Enable Praefect and Gitaly tokens
Overview
We had a significant regression in production in gitlab#288860 (comment 458603339) that might have been caught had we enabled the authentication tokens in both Praefect and Gitaly:
Proposal
- In `gitlab/config/gitlab.yml`, add `gitaly_token` in the `repositories` section:

```yaml
repositories:
  # Paths where repositories can be stored. Give the canonicalized absolute pathname.
  # IMPORTANT: None of the path components may be symlink, because
  # gitlab-shell invokes Dir.pwd inside the repository path and that results
  # real path not the symlink.
  storages: # You must have at least a `default` storage path.
    default:
      path: /Users/stanhu/gitlab/gdk-ee/repositories
      gitaly_address: unix:/Users/stanhu/gitlab/gdk-ee/praefect.socket
      gitaly_token: "123456"
```
- In `gitaly/gitaly-0.praefect.toml`, I added:

```toml
# Optional: authenticate Gitaly requests using a shared secret
[auth]
token = 'abc123secret'
```
- In `gitaly/praefect.toml`, I added:

```toml
[auth]
token = "123456"

[[virtual_storage.node]]
storage = "praefect-internal-0"
address = "unix:/Users/stanhu/gitlab/gdk-ee/gitaly-praefect-0.socket"
token = 'abc123secret'
```