Merge branch '4181-ssl-password-file' into 'master'

Support specifying ssl_password_file for nginx

Closes #4181

See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/6367

Merged-by: DJ Mountney <[email protected]>
Approved-by: Jason Young <[email protected]>
Approved-by: DJ Mountney <[email protected]>
Co-authored-by: Balasankar "Balu" C <[email protected]>

Author: twk3

.gitignore

@@ -38,3 +38,5 @@ spec/examples.txt
 .projections.json
 
 coverage/
+
+junit_rspec.xml

doc/settings/ssl.md

@@ -221,10 +221,12 @@ To enable HTTPS:
    the password when you reconfigure GitLab. In that case, Omnibus GitLab
    fails silently with no error messages.
 
-   To remove the password from the key:
+   To specify the password for the key file, store the password in a text file
+   (for example, `/etc/gitlab/ssl/key_file_password.txt`) and add the following
+   to `/etc/gitlab/gitlab.rb`:
 
-   ```shell
-   openssl rsa -in certificate_before.key -out certificate_after.key
+   ```ruby
+   nginx['ssl_password_file'] = '/etc/gitlab/ssl/key_file_password.txt'
    ```
 
 1. Reconfigure GitLab:

files/gitlab-config-template/gitlab.rb.template

@@ -1436,6 +1436,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # nginx['ssl_session_timeout'] = "1d"
 
 # nginx['ssl_dhparam'] = nil # Path to dhparams.pem, eg. /etc/gitlab/ssl/dhparams.pem
+# nginx['ssl_password_file'] = nil # Path to file with passphrases for ssl certificate secret keys
 # nginx['listen_addresses'] = ['*', '[::]']
 
 ##! **Defaults to forcing web browsers to always communicate using only HTTPS**

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -711,6 +711,7 @@
 default['gitlab']['nginx']['ssl_session_tickets'] = "off"
 default['gitlab']['nginx']['ssl_session_timeout'] = "1d" # settings from by https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&ocsp=false&guideline=5.6
 default['gitlab']['nginx']['ssl_dhparam'] = nil # Path to dhparam.pem
+default['gitlab']['nginx']['ssl_password_file'] = nil
 default['gitlab']['nginx']['listen_addresses'] = ['*']
 default['gitlab']['nginx']['listen_port'] = nil # override only if you have a reverse proxy
 default['gitlab']['nginx']['listen_https'] = nil # override only if your reverse proxy internally communicates over HTTP

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb

@@ -98,6 +98,10 @@ server { ## HTTPS server
   <% if @ssl_dhparam %>
   ssl_dhparam <%= @ssl_dhparam %>;
   <% end %>
+
+  <% if @ssl_password_file %>
+  ssl_password_file '<%= @ssl_password_file %>';
+  <% end %>
   <% end %>
 
   ## Real IP Module Config

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-mattermost-http.conf.erb

@@ -59,6 +59,10 @@ server { ## HTTPS server
   <% if @ssl_dhparam %>
   ssl_dhparam <%= @ssl_dhparam %>;
   <% end %>
+
+  <% if @ssl_password_file %>
+  ssl_password_file '<%= @ssl_password_file %>';
+  <% end %>
   <% end %>
 
   ## Real IP Module Config

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-pages-http.conf.erb

@@ -57,6 +57,10 @@ server {
   <% if @ssl_dhparam %>
   ssl_dhparam <%= @ssl_dhparam %>;
   <% end %>
+
+  <% if @ssl_password_file %>
+  ssl_password_file '<%= @ssl_password_file %>';
+  <% end %>
   <% end %>
 
   ## Real IP Module Config

files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-registry-http.conf.erb

@@ -71,6 +71,10 @@ server { ## HTTPS server
   <% if @ssl_dhparam %>
   ssl_dhparam <%= @ssl_dhparam %>;
   <% end %>
+
+  <% if @ssl_password_file %>
+  ssl_password_file '<%= @ssl_password_file %>';
+  <% end %>
   <% end %>
 
   ## Real IP Module Config

spec/chef/cookbooks/gitlab/recipes/nginx_spec.rb

@@ -307,6 +307,49 @@
         expect(content).to include("ssl_verify_depth 7")
       }
     end
+
+    describe 'ssl_password_file' do
+      context 'by default' do
+        it 'does not set ssl_password_file' do
+          http_conf.each_value do |conf|
+            expect(chef_run).to render_file(conf).with_content { |content|
+              expect(content).not_to include("ssl_password_file")
+            }
+          end
+        end
+      end
+
+      context 'when explicitly specified' do
+        before do
+          stub_gitlab_rb(
+            external_url: 'https://localhost',
+            mattermost_external_url: 'https://mattermost.localhost',
+            registry_external_url: 'https://registry.localhost',
+            pages_external_url: 'https://pages.localhost',
+            nginx: {
+              ssl_password_file: '/etc/gitlab/ssl/gitlab_password_file.txt'
+            },
+            mattermost_nginx: {
+              ssl_password_file: '/etc/gitlab/ssl/mattermost_password_file.txt'
+            },
+            pages_nginx: {
+              ssl_password_file: '/etc/gitlab/ssl/pages_password_file.txt'
+            },
+            registry_nginx: {
+              ssl_password_file: '/etc/gitlab/ssl/registry_password_file.txt'
+            }
+          )
+        end
+
+        it "sets ssl_password_file correctly in nginx config" do
+          http_conf.each do |service, conf|
+            expect(chef_run).to render_file(conf).with_content { |content|
+              expect(content).to include("ssl_password_file '/etc/gitlab/ssl/#{service}_password_file.txt';")
+            }
+          end
+        end
+      end
+    end
   end
 
   context 'when is enabled' do