From c2fca72b675bd1292e3092613ccbde93f3624fca Mon Sep 17 00:00:00 2001
From: Sameer Naik
Date: Sun, 17 Apr 2016 19:33:24 +0530
Subject: [PATCH 1/7] gitlab-shell: upgrade to v.2.7.2
---
 Changelog.md | 3 +++
 Dockerfile | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/Changelog.md b/Changelog.md
index cbe8a6e4..3f3f5f83 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -2,6 +2,9 @@
 This file only reflects the changes that are made in this image. Please refer to the upstream GitLab [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) for the list of changes in GitLab.
+**latest**
+- gitlab-shell: upgrade to v.2.7.2
+
 **8.6.7**
 - added `GITLAB_SIGNUP_ENABLED` option to enable/disable signups
 - gitlab: upgrade to CE v8.6.7
diff --git a/Dockerfile b/Dockerfile
index fa1e2fb5..3467cca0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM sameersbn/ubuntu:14.04.20160422
 MAINTAINER sameer@damagehead.com
 ENV GITLAB_VERSION=8.6.7 \
- GITLAB_SHELL_VERSION=2.6.12 \
+ GITLAB_SHELL_VERSION=2.7.2 \
 GITLAB_WORKHORSE_VERSION=0.7.1 \
 GOLANG_VERSION=1.5.3 \
 GITLAB_USER="git" \
From 800840f706e09b750f3bc3a81ef20615a697532f Mon Sep 17 00:00:00 2001
From: Sameer Naik
Date: Sun, 24 Apr 2016 12:00:33 +0530
Subject: [PATCH 2/7] gitlab: upgrade to CE v8.7.0
---
 Changelog.md | 1 +
 Dockerfile | 2 +-
 assets/build/install.sh | 1 +
 assets/runtime/config/gitlabhq/gitlab.yml | 33 +++++++++++++++++++++--
 4 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 3f3f5f83..e30f8a72 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,6 +4,7 @@ This file only reflects the changes that are made in this image. Please refer to
 **latest**
 - gitlab-shell: upgrade to v.2.7.2
+- gitlab: upgrade to CE v8.7.0
 **8.6.7**
 - added `GITLAB_SIGNUP_ENABLED` option to enable/disable signups
diff --git a/Dockerfile b/Dockerfile
index 3467cca0..74129b2a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM sameersbn/ubuntu:14.04.20160422
 MAINTAINER sameer@damagehead.com
-ENV GITLAB_VERSION=8.6.7 \
+ENV GITLAB_VERSION=8.7.0 \
 GITLAB_SHELL_VERSION=2.7.2 \
 GITLAB_WORKHORSE_VERSION=0.7.1 \
 GOLANG_VERSION=1.5.3 \
diff --git a/assets/build/install.sh b/assets/build/install.sh
index 8bc608cf..dde94832 100755
--- a/assets/build/install.sh
+++ b/assets/build/install.sh
@@ -43,6 +43,7 @@ EOF
 # configure git for ${GITLAB_USER}
 exec_as_git git config --global core.autocrlf input
+exec_as_git git config --global gc.auto 0
 # install gitlab-shell
 echo "Downloading gitlab-workhorse v.${GITLAB_SHELL_VERSION}..."
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 83037543..3af5ca82 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -46,6 +46,15 @@ production: &base
 # relative_url_root: {{GITLAB_RELATIVE_URL_ROOT}}
+ # Trusted Proxies
+ # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
+ # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
+ trusted_proxies:
+ # Examples:
+ #- 192.168.1.0/24
+ #- 192.168.2.1
+ #- 2001:0db8::/32
+
 # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
 # user: git
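Review bot: The new `exec_as_git git config --global gc.auto 0` carries no comment, and because it is a `--global` setting for the git user it turns off automatic garbage collection for every repository the container will host, not just for the install step; someone upgrading the image later needs to know that is deliberate. I'd add a why-comment above it, e.g. `# disable automatic git gc for the git user; repository housekeeping is expected to be run by GitLab itself`, and confirm against the upstream 8.7 update notes that GitLab does take over that duty. While here, the context line `echo "Downloading gitlab-workhorse v.${GITLAB_SHELL_VERSION}..."` sits under `# install gitlab-shell` and names the wrong component, which is worth fixing in the same touch. The install script continues on both sides of the hunk.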
@@ -83,7 +92,7 @@ production: &base
 # This happens when the commit is pushed or merged into the default branch of a project.
 # When not specified the default issue_closing_pattern as specified below will be used.
 # Tip: you can test your closing pattern at http://rubular.com.
- # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?))+)'
+ # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing))(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'
 ## Default project features settings
 default_projects_features:
@@ -109,7 +118,7 @@ production: &base
 enabled: {{GITLAB_INCOMING_EMAIL_ENABLED}}
 # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
- # The `%{key}` placeholder is added after the user part, after a `+` character, before the `@`.
+ # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
 address: "{{GITLAB_INCOMING_EMAIL_ADDRESS}}"
 # Email account username
@@ -158,7 +167,7 @@ production: &base
 # Flag stuck CI builds as failed
 stuck_ci_builds_worker:
 cron: "0 0 * * *"
+ # Periodically run 'git fsck' on all repositories. If started more than
+ # once per hour you will have concurrent 'git fsck' jobs.
+ repository_check_worker:
+ cron: "20 * * * *"
+ # Send admin emails once a day
+ admin_email_worker:
+ cron: "0 0 * * *"
+ # Remove outdated repository archives
+ repository_archive_cache_worker:
+ cron: "0 * * * *"
 #
 # 2. GitLab CI settings
@@ -295,6 +314,7 @@ production: &base
 # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
 # User accounts will be created automatically when authentication was successful.
 allow_single_sign_on: {{OAUTH_ALLOW_SSO}}
+ # Locks down those users until they have been cleared by the admin (default: true).
 block_auto_created_users: {{OAUTH_BLOCK_AUTO_CREATED_USERS}}
 # Look up new users in LDAP servers. If a match is found (same uid), automatically
@@ -306,6 +326,13 @@ production: &base
 # (default: false)
 auto_link_saml_user: {{OAUTH_AUTO_LINK_SAML_USER}}
+ # Set different Omniauth providers as external so that all users creating accounts
+ # via these providers will not be able to have access to internal projects. You
+ # will need to use the full name of the provider, like `google_oauth2` for Google.
+ # Refer to the examples below for the full names of the supported providers.
+ # (default: [])
+ external_providers: []
+
 ## Auth providers
 # Uncomment the following lines and fill in the data of the auth provider you want to use
 # If your favorite auth provider is not listed you can use others:
@@ -349,6 +376,8 @@ production: &base
 app_secret: '{{OAUTH_TWITTER_APP_SECRET}}' }
 - { name: 'saml',
 label: '{{OAUTH_SAML_LABEL}}',
+ groups_attribute: 'Groups',
+ external_groups: ['Contractors', 'Freelancers'],
 args: {
 assertion_consumer_service_url: '{{OAUTH_SAML_ASSERTION_CONSUMER_SERVICE_URL}}',
 idp_cert_fingerprint: '{{OAUTH_SAML_IDP_CERT_FINGERPRINT}}',
From 7c3e63f521f522f0e22b1a2787418b2d6b664db1 Mon Sep 17 00:00:00 2001
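Review bot: The two lines added to the live `saml` provider entry, `groups_attribute: 'Groups'` and `external_groups: ['Contractors', 'Freelancers']`, are upstream's sample values pasted in as-is, whereas every neighbouring SAML setting in this block is a `{{…}}` placeholder driven from the environment. As written, every deployment of this image that enables SAML will read the assertion attribute named `Groups` and flag any user in a group called `Contractors` or `Freelancers` as external, and there is no variable with which an operator can change or disable that. Either drop these two lines until they are parameterised, or template them the same way as the rest of the entry (for example a new `OAUTH_SAML_EXTERNAL_GROUPS` variable with an empty default in env-defaults, rendered as `external_groups: [{{OAUTH_SAML_EXTERNAL_GROUPS}}]`) so the default behaviour stays unchanged. The provider entry continues past the end of the hunk.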
From: Sameer Naik
Date: Sun, 24 Apr 2016 12:19:43 +0530
Subject: [PATCH 3/7] revert `rake gitlab:setup` changes from gitlabhq/gitlabhq@a54af831bae023770bf9b2633cc45ec0d5f5a66a
The `db:setup` rake task attempts to DROP an existing gitlab database. This operation can only be performed by a superuser or users with the required privileges. In the context of this image this is not required anyway and may well be an oversight by GitLab Inc.
---
 assets/build/install.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/assets/build/install.sh b/assets/build/install.sh
index dde94832..b3c84a0f 100755
--- a/assets/build/install.sh
+++ b/assets/build/install.sh
@@ -84,6 +84,9 @@ exec_as_git git clone -q -b v${GITLAB_VERSION} --depth 1 ${GITLAB_CLONE_URL} ${G
 # remove HSTS config from the default headers, we configure it in nginx
 exec_as_git sed -i "/headers\['Strict-Transport-Security'\]/d" ${GITLAB_INSTALL_DIR}/app/controllers/application_controller.rb
+# revert `rake gitlab:setup` changes from gitlabhq/gitlabhq@a54af831bae023770bf9b2633cc45ec0d5f5a66a
+exec_as_git sed -i 's/db:reset/db:setup/' ${GITLAB_INSTALL_DIR}/lib/tasks/gitlab/setup.rake
+
 cd ${GITLAB_INSTALL_DIR}
 # install gems, use local cache if available
From dff208c70ca0699ab70947861e7105b221886f00 Mon Sep 17 00:00:00 2001
From: Sameer Naik
Date: Sun, 24 Apr 2016 15:51:41 +0530
Subject: [PATCH 4/7] do not add `+%{key}` placeholder to `GITLAB_INCOMING_EMAIL_ADDRESS` by default
Closes #670
---
 README.md | 7 +++++--
 assets/runtime/env-defaults | 3 ---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index b1b4632e..da5cdefe 100644
--- a/README.md
+++ b/README.md
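Review bot: The new `sed -i 's/db:reset/db:setup/'` on setup.rake is unanchored and unverified: it rewrites every `db:reset` in the file, and if a later GitLab release renames or moves the task the substitution silently becomes a no-op, so the image would run the `db:reset` (DROP DATABASE) path that the commit message says the database user cannot perform. Since this is a build-time step it is cheap to fail loudly instead; I'd follow the `sed` with `grep -q 'db:setup' ${GITLAB_INSTALL_DIR}/lib/tasks/gitlab/setup.rake || exit 1` so an upstream change breaks the build rather than a first run. It would also help to extend the comment with a note that the sed must be re-checked on every GitLab upgrade. The install script continues on both sides of the hunk.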
@@ -457,15 +457,18 @@ Please refer the [Available Configuration Parameters](#available-configuration-p
 #### Reply by email
-Since version `8.0.0` GitLab adds support for commenting on issues by replying to emails. Please read the [documentation on reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) to understand the requirements of this feature.
+Since version `8.0.0` GitLab adds support for commenting on issues by replying to emails. To enable this feature you need to provide IMAP configuration parameters that will allow GitLab to connect to your mail server and read mails. Additionally, you may need to specify `GITLAB_INCOMING_EMAIL_ADDRESS` if your incoming email address is not the same as the `IMAP_USER`.
+If your email provider supports email [sub-addressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing) then you should add the `+%{key}` placeholder after the user part of the email address, eg. `GITLAB_INCOMING_EMAIL_ADDRESS=reply+%{key}@example.com`. Please read the [documentation on reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) to understand the requirements for this feature.
+
 If you are using Gmail then all you need to do is:
 ```bash
 docker run --name gitlab -d \
 --env 'IMAP_USER=USER@gmail.com' --env 'IMAP_PASS=PASSWORD' \
+ --env 'GITLAB_INCOMING_EMAIL_ADDRESS=USER+%{key}@gmail.com' \
 --volume /srv/docker/gitlab/gitlab:/home/git/data \
 sameersbn/gitlab:8.6.7-1
 ```
@@ -783,7 +786,7 @@ Below is the complete list of available options that can be used to customize yo
 - **GITLAB_EMAIL_DISPLAY_NAME**: The name displayed in emails sent out by the GitLab mailer. Defaults to `GitLab`.
 - **GITLAB_EMAIL_REPLY_TO**: The reply-to address of emails sent out by GitLab. Defaults to value of `GITLAB_EMAIL`, else defaults to `noreply@example.com`.
 - **GITLAB_EMAIL_ENABLED**: Enable or disable gitlab mailer. Defaults to the `SMTP_ENABLED` configuration.
-- **GITLAB_INCOMING_EMAIL_ADDRESS**: The incoming email address for reply by email. Defaults to the value of `IMAP_USER`, else defaults to `reply@example.com`.
+- **GITLAB_INCOMING_EMAIL_ADDRESS**: The incoming email address for reply by email. Defaults to the value of `IMAP_USER`, else defaults to `reply@example.com`. Please read the [reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) documentation to curretly set this parameter.
 - **GITLAB_INCOMING_EMAIL_ENABLED**: Enable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`.
 - **GITLAB_SIGNUP_ENABLED**: Enable or disable user signups (first run only). Default is `true`.
 - **GITLAB_USERNAME_CHANGE**: Enable or disable ability for users to change their username. Defaults is `true`.
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index c5939b37..1057f180 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -184,9 +184,6 @@ IMAP_ENABLED=${IMAP_ENABLED:-false}
 GITLAB_INCOMING_EMAIL_ENABLED=${GITLAB_INCOMING_EMAIL_ENABLED:-${IMAP_ENABLED}}
 GITLAB_INCOMING_EMAIL_ADDRESS=${GITLAB_INCOMING_EMAIL_ADDRESS:-${IMAP_USER}}
 GITLAB_INCOMING_EMAIL_ADDRESS=${GITLAB_INCOMING_EMAIL_ADDRESS:-reply@example.com}
-if ! grep -q '+%{key}@' <<< $GITLAB_INCOMING_EMAIL_ADDRESS; then
- GITLAB_INCOMING_EMAIL_ADDRESS=$(sed 's/@/+%{key}@/' <<< $GITLAB_INCOMING_EMAIL_ADDRESS)
-fi
 ## LDAP
 LDAP_ENABLED=${LDAP_ENABLED:-false}
From 5cbf70aa475347e96d664b487760beeeac63d0d1 Mon Sep 17 00:00:00 2001
From: Sameer Naik
Date: Sun, 24 Apr 2016 20:10:01 +0530
Subject: [PATCH 5/7] SSO: `OAUTH_ALLOW_SSO` now specifies a comma separated list of providers.
---
 Changelog.md | 1 +
 README.md | 6 +++---
 assets/runtime/config/gitlabhq/gitlab.yml | 2 +-
 assets/runtime/env-defaults | 2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index e30f8a72..3f6f1256 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -5,6 +5,7 @@ This file only reflects the changes that are made in this image. Please refer to
 **latest**
 - gitlab-shell: upgrade to v.2.7.2
 - gitlab: upgrade to CE v8.7.0
+- SSO: `OAUTH_ALLOW_SSO` now specifies a comma separated list of providers.
 **8.6.7**
 - added `GITLAB_SIGNUP_ENABLED` option to enable/disable signups
diff --git a/README.md b/README.md
index da5cdefe..6a18318e 100644
--- a/README.md
+++ b/README.md
@@ -661,7 +661,7 @@ Once you have the client ID and secret keys generated, configure them using the
 For example, if your client ID is `xxx.apps.googleusercontent.com` and client secret key is `yyy`, then adding `--env 'OAUTH_GOOGLE_API_KEY=xxx.apps.googleusercontent.com' --env 'OAUTH_GOOGLE_APP_SECRET=yyy'` to the docker run command enables support for Google OAuth.
-You can also restrict logins to a single domain by adding `--env 'OAUTH_GOOGLE_RESTRICT_DOMAIN=example.com'`. This is particularly useful when combined with `--env 'OAUTH_ALLOW_SSO=true'` and `--env 'OAUTH_BLOCK_AUTO_CREATED_USERS=false'`.
+You can also restrict logins to a single domain by adding `--env 'OAUTH_GOOGLE_RESTRICT_DOMAIN=example.com'`.
 #### Facebook
@@ -883,8 +883,8 @@ Below is the complete list of available options that can be used to customize yo
 - **LDAP_BASE**: Base where we can search for users. No default.
 - **LDAP_USER_FILTER**: Filter LDAP users. No default.
 - **OAUTH_ENABLED**: Enable OAuth support. Defaults to `true` if any of the support OAuth providers is configured, else defaults to `false`.
-- **OAUTH_AUTO_SIGN_IN_WITH_PROVIDER**: Automatically sign in with a specific OAuth provider without showing GitLab sign-in page. Accepted values are `google_oauth2`, `twitter`, `github`, `gitlab`, `bitbucket` and `saml`. No default.
-- **OAUTH_ALLOW_SSO**: This allows users to login without having a user account first. User accounts will be created automatically when authentication was successful. Defaults to `false`.
+- **OAUTH_AUTO_SIGN_IN_WITH_PROVIDER**: Automatically sign in with a specific OAuth provider without showing GitLab sign-in page. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default.
+- **OAUTH_ALLOW_SSO**: Comma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default.
 - **OAUTH_BLOCK_AUTO_CREATED_USERS**: Locks down those users until they have been cleared by the admin. Defaults to `true`.
 - **OAUTH_AUTO_LINK_LDAP_USER**: Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`.
 - **OAUTH_AUTO_LINK_SAML_USER**: Allow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to `false`.
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 3af5ca82..06f1a9b1 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -313,7 +313,7 @@ production: &base
 # This allows users to login without having a user account first. Define the allowed providers
 # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
 # User accounts will be created automatically when authentication was successful.
- allow_single_sign_on: {{OAUTH_ALLOW_SSO}}
+ allow_single_sign_on: [{{OAUTH_ALLOW_SSO}}]
 # Locks down those users until they have been cleared by the admin (default: true).
 block_auto_created_users: {{OAUTH_BLOCK_AUTO_CREATED_USERS}}
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 1057f180..96a4edeb 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -213,7 +213,7 @@ GITLAB_GRAVATAR_HTTPS_URL=${GITLAB_GRAVATAR_HTTPS_URL:-}
 ## OAUTH
 OAUTH_ENABLED=${OAUTH_ENABLED:-}
 OAUTH_AUTO_SIGN_IN_WITH_PROVIDER=${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER:-}
-OAUTH_ALLOW_SSO=${OAUTH_ALLOW_SSO:-false}
+OAUTH_ALLOW_SSO=${OAUTH_ALLOW_SSO:-}
 OAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true}
 OAUTH_AUTO_LINK_LDAP_USER=${OAUTH_AUTO_LINK_LDAP_USER:-false}
 OAUTH_AUTO_LINK_SAML_USER=${OAUTH_AUTO_LINK_SAML_USER:-false}
From 54a593f868a8d1ea84fba1188b35ad1b98ff1dc9 Mon Sep 17 00:00:00 2001
From: Sameer Naik
Date: Sun, 24 Apr 2016 20:17:52 +0530
Subject: [PATCH 6/7] OAuth: Added `OAUTH_EXTERNAL_PROVIDERS` to specify external oauth providers.
---
 Changelog.md | 1 +
 README.md | 1 +
 assets/runtime/config/gitlabhq/gitlab.yml | 2 +-
 assets/runtime/env-defaults | 1 +
 assets/runtime/functions | 3 ++-
 5 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 3f6f1256..9c5b33dd 100644
--- a/Changelog.md
+++ b/Changelog.md
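Review bot: Wrapping the placeholder as `[{{OAUTH_ALLOW_SSO}}]` changes the setting's type without migrating the old value: a deployment that still passes `OAUTH_ALLOW_SSO=true` (the form this same commit removes from the README's Google section) now renders `[true]`, a list holding a boolean rather than a provider name, which presumably matches no provider and so silently turns single sign-on off instead of allowing every provider as before. The two comment lines just above the setting still promise `or as true/false to allow all providers or none`, which the template can no longer produce. I'd have the configure step in `assets/runtime/functions` reject a literal `true`/`false` with a clear message (or expand `true` to the full provider list) before templating, and trim the comment to the list form. The setting block continues past the end of the hunk.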
@@ -6,6 +6,7 @@ This file only reflects the changes that are made in this image. Please refer to
 - gitlab-shell: upgrade to v.2.7.2
 - gitlab: upgrade to CE v8.7.0
 - SSO: `OAUTH_ALLOW_SSO` now specifies a comma separated list of providers.
+- OAuth: Added `OAUTH_EXTERNAL_PROVIDERS` to specify external oauth providers.
 **8.6.7**
 - added `GITLAB_SIGNUP_ENABLED` option to enable/disable signups
diff --git a/README.md b/README.md
index 6a18318e..86c75244 100644
--- a/README.md
+++ b/README.md
@@ -888,6 +888,7 @@ Below is the complete list of available options that can be used to customize yo
 - **OAUTH_BLOCK_AUTO_CREATED_USERS**: Locks down those users until they have been cleared by the admin. Defaults to `true`.
 - **OAUTH_AUTO_LINK_LDAP_USER**: Look up new users in LDAP servers. If a match is found (same uid), automatically link the omniauth identity with the LDAP account. Defaults to `false`.
 - **OAUTH_AUTO_LINK_SAML_USER**: Allow users with existing accounts to login and auto link their account via SAML login, without having to do a manual login first and manually add SAML. Defaults to `false`.
+- **OAUTH_EXTERNAL_PROVIDERS**: Comma separated list if oauth providers to disallow access to `internal` projects. Users creating accounts via these providers will have access internal projects. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default.
 - **OAUTH_CAS3_LABEL**: The "Sign in with" button label. Defaults to "cas3".
 - **OAUTH_CAS3_SERVER**: CAS3 server URL. No defaults.
 - **OAUTH_CAS3_DISABLE_SSL_VERIFICATION**: Disable CAS3 SSL verification. Defaults to `false`.
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 06f1a9b1..96722956 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -331,7 +331,7 @@ production: &base
 # will need to use the full name of the provider, like `google_oauth2` for Google.
 # Refer to the examples below for the full names of the supported providers.
 # (default: [])
- external_providers: []
+ external_providers: [{{OAUTH_EXTERNAL_PROVIDERS}}]
 ## Auth providers
 # Uncomment the following lines and fill in the data of the auth provider you want to use
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 96a4edeb..1355669b 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -217,6 +217,7 @@ OAUTH_ALLOW_SSO=${OAUTH_ALLOW_SSO:-}
 OAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true}
 OAUTH_AUTO_LINK_LDAP_USER=${OAUTH_AUTO_LINK_LDAP_USER:-false}
 OAUTH_AUTO_LINK_SAML_USER=${OAUTH_AUTO_LINK_SAML_USER:-false}
+OAUTH_EXTERNAL_PROVIDERS=${OAUTH_EXTERNAL_PROVIDERS:-}
 ### GOOGLE
 OAUTH_GOOGLE_API_KEY=${OAUTH_GOOGLE_API_KEY:-}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 4bd5c7d4..c41e609b 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -590,7 +590,8 @@ gitlab_configure_oauth() {
 OAUTH_ALLOW_SSO \
 OAUTH_BLOCK_AUTO_CREATED_USERS \
 OAUTH_AUTO_LINK_LDAP_USER \
- OAUTH_AUTO_LINK_SAML_USER
+ OAUTH_AUTO_LINK_SAML_USER \
+ OAUTH_EXTERNAL_PROVIDERS
 case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
 cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2)
From e725f4945cfce15a906464790233f4be90dba93d Mon Sep 17 00:00:00 2001
From: Sameer Naik
Date: Sun, 24 Apr 2016 21:16:26 +0530
Subject: [PATCH 7/7] Exposed `GITLAB_TRUSTED_PROXIES` configuration parameter
---
 Changelog.md | 1 +
 README.md | 1 +
 assets/runtime/config/gitlabhq/gitlab.yml | 5 +----
 assets/runtime/env-defaults | 1 +
 assets/runtime/functions | 10 ++++++++++
 5 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 9c5b33dd..1464dd6c 100644
--- a/Changelog.md
+++ b/Changelog.md
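Review bot: `OAUTH_EXTERNAL_PROVIDERS` is appended to the `update_template` list with no validation, even though the `case` immediately below whitelists `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` against known provider names; the value is spliced verbatim into the YAML flow sequence `external_providers: [ ... ]`, so a typo such as `google` for `google_oauth2` yields an entry that never matches and users from that provider quietly keep access to internal projects, while a stray quote or bracket makes gitlab.yml unparsable at start-up. The same gap applies to `OAUTH_ALLOW_SSO` from the previous commit. I'd split the comma-separated value and check each entry against the same provider list as the `case` (which, as visible here, does not include `auth0` although the README in this commit lists it), failing with a clear message on an unknown name. Separately, the README line added in this commit says users from external providers `will have access internal projects`, the inverse of the gitlab.yml comment it parameterises. `gitlab_configure_oauth` continues past the end of the hunk.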
@@ -7,6 +7,7 @@ This file only reflects the changes that are made in this image. Please refer to
 - gitlab: upgrade to CE v8.7.0
 - SSO: `OAUTH_ALLOW_SSO` now specifies a comma separated list of providers.
 - OAuth: Added `OAUTH_EXTERNAL_PROVIDERS` to specify external oauth providers.
+- Exposed `GITLAB_TRUSTED_PROXIES` configuration parameter
 **8.6.7**
 - added `GITLAB_SIGNUP_ENABLED` option to enable/disable signups
diff --git a/README.md b/README.md
index 86c75244..30a56005 100644
--- a/README.md
+++ b/README.md
@@ -819,6 +819,7 @@ Below is the complete list of available options that can be used to customize yo
 - **GITLAB_SSH_HOST**: The ssh host. Defaults to **GITLAB_HOST**.
 - **GITLAB_SSH_PORT**: The ssh port number. Defaults to `22`.
 - **GITLAB_RELATIVE_URL_ROOT**: The relative url of the GitLab server, e.g. `/git`. No default.
+- **GITLAB_TRUSTED_PROXIES**: Add IP address reverse proxy to trusted proxy list, otherwise users will appear signed in from that address. Currently only a single entry is permitted. No defaults.
 - **GITLAB_HTTPS**: Set to `true` to enable https support, disabled by default.
 - **SSL_SELF_SIGNED**: Set to `true` when using self signed ssl certificates. `false` by default.
 - **SSL_CERTIFICATE_PATH**: Location of the ssl certificate. Defaults to `/home/git/data/certs/gitlab.crt`
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 96722956..04959783 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -50,10 +50,7 @@ production: &base
 # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
 # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
 trusted_proxies:
- # Examples:
- #- 192.168.1.0/24
- #- 192.168.2.1
- #- 2001:0db8::/32
+ - {{GITLAB_TRUSTED_PROXIES}}
 # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
 # user: git
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 1355669b..6ecdc8a0 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -71,6 +71,7 @@ GITLAB_PROJECTS_WIKI=${GITLAB_PROJECTS_WIKI:-true}
 GITLAB_PROJECTS_SNIPPETS=${GITLAB_PROJECTS_SNIPPETS:-false}
 GITLAB_PROJECTS_BUILDS=${GITLAB_PROJECTS_BUILDS:-true}
 GITLAB_RELATIVE_URL_ROOT=${GITLAB_RELATIVE_URL_ROOT:-}
+GITLAB_TRUSTED_PROXIES=${GITLAB_TRUSTED_PROXIES:-}
 if [[ -z ${GITLAB_RELATIVE_URL_ROOT} || ${GITLAB_RELATIVE_URL_ROOT} == / ]]; then # should not be set to `/`
 GITLAB_RELATIVE_URL_ROOT=
 fi
diff --git a/assets/runtime/functions b/assets/runtime/functions
index c41e609b..82c2f7d9 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -294,6 +294,15 @@ gitlab_configure_relative_url() {
 fi
 }
+gitlab_configure_trusted_proxies() {
+ if [[ -n ${GITLAB_TRUSTED_PROXIES} ]]; then
+ echo "Configuring gitlab::trusted_proxies..."
+ update_template ${GITLAB_CONFIG} GITLAB_TRUSTED_PROXIES
+ else
+ exec_as_git sed -i "/{{GITLAB_TRUSTED_PROXIES}}/d" ${GITLAB_CONFIG}
+ fi
+}
+
 gitlab_configure_timezone() {
 echo "Configuring gitlab::timezone..."
 update_template ${GITLAB_CONFIG} GITLAB_TIMEZONE
@@ -1109,6 +1118,7 @@ configure_gitlab() {
 gitlab_configure_sidekiq
 gitlab_configure_gitlab_workhorse
 gitlab_configure_relative_url
+ gitlab_configure_trusted_proxies
 gitlab_configure_unicorn
 gitlab_configure_timezone
 gitlab_configure_rack_attack
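Review bot: `gitlab_configure_trusted_proxies` passes `GITLAB_TRUSTED_PROXIES` straight to `update_template` with no validation, and the template it fills is a single `- {{GITLAB_TRUSTED_PROXIES}}` list item, so a comma-separated value becomes one malformed entry and anything that is not an address or CIDR either breaks the YAML or is silently ignored; the README in this commit only documents the limitation rather than enforcing it. Because `trusted_proxies` decides which upstream addresses GitLab believes when deriving a client IP (the hunk's own comment notes users otherwise appear signed in from the proxy's address), an unintended value is worth failing on: check the value against an anchored IPv4/IPv6/CIDR pattern before calling `update_template` and exit with a clear message otherwise, or split on commas and emit one `- ` line per entry so the single-entry restriction can go. The `else` branch deletes the placeholder line and leaves a bare `trusted_proxies:` key, i.e. a YAML null; if that is relied on being tolerated upstream, a one-line comment saying so would help the next reader. The helper is complete within the hunk; `configure_gitlab` in the second hunk continues past it.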