Merge branch 'sh-support-mutual-tls-http-client' into 'master'

Add support for using HTTP TLS client cert

See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7349

Merged-by: Balasankar 'Balu' C <[email protected]>
Approved-by: Clemens Beck <[email protected]>
Approved-by: Andrew Patterson <[email protected]>
Approved-by: Balasankar 'Balu' C <[email protected]>
Reviewed-by: Clemens Beck <[email protected]>
Co-authored-by: Stan Hu <[email protected]>

Author: balasankarc

files/gitlab-config-template/gitlab.rb.template

@@ -192,6 +192,11 @@ external_url 'GENERATED_EXTERNAL_URL'
 ###! request (default: 10)
 # gitlab_rails['webhook_timeout'] = 10
 
+### HTTP client settings
+###! This is for setting up the mutual TLS client cert and password for the certificate file.
+# gitlab_rails['http_client']['tls_client_cert_file'] = nil
+# gitlab_rails['http_client']['tls_client_cert_password'] = nil
+
 ### GraphQL Settings
 ###! Tells the rails application how long it has to complete a GraphQL request.
 ###! We suggest this value to be higher than the database timeout value

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -615,6 +615,8 @@
 
 default['gitlab']['gitlab_rails']['webhook_timeout'] = nil
 
+default['gitlab']['gitlab_rails']['http_client'] = {}
+
 default['gitlab']['gitlab_rails']['graphql_timeout'] = nil
 
 default['gitlab']['gitlab_rails']['initial_root_password'] = nil

files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb

@@ -110,6 +110,9 @@ production: &base
     # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
     webhook_timeout: <%= @webhook_timeout %>
 
+    ## HTTP client settings
+    http_client: <%= @http_client.to_json %>
+
     ### GraphQL Settings
     # Tells the rails application how long it has to complete a GraphQL request.
     # We suggest this value to be higher than the database timeout value

spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb

@@ -84,6 +84,34 @@
       end
     end
 
+    describe 'HTTP client settings' do
+      context 'with default configuration' do
+        it 'renders gitlab.yml with empty HTTP client settings' do
+          expect(gitlab_yml[:production][:gitlab][:http_client]).to eq({})
+        end
+      end
+
+      context 'with mutual TLS settings configured' do
+        before do
+          stub_gitlab_rb(
+            gitlab_rails: {
+              http_client: {
+                tls_client_cert_file: '/path/to/tls_cert_file',
+                tls_client_cert_password: 'somepassword'
+              }
+            }
+          )
+        end
+
+        it 'renders gitlab.yml with HTTP client settings' do
+          expect(gitlab_yml[:production][:gitlab][:http_client]).to eq(
+            tls_client_cert_file: '/path/to/tls_cert_file',
+            tls_client_cert_password: 'somepassword'
+          )
+        end
+      end
+    end
+
     describe 'SMIME email settings' do
       context 'with default configuration' do
         it 'renders gitlab.yml with SMIME email settings disabled' do