From 5204971ce003f5c0ce6b1c06b533b5cf9a0dd53f Mon Sep 17 00:00:00 2001 From: Yannis Mazzer Date: Mon, 5 Sep 2022 11:13:53 +0200 Subject: [PATCH] #2420 Handle encrypted_settings_key_base variable to allow restoring backups from gitlab instances not running from this image and using encrypted settings feature. --- README.md | 9 ++++++++- assets/runtime/config/gitlabhq/secrets.yml | 1 + assets/runtime/env-defaults | 1 + assets/runtime/functions | 3 ++- contrib/docker-swarm/docker-compose.yml | 1 + docker-compose.swarm.yml | 1 + docs/docker-compose-keycloak.yml | 1 + docs/docker-compose-registry.yml | 1 + docs/docker-swarm-traefik-registry.md | 1 + docs/s3_compatible_storage.md | 1 + kubernetes/gitlab-rc.yml | 2 ++ 11 files changed, 20 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index aa990f09..fe5d5075 100644 --- a/README.md +++ b/README.md @@ -149,11 +149,12 @@ The quickest way to get started is using [docker-compose](https://docs.docker.co wget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.yml ``` -Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, and `GITLAB_SECRETS_SECRET_KEY_BASE`. These values are used for the following: +Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE`, `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. These values are used for the following: - `GITLAB_SECRETS_OTP_KEY_BASE` is used to encrypt 2FA secrets in the database. If you lose or rotate this secret, none of your users will be able to log in using 2FA. - `GITLAB_SECRETS_DB_KEY_BASE` is used to encrypt CI secret variables, as well as import credentials, in the database. If you lose or rotate this secret, you will not be able to use existing CI secrets. - `GITLAB_SECRETS_SECRET_KEY_BASE` is used for password reset links, and other 'standard' auth features. If you lose or rotate this secret, password reset tokens in emails will reset. +- `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` is used for reading settings from encrypted files such as SMTP or LDAP credentials. > **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`. @@ -194,6 +195,7 @@ docker run --name gitlab -d \ --env 'GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alpha-numeric-string' \ --env 'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \ --env 'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \ + --env 'GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alpha-numeric-string' \ --volume /srv/docker/gitlab/gitlab:/home/git/data \ sameersbn/gitlab:17.0.1 ``` @@ -886,6 +888,10 @@ Encryption key for session secrets. Ensure that your key is at least 64 characte Encryption key for OTP related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults. +##### `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` + + Encryption key for encrypted settings related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, encrypted settings will not work and might cause errors in merge requests and so on** You can generate one using `pwgen -Bsv1 64`. No defaults. + ##### `GITLAB_TIMEZONE` Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For settings the container timezone which will effect cron, see variable `TZ` @@ -2726,6 +2732,7 @@ Replace `x.x.x` with the version you are upgrading from. For example, if you are > **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image. > **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters. +> **Note**: Since Gitlab 13.7 you need to provide the `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` parameter while starting the image. If not provided, the key will be generated by gitlab. So you can start the image without setting this parameter. But you will lose the key when you shutting down the container without taking a backup of `secrets.yml`. ```bash docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:17.0.1 diff --git a/assets/runtime/config/gitlabhq/secrets.yml b/assets/runtime/config/gitlabhq/secrets.yml index 769d956a..eae882dc 100644 --- a/assets/runtime/config/gitlabhq/secrets.yml +++ b/assets/runtime/config/gitlabhq/secrets.yml @@ -6,6 +6,7 @@ production: db_key_base: {{GITLAB_SECRETS_DB_KEY_BASE}} secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}} otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}} + encrypted_settings_key_base: {{GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE}} development: db_key_base: development diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults index 86e0bd83..2484a142 100644 --- a/assets/runtime/env-defaults +++ b/assets/runtime/env-defaults @@ -254,6 +254,7 @@ GITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com} GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-} GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-} GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-} +GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=${GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE:-} GITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true} GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false} diff --git a/assets/runtime/functions b/assets/runtime/functions index 8c6aad29..5a24e9bc 100644 --- a/assets/runtime/functions +++ b/assets/runtime/functions @@ -858,7 +858,8 @@ gitlab_configure_secrets() { update_template ${GITLAB_SECRETS_CONFIG} \ GITLAB_SECRETS_DB_KEY_BASE \ GITLAB_SECRETS_SECRET_KEY_BASE \ - GITLAB_SECRETS_OTP_KEY_BASE + GITLAB_SECRETS_OTP_KEY_BASE \ + GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret" if [[ ! -f "${shell_secret}" ]]; then diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml index 0dc5f9b3..4ec1365b 100644 --- a/contrib/docker-swarm/docker-compose.yml +++ b/contrib/docker-swarm/docker-compose.yml @@ -61,6 +61,7 @@ services: - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_ROOT_PASSWORD= - GITLAB_ROOT_EMAIL= diff --git a/docker-compose.swarm.yml b/docker-compose.swarm.yml index f2336334..a3c46243 100644 --- a/docker-compose.swarm.yml +++ b/docker-compose.swarm.yml @@ -123,6 +123,7 @@ services: - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_ROOT_PASSWORD= - GITLAB_ROOT_EMAIL= diff --git a/docs/docker-compose-keycloak.yml b/docs/docker-compose-keycloak.yml index cc34a3f1..b12fdb47 100644 --- a/docs/docker-compose-keycloak.yml +++ b/docs/docker-compose-keycloak.yml @@ -57,6 +57,7 @@ services: - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_ROOT_PASSWORD= - GITLAB_ROOT_EMAIL= diff --git a/docs/docker-compose-registry.yml b/docs/docker-compose-registry.yml index 1112ec87..a6984ef6 100644 --- a/docs/docker-compose-registry.yml +++ b/docs/docker-compose-registry.yml @@ -58,6 +58,7 @@ services: - GITLAB_SECRETS_DB_KEY_BASE=secret - GITLAB_SECRETS_SECRET_KEY_BASE=secret - GITLAB_SECRETS_OTP_KEY_BASE=secret + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=secret - GITLAB_REGISTRY_ENABLED=true - GITLAB_REGISTRY_HOST=registry.example.com diff --git a/docs/docker-swarm-traefik-registry.md b/docs/docker-swarm-traefik-registry.md index 7f941efb..62384b64 100644 --- a/docs/docker-swarm-traefik-registry.md +++ b/docs/docker-swarm-traefik-registry.md @@ -151,6 +151,7 @@ You can copy it and set it in the file like: - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string +- GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string ``` There are several other settings that you might want to configure, like email accounts for notifications, SMTP credentials to send emails, etc. diff --git a/docs/s3_compatible_storage.md b/docs/s3_compatible_storage.md index b6e9f3db..ca281b70 100644 --- a/docs/s3_compatible_storage.md +++ b/docs/s3_compatible_storage.md @@ -122,6 +122,7 @@ services: - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string + - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string - GITLAB_ROOT_PASSWORD= - GITLAB_ROOT_EMAIL= - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true diff --git a/kubernetes/gitlab-rc.yml b/kubernetes/gitlab-rc.yml index b03ca8d4..d2cf1629 100644 --- a/kubernetes/gitlab-rc.yml +++ b/kubernetes/gitlab-rc.yml @@ -27,6 +27,8 @@ spec: value: long-and-random-alpha-numeric-string - name: GITLAB_SECRETS_OTP_KEY_BASE value: long-and-random-alpha-numeric-string + - name: GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE + value: long-and-random-alpha-numeric-string - name: GITLAB_ROOT_PASSWORD value: