Allow specifying extra Redis config from external command
What does this MR do and why?
Allow specifying extra Redis config from external command so that sensitive configuration need not be present in plaintext. Implementing the logic that was done in !140898 (merged), gitlab-org/ruby/gems/gitlab-exporter!199 (merged), gitaly!5525 (merged), gitlab-org/cluster-integration/gitlab-agent!1203 (merged), etc.
PS: The method we added in !136002 (merged) still exists. We should check if anyone is using it, and deprecate it if not.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Spin up a Redis instance with a password.
    $ redis-server --requirepass 'toomanysecrets' --bind 127.0.0.1 --port 6380
- Modify resque.yml (or redis.cache.yml if it is present) to specify just the URL to this Redis instance and not the password:
    development:
      url: 'redis://127.0.0.1:6380'
- See that GitLab fails to connect to Redis due to lack of auth in the Rails console:
    $ bin/rails runner "puts Redis.new(Gitlab::Redis::Cache.params).info['redis_version']"
  returns the error
    NOAUTH Authentication required. (Redis::CommandError)
- Create /tmp/redis-password.sh with the following content (and make it executable with chmod +x /tmp/redis-password.sh):
    #!/usr/bin/env bash
    cat << EOF
    password: 'toomanysecrets'
    EOF
- Modify resque.yml to add config_command: '/tmp/redis-password.sh':
    production:
      config_command: '/tmp/redis-password.sh'
      url: 'redis://127.0.0.1:6380'
- Restart GitLab and see that it can now connect to Redis:
    $ bin/rails runner "puts Redis.new(Gitlab::Redis::Cache.params).info['redis_version']"
    7.0.14
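The following is an added example, not code from this MR or from GitLab: one way the `config_command` flow validated above can be resolved so that the secret never passes through a shell or an error message. The names `redis_params_with_external_config`, `ConfigCommandError` and `demo_params` are hypothetical, and the demo script is a constructed stand-in for `/tmp/redis-password.sh`.

```ruby
require 'open3'
require 'shellwords'
require 'tmpdir'
require 'yaml'

# Hypothetical error type for this example (not a GitLab class).
class ConfigCommandError < StandardError; end

# Hypothetical helper: merge the YAML mapping printed by `config_command` into the static settings.
def redis_params_with_external_config(static_config)
  config = static_config.transform_keys(&:to_s)
  command = config.delete('config_command') # the key itself is not a Redis setting
  return config if command.nil? || command.strip.empty?

  # Split into argv and exec directly ([path, argv0] form): no shell, no metacharacter expansion.
  argv = Shellwords.split(command)
  begin
    stdout, _stderr, status = Open3.capture3([argv[0], argv[0]], *argv[1..])
  rescue SystemCallError => e
    raise ConfigCommandError, "config_command could not be run (#{e.class})"
  end
  # Keep stdout out of every error message: it may contain the secret.
  raise ConfigCommandError, "config_command exited with #{status.exitstatus}" unless status.success?

  extra = begin
    YAML.safe_load(stdout) # safe_load: plain scalars and mappings only, no object instantiation
  rescue Psych::Exception => e
    raise ConfigCommandError, "config_command output is not valid YAML (#{e.class})"
  end
  raise ConfigCommandError, 'config_command must print a YAML mapping' unless extra.is_a?(Hash)

  config.merge(extra.transform_keys(&:to_s)) # values from the command override the static file
end

# Constructed demo mirroring the steps above: a script that prints the password as YAML.
def demo_params
  Dir.mktmpdir do |dir|
    script = File.join(dir, 'redis-password.sh')
    File.write(script, "#!/bin/sh\ncat << EOF\npassword: 'toomanysecrets'\nEOF\n")
    redis_params_with_external_config(
      'url' => 'redis://127.0.0.1:6380',
      'config_command' => "/bin/sh #{Shellwords.escape(script)}"
    )
  end
end
```
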