Skip to content

fix: Add geo-psql-password to init-toolbox-secrets in backup cronjob

What does this MR do?

This MR adds the secret to job pods, if users wish to backup their geo secondary clusters via gitlab.toolbox.backups.cron.enabled: true - it should be possible. In a DR use-case this may prove useful.

When running a geo secondary clusters, cronjob backups don't mount geo-psql-password, which is required for init secrets in configure. Backup pod fails with StartError and log:

Writing /srv/gitlab/config/cable.yml
Writing /srv/gitlab/config/database.yml
/var/opt/gitlab/templates/database.yml.erb:55:in `read': No such file or directory @ rb_sysopen - /etc/gitlab/postgres/geo-psql-password (Errno::ENOENT)
	from /var/opt/gitlab/templates/database.yml.erb:55:in `<main>'

Tested via enabling

global:
  geo:
    role: secondary
gitlab:
  toolbox:
    backups:
      cron:
        enabled: true

helm template . -f new-values results in

apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: release-name-toolbox-backup
spec:
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          initContainers:
          volumes:
            - name: init-toolbox-secrets
              projected:
                defaultMode: 0400
                sources:
                ...
                - secret:
                    name: "gitlab.gitlab-db.credentials"
                    items:
                      - key: "password"
                        path: postgres/psql-password-main
                - secret:
                    name: "gitlab.gitlab-geo-tracking-db.credentials"
                    items:
                      - key: "password"
                        path: postgres/geo-psql-password
                ...

Related issues

N/A

Author checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Merge Request Title and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • When ready for review, follow the instructions in the "Reviewer Roulette" section of the Danger Bot MR comment, as per the Distribution experimental MR workflow

Expected (please provide an explanation if not completing)

  • [tested locally] Test plan indicating conditions for success has been posted and passes
  • [n/a] Documentation created/updated
  • [n/a] Tests added/updated
  • [n/a] Integration tests added to GitLab QA
  • [n/a] Equivalent MR/issue for omnibus-gitlab opened
  • [n/a] Equivalent MR/issue for Gitlab Operator project opened (see Operator documentation on impact of Charts changes)
  • [n/a] Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by Deniss Lapcenko

Merge request reports