sameersbn#2420 Handle encrypted_settings_key_base variable to allow r…

…estoring backups from gitlab instances not running from this image and using encrypted settings feature.
datailor-fr · Sep 5, 2022 · 784b02e · 784b02e
1 parent 73a3596
commit 784b02e
Show file tree

Hide file tree

Showing 12 changed files with 28 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -148,11 +148,12 @@ The quickest way to get started is using [docker-compose](https://docs.docker.co
 wget https://raw.githubusercontent.com/sameersbn/docker-gitlab/master/docker-compose.yml
 ```
 
-Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, and `GITLAB_SECRETS_SECRET_KEY_BASE`. These values are used for the following:
+Generate random strings that are at least `64` characters long for each of `GITLAB_SECRETS_OTP_KEY_BASE`, `GITLAB_SECRETS_DB_KEY_BASE`, `GITLAB_SECRETS_SECRET_KEY_BASE`, `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`. These values are used for the following:
 
 - `GITLAB_SECRETS_OTP_KEY_BASE` is used to encrypt 2FA secrets in the database. If you lose or rotate this secret, none of your users will be able to log in using 2FA.
 - `GITLAB_SECRETS_DB_KEY_BASE` is used to encrypt CI secret variables, as well as import credentials, in the database. If you lose or rotate this secret, you will not be able to use existing CI secrets.
 - `GITLAB_SECRETS_SECRET_KEY_BASE` is used for password reset links, and other 'standard' auth features. If you lose or rotate this secret, password reset tokens in emails will reset.
+- `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` is used for reading settings from encrypted files such as SMTP or LDAP credentials.
 
 > **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`.
 
@@ -193,6 +194,7 @@ docker run --name gitlab -d \
     --env 'GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alpha-numeric-string' \
     --env 'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \
     --env 'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \
+    --env 'GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alpha-numeric-string' \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
     sameersbn/gitlab:15.3.2
 ```
@@ -814,6 +816,10 @@ Encryption key for session secrets. Ensure that your key is at least 64 characte
 
  Encryption key for OTP related stuff with  GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults.
 
+##### `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE`
+
+ Encryption key for encrypted settings related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, encrypted settings will not work and might cause errors in merge requests and so on** You can generate one using `pwgen -Bsv1 64`. No defaults.
+
 ##### `GITLAB_TIMEZONE`
 
 Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For settings the container timezone which will effect cron, see variable `TZ`
@@ -2603,6 +2609,7 @@ Replace `x.x.x` with the version you are upgrading from. For example, if you are
 
 > **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image.
 > **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.
+> **Note**: Since Gitlab 13.7 you need to provide the `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` parameter while starting the image
 
 ```bash
 docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:15.3.2

diff --git a/assets/runtime/config/gitlabhq/secrets.yml b/assets/runtime/config/gitlabhq/secrets.yml
@@ -6,6 +6,7 @@ production:
   db_key_base: {{GITLAB_SECRETS_DB_KEY_BASE}}
   secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}}
   otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}}
+  encrypted_settings_key_base: {{GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE}}
 
 development:
   db_key_base: development

diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
@@ -254,6 +254,7 @@ GITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com}
 GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-}
 GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-}
 GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-}
+GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=${GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE:-}
 GITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true}
 GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false}
 

diff --git a/assets/runtime/functions b/assets/runtime/functions
@@ -748,10 +748,18 @@ gitlab_configure_secrets() {
     return 1
   fi
 
+  if [[ -z $GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE ]]; then
+    echo "ERROR: "
+    echo "  Please configure the GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE parameter."
+    echo "  Cannot continue. Aborting..."
+    return 1
+  fi
+
   update_template ${GITLAB_SECRETS_CONFIG} \
   GITLAB_SECRETS_DB_KEY_BASE \
   GITLAB_SECRETS_SECRET_KEY_BASE \
-  GITLAB_SECRETS_OTP_KEY_BASE
+  GITLAB_SECRETS_OTP_KEY_BASE \
+  GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE
 
   local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
   if [[ ! -f "${shell_secret}" ]]; then

diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml
@@ -61,6 +61,7 @@ services:
     - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+    - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
 
     - GITLAB_ROOT_PASSWORD=
     - GITLAB_ROOT_EMAIL=

diff --git a/docker-compose.swarm.yml b/docker-compose.swarm.yml
@@ -123,6 +123,7 @@ services:
     - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+    - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
 
     - GITLAB_ROOT_PASSWORD=
     - GITLAB_ROOT_EMAIL=

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -63,6 +63,7 @@ services:
     - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+    - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
 
     - GITLAB_ROOT_PASSWORD=
     - GITLAB_ROOT_EMAIL=

diff --git a/docs/docker-compose-keycloak.yml b/docs/docker-compose-keycloak.yml
@@ -57,6 +57,7 @@ services:
     - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+    - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
 
     - GITLAB_ROOT_PASSWORD=<root-password>
     - GITLAB_ROOT_EMAIL=

diff --git a/docs/docker-compose-registry.yml b/docs/docker-compose-registry.yml
@@ -58,6 +58,7 @@ services:
     - GITLAB_SECRETS_DB_KEY_BASE=secret
     - GITLAB_SECRETS_SECRET_KEY_BASE=secret
     - GITLAB_SECRETS_OTP_KEY_BASE=secret
+    - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=secret
 
     - GITLAB_REGISTRY_ENABLED=true
     - GITLAB_REGISTRY_HOST=registry.example.com

diff --git a/docs/docker-swarm-traefik-registry.md b/docs/docker-swarm-traefik-registry.md
@@ -151,6 +151,7 @@ You can copy it and set it in the file like:
 - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+- GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
 ```
 
 There are several other settings that you might want to configure, like email accounts for notifications, SMTP credentials to send emails, etc.

diff --git a/docs/s3_compatible_storage.md b/docs/s3_compatible_storage.md
@@ -122,6 +122,7 @@ services:
     - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+    - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
     - GITLAB_ROOT_PASSWORD=
     - GITLAB_ROOT_EMAIL=
     - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true

diff --git a/kubernetes/gitlab-rc.yml b/kubernetes/gitlab-rc.yml
@@ -27,6 +27,8 @@ spec:
           value: long-and-random-alpha-numeric-string
         - name: GITLAB_SECRETS_OTP_KEY_BASE
           value: long-and-random-alpha-numeric-string
+        - name: GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE
+          value: long-and-random-alpha-numeric-string
 
         - name: GITLAB_ROOT_PASSWORD
           value: