
Mutual TLS between GitLab and Gitaly

Problem to solve

Allow mutual TLS between GitLab and Gitaly when using an external Gitaly server.

Proposal

Present the GitLab client certificate when the HTTP connection is opened in https://gitlab.com/gitlab-org/gitlab/blob/master/lib%2Fgitlab%2Fhttp.rb. The certificate path will also need to be set in gitlab.yml.

Example for http.rb (https://gitlab.com/gitlab-org/gitlab/blob/master/lib%2Fgitlab%2Fhttp.rb#L22):

if Gitlab.config['pem_cert'] && Gitlab.config['ssl_ca_file']
  # HTTParty: present the combined cert+key PEM as the client certificate
  # (with its optional passphrase) and trust the configured CA chain
  pem File.read(Gitlab.config['pem_cert']), Gitlab.config['pem_cert_passphrase']
  ssl_ca_file Gitlab.config['ssl_ca_file']
end

Example for gitlab.yml:

production: &base
   #
   # 1. Gitlab app settings
   pem_cert: /path/to/combined/cert/and/key/file
   ssl_ca_file: /path/to/the/ca/chain/gitlab/uses/file
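An added worked example (not code from this issue or from GitLab) of what the proposal amounts to on the client side, using Ruby's standard Net::HTTP and OpenSSL instead of HTTParty so it runs without extra gems: it takes settings shaped like the proposed gitlab.yml keys, splits the combined cert-and-key file, and configures mutual TLS with server verification kept on. The Gitaly host name, temp file layout and self-signed demo certificate are constructed for the example.

```ruby
require 'net/http'
require 'openssl'
require 'tmpdir'

# Split the combined cert+key PEM (the proposed pem_cert file) into its two
# blocks so each is parsed explicitly rather than relying on the parser to
# skip past a leading certificate.
def split_combined_pem(pem_text)
  cert = pem_text[/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m]
  key  = pem_text[/-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----/m]
  raise ArgumentError, 'pem_cert must hold a certificate and a private key' unless cert && key
  { cert: cert, key: key }
end

# Build a Net::HTTP client for mutual TLS from a hash keyed like the proposed
# gitlab.yml settings. Server verification stays on (VERIFY_PEER against
# ssl_ca_file only), and a cert/key mismatch fails loudly instead of
# silently degrading to one-way TLS.
def build_mtls_client(host, port, settings)
  parts = split_combined_pem(File.read(settings['pem_cert']))
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.cert = OpenSSL::X509::Certificate.new(parts[:cert])
  http.key = OpenSSL::PKey.read(parts[:key], settings['pem_cert_passphrase'])
  http.ca_file = settings['ssl_ca_file']
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  raise ArgumentError, 'certificate does not match private key' unless http.cert.check_private_key(http.key)
  http
end

# Constructed demo material (not real GitLab files): a self-signed client cert
# with a passphrase-protected key in one combined file, plus a CA file that
# here is simply the same certificate.
def write_demo_material(passphrase)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=gitlab-demo-client')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  dir = Dir.mktmpdir('gitlab-mtls')
  File.write(File.join(dir, 'client.pem'), cert.to_pem + key.export(OpenSSL::Cipher.new('aes-256-cbc'), passphrase))
  File.write(File.join(dir, 'ca.pem'), cert.to_pem)
  { 'pem_cert' => File.join(dir, 'client.pem'), 'ssl_ca_file' => File.join(dir, 'ca.pem'),
    'pem_cert_passphrase' => passphrase }
end
```

Calling `build_mtls_client('gitaly.example.internal', 9999, write_demo_material('demo-pass'))` returns a client whose `cert`, `key`, `ca_file` and `verify_mode` are set; the first `request` it makes performs the mutual handshake.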

Links / references

Customer ticket: 32 in the Federal instance

The customer is willing to contribute an MR.

/cc @kchasse

Edited by Aric Buerer