instance-wide client certificate via two settings added in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140263: ```ruby gitlab_rails['http_client']['tls_client_cert_file'] = '/path/to/cert.pem' gitlab_rails['http_client']['tls_client_cert_password'] = 'somepassword' ``` Relates to: * https://gitlab.com/gitlab-org/gitlab/-/issues/27450 * https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8356 Changelog: added
diff --git a/files/gitlab-config-template/gitlab.rb.template b/files/gitlab-config-template/gitlab.rb.template
@@ -192,6 +192,11 @@ external_url 'GENERATED_EXTERNAL_URL'
 ###! request (default: 10)
 # gitlab_rails['webhook_timeout'] = 10
 
+### HTTP client settings
+###! This is for setting up the mutual TLS client cert and password for the certificate file.
+# gitlab_rails['http_client']['tls_client_cert_file'] = nil
+# gitlab_rails['http_client']['tls_client_cert_password'] = nil
+
 ### GraphQL Settings
 ###! Tells the rails application how long it has to complete a GraphQL request.
 ###! We suggest this value to be higher than the database timeout value
diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -615,6 +615,8 @@
 
 default['gitlab']['gitlab_rails']['webhook_timeout'] = nil
 
+default['gitlab']['gitlab_rails']['http_client'] = {}
+
 default['gitlab']['gitlab_rails']['graphql_timeout'] = nil
 
 default['gitlab']['gitlab_rails']['initial_root_password'] = nil
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb b/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
@@ -110,6 +110,9 @@ production: &base
     # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
     webhook_timeout: <%= @webhook_timeout %>
 
+    ## HTTP client settings
+    http_client: <%= @http_client.to_json %>
+
     ### GraphQL Settings
     # Tells the rails application how long it has to complete a GraphQL request.
     # We suggest this value to be higher than the database timeout value
diff --git a/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb b/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb
@@ -84,6 +84,34 @@
       end
     end
 
+    describe 'HTTP client settings' do
+      context 'with default configuration' do
+        it 'renders gitlab.yml with empty HTTP client settings' do
+          expect(gitlab_yml[:production][:gitlab][:http_client]).to eq({})
+        end
+      end
+
+      context 'with mutual TLS settings configured' do
+        before do
+          stub_gitlab_rb(
+            gitlab_rails: {
+              http_client: {
+                tls_client_cert_file: '/path/to/tls_cert_file',
+                tls_client_cert_password: 'somepassword'
+              }
+            }
+          )
+        end
+
+        it 'renders gitlab.yml with HTTP client settings' do
+          expect(gitlab_yml[:production][:gitlab][:http_client]).to eq(
+            tls_client_cert_file: '/path/to/tls_cert_file',
+            tls_client_cert_password: 'somepassword'
+          )
+        end
+      end
+    end
+
     describe 'SMIME email settings' do
       context 'with default configuration' do
         it 'renders gitlab.yml with SMIME email settings disabled' do
