gitserver: include system certificates for git (!41253) · Merge requests · Administrator / sourcegraph

Administrator requested to merge k/tls-git into main Sep 02, 2022

Created by: keegancsmith

When specifying certificates for tls.external site configuration we adjust the TLS configuration for go and git. In the case of go we would respect both the certificates specified as well as the system certificate authorities. For git we would only respect the custom certificates. This lead to customers either including system certificates in the site configuration, or baking in the custom certificates into our docker images.

We now will include system certificates for git if running on linux. Given we deploy on Linux this is fine. It isn't possible to support all operating systems, since not all OSs expose certificates. For example darwin does not. This is also why the x509 package in go doesn't expose system certificates, since it can't do it cross platform.

As such we introduce the cacert package which is a modification the x509 to expose the system certificates on Linux.

Test Plan: modified unit tests to output the certificate, validated the certificate included the system certifications. Additionally validated the code did not error on non-linux systems.

Fixes https://github.com/sourcegraph/sourcegraph/issues/38128 Fixes https://github.com/sourcegraph/customer/issues/1136

gitserver: include system certificates for git

Merge request reports