remove secrets file management #249

Merged
21 changes: 3 additions & 18 deletions README.md
Expand Up @@ -206,25 +206,10 @@ class { 'gitlab::omnibus_package_repository':
```
### Gitlab secrets

To manage `/etc/gitlab/gitlab-secrets.json` the parameter `secrets` accepts a hash.
Here is an example how to use it with Hiera:
*Note:* `gitlab::secrets` parameter was removed in v3.0.0. See: [Issues#213 - Remove support for setting content of `gitlab-secrets.json`](https://github.com/voxpupuli/puppet-gitlab/issues/213)

```yaml
gitlab::secrets:
gitlab_shell:
secret_token: 'asecrettoken1234567890'
gitlab_rails:
secret_token: 'asecrettoken123456789010'
gitlab_ci:
secret_token: null
secret_key_base: 'asecrettoken123456789011'
db_key_base: 'asecrettoken123456789012'
```

*Hint 1*: This secret tokens can be generated f.e. using Ruby with `SecureRandom.hex(64)`, or
taken out of an installation without having `secrets` used.
*Hint 2*: When using the `gitlab_ci` parameter to specify the `gitlab_server`, then this parameters
must be added also to the `secrets` hash (Omnibus overrides `gitlab-secrets.json`).
When using HA role `application_role`, make sure to add the [appropriate shared secrets](https://docs.gitlab.com/ee/administration/high_availability/gitlab.html#extra-configuration-for-additional-gitlab-application-servers) to your `gitlab_rails` and `gitlab_shell` hashes to ensure front-end nodes
are configured to access all backend data-sources and repositories. If you receive 500 errors on your HA setup, this is one of the primary causes.

### LDAP configuration example
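Review bot: the kept HA paragraph below the new note still tells readers to add the shared secrets "to your `gitlab_rails` and `gitlab_shell` hashes", which after this change can no longer mean the `secrets` hash; it now reads as if the tokens belong in the `gitlab::gitlab_rails` / `gitlab::shell` config parameters, which is not what the linked GitLab HA page describes. Reword that paragraph to say the operators must distribute `/etc/gitlab/gitlab-secrets.json` between application nodes outside this module. The added note also only names `gitlab::secrets`, while the init.pp hunk removes `gitlab::secrets_file` as well; mention both so users grepping for either parameter find the v3.0.0 note.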

1 change: 0 additions & 1 deletion manifests/host_config.pp
Expand Up @@ -11,7 +11,6 @@
$config_dir = '/etc/gitlab',
$skip_auto_migrations = $gitlab::skip_auto_migrations,
$skip_auto_reconfigure = $gitlab::skip_auto_reconfigure,
$secrets_file = $gitlab::secrets_file,
$store_git_keys_in_db = $gitlab::store_git_keys_in_db,
) {
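Review bot: `$secrets_file` is dropped from the `gitlab::host_config` signature but this hunk shows no matching change in the class body; if host_config.pp still references `$secrets_file` anywhere below the visible context, that becomes an undefined-variable lookup that only surfaces at catalog compile time. Worth a grep of the whole file (and a `puppet-lint` / `rspec` run) before merge, since the removed spec in init_spec.rb no longer exercises this path.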

11 changes: 0 additions & 11 deletions manifests/init.pp
Expand Up @@ -245,15 +245,6 @@
# Array of roles when using a HA or Geo enabled GitLab configuration
# See: https://docs.gitlab.com/omnibus/roles/README.html for acceptable values
#
# [*secrets*]
# Default: undef
# Hash of values which will be placed into $secrets_file (by default /etc/gitlab/gitlab-secrets.json)
# If this parameter is undef, the file won't be managed.
#
# [*secrets_file*]
# Default: /etc/gitlab/gitlab-secrets.json
# Full path to secrets JSON file.
#
# [*sentinel*]
# Default: undef
# Hash of 'sentinel' config parameters.
Expand Down Expand Up @@ -386,8 +377,6 @@
Optional[Hash] $registry_nginx = undef,
Boolean $registry_nginx_eq_nginx = false,
Optional[Array] $roles = undef,
Optional[Hash] $secrets = undef,
Optional[Stdlib::Absolutepath] $secrets_file = '/etc/gitlab/gitlab-secrets.json',
Optional[Hash] $sentinel = undef,
Optional[Hash] $shell = undef,
Optional[Hash] $sidekiq = undef,
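Review bot: removing `$secrets` and `$secrets_file` breaks the two call styles differently, and only one of them breaks loudly. A resource-like declaration `class { 'gitlab': secrets => {...} }` will now fail compilation with an unknown-parameter error, which is the desired hard stop. Hiera data in the form the README used to document (`gitlab::secrets:` as a top-level key) is resolved by automatic parameter lookup, and a key for a parameter that no longer exists is silently ignored, so those users get no error and simply stop having the file managed while the plaintext tokens remain in their Hiera data. Call this out explicitly in the README note or the changelog so operators know to move the tokens out of Hiera.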
9 changes: 0 additions & 9 deletions manifests/omnibus_config.pp
Expand Up @@ -52,8 +52,6 @@
$registry_nginx = $gitlab::registry_nginx
$registry_nginx_eq_nginx = $gitlab::registry_nginx_eq_nginx
$registry_external_url = $gitlab::registry_external_url
$secrets = $gitlab::secrets
$secrets_file = $gitlab::secrets_file
$sentinel = $gitlab::sentinel
$service_group = $gitlab::service_group
$service_user = $gitlab::service_user
Expand Down Expand Up @@ -110,11 +108,4 @@
}
}
}

if ! empty($secrets) {
file { $secrets_file:
* => $config_file_attributes,
content => inline_template('<%= require \'json\'; JSON.pretty_generate(@secrets) + "\n" %>'),
}
}
}
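Review bot: deleting the `file { $secrets_file: ... }` resource stops Puppet from managing `/etc/gitlab/gitlab-secrets.json` but does not touch the copy already on disk; every node keeps the file with whatever content, owner and mode `$config_file_attributes` last applied, and nothing in this PR re-asserts those permissions. Since the file carries the Rails and shell secret tokens, the README should state that ownership and mode of the file are now the operator's responsibility. On the positive side, dropping the `inline_template` that rendered `@secrets` into file content means the tokens no longer travel through the compiled catalog and agent reports, which is the stronger reason for this change and deserves a sentence in the PR description.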
22 changes: 0 additions & 22 deletions spec/classes/init_spec.rb
Expand Up @@ -97,28 +97,6 @@
)
}
end
describe 'secrets' do
let(:params) do
{ secrets: {
'gitlab_shell' => {
'secret_token' => 'mysupersecrettoken1'
},
'gitlab_rails' => {
'secret_token' => 'mysupersecrettoken2'
},
'gitlab_ci' => {
'secret_token' => 'null',
'secret_key_base' => 'mysupersecrettoken3',
'db_key_base' => 'mysupersecrettoken4'
}
} }
end

it {
is_expected.to contain_file('/etc/gitlab/gitlab-secrets.json'). \
with_content(%r{{\n \"gitlab_shell\": {\n \"secret_token\": \"mysupersecrettoken1\"\n },\n \"gitlab_rails\": {\n \"secret_token\": \"mysupersecrettoken2\"\n },\n \"gitlab_ci\": {\n \"secret_token\": \"null\",\n \"secret_key_base\": \"mysupersecrettoken3\",\n \"db_key_base\": \"mysupersecrettoken4\"\n }\n}\n}m)
}
end
describe 'gitlab_rails with hash value' do
let(:params) do
{ gitlab_rails: {
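Review bot: with the `describe 'secrets'` block removed, nothing in the spec asserts the new behaviour, namely that the module never produces a `gitlab-secrets.json` resource. A negative expectation such as `it { is_expected.not_to contain_file('/etc/gitlab/gitlab-secrets.json') }` in the default-parameters example would guard against the resource being reintroduced, and it is cheaper than the regex-on-rendered-JSON check that is being deleted here.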