Adds default ca_path to gitlab-shell for trusted certs

By default, the HTTP client inside gitlab-shell did not receive any custom certificate paths, so it uses the default system location. Adding ca_path to the default makes it also load the trusted-certs symlinked certs in its pool of trusted certs.

Adds default ca_path to gitlab-shell for trusted certs
8612d224 · Catalin Irimie · 2d899432 · 8612d224 · 8612d224 · 8612d224
Commit 8612d224 authored 4 years ago by Catalin Irimie
--- a/changelogs/unreleased/cat-add-trustedcerts-default-gitlabshell.yml
+++ b/changelogs/unreleased/cat-add-trustedcerts-default-gitlabshell.yml
+---
+title: Add default ca_path to gitlab-shell for trusted certs
+merge_request: 4655
+author:
+type: fixed
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -584,7 +584,9 @@ default['gitlab']['gitlab-shell']['log_directory'] = "/var/log/gitlab/gitlab-she
 default['gitlab']['gitlab-shell']['log_level'] = nil
 default['gitlab']['gitlab-shell']['log_format'] = "json"
 default['gitlab']['gitlab-shell']['audit_usernames'] = nil
-default['gitlab']['gitlab-shell']['http_settings'] = nil
+default['gitlab']['gitlab-shell']['http_settings'] = {
+  ca_path: "#{node['package']['install-dir']}/embedded/ssl/certs"
+}
 default['gitlab']['gitlab-shell']['auth_file'] = nil
 default['gitlab']['gitlab-shell']['git_trace_log_file'] = nil
 default['gitlab']['gitlab-shell']['custom_hooks_dir'] = nil

--- a/spec/chef/recipes/gitaly_spec.rb
+++ b/spec/chef/recipes/gitaly_spec.rb
@@ -82,6 +82,7 @@ RSpec.describe 'gitaly' do
        expect(content).to include("internal_socket_dir = '/var/opt/gitlab/gitaly/internal_sockets'")
        expect(content).to include("bin_dir = '/opt/gitlab/embedded/bin'")
        expect(content).to include(%(rugged_git_config_search_path = "/opt/gitlab/embedded/etc"))
+        expect(content).to include("ca_path = '/opt/gitlab/embedded/ssl/certs'")
      }
  
      expect(chef_run).not_to render_file(config_path)

--- a/spec/chef/recipes/gitlab-shell_spec.rb
+++ b/spec/chef/recipes/gitlab-shell_spec.rb
@@ -50,7 +50,8 @@ RSpec.describe 'gitlab::gitlab-shell' do
          custom_hooks_dir: nil,
          migration: { enabled: true, features: [] },
          gitlab_url: 'http+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsockets%2Fsocket',
-          gitlab_relative_path: ''
+          gitlab_relative_path: '',
+          http_settings: { ca_path: "/opt/gitlab/embedded/ssl/certs" }
        )
      )
    end