From 5ae8a6f85ea92fff615a34d0cbdeaad72fd60a59 Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Tue, 19 Dec 2023 13:07:47 -0800
Subject: [PATCH] Add support for global HTTP TLS client cert

Some customers need to configure mutual TLS authentication for Webhooks. This commit adds support for an instance-wide client certificate via two settings in gitlab.yml:

* gitlab.http_client.tls_client_cert_file
* gitlab.http_client_tls_client_cert_password

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/27450

Changelog: added
---
 config/gitlab.yml.example | 7 +++++++
 config/initializers/gitlab_http.rb | 8 ++++++++
 2 files changed, 15 insertions(+)

diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 14fb285f4f8c63..e4fd20f9454c70 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -159,6 +159,13 @@ production: &base
 # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
 # webhook_timeout: 10
+ ## HTTP client settings
+ http_client:
+ # Filename of HTTP client pem
+ # tls_client_cert_file:
+ # PEM password (optional)
+ # tls_client_cert_password:
+
 ### GraphQL Settings
 # Tells the rails application how long it has to complete a GraphQL request.
 # We suggest this value to be higher than the database timeout value
diff --git a/config/initializers/gitlab_http.rb b/config/initializers/gitlab_http.rb
index 8a84313a7fb926..cd891f29584ea0 100644
--- a/config/initializers/gitlab_http.rb
+++ b/config/initializers/gitlab_http.rb
@@ -24,3 +24,11 @@
 Gitlab::SilentMode.log_info(message: message, outbound_http_request_method: http_method)
 end
 end
+
+if Gitlab.config.gitlab['http_client'] pem = File.read(Gitlab.config.gitlab['http_client']['tls_client_cert_file']) password = Gitlab.config.gitlab['http_client']['tls_client_cert_password']
+ Gitlab::HTTP_V2::Client.pem(pem, password) Gitlab::LegacyHTTP.pem(pem, password)
+end
-- GitLab
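Review bot: The comment `# Filename of HTTP client pem` on the new `tls_client_cert_file` key does not tell the operator what the file must contain or how broadly it is used. The value is read with `File.read` and handed unchanged to `pem(pem, password)` on both HTTP clients in the other hunk, which in the HTTParty convention expects the client certificate and its private key together in one PEM file (worth confirming against those clients), and that option appears to apply to every request those clients send, not only webhook deliveries. I would write `# Path to a PEM file holding the client certificate and its private key; presented on all outbound requests made through the GitLab HTTP client, not just webhooks`, and extend the password comment with `# (the file is read once at startup, so rotate the key and restart)`. The commit message also spells the second key `gitlab.http_client_tls_client_cert_password`, while the example nests it under `http_client`; the nested form here is the one the initializer reads.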
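Review bot: `File.read` in the new block receives `nil` whenever the `http_client` section exists but `tls_client_cert_file` is unset or blank, so a partially filled or empty `http_client:` mapping aborts boot with a TypeError instead of a readable configuration error, because the outer `if` only checks that the section itself is present. Keying the guard on the certificate path, and reading the section once instead of three times, avoids that; see below. A missing or unreadable file should still fail startup, since the operator explicitly asked for a client certificate, so I would not rescue `Errno::*` there. Note also that the PEM contents, including the private key, are then held in the class-level options of both clients for the process lifetime and appear to be presented on every request those clients make, not only webhooks, which neither the surrounding comments nor the commit message make clear.
```ruby
http_client = Gitlab.config.gitlab['http_client']
cert_file = http_client && http_client['tls_client_cert_file']

# Only wire up mutual TLS when a certificate path is actually configured;
# a missing or unreadable file still raises here, which is the intended fail-closed behaviour.
if cert_file.present?
  pem = File.read(cert_file)
  password = http_client['tls_client_cert_password']

  Gitlab::HTTP_V2::Client.pem(pem, password)
  Gitlab::LegacyHTTP.pem(pem, password)
end
```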