diff --git a/README.md b/README.md
index 066d33dcd5..496560ae57 100644
--- a/README.md
+++ b/README.md
@@ -156,6 +156,10 @@ Generate random strings that are at least `64` characters long for each of `GITL
 > **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`.
+Also, you have to generate a RSA private key for `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY`. This value is used for the signing key for OpenID Connect.
+
+> **Tip**: You can generate one using `openssl genrsa -out - 2048` and assign it as the value of `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY`.
+
 Start GitLab using:
 ```bash
@@ -839,6 +843,10 @@ Encryption key for session secrets. Ensure that your key is at least 64 characte
 Encryption key for OTP related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults.
+##### `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY`
+
+ The signing key for OpenID Connect. **If you lose or change this secret, things like 2FA, settings and internal stuff will stop working for all users.** You can generate one using `openssl genrsa -out - 2048`. No defaults.
+
 ##### `GITLAB_TIMEZONE`
 Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For settings the container timezone which will effect cron, see variable `TZ` 
@@ -2668,6 +2676,7 @@ Replace `x.x.x` with the version you are upgrading from. For example, if you are
 > **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image.
 > **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.
+> **Note**: Since GitLab `16.0.0` you need to provide the `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY` parameter while starting the image. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.
 ```bash
 docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:16.9.1
diff --git a/assets/runtime/config/gitlabhq/secrets.yml b/assets/runtime/config/gitlabhq/secrets.yml
index 769d956a29..be9f4750e6 100644
--- a/assets/runtime/config/gitlabhq/secrets.yml
+++ b/assets/runtime/config/gitlabhq/secrets.yml
@@ -6,6 +6,7 @@ production:
 db_key_base: {{GITLAB_SECRETS_DB_KEY_BASE}}
 secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}}
 otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}}
+ openid_connect_signing_key: {{GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY}}
 development:
 db_key_base: development
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 4c0a529f2f..c5cc408e8c 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
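Review bot: `openid_connect_signing_key: {{GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY}}` substitutes a multi-line PEM into a plain YAML scalar, which only yields a parseable secrets.yml if `update_template` (not in this diff) re-indents every line after the first; a line-oriented sed replacement would leave the second PEM line at column 0 under `production:` and break the whole file. Either make the template a block scalar, `openid_connect_signing_key: |`, with the substituted PEM indented two spaces deeper, or confirm in the entrypoint that the value is rewritten into that shape before templating. A short comment above the key, `# PEM RSA private key used to sign OpenID Connect ID tokens; generate per deployment`, would also stop readers treating it like the random `*_key_base` strings above it.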
@@ -254,6 +254,7 @@ GITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com}
 GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-}
 GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-}
 GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-}
+GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=${GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY:-}
 GITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true}
 GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 42ce83b9be..bdd495991d 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -858,7 +858,8 @@ gitlab_configure_secrets() {
 update_template ${GITLAB_SECRETS_CONFIG} \
 GITLAB_SECRETS_DB_KEY_BASE \
 GITLAB_SECRETS_SECRET_KEY_BASE \
- GITLAB_SECRETS_OTP_KEY_BASE
+ GITLAB_SECRETS_OTP_KEY_BASE \
+ GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY
 local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
 if [[ ! -f "${shell_secret}" ]]; then
diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml
index 23c6fcf4af..79e410c7a3 100644
--- a/contrib/docker-swarm/docker-compose.yml
+++ b/contrib/docker-swarm/docker-compose.yml
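Review bot: `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY` is appended to the `update_template` call with no validation, while env-defaults (previous hunk) defaults it to empty, so a container started without it silently renders an empty `openid_connect_signing_key:` and the README's "you need to provide" note is not enforced. If `gitlab_configure_secrets` already guards the other three secrets before this call (its start is outside the hunk), give this one the same treatment, and additionally check that the value parses as an RSA private key so a mangled multi-line env value fails at start-up rather than at the first OIDC login: `printf '%s\n' "${GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY}" | openssl rsa -check -noout >/dev/null 2>&1 || { echo "ERROR: GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY is not a valid RSA private key" >&2; return 1; }`. The existing `${GITLAB_SECRETS_CONFIG}` argument is unquoted; harmless for the current path but `"${GITLAB_SECRETS_CONFIG}"` is the safer form while this line is being touched.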
@@ -61,6 +61,17 @@ services:
 - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+ - |-
+ GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
+ KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
+ o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
+ TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
+ 9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
+ v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
+ /5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
+ -----END RSA PRIVATE KEY-----
 - GITLAB_ROOT_PASSWORD=
 - GITLAB_ROOT_EMAIL=
diff --git a/docker-compose.swarm.yml b/docker-compose.swarm.yml
index cf7824a678..9b8faff733 100644
--- a/docker-compose.swarm.yml
+++ b/docker-compose.swarm.yml
@@ -123,6 +123,17 @@ services:
 - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+ - |-
+ GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
+ KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
+ o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
+ TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
+ 9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
+ v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
+ /5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
+ -----END RSA PRIVATE KEY-----
 - GITLAB_ROOT_PASSWORD=
 - GITLAB_ROOT_EMAIL=
diff --git a/docker-compose.yml b/docker-compose.yml
index 303c830f01..24e700980c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
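Review bot: The value added under `- |-` is a real, parseable RSA private key checked into a public example, so anyone who copies this stack as-is (which the sibling `long-and-random-alphanumeric-string` placeholders encourage) signs OpenID Connect ID tokens with a key the whole internet can read, and whoever holds it can mint tokens that relying parties trusting this GitLab will accept. It is also a weak key: the DER prefix `MIIBOgIBAAJBA…` decodes to a 65-byte modulus INTEGER, i.e. 512-bit RSA, which is factorable on commodity hardware and contradicts the `openssl genrsa -out - 2048` instruction this same change adds to the README. Replace the key body with an obviously invalid placeholder that still demonstrates the block-scalar shape, e.g. `-----BEGIN RSA PRIVATE KEY-----` / `<paste the output of openssl genrsa 2048 here>` / `-----END RSA PRIVATE KEY-----`, and state in a comment above it that each deployment must generate its own. If this key was ever used on a live instance it should be treated as compromised and rotated.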
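Review bot: docker-compose.swarm.yml inlines the same literal private key as a plain environment entry, which in a Swarm stack is the one place it should not live: environment values are readable by anyone who can run `docker inspect` on the service or its tasks, whereas Swarm already offers `secrets:` delivered as files under `/run/secrets/`. If the image does not yet support reading the key from a file, at least ship a placeholder here rather than a working key, e.g. `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=` followed by `<output of openssl genrsa 2048>` between the BEGIN/END lines. The value as committed is also only 512-bit (`MIIBOgIBAAJBA…` encodes a 64-byte modulus), so even a reader who keeps it "because it works" gets a key far below the 2048-bit tip in the README.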
@@ -22,7 +22,7 @@ services:
 gitlab:
 restart: always
- image: sameersbn/gitlab:16.9.1
+ build: .
 depends_on:
 - redis
 - postgresql
@@ -63,7 +63,17 @@ services:
 - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
-
+ - |-
+ GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
+ KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
+ o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
+ TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
+ 9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
+ v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
+ /5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
+ -----END RSA PRIVATE KEY-----
 - GITLAB_ROOT_PASSWORD=
 - GITLAB_ROOT_EMAIL=
diff --git a/docs/docker-compose-keycloak.yml b/docs/docker-compose-keycloak.yml
index 2f8cd4cded..f5417fad2a 100644
--- a/docs/docker-compose-keycloak.yml
+++ b/docs/docker-compose-keycloak.yml
@@ -57,6 +57,17 @@ services:
 - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+ - |-
+ GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
+ KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
+ o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
+ TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
+ 9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
+ v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
+ /5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
+ -----END RSA PRIVATE KEY-----
 - GITLAB_ROOT_PASSWORD=
 - GITLAB_ROOT_EMAIL=
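Review bot: Swapping `image: sameersbn/gitlab:16.9.1` for `build: .` in the top-level docker-compose.yml looks like a local testing change that leaked into the commit: the quick-start file now requires cloning the repository and building the full GitLab image locally instead of pulling the pinned, published tag, while the README's `docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:16.9.1` line in this same diff still points readers at the image. Unless a move to building from source is intended and documented, restore `    image: sameersbn/gitlab:16.9.1`.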
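Review bot: The example under `- |-` is a genuine, and only 512-bit (per the `MIIBOgIBAAJBA…` DER prefix), RSA private key; anyone who starts from this compose file without replacing it runs an OIDC provider whose signing key is public, so it should be a placeholder like the `long-and-random-alphanumeric-string` values right above it, e.g. the BEGIN/END lines around `<paste the output of openssl genrsa 2048 here>`. Note also that `openssl genrsa` on OpenSSL 3 emits a PKCS#8 `-----BEGIN PRIVATE KEY-----` block by default rather than the PKCS#1 `-----BEGIN RSA PRIVATE KEY-----` shown here; if GitLab accepts both that is fine, but the example and the README tip should agree, otherwise add `-traditional` to the tip. The blank line removed before `- GITLAB_ROOT_PASSWORD=` also drops the visual grouping the other compose files keep.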
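Review bot: docs/docker-compose-keycloak.yml commits the same working 512-bit RSA private key verbatim, and an integration walkthrough is exactly the file readers copy wholesale, after which the GitLab side signs ID tokens with a key published on GitHub. Use a non-functional placeholder between the BEGIN/END lines, for instance `<paste the output of openssl genrsa 2048 here>`, and put a YAML comment directly above `- |-`, `# generate your own key; never reuse an example key`, so the intent survives copy-paste.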
diff --git a/docs/docker-compose-registry.yml b/docs/docker-compose-registry.yml
index 41dc8e75bf..eab708befb 100644
--- a/docs/docker-compose-registry.yml
+++ b/docs/docker-compose-registry.yml
@@ -58,6 +58,17 @@ services:
 - GITLAB_SECRETS_DB_KEY_BASE=secret
 - GITLAB_SECRETS_SECRET_KEY_BASE=secret
 - GITLAB_SECRETS_OTP_KEY_BASE=secret
+ - |-
+ GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
+ KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
+ o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
+ TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
+ 9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
+ v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
+ /5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
+ -----END RSA PRIVATE KEY-----
 - GITLAB_REGISTRY_ENABLED=true
 - GITLAB_REGISTRY_HOST=registry.example.com
diff --git a/docs/docker-swarm-traefik-registry.md b/docs/docker-swarm-traefik-registry.md
index 7f941efba0..690251e717 100644
--- a/docs/docker-swarm-traefik-registry.md
+++ b/docs/docker-swarm-traefik-registry.md
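Review bot: This file uses `secret` as the placeholder for the three `*_KEY_BASE` values but then pastes a real 512-bit RSA private key for `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY`, so the one value that must be unique per deployment is the only one a reader can copy unchanged and have "work". Keep the placeholder convention: put `<paste the output of openssl genrsa 2048 here>` between the BEGIN/END lines, or drop the PEM body and keep only the shape. Environment entries in a compose file also surface through `docker compose config` and `docker inspect`, so the docs should steer towards a per-install generated value rather than a literal.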
@@ -151,6 +151,17 @@ You can copy it and set it in the file like:
 - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+- |-
+ GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
+ KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
+ o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
+ TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
+ 9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
+ v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
+ /5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
+ -----END RSA PRIVATE KEY-----
 ```
 There are several other settings that you might want to configure, like email accounts for notifications, SMTP credentials to send emails, etc.
diff --git a/docs/s3_compatible_storage.md b/docs/s3_compatible_storage.md
index b6e9f3db8b..ef0986e437 100644
--- a/docs/s3_compatible_storage.md
+++ b/docs/s3_compatible_storage.md
@@ -122,6 +122,17 @@ services:
 - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
 - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+ - |-
+ GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
+ KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
+ o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
+ TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
+ 9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
+ v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
+ /5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
+ -----END RSA PRIVATE KEY-----
 - GITLAB_ROOT_PASSWORD=
 - GITLAB_ROOT_EMAIL=
 - GITLAB_NOTIFY_ON_BROKEN_BUILDS=true
diff --git a/kubernetes/gitlab-rc.yml b/kubernetes/gitlab-rc.yml
index 40ac42da98..4453aa0cae 100644
--- a/kubernetes/gitlab-rc.yml
+++ b/kubernetes/gitlab-rc.yml
@@ -14,111 +14,17 @@ spec:
 spec:
 containers:
 - name: gitlab
- image: sameersbn/gitlab:16.9.1
+ image: bash
+ command: ["sleep", "10000"]
 env:
- - name: TZ
- value: Asia/Kolkata
- - name: GITLAB_TIMEZONE
- value: Kolkata
-
- - name: GITLAB_SECRETS_DB_KEY_BASE
- value: long-and-random-alpha-numeric-string
- - name: GITLAB_SECRETS_SECRET_KEY_BASE
- value: long-and-random-alpha-numeric-string
- - name: GITLAB_SECRETS_OTP_KEY_BASE
- value: long-and-random-alpha-numeric-string
-
- - name: GITLAB_ROOT_PASSWORD
- value:
- - name: GITLAB_ROOT_EMAIL
- value:
-
- - name: GITLAB_HOST
- value: git.default.cluster.local
- - name: GITLAB_PORT
- value: "80"
- - name: GITLAB_SSH_PORT
- value: "22"
-
- - name: GITLAB_NOTIFY_ON_BROKEN_BUILDS
- value: "true"
- - name: GITLAB_NOTIFY_PUSHER
- value: "false"
-
- - name: GITLAB_BACKUP_SCHEDULE
- value: daily
- - name: GITLAB_BACKUP_TIME
- value: 01:00
-
- - name: DB_TYPE
- value: postgres
- - name: DB_HOST
- value: postgresql
- - name: DB_PORT
- value: "5432"
- - name: DB_USER
- value: gitlab
- - name: DB_PASS
- value: passw0rd
- - name: DB_NAME
- value: gitlab_production
-
- - name: REDIS_HOST
- value: redis
- - name: REDIS_PORT
- value: "6379"
-
- - name: SMTP_ENABLED
- value: "false"
- - name: SMTP_DOMAIN
- value: www.example.com
- - name: SMTP_HOST
- value: smtp.gmail.com
- - name: SMTP_PORT
- value: "587"
- - name: SMTP_USER
- value: mailer@example.com
- - name: SMTP_PASS
- value: password
- - name: SMTP_STARTTLS
- value: "true"
- - name: SMTP_AUTHENTICATION
- value: login
-
- - name: IMAP_ENABLED
- value: "false"
- - name: IMAP_HOST
- value: imap.gmail.com
- - name: IMAP_PORT
- value: "993"
- - name: IMAP_USER
- value: mailer@example.com
- - name: IMAP_PASS
- value: password
- - name: IMAP_SSL
- value: "true"
- - name: IMAP_STARTTLS
- value: "false"
- ports:
- - name: http
- containerPort: 80
- - name: ssh
- containerPort: 22
- volumeMounts:
- - mountPath: /home/git/data
- name: data
- livenessProbe:
- httpGet:
- path: /
- port: 80
- initialDelaySeconds: 180
- timeoutSeconds: 5
- readinessProbe:
- httpGet:
- path: /
- port: 80
- initialDelaySeconds: 5
- timeoutSeconds: 1
- volumes:
- - name: data
- emptyDir: {}
+ - name: GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY
+ value: |-
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
+ KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
+ o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
+ TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
+ 9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
+ v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
+ /5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
+ -----END RSA PRIVATE KEY-----
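Review bot: The new side of kubernetes/gitlab-rc.yml no longer runs GitLab at all: `image: sameersbn/gitlab:16.9.1` becomes `image: bash` with `command: ["sleep", "10000"]`, and every environment variable, the container ports, the data volume and mount, and both probes are deleted, leaving only the signing key under `env:`. That reads as a scratch pod used to check how a multi-line value survives as an environment variable and should not be committed; restore the original manifest and add the new variable beside the other `GITLAB_SECRETS_*` entries. When it is added, do not paste a literal key as `value:` (the one here is a public, 512-bit key), but reference a Kubernetes Secret so the PEM never lives in the manifest, along the lines of the snippet below.
```yaml
# … unchanged: existing GITLAB_SECRETS_* env entries …
- name: GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY
  valueFrom:
    secretKeyRef:
      name: gitlab-secrets
      key: openid_connect_signing_key
```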