New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#2420 …Handle encrypted_settings_key_base variable #2631
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, thank you for your contribution. Generally looks good.
I have commented on whether the parameter GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE
should be required or not. I would appreciate it if you could confirm it.
Hi, Just a little up, to check whether you can merge it? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for late, LGTM. Thank you for your contribution.
When I reviewed it again, I noticed that there were some codes report error when secret variables were not set. If your first code followed them, I might have done an unnecessary (and confusing) review.
Btw, I'm just a one of contributor. So please ask @sachilles
to merge this PR by yourself (I'll enclose the mention in a code block to avoid pinging maintainers if it's not necessary - i.e. this comment does not send him notifications)
@@ -148,11 +148,12 @@ The quickest way to get started is using [docker-compose](https://docs.docker.co | |||
wget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.yml | |||
``` | |||
|
|||
Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, and `GITLAB_SECRETS_SECRET_KEY_BASE`. These values are used for the following: | |||
Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE`, `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. These values are used for the following: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE`, `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. These values are used for the following: | |
Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. These values are used for the following: |
Hi, Juste a little gentle reminder on this PR to know what is still required to merge? |
2fa1e8a
to
48b30eb
Compare
Hi, I just updated the PR to work on top of Could you please merge it? |
I forgot to mention @sachilles as recommended before :) |
48b30eb
to
734fd99
Compare
@sachilles What can I do to make it ok for merge? |
@ymazzer Thanks for your contribution and sorry for my late reply. I'll review your PR. |
@@ -858,7 +858,8 @@ gitlab_configure_secrets() { | |||
update_template ${GITLAB_SECRETS_CONFIG} \ | |||
GITLAB_SECRETS_DB_KEY_BASE \ | |||
GITLAB_SECRETS_SECRET_KEY_BASE \ | |||
GITLAB_SECRETS_OTP_KEY_BASE | |||
GITLAB_SECRETS_OTP_KEY_BASE \ | |||
GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it problematic if GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE
is not set?
For all other variables there is an explicit check to avoid empty strings. Should this check applied to GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE
as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @sachilles,
Sorry for the delay, I was not notified of your mention.
Well gitlab starts, restarts and upgrades correctly without it within the current image. As long as you do not set it, it is ok.
But:
- if you set it on a newly created instance, you need to keep it to make sure the secret is not overriden and to be able to decode already stored encrypted settings;
- if you set it on an existing instance, you need to make sure to use the existing value of
encrypted_settings_key_base
inside/home/git/gitlab/config/secrets.yml
if it exists, of not to set it if it is empty unless you never used encrypted settings.
By default this option is not set, and can be ignored. Thus it seems to me it should not warn neither block the user if it is not set (cf. https://docs.gitlab.com/ee/administration/encrypted_configuration.html)
…estoring backups from gitlab instances not running from this image and using encrypted settings feature.
734fd99
to
b7bd5a9
Compare
#2420 Handle encrypted_settings_key_base variable to allow restoring backups from gitlab instances not running from this image and using encrypted settings feature.