#2420 …Handle encrypted_settings_key_base variable

[ymazzer]

#2420 Handle encrypted_settings_key_base variable to allow restoring backups from gitlab instances not running from this image and using encrypted settings feature.

[kkimurak]

Hi, thank you for your contribution. Generally looks good.
I have commented on whether the parameter GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE should be required or not. I would appreciate it if you could confirm it.

[ymazzer]

Hi,

Just a little up, to check whether you can merge it?

[kkimurak]

Sorry for late, LGTM. Thank you for your contribution.

When I reviewed it again, I noticed that there were some codes report error when secret variables were not set. If your first code followed them, I might have done an unnecessary (and confusing) review.

Btw, I'm just a one of contributor. So please ask @sachilles to merge this PR by yourself (I'll enclose the mention in a code block to avoid pinging maintainers if it's not necessary - i.e. this comment does not send him notifications)

[kkimurak]

Suggested change

	Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE`, `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. These values are used for the following:
	Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. These values are used for the following:

[ymazzer]

Hi,

Juste a little gentle reminder on this PR to know what is still required to merge?

[ymazzer]

Hi,

I just updated the PR to work on top of 16.7.0, this feature is quite important for gitlab instances migrated from other installation methods to sameersbn/docker-gitlab docker image.

Could you please merge it?

[ymazzer]

Hi,

I just updated the PR to work on top of 16.7.0, this feature is quite important for gitlab instances migrated from other installation methods to sameersbn/docker-gitlab docker image.

Could you please merge it?

I forgot to mention @sachilles as recommended before :)

[ymazzer]

@sachilles What can I do to make it ok for merge?

[sachilles]

@ymazzer Thanks for your contribution and sorry for my late reply. I'll review your PR.

[sachilles]

Is it problematic if GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE is not set?

For all other variables there is an explicit check to avoid empty strings. Should this check applied to GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE as well?

[ymazzer]

Hi @sachilles,

Sorry for the delay, I was not notified of your mention.

Well gitlab starts, restarts and upgrades correctly without it within the current image. As long as you do not set it, it is ok.

But:

• if you set it on a newly created instance, you need to keep it to make sure the secret is not overriden and to be able to decode already stored encrypted settings;
• if you set it on an existing instance, you need to make sure to use the existing value of encrypted_settings_key_base inside /home/git/gitlab/config/secrets.yml if it exists, of not to set it if it is empty unless you never used encrypted settings.

By default this option is not set, and can be ignored. Thus it seems to me it should not warn neither block the user if it is not set (cf. https://docs.gitlab.com/ee/administration/encrypted_configuration.html)