Merge branch 'cl-openssl-cert' into 'master'

Set the default SSL cert path when invoking indexer

See merge request gitlab-org/gitlab!26036

ee/changelogs/unreleased/cl-openssl-cert.yml

+---
+title: Set the default SSL cert path environment variables when invoking indexer
+merge_request: 26036
+author:
+type: fixed

ee/lib/gitlab/elastic/indexer.rb

@@ -83,10 +83,12 @@ module Gitlab
           'ELASTIC_CONNECTION_INFO' => elasticsearch_config(target),
           'GITALY_CONNECTION_INFO'  => gitaly_connection_info,
           'FROM_SHA'                => from_sha,
-          'TO_SHA'                  => to_sha
+          'TO_SHA'                  => to_sha,
+          'SSL_CERT_FILE'           => OpenSSL::X509::DEFAULT_CERT_FILE,
+          'SSL_CERT_DIR'            => OpenSSL::X509::DEFAULT_CERT_DIR
         }
 
-        # SSL certificates related env will be sent to child process if configured
+        # Users can override default SSL certificate path via these envs
         %w(SSL_CERT_FILE SSL_CERT_DIR).each_with_object(vars) do |key, hash|
           hash[key] = ENV[key] if ENV.key?(key)
         end

ee/spec/lib/gitlab/elastic/indexer_spec.rb

@@ -269,11 +269,14 @@ describe Gitlab::Elastic::Indexer do
     end
   end
 
-  context 'when SSL env vars are not set' do
+  context 'when SSL env vars are not set explicitly' do
+    let(:ruby_cert_file) { OpenSSL::X509::DEFAULT_CERT_FILE }
+    let(:ruby_cert_dir) { OpenSSL::X509::DEFAULT_CERT_DIR }
+
     subject { envvars }
 
-    it 'they will not be passed down to child process' do
-      is_expected.not_to include('SSL_CERT_FILE', 'SSL_CERT_DIR')
+    it 'they will be set to default values determined by Ruby' do
+      is_expected.to include('SSL_CERT_FILE' => ruby_cert_file, 'SSL_CERT_DIR' => ruby_cert_dir)
     end
   end