Load the system cert pool when dialing websocket channels in workhorse
What does this MR do and why?
This MR adds support for loading the system certificate pool when dialing web socket channels from Workhorse. Previously, the system pool was being ignored, which caused x509: certificate signed by unknown authority errors (and hence "Connection failed" on web terminals) when there was a reverse proxy between GitLab and the runner using a TLS cert that GitLab didn't know about. This fixes #325073 (closed).
Before
Only create a cert pool when CAPem was defined. It will also append the PEM that is specified to that pool.
So any certificate that was trusted by the system wasn't being trusted.
After
Always load a system cert pool, and when CAPem is defined it will just append to the system cert pool.
This ends up trusting the certificates that the system trusted by default.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
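The Before and After behaviour described above, as an added Go example that is not the Workhorse code from this MR. The names rootsBefore, rootsAfter and constructedCA are hypothetical, the CA is generated at run time as constructed sample input, and falling back to an empty pool when the system pool cannot be loaded is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// rootsBefore: a pool exists only when caPEM is set, and holds only that PEM.
func rootsBefore(caPEM string) (pool *x509.CertPool) {
	if caPEM != "" {
		pool = x509.NewCertPool()
		pool.AppendCertsFromPEM([]byte(caPEM))
	}
	return pool
}

// rootsAfter: always start from the system pool, then append caPEM if set.
func rootsAfter(caPEM string) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // assumption: fall back to an empty pool
	}
	if caPEM != "" && !pool.AppendCertsFromPEM([]byte(caPEM)) {
		return nil, fmt.Errorf("CAPem holds no usable certificate")
	}
	return pool, nil
}

// constructedCA builds a throwaway self-signed CA as sample input (errors ignored for brevity).
func constructedCA() (string, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), cert
}

func main() {
	caPEM, ca := constructedCA()
	pool, _ := rootsAfter(caPEM)
	_, err := ca.Verify(x509.VerifyOptions{Roots: pool})
	fmt.Println("constructed CA trusted alongside system roots:", err == nil)
}
```

The returned pool would be assigned to the RootCAs field of the tls.Config used by the dialer.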