
feat(backend): support custom SSL root CAs for internal GitLab instances #1058

Draft

jeremyeder wants to merge 2 commits into main from fix/custom-ssl-ca-support

Conversation

@jeremyeder
Contributor

Summary

  • Adds httputil package with a shared http.Transport that loads additional CA certificates from the CUSTOM_CA_BUNDLE environment variable, appending them to the system cert pool
  • Updates all outbound HTTP clients connecting to user-configured hosts (ValidateGitLabToken, ValidateGitHubToken, ValidateJiraToken, ValidateGoogleToken, gitlab.NewClient) to use the shared transport
  • Transport mirrors net/http.DefaultTransport settings (proxy, HTTP/2, dial timeouts, keep-alive) and falls back gracefully to Go defaults on any CA loading failure

Closes #1038

Test plan

  • Set CUSTOM_CA_BUNDLE to a valid PEM file with a corporate CA and verify connections to an internal GitLab instance succeed
  • Verify connections to public hosts (gitlab.com, github.com, googleapis.com) still work without CUSTOM_CA_BUNDLE set
  • Set CUSTOM_CA_BUNDLE to a nonexistent path and verify the backend starts with a warning log and falls back to system CAs
  • Set CUSTOM_CA_BUNDLE to a file with invalid PEM content and verify the backend starts with a warning and falls back to system CAs
  • Verify HTTP_PROXY/HTTPS_PROXY environment variables are still respected

🤖 Generated with Claude Code

Add a shared httputil package that loads additional CA certificates from
the CUSTOM_CA_BUNDLE environment variable and applies them to a reusable
http.Transport. Update all outbound HTTP clients that connect to
user-configured hosts (GitLab, GitHub, Jira, Google OAuth) to use the
shared transport.

The transport mirrors net/http.DefaultTransport settings (proxy, HTTP/2,
dial timeouts, keep-alive) and gracefully falls back to Go defaults if
the bundle file is unreadable or contains no valid PEM certificates.

Closes #1038

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
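The transport the description above sketches, written out as an added Go example. This is not the PR's httputil package (its diff is not on this page): the names newTransport, loadCertPool, hasCustomRoots, trustedBy and selfSignedCAPEM are assumptions, and the CA it trusts is generated in-process as constructed test data standing in for the corporate CA of the test plan. Only the CUSTOM_CA_BUNDLE variable name comes from the PR.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

const customCABundleEnv = "CUSTOM_CA_BUNDLE" // variable name taken from the PR description

// loadCertPool starts from the system roots and appends every certificate in the PEM
// file at bundlePath; an unreadable or certificate-free file is an error (caller falls back).
func loadCertPool(bundlePath string) (*x509.CertPool, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no usable system store: start from an empty pool
	}
	data, err := os.ReadFile(bundlePath)
	if err != nil {
		return nil, fmt.Errorf("read bundle: %w", err)
	}
	if !pool.AppendCertsFromPEM(data) {
		return nil, fmt.Errorf("%s contains no valid PEM certificates", bundlePath)
	}
	return pool, nil
}

// newTransport clones net/http.DefaultTransport (proxy, HTTP/2, dial timeouts and keep-alive
// preserved) and installs the extended root pool; any loading failure is logged and the clone is used as-is.
func newTransport(bundlePath string) *http.Transport {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	if bundlePath == "" {
		return tr // variable unset: plain Go defaults, system CAs only
	}
	pool, err := loadCertPool(bundlePath)
	if err != nil {
		log.Printf("warning: %s ignored, using system CAs: %v", customCABundleEnv, err)
		return tr
	}
	tr.TLSClientConfig = &tls.Config{RootCAs: pool} // the fresh clone carries no TLSClientConfig to preserve
	return tr
}

// hasCustomRoots reports whether newTransport installed a custom root pool.
func hasCustomRoots(tr *http.Transport) bool {
	return tr.TLSClientConfig != nil && tr.TLSClientConfig.RootCAs != nil
}

// trustedBy reports whether certPEM chains to the transport's root pool, i.e. whether a server presenting it would verify.
func trustedBy(tr *http.Transport, certPEM []byte) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil || !hasCustomRoots(tr) {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: tr.TLSClientConfig.RootCAs})
	}
	return err == nil
}

// selfSignedCAPEM generates a throwaway self-signed CA standing in for the corporate CA of
// the test plan (constructed test data, not a real certificate).
func selfSignedCAPEM() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	caPEM, err := selfSignedCAPEM()
	if err != nil {
		log.Fatal(err)
	}
	bundle := filepath.Join(os.TempDir(), "example-ca-bundle.pem")
	if err := os.WriteFile(bundle, caPEM, 0o600); err != nil {
		log.Fatal(err)
	}
	defer os.Remove(bundle)
	tr := newTransport(bundle) // production wiring: newTransport(os.Getenv(customCABundleEnv))
	fmt.Printf("custom roots: %v, constructed CA trusted: %v\n", hasCustomRoots(tr), trustedBy(tr, caPEM))
}
```

Two design points worth noting. Appending to x509.SystemCertPool rather than replacing it is what keeps public hosts (gitlab.com, github.com, googleapis.com) working when the variable is set, since the corporate bundle alone would not chain to their public roots. Cloning net/http.DefaultTransport is what carries over ProxyFromEnvironment, HTTP/2 negotiation and the dial timeouts without restating them. The fallback on a missing or malformed bundle is deliberately soft, which is why the warning log line matters: an operator who mistypes the path otherwise only discovers it when internal GitLab calls fail certificate verification. The test plan's three bundle cases (valid PEM, nonexistent path, invalid content) can be exercised offline with hasCustomRoots and trustedBy.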
@coderabbitai
Contributor

coderabbitai bot commented Mar 26, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3f0841ac-6cf3-47d2-8d15-f5c3e04c3f22

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@ktdreyer
Contributor

What do you think about the first option (config.openshift.io/inject-trusted-cabundle: "true")? That seems more elegant, if it works.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>


Development

Successfully merging this pull request may close these issues.

Support custom SSL root CAs for internal GitLab instances

2 participants