add option to load a custom CA cert (#353)

larscom · web-flow · commit 88fea752d275 · 2025-10-17T18:30:12.000+02:00
* add option to load a custom CA cert

* rename

* removed debug log
diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@ The default functionality of Gitlab is limited at the project level. This can be
 of
 projects, potentially resulting in undetected failed pipelines.
 
-## 👉 [Demo (main branch)](https://gitlab-ci-dashboard.larscom.nl)
+## 👉 [Demo](https://gitlab-ci-dashboard.larscom.nl)
 
 <br />
 
@@ -66,13 +66,22 @@ projects, potentially resulting in undetected failed pipelines.
 2. Run docker with the required environment variables (GITLAB_BASE_URL, GITLAB_API_TOKEN)
 
 ```bash
-docker run -p 8080:8080 -e GITLAB_BASE_URL=https://gitlab.com -e GITLAB_API_TOKEN=my_token larscom/gitlab-ci-dashboard:latest
+docker run \
+  -p 8080:8080 \
+  -e GITLAB_BASE_URL=https://gitlab.com \
+  -e GITLAB_API_TOKEN=my_token \
+  larscom/gitlab-ci-dashboard:latest
 ```
 
 Or you can run it with a TOML configration file
 
 ```bash
-docker run -p 8080:8080 -v $(pwd)/config.toml:/app/config.toml larscom/gitlab-ci-dashboard:latest
+docker run \
+  -p 8080:8080 \
+  -e GITLAB_BASE_URL=https://gitlab.com \
+  -e GITLAB_API_TOKEN=my_token \
+  -v ./config.toml:/app/config.toml \
+  larscom/gitlab-ci-dashboard:latest
 ```
 
 3. Dashboard should be available at: http://localhost:8080/ showing (by default) all available groups and their
@@ -103,13 +112,39 @@ A TOML file takes precedence over environment variables, except for the `RUST_LO
 
 > An example TOML file can be found inside the `./api` folder.
 
-Mount the `config.toml` inside the container.
+Mount the `config.toml` inside the container (`/app/config.toml`)
 
 ```bash
-docker run -p 8080:8080 -v $(pwd)/config.toml:/app/config.toml larscom/gitlab-ci-dashboard:latest
+docker run \
+  -p 8080:8080 \
+  -e GITLAB_BASE_URL=https://gitlab.com \
+  -e GITLAB_API_TOKEN=my_token \
+  -v ./config.toml:/app/config.toml \
+  larscom/gitlab-ci-dashboard:latest
 ```
 
-### Environment variables
+## 📜 Custom CA certificate
+If you are running a gitlab instance that is using a TLS certificate signed with a private CA you are able to provide that CA as mount (PEM encoded)
+
+This is needed when the dashboard backend is unable to make a connection to the gitlab API over HTTPS.
+
+Mount the `ca.crt` inside the container (`/app/certs/ca.crt`)
+
+```bash
+docker run \
+  -p 8080:8080 \
+  -e GITLAB_BASE_URL=https://gitlab.com \
+  -e GITLAB_API_TOKEN=my_token \
+  -v ./ca.crt:/app/certs/ca.crt \
+  larscom/gitlab-ci-dashboard:latest
+```
+
+### Troubleshooting
+If you are still unable to connect with a custom CA cert, be sure that the gitlab server certificate contains a valid SAN (Subject Alternative Name)
+
+If there is a mismatch the HTTP client is still unable to make a proper connection.
+
+## 🌍 Environment variables
 
 | Variable                          | Type   | Description                                                                                                                        | Required | Default      |
 |-----------------------------------|--------|------------------------------------------------------------------------------------------------------------------------------------|----------|--------------|
diff --git a/api/.gitignore b/api/.gitignore
@@ -1,2 +1,3 @@
 .env
 config.toml
+certs/
diff --git a/api/Cargo.lock b/api/Cargo.lock
diff --git a/api/Cargo.toml b/api/Cargo.toml
@@ -16,7 +16,7 @@ dotenv = "0.15.0"
 env_logger = "0.11.8"
 log = "0.4.28"
 moka = { version = "0.12.11", features = ["future"] }
-reqwest = { version = "0.12.24", features = ["json"] }
+reqwest = { version = "0.12.24", features = ["json", "rustls-tls"] }
 tokio = { version = "1.48.0", features = ["sync"] }
 async-trait = "0.1.89"
 futures = "0.3.31"
diff --git a/api/src/gitlab.rs b/api/src/gitlab.rs
@@ -11,6 +11,7 @@ use reqwest::{Client, Url};
 use serde::de::DeserializeOwned;
 use serde_json::Value;
 use std::collections::HashMap;
+use std::fs;
 use tokio::sync::mpsc;
 
 #[async_trait]
@@ -79,14 +80,29 @@ struct Page<T: DeserializeOwned> {
 }
 
 impl GitlabClient {
+    fn get_ca_cert() -> Option<reqwest::Certificate> {
+        match fs::read("./certs/ca.crt") {
+            Ok(cert) => {
+                let ca = String::from_utf8_lossy(&cert);
+                log::debug!("Found custom CA cert:\n{ca}");
+                Some(reqwest::Certificate::from_pem(&cert).expect("invalid cert"))
+            }
+            Err(_) => None,
+        }
+    }
+
     pub fn new(gitlab_url: &str, gitlab_token: &str) -> Self {
-        let http_client = Client::builder()
-            .default_headers(create_http_headers(gitlab_token))
-            .build()
-            .expect("http client to be build");
+        let mut client_builder = Client::builder()
+            .use_rustls_tls()
+            .default_headers(create_http_headers(gitlab_token));
+
+        if let Some(ca) = Self::get_ca_cert() {
+            client_builder = client_builder.add_root_certificate(ca);
+        }
+
         Self {
             base_url: format!("{gitlab_url}/api/v4"),
-            http_client,
+            http_client: client_builder.build().expect("invalid client"),
         }
     }
 }
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -7,8 +7,9 @@ services:
         VERSION_ARG: docker
     env_file:
       - ./api/.env
-#    volumes:
-#      - ./api/config.toml:/app/config.toml
+    # volumes:
+    #  - ./api/config.toml:/app/config.toml
+    #  - ./api/certs/ca.crt:/app/certs/ca.crt
     environment:
       - 'TZ=Europe/Amsterdam'
     ports:

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`.env`
`2`	`2`	`config.toml`
	`3`	`+certs/`