Commit 7afd808a authored by Vic Iglesias's avatar Vic Iglesias Committed by DJ Mountney

Updates per feedback

Updates per MR feedback
- content of changelog
- move mailroom `configure` script to use template
parent 42153b34
---
title: Allow use of password-less Redis services (external)
merge_request: 665
author: Vic Iglesias
type: added
......@@ -9,10 +9,13 @@ metadata:
data:
configure: |
set -e
mkdir -p /init-secrets/redis /init-secrets/gitaly /init-secrets/shell
mkdir -p /init-secrets/gitaly /init-secrets/shell
cp /init-config/.gitlab_shell_secret /init-secrets/shell/.gitlab_shell_secret
cp /init-config/gitaly_token /init-secrets/gitaly/gitaly_token
{{- if .Values.global.redis.password.enabled }}
mkdir -p /init-secrets/redis
cp /init-config/redis_password /init-secrets/redis/redis_password
{{- end }}
config.toml.erb: |
# The directory where Gitaly's executables are stored
bin_dir = "/usr/local/bin"
......@@ -59,7 +62,9 @@ data:
redis:
host: {{ template "gitlab.redis.host" . }}
port: {{ template "gitlab.redis.port" . }}
{{- if .Values.global.redis.password.enabled }}
pass: "<%= File.read("/etc/gitlab-secrets/redis/redis_password") %>"
{{- end }}
database: nil
namespace: resque:gitlab
......
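Review bot: The added `pass: "<%= File.read("/etc/gitlab-secrets/redis/redis_password") %>"` line inlines the secret file verbatim into a YAML double-quoted scalar, so a `"` or `\` in the password, or a trailing newline if the secret was created from a file, would corrupt the rendered `config.yml`. The chart-generated password comes from `gen_random 'a-zA-Z0-9' 64` in the shared-secrets hunk and is safe, but an operator-supplied secret for an external Redis, which is this commit's use case, is not constrained. At minimum read it as `pass: "<%= File.read("/etc/gitlab-secrets/redis/redis_password").chomp %>"` and state in the Redis documentation which characters the password may not contain; the same applies to the gitlab-shell `pass:` line in its configmap hunk and to the `Password = "<%= File.read("/etc/gitlab/redis/password") %>"` TOML line in the unicorn configmap hunk. The enclosing `configure` and `config.yml` block scalars start outside these hunks.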
......@@ -148,11 +148,13 @@ spec:
items:
- key: {{ template "gitlab.gitlab-shell.authToken.key" . }}
path: ".gitlab_shell_secret"
{{- if .Values.global.redis.password.enabled }}
- secret:
name: {{ template "gitlab.redis.password.secret" . }}
items:
- key: {{ template "gitlab.redis.password.key" . }}
path: redis_password
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
......
......@@ -8,7 +8,7 @@ metadata:
{{ include "gitlab.standardLabels" . | indent 4 }}
data:
configure: |
{{- include "gitlab.scripts.configure.secrets" (dict "required" "redis shell" ) | nindent 4 -}}
{{- include "gitlab.scripts.configure.secrets" (dict "required" "shell" ) | nindent 4 -}}
mkdir -p /${secret_dir}/ssh
cp /${config_dir}/ssh_host_* /${secret_dir}/ssh/
chmod 0400 /${secret_dir}/ssh/ssh_host_*
......@@ -31,7 +31,9 @@ data:
redis:
host: {{ template "gitlab.redis.host" . }}
port: {{ template "gitlab.redis.port" . }}
{{- if .Values.global.redis.password.enabled }}
pass: "<%= File.read("/etc/gitlab-secrets/redis/password") %>"
{{- end }}
database: nil
namespace: resque:gitlab
......
......@@ -121,11 +121,13 @@ spec:
items:
- key: {{ template "gitlab.gitlab-shell.authToken.key" . }}
path: shell/.gitlab_shell_secret
{{- if .Values.global.redis.password.enabled }}
- secret:
name: {{ template "gitlab.redis.password.secret" . }}
items:
- key: {{ template "gitlab.redis.password.key" . }}
path: redis/password
{{- end }}
# Actual config dirs that will be used in the container
- name: shell-secrets
emptyDir:
......
......@@ -29,12 +29,9 @@ data:
:worker: EmailReceiverWorker
:arbitration_method: redis
:arbitration_options:
:redis_url: {{ template "gitlab.redis.scheme" . }}://:<%= File.read("/etc/gitlab/redis/password") %>@{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
:redis_url: {{ template "gitlab.redis.url" . }}
:namespace: mail_room:gitlab
configure: |
set -e
mkdir -p /init-secrets/redis /init-secrets/mailroom
cp /init-config/redis/password /init-secrets/redis/password
cp /init-config/mailroom/password /init-secrets/mailroom/password
{{- include "gitlab.scripts.configure.secrets" (dict "required" "mailroom" "optional" "redis") | nindent 4 }}
# Leave this here - This line denotes end of block to the parser.
{{- end }}
......@@ -106,11 +106,13 @@ spec:
projected:
defaultMode: 0400
sources:
{{- if .Values.global.redis.password.enabled }}
- secret:
name: {{ template "gitlab.redis.password.secret" . }}
items:
- key: {{ template "gitlab.redis.password.key" . }}
path: redis/password
{{- end }}
- secret:
name: {{ .Values.global.appConfig.incomingEmail.password.secret | required "Missing required secret containing the IMAP password for incoming email. Make sure to set `global.appConfig.incomingEmail.password.secret`" }}
items:
......
......@@ -96,11 +96,13 @@ spec:
items:
- key: {{ template "gitlab.gitaly.authToken.key" . }}
path: gitaly/gitaly_token
{{- if .Values.global.redis.password.enabled }}
- secret:
name: {{ template "gitlab.redis.password.secret" . }}
items:
- key: {{ template "gitlab.redis.password.key" . }}
path: redis/password
{{- end }}
- secret:
name: {{ template "gitlab.psql.password.secret" . }}
items:
......
......@@ -25,7 +25,7 @@ data:
resque.yml.erb: |
production:
# Redis (single instance)
url: {{ template "gitlab.redis.scheme" . }}://:<%= File.read("/etc/gitlab/redis/password") %>@{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
url: {{ template "gitlab.redis.url" . }}
id:
gitlab.yml.erb: |
production: &base
......@@ -33,7 +33,7 @@ data:
{{ include "gitlab.appConfig.gitaly" . | indent 6 }}
{{ include "gitlab.appConfig.repositories" . | indent 6 }}
configure: |
{{- include "gitlab.scripts.configure.secrets" (dict "required" "redis postgres rails-secrets migrations gitaly" "optional" "nil") | nindent 4 -}}
{{- include "gitlab.scripts.configure.secrets" (dict "required" "postgres rails-secrets migrations gitaly") | nindent 4 -}}
{{- include "gitlab.psql.ssl.initScript" . | nindent 4 }}
{{- if .Values.global.operator.enabled }}
---
......
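Review bot: The migrations `configure` line `{{- include "gitlab.scripts.configure.secrets" (dict "required" "postgres rails-secrets migrations gitaly") | nindent 4 -}}` drops the previous `"optional" "nil"`, so the call now falls through to the helper's default optional list (`redis minio objectstorage ldap omniauth smtp` in the `_configure.tpl` hunk) instead of copying no optional secrets. Those extra entries are skipped unless `/init-config/<name>` exists, so this is probably harmless, but it is a silent behaviour change beyond the Redis toggle. Passing `"optional" "redis"` explicitly, as the mailroom configmap hunk does, would keep the previous intent visible at the call site. The `configure` block scalar continues past the end of the hunk.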
......@@ -29,7 +29,7 @@ data:
resque.yml.erb: |
production:
# Redis (single instance)
url: {{ template "gitlab.redis.scheme" . }}://:<%= File.read("/etc/gitlab/redis/password") %>@{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
url: {{ template "gitlab.redis.url" . }}
id:
gitlab.yml.erb: |
production: &base
......@@ -105,7 +105,7 @@ data:
port: {{ .Values.metrics.port }}
{{- end }}
configure: |
{{- include "gitlab.scripts.configure.secrets" (dict "required" "redis gitaly registry postgres rails-secrets" ) | nindent 4 -}}
{{- include "gitlab.scripts.configure.secrets" (dict "required" "gitaly registry postgres rails-secrets") | nindent 4 -}}
{{- include "gitlab.psql.ssl.initScript" . | nindent 4 }}
# Leave this here - This line denotes end of block to the parser.
{{- end }}
......@@ -239,11 +239,13 @@ spec:
items:
- key: {{ $gitalyKey }}
path: gitaly/gitaly_token
{{- if $.Values.global.redis.password.enabled }}
- secret:
name: {{ $redisSecret }}
items:
- key: {{ $redisKey }}
path: redis/password
{{- end }}
- secret:
name: {{ template "gitlab.psql.password.secret" $ }}
items:
......
......@@ -21,7 +21,7 @@ data:
resque.yml.erb: |
production:
# Redis (single instance)
url: {{ template "gitlab.redis.scheme" . }}://:<%= File.read("/etc/gitlab/redis/password") %>@{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
url: {{ template "gitlab.redis.url" . }}
gitlab.yml.erb: |
production: &base
gitlab:
......@@ -73,7 +73,7 @@ data:
## Registry Integration
{{- include "gitlab.appConfig.registry.configuration" $ | nindent 6 }}
configure: |
{{- include "gitlab.scripts.configure.secrets" (dict "required" "redis shell gitaly registry postgres rails-secrets") | nindent 4 -}}
{{- include "gitlab.scripts.configure.secrets" (dict "required" "shell gitaly registry postgres rails-secrets") | nindent 4 -}}
{{- include "gitlab.psql.ssl.initScript" . | nindent 4 }}
if [ ! -f "/${secret_dir}/objectstorage/.s3cfg" ]; then
......
......@@ -122,11 +122,13 @@ spec:
items:
- key: {{ template "gitlab.gitaly.authToken.key" . }}
path: gitaly/gitaly_token
{{- if .Values.global.redis.password.enabled }}
- secret:
name: {{ template "gitlab.redis.password.secret" . }}
items:
- key: {{ template "gitlab.redis.password.key" . }}
path: redis/password
{{- end }}
- secret:
name: {{ template "gitlab.psql.password.secret" . }}
items:
......
......@@ -29,7 +29,7 @@ data:
resque.yml.erb: |
production:
# Redis (single instance)
url: {{ template "gitlab.redis.scheme" . }}://:<%= File.read("/etc/gitlab/redis/password") %>@{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
url: {{ template "gitlab.redis.url" . }}
id:
unicorn.rb: |
worker_processes {{ .Values.workerProcesses }}
......@@ -148,12 +148,16 @@ data:
workhorse-config.toml.erb: |
[redis]
URL = "{{ template "gitlab.redis.scheme" . }}://{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}"
{{- if .Values.global.redis.password.enabled }}
Password = "<%= File.read("/etc/gitlab/redis/password") %>"
{{- end }}
configure: |
set -e
mkdir -p /init-secrets-workhorse/gitlab-workhorse
cp /init-config/gitlab-workhorse/secret /init-secrets-workhorse/gitlab-workhorse/secret
{{- if .Values.global.redis.password.enabled }}
mkdir -p /init-secrets-workhorse/redis
cp /init-config/redis/password /init-secrets-workhorse/redis/
{{- end }}
# Leave this here - This line denotes end of block to the parser.
{{- end }}
......@@ -249,11 +249,13 @@ spec:
items:
- key: {{ template "gitlab.gitaly.authToken.key" . }}
path: gitaly/gitaly_token
{{- if .Values.global.redis.password.enabled }}
- secret:
name: {{ template "gitlab.redis.password.secret" . }}
items:
- key: {{ template "gitlab.redis.password.key" . }}
path: redis/password
{{- end }}
- secret:
name: {{ template "gitlab.psql.password.secret" . }}
items:
......
......@@ -11,11 +11,11 @@ set -e
config_dir="/init-config"
secret_dir="/init-secrets"
for secret in {{ default "redis shell gitaly registry postgres rails-secrets gitlab-workhorse" $.required }} ; do
for secret in {{ default "shell gitaly registry postgres rails-secrets gitlab-workhorse" $.required }} ; do
mkdir -p "${secret_dir}/${secret}"
cp -v -r "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
done
for secret in {{ default "minio objectstorage ldap omniauth smtp" $.optional }} ; do
for secret in {{ default "redis minio objectstorage ldap omniauth smtp" $.optional }} ; do
if [ -e "${config_dir}/${secret}" ]; then
mkdir -p "${secret_dir}/${secret}"
cp -v -r "${config_dir}/${secret}/." "${secret_dir}/${secret}/"
......
......@@ -35,3 +35,10 @@ Return the redis scheme, or redis. Allowing people to use rediss clusters
{{ cat "Invalid redis scheme" $name | fail }}
{{- end -}}
{{- end -}}
{{/*
Return the redis url.
*/}}
{{- define "gitlab.redis.url" -}}
{{ template "gitlab.redis.scheme" . }}://{{- if .Values.global.redis.password.enabled -}}:<%= File.read("/etc/gitlab/redis/password") %>@{{- end -}}{{ template "gitlab.redis.host" . }}:{{ template "gitlab.redis.port" . }}
{{- end -}}
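Review bot: The new `gitlab.redis.url` helper splices the secret into the URL userinfo with `:<%= File.read("/etc/gitlab/redis/password") %>@`, so a password containing `@`, `/`, `#`, `%` or `:` (or a trailing newline from a file-based secret) yields a URL whose password is misparsed, and this is the first change where the password may be operator-supplied rather than generated by `gen_random 'a-zA-Z0-9' 64`. Percent-encode at the point of use, e.g. `:<%= ERB::Util.url_encode(File.read("/etc/gitlab/redis/password").chomp) %>@`; standard URL parsers decode percent-encoded userinfo, but confirm this against the Redis clients used by the resque and mail_room consumers. The `{{/* Return the redis url. */}}` comment should also say that the output contains an ERB tag and is therefore only valid inside `.erb` templates rendered in a container where `/etc/gitlab/redis/password` is mounted.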
......@@ -32,7 +32,9 @@ function generate_secret_if_needed(){
generate_secret_if_needed {{ template "gitlab.migrations.initialRootPassword.secret" . }} --from-literal={{ template "gitlab.migrations.initialRootPassword.key" . }}=$(gen_random 'a-zA-Z0-9' 64)
# Redis password
{{if .Values.global.redis.password.enabled -}}
generate_secret_if_needed {{ template "gitlab.redis.password.secret" . }} --from-literal={{ template "gitlab.redis.password.key" . }}=$(gen_random 'a-zA-Z0-9' 64)
{{ end }}
{{if not .Values.global.psql.host -}}
# Postgres password
......
......@@ -12,6 +12,7 @@ Disable the `redis` chart and the Redis service it provides, and point the other
You need to set the following parameters:
* `redis.enabled`: Set to `false` to disable the included Redis chart.
* `global.redis.host`: Set to the hostname of the external Redis, can be a domain or an IP address.
* `global.redis.password.enabled`: Set to `false` if the external Redis does not require a password.
* `global.redis.password.secret`: The name of the [secret which contains the token for authentication][redis-secret].
* `global.redis.password.key`: The key within the secret, which contains the token content.
......
......@@ -143,6 +143,7 @@ redis:
serviceName: redis
port: 6379
password:
enabled: true
secret: gitlab-redis
key: redis-password
```
......@@ -152,8 +153,9 @@ redis:
| `host` | String | | The hostname of the Redis server with the database to use. This can be omitted in lieu of `serviceName`. |
| `serviceName` | String | `redis` | The name of the `service` which is operating the Redis database. If this is present, and `host` is not, the chart will template the hostname of the service (and current `.Release.Name`) in place of the `host` value. This is convenient when using Redis as a part of the overall GitLab chart. |
| `port` | Integer | `6379` | The port on which to connect to the Redis server. |
| `password.key` | String | | The `password.key` attribute for PostgreSQL defines the name of the key in the secret (below) that contains the password. |
| `password.secret` | String | | The `password.secret` attribute for PostgreSQL defines the name of the kubernetes `Secret` to pull from. |
| `password.key` | String | | The `password.key` attribute for Redis defines the name of the key in the secret (below) that contains the password. |
| `password.secret` | String | | The `password.secret` attribute for Redis defines the name of the kubernetes `Secret` to pull from. |
| `password.enabled`| Bool | true | The `password.enabled` provides a toggle for using a password with the Redis instance. |
### PostgreSQL
......
......@@ -159,6 +159,7 @@ global:
host: redis.example.com
port: 6379
password:
enabled: true
secret: gitlab-redis
key: redis-password
```
......
......@@ -67,7 +67,8 @@ global:
## doc/charts/globals.md#configure-redis-settings
redis:
password: {}
password:
enabled: true
# secret:
# key:
# host: redis.hostedsomewhere.else
......
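Review bot: `enabled: true` becomes the default under `global.redis.password` in values.yaml, but the block carries no comment explaining that an external Redis without a password requires setting it to `false`, which is the behaviour the external-Redis documentation hunk in this commit describes. A comment above the new line, such as `# Set to false when the Redis service does not require a password (e.g. an external service)`, would keep that guidance next to the setting operators actually edit. The enclosing `global:` mapping starts outside the hunk.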