Skip to content

Add support for global HTTP TLS client cert

Stan Hu requested to merge sh-add-http-client-cert-support into master

What does this MR do and why?

Some customers need to configure mutual TLS authentication for Webhooks. This commit adds support for an instance-wide client certificate via two settings in gitlab.yml:

  • gitlab.http_client.tls_client_cert_file
  • gitlab.http_client.tls_client_cert_password

Relates to #27450 (closed)

Changelog: added

How to set up and validate locally

You can test mutual TLS authentication via https://client.badssl.com/:

  1. Run bin/rails console.
  2. Run ::Gitlab::HTTP_V2.get('https://client.badssl.com'). This should fail.
  3. Download the client cert: curl -o /tmp/badssl.com-client.pem https://badssl.com/certs/badssl.com-client.pem
  4. In config/gitlab.yml add to the gitlab section:
    ## HTTP client settings
    # Filename of HTTP client pem
    http_client:
      tls_client_cert_file: /tmp/badssl.com-client.pem
    # Filename of HTTP client pem password
      tls_client_cert_password: badssl.com
  1. Repeat step 2. This should work now.
Edited by Stan Hu

Merge request reports

Loading