author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-07-08 06:09:21 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-07-08 06:09:21 +0300 |
commit | 4ec82c35f26a370589b7dd5fa9ca6ee4a079c62b (patch) | |
tree | 7fed6790d2b809c74e2931055256898cb631225d /lib/gitlab/metrics | |
parent | 5487465d35110ef72c2e7cea7ef031c3ddf4dcbc (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/metrics')
-rw-r--r-- | lib/gitlab/metrics/exporter/base_exporter.rb | 43 |
1 files changed, 30 insertions, 13 deletions
diff --git a/lib/gitlab/metrics/exporter/base_exporter.rb b/lib/gitlab/metrics/exporter/base_exporter.rb
index fc271a24cf2..858a0a120cc 100644
--- a/lib/gitlab/metrics/exporter/base_exporter.rb
+++ b/lib/gitlab/metrics/exporter/base_exporter.rb
@@ -7,6 +7,8 @@ module Gitlab
 module Metrics
 module Exporter
 class BaseExporter < Daemon
+ CERT_REGEX = /-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/.freeze
+
 attr_reader :server
 
 # @param settings [Hash] SettingsLogic hash containing the `*_exporter` config
@@ -45,19 +47,7 @@ module Gitlab
 AccessLog: access_log
 }
 
- if settings['tls_enabled']
- # This monkey-patches WEBrick::GenericServer, so never require this unless TLS is enabled.
- require 'webrick/ssl'
-
- server_config.merge!({
- SSLEnable: true,
- SSLCertificate: OpenSSL::X509::Certificate.new(File.binread(settings['tls_cert_path'])),
- SSLPrivateKey: OpenSSL::PKey.read(File.binread(settings['tls_key_path'])),
- # SSLStartImmediately is true by default according to the docs, but when WEBrick creates the
- # SSLServer internally, the switch was always nil for some reason. Setting this explicitly fixes this.
- SSLStartImmediately: true
- })
- end
+ server_config.merge!(ssl_config) if settings['tls_enabled']
 
 @server = ::WEBrick::HTTPServer.new(server_config)
 server.mount '/', Rack::Handler::WEBrick, rack_app
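Review bot: `CERT_REGEX` spells the cross-line match as `(?:.|\n)+?`, which is the usual workaround for `.` not matching newlines; the `/m` flag says the same thing directly and reads as intended, `CERT_REGEX = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m`. The trailing `.freeze` is redundant on a Regexp literal from Ruby 3.0 on, where literals are already frozen, so it can be dropped if the project targets that or later. A one-line comment on the constant would also help the next reader, e.g. `# Matches one PEM-armoured certificate block; used to split a bundle file into individual certificates.`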
@@ -100,6 +90,33 @@ module Gitlab
 run -> (env) { [404, {}, ['']] }
 end
 end
+
+ def ssl_config
+ # This monkey-patches WEBrick::GenericServer, so never require this unless TLS is enabled.
+ require 'webrick/ssl'
+
+ certs = load_ca_certs_bundle(File.binread(settings['tls_cert_path']))
+
+ {
+ SSLEnable: true,
+ SSLCertificate: certs.shift,
+ SSLPrivateKey: OpenSSL::PKey.read(File.binread(settings['tls_key_path'])),
+ # SSLStartImmediately is true by default according to the docs, but when WEBrick creates the
+ # SSLServer internally, the switch was always nil for some reason. Setting this explicitly fixes this.
+ SSLStartImmediately: true,
+ SSLExtraChainCert: certs
+ }
+ end
+
+ # In Ruby OpenSSL v3.0.0, this can be replaced by OpenSSL::X509::Certificate.load
+ # https://github.com/ruby/openssl/issues/254
+ def load_ca_certs_bundle(ca_certs_string)
+ return [] unless ca_certs_string
+
+ ca_certs_string.scan(CERT_REGEX).map do |ca_cert_string|
+ OpenSSL::X509::Certificate.new(ca_cert_string)
+ end
+ end
 end
 end
 end
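Review bot: `certs.shift` on an empty array leaves `SSLCertificate: nil` in the hash `ssl_config` returns, so a certificate file that contains no PEM block no longer fails at startup the way the removed `OpenSSL::X509::Certificate.new(File.binread(...))` call did. That call also accepted DER-encoded input, for which the regex scan in `load_ca_certs_bundle` now silently yields `[]`, so existing DER deployments regress the same way. WEBrick's SSL setup handles a nil `SSLCertificate` itself rather than rejecting it (as far as I recall it substitutes a generated self-signed certificate), which would surface the misconfiguration as an unexpected certificate on the exporter port instead of as an error. I would fail fast after the load and also verify that the key belongs to the leaf with `check_private_key`, as sketched below; `load_ca_certs_bundle` should additionally carry a comment stating that the bundle is expected leaf-first (server certificate, then chain), since `certs.shift` relies on that order.
```ruby
def ssl_config
  # … unchanged: require 'webrick/ssl' …

  certs = load_ca_certs_bundle(File.binread(settings['tls_cert_path']))
  raise ArgumentError, "no PEM certificate found in #{settings['tls_cert_path']}" if certs.empty?

  # The bundle is leaf-first: the first block is the server certificate, the rest is the chain.
  cert = certs.shift
  key = OpenSSL::PKey.read(File.binread(settings['tls_key_path']))
  raise ArgumentError, "#{settings['tls_key_path']} does not match the certificate" unless cert.check_private_key(key)

  {
    SSLEnable: true,
    SSLCertificate: cert,
    SSLPrivateKey: key,
    # … unchanged: SSLStartImmediately comment and flag …
    SSLExtraChainCert: certs
  }
end
```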