Gitlab QA: Switching to using a root certificate
Counterpart MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/54799
Root Certificate Authority
The goal of this change is to clean up the certificate-related scenarios.
Removing the need for trusting self-signed certificates
I removed the need to trust self-signed certificates by creating my own certificate authority that can be trusted by any system, and thus any certificate request that is signed by this authority is automatically trusted by the host.
After a review of the current setup, I had to have new certificates that are all signed by one Certification Authority. This makes it possible to have a central authority that we can add to the root certificates of every instance and thus trust it by default. For client authentication, this approach is the closest to real-life usage of this feature.
Node | File | Creation Command |
---|---|---|
CA | ca.key | `openssl genrsa -out ca.key 4096` |
CA | ca.crt | `openssl req -new -x509 -days 3650 -key ca.key -out ca.crt` |
CA | ca.pem | `cat ca.key ca.crt > ca.pem` |
GitLab | gitlab.test.key | `openssl genrsa -out gitlab.test.key 4096` |
GitLab | gitlab.test.csr | `openssl req -new -key gitlab.test.key -out gitlab.test.csr` |
GitLab | gitlab.test.crt | `openssl x509 -req -days 3650 -in gitlab.test.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out gitlab.test.crt` |
Gitaly | gitaly.test.key | `openssl genrsa -out gitaly.test.key 4096` |
Gitaly | gitaly.test.csr | `openssl req -new -key gitaly.test.key -out gitaly.test.csr` |
Gitaly | gitaly.test.crt | `openssl x509 -req -days 3650 -in gitaly.test.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out gitaly.test.crt` |
The subject for the nodes is kept simple and consists of:
subject=C = US, ST = California, L = San Francisco, O = <Node> Server, CN = <node>.test
Similarly, the subject for the authority is:
subject=C = US, ST = California, L = San Francisco, O = GitLab Authority
Cleaning up old scenarios
There were two old scenarios that are based on SSL and use it in their test setup: LDAP with TLS and mTLS between GitLab and Gitaly. Since there is no need to trust a self-signed certificate if the specs image already trusts our GitLab Authority, I removed this call from the scenario.
I also cleaned up the volume linking on the gitlab and specs components. We no longer need to trust the servers' certificates by putting them in the trusted-certs folder: they are all signed by our authority, so by trusting the authority we trust the server certificates.
A good way to understand this: the gitaly server does not need a copy of the gitlab server's ID for comparison when the gitlab server presents a document signed by the authority and gitaly can verify that signature. gitaly trusts the authority, so this is enough.
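The certificate set from the table above and the trust relationship described here, as an added example that is not part of this MR: a POSIX shell script that builds the GitLab Authority CA and both node certificates with the openssl CLI, then checks with `openssl verify` that a trust store holding only ca.crt validates gitlab.test and gitaly.test while a self-signed certificate for the same gitaly key is rejected. It assumes a small openssl config file in place of the table's interactive prompts (same subject fields), 2048-bit keys only for speed, a subjectAltName on the node certificates so hostname checks work, and distinct serial numbers, because the table's `-set_serial 1` for both nodes would reuse a serial within one issuing CA, which X.509 forbids.

```shell
#!/bin/sh
# Added example, not the MR's own script: rebuild the table's CA and node certs non-interactively,
# then check what the MR relies on: a trust store holding only ca.crt is enough.
set -eu
# write_cnf FILE ORG [CN]: openssl config with the MR's subject fields plus the extensions that
# the table's interactive commands leave to the system defaults (SAN added for hostname checks).
write_cnf() {
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca_ext\n'
    printf '[dn]\nC = US\nST = California\nL = San Francisco\nO = %s\n' "$2"
    [ -z "${3:-}" ] || printf 'CN = %s\n' "$3"
    printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n'
    printf '[leaf_ext]\nbasicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "${3:-unused}"
  } > "$1"
}
# mk_ca DIR: ca.key and self-signed ca.crt for "GitLab Authority" (first two table rows)
mk_ca() {
  write_cnf "$1/ca.cnf" "GitLab Authority"
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$1/ca.key" -out "$1/ca.crt" -config "$1/ca.cnf" 2>/dev/null
}
# mk_node DIR NAME ORG SERIAL: key, CSR and CA-signed cert for NAME.test (distinct serial per node)
mk_node() {
  write_cnf "$1/$2.cnf" "$3 Server" "$2.test"
  openssl genrsa -out "$1/$2.test.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.test.key" -out "$1/$2.test.csr" -config "$1/$2.cnf" 2>/dev/null
  openssl x509 -req -days 3650 -in "$1/$2.test.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -set_serial "$4" -extfile "$1/$2.cnf" -extensions leaf_ext -out "$1/$2.test.crt" 2>/dev/null
}
# trusted_by DIR NAME ANCHOR: succeeds iff NAME.test.crt chains to ANCHOR and names NAME.test
trusted_by() {
  openssl verify -CAfile "$3" -verify_hostname "$2.test" "$1/$2.test.crt" >/dev/null 2>&1
}
# check_trust_model: succeeds iff a trust store holding only ca.crt behaves as the MR describes
check_trust_model() {
  d=$(mktemp -d)
  mk_ca "$d"
  mk_node "$d" gitlab GitLab 1
  mk_node "$d" gitaly Gitaly 2
  # the old style: gitaly presenting a self-signed certificate for the same key
  openssl req -new -x509 -days 3650 -key "$d/gitaly.test.key" -config "$d/gitaly.cnf" -out "$d/selfsigned.crt" 2>/dev/null
  ok=1
  trusted_by "$d" gitlab "$d/ca.crt" || ok=0      # issued by the authority: accepted
  trusted_by "$d" gitaly "$d/ca.crt" || ok=0      # issued by the authority: accepted
  openssl verify -CAfile "$d/ca.crt" "$d/selfsigned.crt" >/dev/null 2>&1 && ok=0  # not issued by it: rejected
  rm -rf "$d"
  [ "$ok" -eq 1 ]
}
check_trust_model && echo "ca.crt alone validates gitlab.test and gitaly.test; the self-signed certificate is rejected"
```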