From 0b00812269168e855fc2950424865095f8bb6db9 Mon Sep 17 00:00:00 2001
From: marc0777
Date: Tue, 5 Aug 2025 11:55:01 +0200
Subject: [PATCH] feat: allow configuring gitlab ssl verification
---
 docs/docs/installation/gitlab.md | 3 +++
 pr_agent/git_providers/gitlab_provider.py | 4 +++-
 pr_agent/settings/configuration.toml | 2 ++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/docs/docs/installation/gitlab.md b/docs/docs/installation/gitlab.md
index 7e587617..69ea715a 100644
--- a/docs/docs/installation/gitlab.md
+++ b/docs/docs/installation/gitlab.md
@@ -42,6 +42,9 @@ Note that if your base branches are not protected, don't set the variables as `p
 > **Note**: The `$CI_SERVER_FQDN` variable is available starting from GitLab version 16.10. If you're using an earlier version, this variable will not be available. However, you can combine `$CI_SERVER_HOST` and `$CI_SERVER_PORT` to achieve the same result. Please ensure you're using a compatible version or adjust your configuration.
+> **Note**: The `gitlab__SSL_VERIFY` environment variable can be used to specify the path to a custom CA certificate bundle for SSL verification. GitLab exposes the `$CI_SERVER_TLS_CA_FILE` variable, which points to the custom CA certificate file configured in your GitLab instance.
+> Alternatively, SSL verification can be disabled entirely by setting `gitlab__SSL_VERIFY=false`, although this is not recommended.
+
 ## Run a GitLab webhook server
 1. In GitLab create a new user and give it "Reporter" role ("Developer" if using Pro version of the agent) for the intended group or project.
diff --git a/pr_agent/git_providers/gitlab_provider.py b/pr_agent/git_providers/gitlab_provider.py
index e8eb2c97..84e7707d 100644
--- a/pr_agent/git_providers/gitlab_provider.py
+++ b/pr_agent/git_providers/gitlab_provider.py
@@ -32,12 +32,14 @@ class GitLabProvider(GitProvider):
 if not gitlab_url:
 raise ValueError("GitLab URL is not set in the config file")
 self.gitlab_url = gitlab_url
+ ssl_verify = get_settings().get("GITLAB.SSL_VERIFY", True)
 gitlab_access_token = get_settings().get("GITLAB.PERSONAL_ACCESS_TOKEN", None)
 if not gitlab_access_token:
 raise ValueError("GitLab personal access token is not set in the config file")
 self.gl = gitlab.Gitlab(
 url=gitlab_url,
- oauth_token=gitlab_access_token
+ oauth_token=gitlab_access_token,
+ ssl_verify=ssl_verify
 )
 self.max_comment_chars = 65000
 self.id_project = None
diff --git a/pr_agent/settings/configuration.toml b/pr_agent/settings/configuration.toml
index 80bfc639..d1963f01 100644
--- a/pr_agent/settings/configuration.toml
+++ b/pr_agent/settings/configuration.toml
@@ -284,6 +284,8 @@ push_commands = [
 "/describe",
 "/review",
 ]
+# Configure SSL validation for GitLab. Can be either set to the path of a custom CA or disabled entirely.
+# ssl_verify = true
 [gitea_app]
 url = "https://gitea.com"
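Review bot: The value read on the added `ssl_verify = get_settings().get("GITLAB.SSL_VERIFY", True)` line goes to `gitlab.Gitlab(...)` unvalidated, so the check can fail open. python-gitlab hands `ssl_verify` to its requests session, where any falsy value (an empty string, `0`) switches certificate verification off just as `false` does; an empty string is what would arrive if `gitlab__SSL_VERIFY` is set from an unset variable such as `$CI_SERVER_TLS_CA_FILE` (inferred, and dependent on how the settings loader parses it). Since the access token travels over this connection, I would reject anything that is not a bool or a non-empty path, e.g. `if not isinstance(ssl_verify, (bool, str)) or ssl_verify == "": raise ValueError("GITLAB.SSL_VERIFY must be true, false or a CA bundle path")`, and log a warning when it is `False`. The enclosing method starts and ends outside the hunk.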
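Review bot: The added comment above `# ssl_verify = true` names the two non-default settings but gives neither the value that disables verification nor its consequence, and the section the key belongs to lies outside the hunk. I would reword it to `# TLS certificate verification for GitLab: true (default) or the path to a custom CA bundle.` followed by `# false disables verification and exposes the access token to interception; not recommended.`, which also matches the caution in the installation docs changed by the same commit.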