Support providing sensitive DB configuration through an external script
In gitlab-org/cluster-integration/gitlab-agent!1203 (merged), gitlab-org/ruby/gems/gitlab-exporter!199 (merged) and !140898 (merged) we introduced a mechanism that avoids keeping plaintext secrets in gitlab.rb and in the configuration files of various components.
Another secret of the same kind used in GitLab is the password for connecting to databases. Following the same approach, we should support specifying the path to a script in database.yml. GitLab executes that script while starting up and merges the configuration it prints to stdout on top of the parsed database.yml configuration.
- The command can be specified as a top-level key in database.yml.
- GitLab, while starting up, will:
  - Parse database.yml
  - Retrieve the command (and purge the key, which is unknown to Rails core, from the parsed configuration)
  - Execute the command
  - Merge the output of the command on top of the configuration read from database.yml
  - Pass the final configuration to Rails to resume normal operation.
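The start-up flow above, as an added example that is not GitLab's own code: the top-level key name `db_config_command` is an assumption (the issue does not name it), the script is replaced by an inline shell command for the constructed sample, and a non-zero exit or non-mapping output aborts start-up rather than silently continuing without the password.

```ruby
# Added example (not GitLab code): parse database.yml, pull out the command
# key, run the external script, and merge its YAML stdout on top.
require "yaml"
require "open3"

CONFIG_COMMAND_KEY = "db_config_command" # assumed key name, not from the issue

# Recursively merge `overlay` on top of `base`; overlay wins on conflicts,
# so a password emitted by the script replaces any static one.
def deep_merge(base, overlay)
  base.merge(overlay) do |_key, old, new|
    old.is_a?(Hash) && new.is_a?(Hash) ? deep_merge(old, new) : new
  end
end

# Run the command and parse its stdout as plain YAML (safe_load: no arbitrary
# object deserialisation). Stderr is reported but never merged, and a failing
# command raises instead of yielding an empty or partial configuration.
def load_config_from_command(command)
  stdout, stderr, status = Open3.capture3(command)
  unless status.success?
    raise "db config command failed (exit #{status.exitstatus}): #{stderr.strip}"
  end
  parsed = YAML.safe_load(stdout)
  raise "db config command must emit a YAML mapping" unless parsed.is_a?(Hash)
  parsed
end

# Full flow: parse, remove the key Rails does not know about, execute,
# merge, and return the configuration that would be handed to Rails.
def load_database_config(yaml_text)
  config = YAML.safe_load(yaml_text)
  command = config.delete(CONFIG_COMMAND_KEY)
  return config if command.nil?
  deep_merge(config, load_config_from_command(command))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an inline `echo` stands in for a real script path.
  sample = <<~YAML
    #{CONFIG_COMMAND_KEY}: "echo 'production: {password: s3cr3t}'"
    production:
      adapter: postgresql
      database: gitlabhq_production
      username: gitlab
  YAML
  p load_database_config(sample)
end
```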
PS: We are aware of the Rails encrypted secrets mechanism. But that is very Rails-specific while the method mentioned here works across different components that are owned by GitLab.