Host Gitlab MySQL database remotely, force encrypted connection

Hi all, I have a set of replicated mariadb servers running already and I would like to transition my Gitlab database to use that pool instead of a local mysql installation. Rather than run a VPN between the two sites, I’d prefer to use TLS for simplicity. Is it possible to configure Gitlab to use client certificates to encrypt database traffic? I didn’t see anything in the documentation but figure there must be a way to pass custom options to the database interface.

Thanks!

If you are using GitLab installed from source, this is very simple. Just edit config/database.yml to add the following options:

sslkey: /path/to/client-key.pem
sslcert: /path/to/client-cert.pem
sslca: /path/to/ca-cert.pem
sslcapath: /path/to/certificates

If you’ve connected to the MySQL server from the command line using encryption, these are the same arguments that you passed to it as --ssl-capath=/path/to/certificates --ssl-ca=/path/to/ca-cert.pem --ssl-cert=/path/to/client-cert.pem --ssl-key=/path/to/client-key.pem

If you are using Omnibus (EE), you won’t be able to do it so easily because the Omnibus version of database.yml doesn’t have the option to specify sslkey, sslcert, or sslcapath; it only has sslca. You could open a Merge Request in the Omnibus package to add support.


NOTE I don’t know if it is still true, and it may also depend heavily on your network, but last time I checked, MySQL’s built-in connection encryption was an order of magnitude slower than using a VPN or an SSH tunnel.
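Setting the four ssl* keys in database.yml only tells the client which files to use; it does not by itself prove the server verified the client, or that the session ended up encrypted at all. The script below is an added example, not code from GitLab or from the poster. It checks a database.yml environment block for the usual TLS mistakes (no CA, so the server certificate cannot be verified; a client cert without its key; paths that do not exist; a private key readable by other users) and, optionally, connects and reads SHOW STATUS LIKE 'Ssl_cipher', which is empty when the server negotiated a plaintext session. The live check assumes the pymysql library, whose ssl dict keys ca/capath/cert/key mirror the --ssl-* options of the mysql client; the certificate files in demo() are constructed placeholders.

```python
"""Static and live TLS checks for a GitLab database.yml MySQL/MariaDB block.

Added example; not GitLab's or the forum poster's code. Assumes the keys from
the post (sslkey, sslcert, sslca, sslcapath) and, for live_check(), the
pymysql client library (assumed dependency, imported only when used).
"""
import os
import tempfile

TLS_KEYS = ("sslkey", "sslcert", "sslca", "sslcapath")


def check_tls_config(db: dict) -> list:
    """Return a list of problems with the TLS settings of one database.yml
    environment block (a dict, as yaml.safe_load would produce). Empty list
    means nothing obviously wrong."""
    problems = []
    if not db.get("sslca") and not db.get("sslcapath"):
        # Without a CA the client encrypts but cannot authenticate the server,
        # so an impersonating server would be accepted.
        problems.append("no sslca/sslcapath: server certificate cannot be verified")
    if bool(db.get("sslkey")) != bool(db.get("sslcert")):
        problems.append("sslkey and sslcert must both be set for client-certificate auth")
    for key in TLS_KEYS:
        path = db.get(key)
        if path and not os.path.exists(path):
            problems.append(f"{key}: {path} does not exist")
    key_path = db.get("sslkey")
    if key_path and os.path.exists(key_path):
        # The client key is a credential: group/other bits should be clear.
        if os.stat(key_path).st_mode & 0o077:
            problems.append(f"sslkey: {key_path} is readable by group/others")
    return problems


def session_is_encrypted(status_rows) -> bool:
    """Interpret rows of SHOW STATUS LIKE 'Ssl_cipher' (name, value) pairs.
    An empty cipher means the session is plaintext, whatever was configured."""
    for name, value in status_rows:
        if name == "Ssl_cipher":
            return bool(value)
    return False


def live_check(db: dict) -> str:
    """Connect with the block's TLS settings and return the negotiated cipher.
    Raises RuntimeError if the server handed back a plaintext session.
    Assumes pymysql; host/port/username/password/database follow database.yml."""
    import pymysql  # assumed dependency; kept local so static checks run without it
    ssl = {
        "ca": db.get("sslca"), "capath": db.get("sslcapath"),
        "cert": db.get("sslcert"), "key": db.get("sslkey"),
    }
    ssl = {k: v for k, v in ssl.items() if v}
    conn = pymysql.connect(host=db["host"], port=int(db.get("port", 3306)),
                           user=db["username"], password=db["password"],
                           database=db["database"], ssl=ssl)
    try:
        with conn.cursor() as cur:
            cur.execute("SHOW STATUS LIKE 'Ssl_cipher'")
            rows = cur.fetchall()
    finally:
        conn.close()
    if not session_is_encrypted(rows):
        raise RuntimeError("connection to the database is NOT encrypted")
    return dict(rows)["Ssl_cipher"]


def demo() -> dict:
    """Run the static checks on two constructed configs, no server needed:
    a complete one and one that lacks the CA and points at a missing key."""
    tmp = tempfile.mkdtemp()
    paths = {}
    for name in ("client-key.pem", "client-cert.pem", "ca-cert.pem"):
        p = os.path.join(tmp, name)
        with open(p, "w") as f:  # constructed placeholder, not a real certificate
            f.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        paths[name] = p
    os.chmod(paths["client-key.pem"], 0o600)
    good = {"sslkey": paths["client-key.pem"], "sslcert": paths["client-cert.pem"],
            "sslca": paths["ca-cert.pem"]}
    bad = {"sslcert": paths["client-cert.pem"],
           "sslkey": os.path.join(tmp, "missing-key.pem")}
    return {"good": check_tls_config(good), "bad": check_tls_config(bad)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python check_db_tls.py config/database.yml [production]
        import yaml  # PyYAML, assumed available
        with open(sys.argv[1]) as f:
            block = yaml.safe_load(f)[sys.argv[2] if len(sys.argv) > 2 else "production"]
        for problem in check_tls_config(block) or ["no static problems found"]:
            print(problem)
        print("negotiated cipher:", live_check(block))
    else:
        print(demo())
```

Run without arguments it exercises the checks on the constructed files; pointed at a real database.yml it also performs the live check. On the server side, pairing this with a user grant that carries REQUIRE X509 (or at least REQUIRE SSL) makes the encryption mandatory rather than something the client merely asks for.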