From e383d8429685e095a7401544132566c4f9a7e67c Mon Sep 17 00:00:00 2001
From: Michael Eischer
Date: Sun, 16 Jul 2017 20:30:33 +0200
Subject: [PATCH] Generate secrets on container startup
---
 assets/build/install.sh | 3 +++
 assets/runtime/functions | 12 ++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/assets/build/install.sh b/assets/build/install.sh
index 8519ddfa..fde47a92 100755
--- a/assets/build/install.sh
+++ b/assets/build/install.sh
@@ -156,6 +156,9 @@ exec_as_git bundle exec rake gitlab:assets:compile USE_DB=false SKIP_STORAGE_VAL
 # remove auto generated ${GITLAB_DATA_DIR}/config/secrets.yml
 rm -rf ${GITLAB_DATA_DIR}/config/secrets.yml
+# remove gitlab shell and workhorse secrets
+rm -f ${GITLAB_INSTALL_DIR}/.gitlab_shell_secret ${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret
+
 exec_as_git mkdir -p ${GITLAB_INSTALL_DIR}/tmp/pids/ ${GITLAB_INSTALL_DIR}/tmp/sockets/
 chmod -R u+rwX ${GITLAB_INSTALL_DIR}/tmp
diff --git a/assets/runtime/functions b/assets/runtime/functions
index df051332..e03d6a39 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -710,6 +710,18 @@ gitlab_configure_secrets() {
 GITLAB_SECRETS_DB_KEY_BASE \
 GITLAB_SECRETS_SECRET_KEY_BASE \
 GITLAB_SECRETS_OTP_KEY_BASE
+ local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
+ if [[ ! -f "${shell_secret}" ]]; then
+ exec_as_git openssl rand -hex -out "${shell_secret}" 16
+ chmod 600 "${shell_secret}"
+ fi
+ local workhorse_secret="${GITLAB_INSTALL_DIR}/.gitlab_workhorse_secret"
+ if [[ ! -f "${workhorse_secret}" ]]; then
+ exec_as_git openssl rand -base64 -out "${workhorse_secret}" 32
+ chmod 600 "${workhorse_secret}"
+ fi
 }
 gitlab_configure_sidekiq() {
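Review bot: The `[[ ! -f "${shell_secret}" ]]` guard (and its workhorse twin) accepts an empty or truncated file as a valid secret, and the exit status of `exec_as_git openssl rand … -out …` is never checked, so one failed generation leaves a zero-length file that every later startup then trusts as the shared secret. openssl also creates the output file under the caller's umask before the `chmod 600` runs, which on a default 022 umask gives a short world-readable window for the fresh secret; pre-creating the file owner-only closes that, assuming exec_as_git is a plain privilege drop such as sudo/su and does not alter file creation — verify. Test with `-s` instead of `-f`, create the file with mode 600 first, and abort (removing the partial file) when openssl fails, as below; the workhorse block needs the same treatment with `openssl rand -base64 … 32`. gitlab_configure_secrets opens before this hunk, so whether a `return 1` here stops startup depends on how the caller handles the status.
```shell
  # … unchanged: GITLAB_SECRETS_* handling …
  local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
  # -s: an empty file from an earlier failed run must not be treated as a secret
  if [[ ! -s "${shell_secret}" ]]; then
    # create the file owner-only first so the secret is never world-readable
    exec_as_git install -m 600 /dev/null "${shell_secret}"
    if ! exec_as_git openssl rand -hex -out "${shell_secret}" 16; then
      rm -f "${shell_secret}"
      return 1
    fi
  fi
  # … same pattern for workhorse_secret with: openssl rand -base64 -out "${workhorse_secret}" 32 …
```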