Skip to content

Commit

Permalink
sameersbn#2912 Handle openid_connect_signing_key variable to enable b…
Browse files Browse the repository at this point in the history 
…ackup/restore & restarts without errors
  • Loading branch information
@ebarped
ebarped committed Mar 6, 2024
1 parent 562d8d5 commit e08c7b5
Show file tree
Hide file tree
Showing 12 changed files with 104 additions and 110 deletions.
9 changes: 9 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,10 @@ Generate random strings that are at least `64` characters long for each of `GITL

> **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`.
Also, you have to generate a RSA private key for `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY`. This value is used for the signing key for OpenID Connect.

> **Tip**: You can generate one using `openssl genrsa -out - 2048` and assign it as the value of `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY`.
Start GitLab using:

```bash
Expand Down Expand Up @@ -839,6 +843,10 @@ Encryption key for session secrets. Ensure that your key is at least 64 characte

Encryption key for OTP related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults.

##### `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY`

The signing key for OpenID Connect. **If you lose or change this secret, things like 2FA, settings and internal stuff will stop working for all users.** You can generate one using `openssl genrsa -out - 2048`. No defaults.

##### `GITLAB_TIMEZONE`

Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For settings the container timezone which will effect cron, see variable `TZ`
Expand Down Expand Up @@ -2668,6 +2676,7 @@ Replace `x.x.x` with the version you are upgrading from. For example, if you are

> **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image.
> **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.
> **Note**: Since GitLab `16.0.0` you need to provide the `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY` parameter while starting the image. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.

```bash
docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:16.9.1
Expand Down
1 change: 1 addition & 0 deletions assets/runtime/config/gitlabhq/secrets.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ production:
db_key_base: {{GITLAB_SECRETS_DB_KEY_BASE}}
secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}}
otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}}
openid_connect_signing_key: {{GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY}}

development:
db_key_base: development
Expand Down
1 change: 1 addition & 0 deletions assets/runtime/env-defaults
View file
Original file line number Diff line number Diff line change
Expand Up @@ -254,6 +254,7 @@ GITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com}
GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-}
GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-}
GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-}
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=${GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY:-}
GITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true}
GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false}

Expand Down
3 changes: 2 additions & 1 deletion assets/runtime/functions
View file
Original file line number Diff line number Diff line change
Expand Up @@ -858,7 +858,8 @@ gitlab_configure_secrets() {
update_template ${GITLAB_SECRETS_CONFIG} \
GITLAB_SECRETS_DB_KEY_BASE \
GITLAB_SECRETS_SECRET_KEY_BASE \
GITLAB_SECRETS_OTP_KEY_BASE
GITLAB_SECRETS_OTP_KEY_BASE \
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY

local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
if [[ ! -f "${shell_secret}" ]]; then
Expand Down
11 changes: 11 additions & 0 deletions contrib/docker-swarm/docker-compose.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,17 @@ services:
- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- GITLAB_ROOT_PASSWORD=
- GITLAB_ROOT_EMAIL=
Expand Down
11 changes: 11 additions & 0 deletions docker-compose.swarm.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,17 @@ services:
- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- GITLAB_ROOT_PASSWORD=
- GITLAB_ROOT_EMAIL=
Expand Down
14 changes: 12 additions & 2 deletions docker-compose.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ services:

gitlab:
restart: always
image: sameersbn/gitlab:16.9.1
build: .
depends_on:
- redis
- postgresql
Expand Down Expand Up @@ -63,7 +63,17 @@ services:
- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string

- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- GITLAB_ROOT_PASSWORD=
- GITLAB_ROOT_EMAIL=

Expand Down
11 changes: 11 additions & 0 deletions docs/docker-compose-keycloak.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,17 @@ services:
- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- GITLAB_ROOT_PASSWORD=<root-password>
- GITLAB_ROOT_EMAIL=
Expand Down
11 changes: 11 additions & 0 deletions docs/docker-compose-registry.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,17 @@ services:
- GITLAB_SECRETS_DB_KEY_BASE=secret
- GITLAB_SECRETS_SECRET_KEY_BASE=secret
- GITLAB_SECRETS_OTP_KEY_BASE=secret
- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- GITLAB_REGISTRY_ENABLED=true
- GITLAB_REGISTRY_HOST=registry.example.com
Expand Down
11 changes: 11 additions & 0 deletions docs/docker-swarm-traefik-registry.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,17 @@ You can copy it and set it in the file like:
- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
```
There are several other settings that you might want to configure, like email accounts for notifications, SMTP credentials to send emails, etc.
Expand Down
11 changes: 11 additions & 0 deletions docs/s3_compatible_storage.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,17 @@ services:
- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- GITLAB_ROOT_PASSWORD=
- GITLAB_ROOT_EMAIL=
- GITLAB_NOTIFY_ON_BROKEN_BUILDS=true
Expand Down
120 changes: 13 additions & 107 deletions kubernetes/gitlab-rc.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,111 +14,17 @@ spec:
spec:
containers:
- name: gitlab
image: sameersbn/gitlab:16.9.1
image: bash
command: ["sleep", "10000"]
env:
- name: TZ
value: Asia/Kolkata
- name: GITLAB_TIMEZONE
value: Kolkata

- name: GITLAB_SECRETS_DB_KEY_BASE
value: long-and-random-alpha-numeric-string
- name: GITLAB_SECRETS_SECRET_KEY_BASE
value: long-and-random-alpha-numeric-string
- name: GITLAB_SECRETS_OTP_KEY_BASE
value: long-and-random-alpha-numeric-string

- name: GITLAB_ROOT_PASSWORD
value:
- name: GITLAB_ROOT_EMAIL
value:

- name: GITLAB_HOST
value: git.default.cluster.local
- name: GITLAB_PORT
value: "80"
- name: GITLAB_SSH_PORT
value: "22"

- name: GITLAB_NOTIFY_ON_BROKEN_BUILDS
value: "true"
- name: GITLAB_NOTIFY_PUSHER
value: "false"

- name: GITLAB_BACKUP_SCHEDULE
value: daily
- name: GITLAB_BACKUP_TIME
value: 01:00

- name: DB_TYPE
value: postgres
- name: DB_HOST
value: postgresql
- name: DB_PORT
value: "5432"
- name: DB_USER
value: gitlab
- name: DB_PASS
value: passw0rd
- name: DB_NAME
value: gitlab_production

- name: REDIS_HOST
value: redis
- name: REDIS_PORT
value: "6379"

- name: SMTP_ENABLED
value: "false"
- name: SMTP_DOMAIN
value: www.example.com
- name: SMTP_HOST
value: smtp.gmail.com
- name: SMTP_PORT
value: "587"
- name: SMTP_USER
value: [email protected]
- name: SMTP_PASS
value: password
- name: SMTP_STARTTLS
value: "true"
- name: SMTP_AUTHENTICATION
value: login

- name: IMAP_ENABLED
value: "false"
- name: IMAP_HOST
value: imap.gmail.com
- name: IMAP_PORT
value: "993"
- name: IMAP_USER
value: [email protected]
- name: IMAP_PASS
value: password
- name: IMAP_SSL
value: "true"
- name: IMAP_STARTTLS
value: "false"
ports:
- name: http
containerPort: 80
- name: ssh
containerPort: 22
volumeMounts:
- mountPath: /home/git/data
name: data
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 180
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
timeoutSeconds: 1
volumes:
- name: data
emptyDir: {}
- name: GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY
value: |-
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----

0 comments on commit e08c7b5

Please sign in to comment.