Manage custom SSL certificates in /opt/gitlab/embedded/ssl/certs
This is just an idea.
If you run your own CA, you may want to tell omnibus-gitlab to trust that CA. The way to do that is to create a special symlink (based on a hash of the cert) in /opt/gitlab/embedded/ssl/certs.
It would be nice if gitlab-ctl reconfigure would manage that directory. Something like:
openssl['trusted_certs'] = %w{
/path/to/foo.pem
/path/to/bar.pem
}
Then during the reconfigure:
- 'calculate' the symlink filenames for the given list of certificates
- abort if one of the certificates cannot be read
- create the symlinks in /opt/gitlab/embedded/ssl/certs
- remove any symlinks or files from /opt/gitlab/embedded/ssl/certs that we do not know about
The last part is needed to reliably remove trusted certificates.
All the plumbing for something like this already exists in omnibus-gitlab; it is a matter of writing Chef cookbook code.
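The four reconfigure steps listed in the proposal above, as an added Ruby example; this is not omnibus-gitlab or Chef cookbook code. `sync_trusted_certs` and `write_sample_ca` are hypothetical names, and the sample CA is constructed for illustration.

```ruby
require 'openssl'
require 'fileutils'

# Hypothetical helper: make certs_dir hold exactly one hash symlink per cert.
def sync_trusted_certs(cert_paths, certs_dir)
  wanted = {}
  cert_paths.each do |path|
    # Parse everything before touching certs_dir, so one unreadable or
    # malformed certificate aborts the run with the directory unchanged.
    begin
      cert = OpenSSL::X509::Certificate.new(File.read(path))
    rescue SystemCallError, OpenSSL::X509::CertificateError => e
      raise ArgumentError, "cannot read trusted certificate #{path}: #{e.message}"
    end
    # Same value as `openssl x509 -hash -noout`; the numeric suffix keeps
    # apart certificates whose subject hashes are equal.
    base = format('%08x', cert.subject.hash)
    n = 0
    n += 1 while wanted.key?("#{base}.#{n}")
    wanted["#{base}.#{n}"] = File.expand_path(path)
  end
  FileUtils.mkdir_p(certs_dir)
  # Remove stale entries first (any file or symlink not in `wanted`), so a
  # certificate dropped from the list stops being trusted.
  Dir.children(certs_dir).each do |entry|
    full = File.join(certs_dir, entry)
    next if File.symlink?(full) && File.readlink(full) == wanted[entry]
    File.delete(full) if File.symlink?(full) || File.file?(full)
  end
  wanted.each do |name, target|
    link = File.join(certs_dir, name)
    File.symlink(target, link) unless File.symlink?(link)
  end
  wanted
end

# Constructed sample input: a throwaway self-signed CA written to `path`.
def write_sample_ca(path, common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  File.write(path, cert.to_pem)
end
```

Because stale entries are deleted, the directory has to be owned entirely by this routine: anything placed there by hand disappears on the next run.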