If you are using GitLab installed from source, this is very simple. Just edit
config/database.yml to add the following options:
If you’ve connected to the MySQL server from the command line using encryption, these are the same arguments that you passed to it as:
--ssl-capath=/path/to/certificates --ssl-ca=/path/to/ca-cert.pem --ssl-cert=/path/to/client-cert.pem --ssl-key=/path/to/client-key.pem
If you are using Omnibus (EE), you won’t be able to do it so easily, because the Omnibus version of database.yml doesn’t have the option to specify sslcapath; it only has sslca. You could open a Merge Request in the Omnibus package to add support.
NOTE: I don’t know if it is still true, and it may also depend heavily on your network, but last time I checked, MySQL’s built-in connection encryption was an order of magnitude slower than using a VPN or an SSH tunnel.
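The source-install configuration described above, written out as an added example that is not part of the original post or GitLab's own file. It uses the Rails mysql2 adapter's TLS keys with the placeholder paths from the command-line flags; the database name, user, host and password shown are assumptions.

```yaml
# config/database.yml (GitLab installed from source) -- added example
production:
  adapter: mysql2
  encoding: utf8
  database: gitlabhq_production      # assumed name
  username: git                      # assumed account
  password: "CHANGE_ME"              # placeholder
  host: db.example.internal          # assumed host
  # TLS options read by the mysql2 adapter; each mirrors a mysql CLI flag
  sslca: /path/to/ca-cert.pem        # --ssl-ca: CA bundle used to check the server certificate
  sslcapath: /path/to/certificates   # --ssl-capath: directory of trusted CA certificates
  sslcert: /path/to/client-cert.pem  # --ssl-cert: client certificate presented to the server
  sslkey: /path/to/client-key.pem    # --ssl-key: private key for the client certificate
```

To confirm a session is actually encrypted, run `SHOW STATUS LIKE 'Ssl_cipher';` over a connection made with these settings; an empty value means the connection is not using TLS. Keep the client key file readable only by the account GitLab runs as.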