Add support for global HTTP TLS client cert
What does this MR do and why?
Some customers need to configure mutual TLS authentication for Webhooks. This commit adds support for an instance-wide client certificate via two settings in gitlab.yml:
- gitlab.http_client.tls_client_cert_file
- gitlab.http_client.tls_client_cert_password
Relates to #27450 (closed)
Changelog: added
How to set up and validate locally
You can test mutual TLS authentication via https://client.badssl.com/:
1. Run:
       bin/rails console
2. Run:
       ::Gitlab::HTTP_V2.get('https://client.badssl.com')
   This should fail.
3. Download the client cert:
       curl -o /tmp/badssl.com-client.pem https://badssl.com/certs/badssl.com-client.pem
4. In config/gitlab.yml add to the gitlab section:
       ## HTTP client settings
       # Filename of HTTP client pem
       http_client:
         tls_client_cert_file: /tmp/badssl.com-client.pem
         # Filename of HTTP client pem password
         tls_client_cert_password: badssl.com
5. Repeat step 2. This should work now.
Edited by Stan Hu
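
A pre-flight check for the file and password that the two settings point at, as an added Ruby example that is not part of this MR or of GitLab's code. check_client_cert and build_sample_identity are hypothetical helpers, and the key and certificate are constructed in memory so the script runs offline.

```ruby
require 'openssl'
require 'tempfile'

# Hypothetical pre-flight helper (not GitLab code): confirm that a PEM bundle
# holds a certificate and a private key that decrypts with the given password,
# matches the certificate, and is inside its validity window.
def check_client_cert(pem_path, password, now: Time.now)
  pem = File.read(pem_path)
  cert = OpenSSL::X509::Certificate.new(pem)
  # Pass '' rather than nil so OpenSSL never prompts on the terminal.
  key = OpenSSL::PKey.read(pem, password.to_s)
  return [false, 'key does not match certificate'] unless cert.check_private_key(key)
  return [false, 'certificate outside validity window'] unless now.between?(cert.not_before, cert.not_after)
  [true, 'ok']
rescue SystemCallError => e
  [false, "cannot read file: #{e.class}"]
rescue OpenSSL::X509::CertificateError
  [false, 'no certificate found']
rescue OpenSSL::PKey::PKeyError
  [false, 'private key missing or wrong password']
end

# Constructed sample input: a self-signed certificate valid for one hour and
# its RSA key, encrypted with the given password. Returns [key_pem, cert_pem].
def build_sample_identity(password)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-client')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), password), cert.to_pem]
end

if __FILE__ == $PROGRAM_NAME
  key_pem, cert_pem = build_sample_identity('constructed-pass')
  Tempfile.create('client-pem') do |f|
    f.write(key_pem + cert_pem)
    f.flush
    p check_client_cert(f.path, 'constructed-pass') # matching password
    p check_client_cert(f.path, 'wrong-pass')       # wrong password
  end
end
```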