Registry: use secret from redis cache configuration

Jaime Martinez requested to merge registry-redis-use-correct-secret into master

What does this MR do?

We are currently testing the integration between the Container Registry and Redis in pre as part of [pre] Enable Redis metadata caching for Contain... (gitlab-com/gl-infra/scalability#1862 - closed).

It was recently discovered that the secret used for the password was the one used for the Redis instance GitLab Rails uses. While this might be ok for installations with one Redis host, it doesn't allow setting another password for a different Redis instance that is only used by the Registry, as it was found in gitlab-com/gl-infra/scalability#1862 (comment 1102257338).

This MR allows overriding the secret name and key if present in the registry.redis.cache configuration with whatever value is set. It still defaults to the gitlab.redis.secret if the password is enabled but no secret is defined.

Testing

Using gitlab.redis.password.secret:

Contents of values.yaml

    registry:
      database:
        enabled: true
      redis:
        cache:
          enabled: true
          password:
            enabled: true

  1. Wait for the deployment and shell into the registry.
  2. Cat the config file from the registry:

     cat /etc/docker/registry/config.yml

And ensure the redis.cache.password matches the expected secret, in this case `gitlab-redis-secret`:

    k get secrets gitlab-redis-secret -o jsonpath="{.data.secret}" | base64 --decode

Using a custom secret:

  1. Create a new secret, for example:

     kubectl create secret generic my-custom-redis-pass \
       --from-literal=password='thisisacustompassword'

  2. Replace the secret and key with the custom secret name in your values.yaml file

     registry:
       database:
         enabled: true
       redis:
         cache:
           enabled: true
           password:
             enabled: true
             secret: "my-custom-redis-pass"
             key: password

  3. Trigger deployment and check that passwords match inside the registry's config file in the container

     tail -5 /etc/docker/registry/config.yml
     redis:
       cache:
         enabled: true
         addr: "gitlab-redis-master.default.svc:6379"
         password: "thisisacustompassword"

And

    k get secrets my-custom-redis-pass -o jsonpath="{.data.password}" | base64 --decode
    thisisacustompassword%

Related issues

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Merge Request Title and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Tests added
  • Integration tests added to GitLab QA
  • Equivalent MR/issue for omnibus-gitlab opened
Edited by John Skarbek
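
The test plan in the description compares the rendered `redis.cache.password` with the Kubernetes secret by eye, which puts the password on the terminal twice. The script below is an added example, not part of the MR or the chart: it does the same comparison and reports only match or mismatch. The function names are hypothetical and the sample config is constructed from the output shown in the description.

```shell
#!/bin/sh
# Added example (not from the MR). Function names are hypothetical.

# Print redis.cache.password from a rendered registry config.yml.
registry_cache_password() {
  awk '
    /^[^ #]/           { redis = ($1 == "redis:"); cache = 0; next }
    redis && /^  [^ ]/ { cache = ($1 == "cache:"); next }
    redis && cache && $1 == "password:" {
      sub(/^ *password: */, ""); gsub(/^"|"$/, ""); print; exit
    }
  ' "$1"
}

# 0 = config matches the secret, 1 = mismatch, 2 = no password or bad base64.
# $1: path to config.yml, $2: base64 value as stored in the secret's .data
redis_cache_password_matches() {
  rendered=$(registry_cache_password "$1")
  [ -n "$rendered" ] || return 2
  expected=$(printf '%s' "$2" | base64 --decode) || return 2
  [ "$rendered" = "$expected" ]
}

# Constructed sample mirroring the config tail shown in the MR.
sample=$(mktemp)
cat > "$sample" <<'EOF'
redis:
  cache:
    enabled: true
    addr: "gitlab-redis-master.default.svc:6379"
    password: "thisisacustompassword"
EOF
sample_b64=$(printf '%s' 'thisisacustompassword' | base64)

if redis_cache_password_matches "$sample" "$sample_b64"; then
  echo "OK: registry uses the expected Redis secret"
else
  echo "FAIL: password missing or taken from a different secret" >&2
fi
rm -f "$sample"
```

Against a real deployment, pass a copy of `/etc/docker/registry/config.yml` as the first argument and the output of `kubectl get secrets my-custom-redis-pass -o jsonpath="{.data.password}"` as the second.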