Merge pull request #2631 from datailor-fr/f/encrypted-key-base

#2420  …Handle encrypted_settings_key_base variable

README.md

@@ -149,11 +149,12 @@ The quickest way to get started is using [docker-compose](https://docs.docker.co
 wget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.yml
 ```
 
-Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, and `GITLAB_SECRETS_SECRET_KEY_BASE`. These values are used for the following:
+Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE`, `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. These values are used for the following:
 
 - `GITLAB_SECRETS_OTP_KEY_BASE` is used to encrypt 2FA secrets in the database. If you lose or rotate this secret, none of your users will be able to log in using 2FA.
 - `GITLAB_SECRETS_DB_KEY_BASE` is used to encrypt CI secret variables, as well as import credentials, in the database. If you lose or rotate this secret, you will not be able to use existing CI secrets.
 - `GITLAB_SECRETS_SECRET_KEY_BASE` is used for password reset links, and other 'standard' auth features. If you lose or rotate this secret, password reset tokens in emails will reset.
+- `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` is used for reading settings from encrypted files such as SMTP or LDAP credentials.
 
 > **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`.
 
@@ -194,6 +195,7 @@ docker run --name gitlab -d \
     --env 'GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alpha-numeric-string' \
     --env 'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \
     --env 'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \
+    --env 'GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alpha-numeric-string' \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
     sameersbn/gitlab:17.0.1
 ```
@@ -886,6 +888,10 @@ Encryption key for session secrets. Ensure that your key is at least 64 characte
 
  Encryption key for OTP related stuff with  GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults.
 
+##### `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`
+
+ Encryption key for encrypted settings related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, encrypted settings will not work and might cause errors in merge requests and so on** You can generate one using `pwgen -Bsv1 64`. No defaults.
+
 ##### `GITLAB_TIMEZONE`
 
 Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For settings the container timezone which will effect cron, see variable `TZ`
@@ -2726,6 +2732,7 @@ Replace `x.x.x` with the version you are upgrading from. For example, if you are
 
 > **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image.
 > **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.
+> **Note**: Since Gitlab 13.7 you need to provide the `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` parameter while starting the image.  If not provided, the key will be generated by gitlab. So you can start the image without setting this parameter. But you will lose the key when you shutting down the container without taking a backup of `secrets.yml`.
 
 ```bash
 docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:17.0.1

assets/runtime/config/gitlabhq/secrets.yml

@@ -6,6 +6,7 @@ production:
   db_key_base: {{GITLAB_SECRETS_DB_KEY_BASE}}
   secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}}
   otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}}
+  encrypted_settings_key_base: {{GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE}}
 
 development:
   db_key_base: development

assets/runtime/env-defaults

@@ -254,6 +254,7 @@ GITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com}
 GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-}
 GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-}
 GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-}
+GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=${GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE:-}
 GITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true}
 GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false}
 

assets/runtime/functions

@@ -858,7 +858,8 @@ gitlab_configure_secrets() {
   update_template ${GITLAB_SECRETS_CONFIG} \
   GITLAB_SECRETS_DB_KEY_BASE \
   GITLAB_SECRETS_SECRET_KEY_BASE \
-  GITLAB_SECRETS_OTP_KEY_BASE
+  GITLAB_SECRETS_OTP_KEY_BASE \
+  GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE
 
   local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
   if [[ ! -f "${shell_secret}" ]]; then

contrib/docker-swarm/docker-compose.yml

@@ -61,6 +61,7 @@ services:
     - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+    - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
 
     - GITLAB_ROOT_PASSWORD=
     - GITLAB_ROOT_EMAIL=

docker-compose.swarm.yml

@@ -123,6 +123,7 @@ services:
     - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+    - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
 
     - GITLAB_ROOT_PASSWORD=
     - GITLAB_ROOT_EMAIL=

docs/docker-compose-keycloak.yml

@@ -57,6 +57,7 @@ services:
     - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+    - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
 
     - GITLAB_ROOT_PASSWORD=<root-password>
     - GITLAB_ROOT_EMAIL=

docs/docker-compose-registry.yml

@@ -58,6 +58,7 @@ services:
     - GITLAB_SECRETS_DB_KEY_BASE=secret
     - GITLAB_SECRETS_SECRET_KEY_BASE=secret
     - GITLAB_SECRETS_OTP_KEY_BASE=secret
+    - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=secret
 
     - GITLAB_REGISTRY_ENABLED=true
     - GITLAB_REGISTRY_HOST=registry.example.com

docs/docker-swarm-traefik-registry.md

@@ -151,6 +151,7 @@ You can copy it and set it in the file like:
 - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+- GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
 ```
 
 There are several other settings that you might want to configure, like email accounts for notifications, SMTP credentials to send emails, etc.

docs/s3_compatible_storage.md

@@ -122,6 +122,7 @@ services:
     - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+    - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_ROOT_PASSWORD=
     - GITLAB_ROOT_EMAIL=
     - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true

kubernetes/gitlab-rc.yml

@@ -27,6 +27,8 @@ spec:
           value: long-and-random-alpha-numeric-string
         - name: GITLAB_SECRETS_OTP_KEY_BASE
           value: long-and-random-alpha-numeric-string
+        - name: GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE
+          value: long-and-random-alpha-numeric-string
 
         - name: GITLAB_ROOT_PASSWORD
           value: