From 907f0ce8a2c3f79fb389abec6d6315cd5b711ed8 Mon Sep 17 00:00:00 2001 From: Ahmad Hassan Date: Fri, 21 Dec 2018 11:43:45 +0200 Subject: [PATCH] More tls gitaly docs --- doc/administration/gitaly/index.md | 30 +++++++++++++++++++++++++-- spec/lib/gitlab/gitaly_client_spec.rb | 8 +++++++ 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/doc/administration/gitaly/index.md b/doc/administration/gitaly/index.md index bcb6a11cd85..cf37eaa0b61 100644 --- a/doc/administration/gitaly/index.md +++ b/doc/administration/gitaly/index.md @@ -221,9 +221,14 @@ Gitaly supports TLS credentials for GRPC authentication. To be able to communica with a gitaly instance that listens for secure connections you will need to use `tls://` url scheme in the `gitaly_address` of the corresponding storage entry in the gitlab configuration. +The admin needs to bring their own certificate as we do not provide that automatically. +The certificate to be used needs to be installed on all gitaly nodes and on all client nodes that communicate with it following procedures described in [GitLab custom certificate configuration](https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates) + ### Example TLS configuration -Omnibus installations: +### Omnibus installations: + +#### On client nodes: ```ruby # /etc/gitlab/gitlab.rb @@ -235,7 +240,17 @@ git_data_dirs({ gitlab_rails['gitaly_token'] = 'abc123secret' ``` -Source installations: +#### On gitaly server nodes: + +```ruby +gitaly['tls_listen_addr'] = "0.0.0.0:9999" +gitaly['certificate_path'] = "path/to/cert.pem" +gitaly['key_path'] = "path/to/key.pem" +``` + +### Source installations: + +#### On client nodes: ```yaml # /home/git/gitlab/config/gitlab.yml 
@@ -253,6 +268,17 @@ gitlab: token: 'abc123secret' ``` +#### On gitaly server nodes: + +```toml +# /home/git/gitaly/config.toml +tls_listen_addr = '0.0.0.0:9999' + +[tls] +certificate_path = '/path/to/cert.pem' +key_path = '/path/to/key.pem' +``` + ## Disabling or enabling the Gitaly service in a cluster environment If you are running Gitaly [as a remote diff --git a/spec/lib/gitlab/gitaly_client_spec.rb b/spec/lib/gitlab/gitaly_client_spec.rb index d9ae73223c6..e41a75c37a7 100644 --- a/spec/lib/gitlab/gitaly_client_spec.rb +++ b/spec/lib/gitlab/gitaly_client_spec.rb @@ -3,6 +3,14 @@ require 'spec_helper' # We stub Gitaly in `spec/support/gitaly.rb` for other tests. We don't want # those stubs while testing the GitalyClient itself. describe Gitlab::GitalyClient do + let(:sample_cert) { Rails.root.join('spec/fixtures/clusters/sample_cert.pem').to_s } + + before do + allow(described_class) + .to receive(:stub_cert_paths) + .and_return([sample_cert]) + end + def stub_repos_storages(address) allow(Gitlab.config.repositories).to receive(:storages).and_return({ 'default' => { 'gitaly_address' => address }
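Review bot: The added `before` block stubs `stub_cert_paths` for every example in the `describe`, including those that never build a `tls://` channel, and nothing in this hunk asserts that the stub is actually consumed, so a regression in the certificate-loading path would be masked rather than caught. Scoping the stub to the TLS context and pairing it there with `expect(described_class).to receive(:stub_cert_paths).and_return([sample_cert])` would pin the behaviour the fixture is meant to exercise; the examples that use `tls://` addresses, if any, are outside this hunk. Reusing `spec/fixtures/clusters/sample_cert.pem` also couples this spec to another feature's fixture, so if that file changes (a chain instead of a single cert, a rotated or expired cert) the client spec fails for unrelated reasons; a dedicated gitaly fixture, or at least a comment such as `# borrowed from the clusters specs; any valid PEM certificate works here`, would make the dependency explicit. Presumably the un-stubbed `stub_cert_paths` falls back to the system CA store — if so, a global stub means that default path is never covered by this file.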