feat: add support for Sentinel passwords in registry
What does this MR do?
The sentinelpassword config option was added in v4.4.0-gitlab in gitlab-org/container-registry!1642 (merged). This commit populates that field in the config file to support it using the global global.redis.sentinelAuth config. In addition, local registry.redis.sentinelpassword fields can be specified as well.
This commit converts the configuration files into Gomplate-rendered files to avoid having to run sed to replace placeholders for the Sentinel password. Existing sed calls have not been touched; that should be refactored later.
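The reason the Sentinel password is a separate setting from the Redis password: a Sentinel started with requirepass (as in the test deployment further down) refuses the SENTINEL get-master-addr-by-name discovery command until the client has sent AUTH with the Sentinel's own password, and only after discovery does the client authenticate to the Redis master with the Redis password. The following is an added example, not code from this MR, the chart or the registry, that shows that exchange from both sides against a constructed in-process mock Sentinel. The RESP wire format and the NOAUTH/WRONGPASS reply codes are real Redis behaviour; the password, master address and the mock server itself are made up.

```python
"""Sentinel discovery with a Sentinel-side password (requirepass).

Added example with a constructed mock Sentinel; not the registry's or the
chart's code. Only the RESP framing and the reply codes are real.
"""
import socket
import threading

SENTINEL_PASSWORD = "my-sentinel-password"   # constructed, same value as the MR's test secret
MASTER_ADDR = ("10.0.0.5", "6379")           # constructed master address the mock announces


def encode_command(*args):
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    out = [f"*{len(args)}\r\n".encode()]
    for a in args:
        b = a.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(out)


def read_reply(f):
    """Parse one RESP value: simple string, error, integer, bulk string or array."""
    line = f.readline()
    if not line:
        raise ConnectionError("connection closed")
    kind, body = line[:1], line[1:-2].decode()
    if kind == b"+":
        return body
    if kind == b"-":
        raise RuntimeError(body)          # e.g. "NOAUTH ..." or "WRONGPASS ..."
    if kind == b":":
        return int(body)
    if kind == b"$":
        n = int(body)
        return None if n < 0 else f.read(n + 2)[:-2].decode()
    if kind == b"*":
        return [read_reply(f) for _ in range(int(body))]
    raise ValueError(f"unexpected RESP prefix {kind!r}")


def discover_master(host, port, mainname, sentinel_password=None):
    """Client side: AUTH to the Sentinel (the MR's sentinelpassword), then ask
    which host:port is the current master.  The Redis password (the MR's
    password field) is only used afterwards, against that master."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")
        if sentinel_password is not None:
            s.sendall(encode_command("AUTH", sentinel_password))
            read_reply(f)                 # raises RuntimeError on WRONGPASS
        s.sendall(encode_command("SENTINEL", "get-master-addr-by-name", mainname))
        addr = read_reply(f)              # raises NOAUTH if requirepass is set and AUTH was skipped
        return addr[0], int(addr[1])


def _serve_one(conn, requirepass):
    """Server side of the mock: enforce requirepass the way Sentinel does."""
    f = conn.makefile("rb")
    authed = requirepass is None
    try:
        while True:
            try:
                cmd = read_reply(f)       # client commands are RESP arrays too
            except ConnectionError:
                return
            name = cmd[0].upper()
            if name == "AUTH":
                if cmd[-1] == requirepass:
                    authed = True
                    conn.sendall(b"+OK\r\n")
                else:
                    conn.sendall(b"-WRONGPASS invalid username-password pair\r\n")
            elif not authed:
                conn.sendall(b"-NOAUTH Authentication required.\r\n")
            elif name == "SENTINEL" and cmd[1].lower() == "get-master-addr-by-name":
                h, p = (x.encode() for x in MASTER_ADDR)
                conn.sendall(b"*2\r\n$%d\r\n%s\r\n$%d\r\n%s\r\n" % (len(h), h, len(p), p))
            else:
                conn.sendall(b"-ERR unknown command\r\n")
    finally:
        conn.close()


def start_mock_sentinel(requirepass):
    """Start the constructed mock Sentinel on a loopback port; returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_serve_one, args=(conn, requirepass), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def demo():
    """Run discovery with the right password, no password and a wrong password."""
    host, port = start_mock_sentinel(SENTINEL_PASSWORD)
    results = {"with_password": discover_master(host, port, "mymaster", SENTINEL_PASSWORD)}
    for label, pw in (("no_password", None), ("wrong_password", "not-the-password")):
        try:
            discover_master(host, port, "mymaster", pw)
            results[label] = "unexpected success"
        except RuntimeError as e:
            results[label] = e.args[0].split()[0]   # the reply's error code
    return results


if __name__ == "__main__":
    print(demo())
```

Running it prints a master address for the authenticated attempt, NOAUTH for the attempt that skipped AUTH, and WRONGPASS for a bad Sentinel password; a registry pod whose rendered config lacks sentinelpassword fails in exactly the first of those two ways, which is the symptom to look for in its logs.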
Related issues
Testing
I created a separate Redis and Redis Sentinel deployment:
redis-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
        - name: redis
          image: redis:latest
          ports:
            - containerPort: 6379
          env:
            - name: REDIS_PASSWORD
              value: "<password from gitlab-redis-secret secret>"
          command:
            - sh
            - -c
            - |
              echo "user default on >${REDIS_PASSWORD} ~* +@all allchannels" > /tmp/redis.conf
              redis-server /tmp/redis.conf
---
apiVersion: v1
kind: Service
metadata:
  name: redis
spec:
  ports:
    - port: 6379
      targetPort: 6379
  selector:
    app: redis
sentinel-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-sentinel
spec:
  replicas: 1
  selector:
    matchLabels:
      app: redis-sentinel
  template:
    metadata:
      labels:
        app: redis-sentinel
    spec:
      containers:
        - name: redis-sentinel
          image: bitnami/redis-sentinel:latest
          ports:
            - containerPort: 26379
          env:
            - name: REDIS_PASSWORD
              value: "<password from gitlab-redis-secret secret>"
            - name: SENTINEL_PASSWORD
              value: "my-sentinel-password"
          command:
            - sh
            - -c
            - |
              echo "Starting Redis Sentinel..."
              cat <<EOF > /opt/bitnami/redis-sentinel/etc/sentinel.conf
              sentinel monitor mymaster redis.default.svc.cluster.local 6379 2
              sentinel auth-pass mymaster ${REDIS_PASSWORD}
              sentinel resolve-hostnames yes
              requirepass ${SENTINEL_PASSWORD}
              EOF
              redis-sentinel /opt/bitnami/redis-sentinel/etc/sentinel.conf
---
apiVersion: v1
kind: Service
metadata:
  name: redis-sentinel
spec:
  ports:
    - port: 26379
      targetPort: 26379
  selector:
    app: redis-sentinel
Then I ran:
kubectl apply -f redis-deployment.yaml
kubectl apply -f sentinel-deployment.yaml
In values.yaml, I updated this:
global:
  redis:
    auth:
      enabled: true
      # secret:
      # key:
    host: mymaster
    # port: 6379
    # user: webservice
    sentinels:
      - host: 'redis-sentinel.default.svc.cluster.local'
        port: 26379
    sentinelAuth:
      enabled: true
      secret: gitlab-redis-sentinel-secret
      key: password
registry:
  enabled: true
  database:
    enabled: true
    name: registry
    user: registry
    password:
      secret: gitlab-registry-database-password
      key: password
    sslmode: allow
    migrations:
      enabled: true
  redis:
    cache:
      enabled: true
      password:
        enabled: true
        secret: gitlab-redis-secret
gitlab-registry-database-password needs to be set as per https://docs.gitlab.com/charts/charts/registry/metadata_database.html#create-the-database
Then I created a secret:
kubectl create secret generic gitlab-redis-sentinel-secret --from-literal=password=my-sentinel-password
Author checklist
For general guidance, please follow our Contributing guide.
Required
For anything in this list which will not be completed, please provide a reason in the MR discussion.
- Merge Request Title and Description are up to date, accurate, and descriptive.
- MR targeting the appropriate branch.
- MR has a green pipeline.
- Documentation created/updated.
- Tests added/updated, and test plan for scenarios not covered by automated tests.
- Equivalent MR/issue for omnibus-gitlab opened. This is blocked on gitlab-org/omnibus-gitlab#5640 (closed).
Reviewers checklist
- MR has a green pipeline on https://gitlab.com/gitlab-org/charts/gitlab.
- Consider downstream impact to the Operator, as per evaluating impact from changes to GitLab Chart.