Explore adding blank password / token checker in Ansible
Follow up from discussion in !939 (comment 1257355562)
We don't currently check that passwords are set in GET. There are good reasons for this: primarily we don't actually have a complete list of what all the password requirements are, but it's also a complicated and nuanced area to do properly in code. That said, we might be able to check if passwords are blank.
This isn't straightforward though, as several passwords either inherit or don't need to be set, depending on the following conditions:

- `gitlab_root_password` - No conditions
- `postgres_password` - When Postgres nodes are present or Postgres is external
- `pgbouncer_password` - When PgBouncer nodes are present (Omnibus Postgres HA)
- `consul_database_password` - When PgBouncer and Consul nodes are present (Omnibus Postgres HA - a specific password for letting Consul access PgBouncer)
- `redis_password` - When Redis nodes are present, but this gets a bit trickier:
  - `redis_cache_password` / `redis_persistent_password` - When Redis Cache / Redis Persistent nodes are present and `redis_password` is not set. These passwords inherit from `redis_password` by default.
- `praefect_postgres_password` - When Praefect Postgres nodes are present or Praefect Postgres is external
- `praefect_external_token` - When Praefect nodes are present (Gitaly Cluster)
- `praefect_internal_token` - When Praefect nodes are present (Gitaly Cluster)
- `gitaly_token` - When Gitaly nodes are present but Praefect nodes are not (Gitaly Sharded)
- `grafana_password` - When a Monitor node is present or Cloud Native Hybrid with `cloud_native_hybrid_monitoring_setup` enabled.
There are several other passwords that are technically optional or will always inherit from the required parent, so they can't be checked directly: `patroni_password`, `postgres_admin_password`, `praefect_postgres_admin_password`, `geo_sql_replication_password` and `geo_tracking_postgres_password`.
The challenge then is to tackle the above in Ansible in an efficient and maintainable way. The task is to do just that.
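One way to keep this maintainable is to express the rules above as data and run a single looped `assert` over them, so adding or changing a condition is a one-line edit rather than a new task. The playbook below is an added example for this issue, not GET's own code: the inventory group names (`postgres`, `pgbouncer`, `consul`, `redis`, `redis_cache`, `redis_persistent`, `praefect`, `praefect_postgres`, `gitaly`, `monitor`) and the variables `postgres_external`, `praefect_postgres_external` and `cloud_native_hybrid_environment` are assumptions about how the environment is described; only the secret names and `cloud_native_hybrid_monitoring_setup` come from the list above.

```yaml
# Added example (not from GET or this issue): a data-driven blank-secret check.
# Assumed inventory groups: postgres, pgbouncer, consul, redis, redis_cache,
# redis_persistent, praefect, praefect_postgres, gitaly, monitor.
# Assumed variables: postgres_external, praefect_postgres_external,
# cloud_native_hybrid_environment.
- name: Check required passwords and tokens are not blank
  hosts: localhost
  gather_facts: false
  vars:
    # Presence helpers: a role is "present" when its inventory group is non-empty.
    has_postgres: "{{ groups['postgres'] | default([]) | length > 0 }}"
    has_pgbouncer: "{{ groups['pgbouncer'] | default([]) | length > 0 }}"
    has_consul: "{{ groups['consul'] | default([]) | length > 0 }}"
    has_redis: "{{ groups['redis'] | default([]) | length > 0 }}"
    has_redis_cache: "{{ groups['redis_cache'] | default([]) | length > 0 }}"
    has_redis_persistent: "{{ groups['redis_persistent'] | default([]) | length > 0 }}"
    has_praefect: "{{ groups['praefect'] | default([]) | length > 0 }}"
    has_praefect_postgres: "{{ groups['praefect_postgres'] | default([]) | length > 0 }}"
    has_gitaly: "{{ groups['gitaly'] | default([]) | length > 0 }}"
    has_monitor: "{{ groups['monitor'] | default([]) | length > 0 }}"
    # The per-Redis passwords inherit from redis_password, so they are only
    # required when that parent is itself blank.
    redis_password_set: "{{ (redis_password | default('') | string | trim | length) > 0 }}"

    # Each rule: which variable, and the condition under which it must be set.
    required_secrets:
      - name: gitlab_root_password
        required: true
      - name: postgres_password
        required: "{{ has_postgres or (postgres_external | default(false) | bool) }}"
      - name: pgbouncer_password
        required: "{{ has_pgbouncer }}"
      - name: consul_database_password
        required: "{{ has_pgbouncer and has_consul }}"
      - name: redis_password
        required: "{{ has_redis }}"
      - name: redis_cache_password
        required: "{{ has_redis_cache and not redis_password_set }}"
      - name: redis_persistent_password
        required: "{{ has_redis_persistent and not redis_password_set }}"
      - name: praefect_postgres_password
        required: "{{ has_praefect_postgres or (praefect_postgres_external | default(false) | bool) }}"
      - name: praefect_external_token
        required: "{{ has_praefect }}"
      - name: praefect_internal_token
        required: "{{ has_praefect }}"
      - name: gitaly_token
        # Sharded Gitaly only: with Praefect present the token is not used.
        required: "{{ has_gitaly and not has_praefect }}"
      - name: grafana_password
        required: >-
          {{ has_monitor or
             ((cloud_native_hybrid_environment | default(false) | bool) and
              (cloud_native_hybrid_monitoring_setup | default(false) | bool)) }}

  tasks:
    - name: Assert that each required secret is set and non-blank
      ansible.builtin.assert:
        that:
          # Look the variable up by name; undefined, empty and whitespace-only all fail.
          - (lookup('vars', item.name, default='') | string | trim | length) > 0
        fail_msg: "{{ item.name }} is required for this environment but is blank or undefined"
        quiet: true
      loop: "{{ required_secrets }}"
      loop_control:
        label: "{{ item.name }}"
      when: item.required | bool
```

Running it as a pre-flight play (for example `ansible-playbook -i inventory check_secrets.yml -e @secrets.yml`, file names hypothetical) fails fast with the name of the first missing secret. `quiet: true` keeps the passing entries out of the output, and `no_log` is unnecessary because the task only reports the variable's name, never its value. The optional passwords listed above (`patroni_password` and friends) are deliberately absent from `required_secrets`, since the page notes they inherit from a required parent and cannot be checked directly.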