Fix CI job token signing key not always generated
What does this MR do and why?
Previously the migration added in !167938 (merged) to generate a CI job token signing key did not always work because the local `ApplicationSetting` record had already loaded a schema before the newly-added columns were added. We need to fix this by flushing the schema table with `ApplicationSetting.reset_column_information`.

This merge request also adds a migration to regenerate the signing key if it is not present.
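To make the failure mode concrete, here is an added Ruby illustration that is not code from this MR or from GitLab: a tiny stand-in for ActiveRecord's per-model column cache, a migration step that adds the column and writes the key through the model (failing when the cache is stale, succeeding after `reset_column_information`), and an idempotent "regenerate only if missing" step. The in-memory `FakeDb`/`FakeApplicationSetting` classes, and the choice of a 2048-bit RSA private key in PEM form as the key material, are assumptions for the example; the real migrations' key format and internals are not shown on this page.

```ruby
# Added example (not code from the GitLab MR): a minimal stand-in for the
# ActiveRecord column cache, showing why a migration that adds a column and
# then writes to it through a model must call reset_column_information first,
# and how a "regenerate if missing" follow-up stays idempotent.
require 'openssl'

# In-memory "database": one application_settings row stored as a hash,
# plus the list of columns the table currently has. (Constructed stand-in.)
class FakeDb
  attr_reader :columns, :row

  def initialize
    @columns = %w[id]
    @row = { 'id' => 1 }
  end

  def add_column(name)
    @columns << name
    @row[name] = nil
  end
end

# Minimal model that, like ActiveRecord, loads the column list once and
# caches it until reset_column_information is called. (Constructed stand-in.)
class FakeApplicationSetting
  class UnknownAttribute < StandardError; end

  class << self
    attr_accessor :db

    # Column cache: populated on first use, kept until explicitly reset.
    def column_names
      @column_names ||= db.columns.dup
    end

    def reset_column_information
      @column_names = nil
    end

    def current
      new
    end
  end

  def [](name)
    raise UnknownAttribute, name unless self.class.column_names.include?(name)
    self.class.db.row[name]
  end

  def update!(attrs)
    attrs.each do |name, value|
      raise UnknownAttribute, name unless self.class.column_names.include?(name)
      self.class.db.row[name] = value
    end
    true
  end
end

# Generate a fresh signing key. The real migration's key format is not shown
# in the MR; a 2048-bit RSA private key in PEM form is assumed here.
def generate_signing_key
  OpenSSL::PKey::RSA.new(2048).to_pem
end

# Migration-style helper: load the schema before the column exists (as a
# long-running process already would have), add the column, then write the
# key through the model. With reset: false this reproduces the failure the
# MR describes: the column is added, but the key is never written.
def generate_key_migration(db, reset:)
  FakeApplicationSetting.db = db
  FakeApplicationSetting.reset_column_information
  FakeApplicationSetting.column_names # schema cached while the column is still absent
  db.add_column('ci_job_token_signing_key')
  FakeApplicationSetting.reset_column_information if reset
  FakeApplicationSetting.current.update!('ci_job_token_signing_key' => generate_signing_key)
  :generated
rescue FakeApplicationSetting::UnknownAttribute
  :failed_stale_schema
end

# Follow-up migration: only fill the key in if it is still missing, so
# rerunning it never rotates an existing key.
def regenerate_if_missing(db)
  FakeApplicationSetting.db = db
  FakeApplicationSetting.reset_column_information
  setting = FakeApplicationSetting.current
  return :kept unless setting['ci_job_token_signing_key'].to_s.empty?

  setting.update!('ci_job_token_signing_key' => generate_signing_key)
  :regenerated
end

if __FILE__ == $PROGRAM_NAME
  db = FakeDb.new
  puts generate_key_migration(db, reset: false)   # failed_stale_schema
  puts regenerate_if_missing(db)                   # regenerated
  puts regenerate_if_missing(db)                   # kept
end
```

The point to verify on a real instance is the second step's outcome: after the fixed migrations run, the setting is populated exactly once, and re-running the regeneration step leaves an existing key untouched rather than silently rotating it.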
References
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- First create this `gitlab.rb` inside `/tmp/gitlab-test/config`:

  ```shell
  mkdir -p /tmp/gitlab-test/config
  vi /tmp/gitlab-test/config/gitlab.rb
  ```

  ```ruby
  gitlab_rails['object_store']['proxy_download'] = false
  gitlab_rails['object_store']['objects']['artifacts']['bucket'] = nil
  gitlab_rails['object_store']['objects']['external_diffs']['bucket'] = nil
  gitlab_rails['object_store']['objects']['lfs']['bucket'] = nil
  gitlab_rails['object_store']['objects']['uploads']['bucket'] = nil
  gitlab_rails['object_store']['objects']['packages']['bucket'] = nil
  gitlab_rails['object_store']['objects']['dependency_proxy']['bucket'] = nil
  gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
  gitlab_rails['ldap_enabled'] = true
  gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'MyDomain AD'
    hosts:
      - ['DC1.fqdn.tld', 636]
      - ['DC2.fqdn.tld', 636]
    uid: 'sAMAccountName'
    encryption: 'simple_tls'
    verify_certificates: true
    smartcard_auth: false
    active_directory: true
    allow_username_or_email_login: true
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'DC=FQDN,DC=TLD'
    user_filter: '(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Developers,CN=Users,DC=FQDN,DC=TLD))'
    attributes:
      username: 'sAMAccountName'
      email: ['mail', 'userPrincipalName']
      name: ['displayName', 'name', 'cn']
      first_name: 'givenName'
      last_name: 'sn'
  EOS
  gitlab_rails['smtp_enable'] = true
  gitlab_rails['smtp_address'] = "Mail-Relay.fqdn.tld"
  gitlab_rails['smtp_port'] = 25
  gitlab_rails['smtp_domain'] = "fqdn.tld"
  gitlab_rails['smtp_enable_starttls_auto'] = true
  gitlab_rails['smtp_tls'] = false
  nginx['redirect_http_to_https'] = true
  nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab-instance.fullchain"
  nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab-instance.key"
  nginx['real_ip_trusted_addresses'] = ['10.0.1.100', '10.0.1.101', '10.0.1.102', '10.0.1.103']
  nginx['real_ip_header'] = 'X-Forwarded-For'
  nginx['real_ip_recursive'] = 'on'
  gitaly['configuration'] = {
    git: {
      committer_name: 'gitlab-instance',
      committer_email: 'noreply@gitlab-instance.fqdn.tld',
      signing_key: '/etc/gitlab/gitaly/signing_key.gpg',
    },
  }
  letsencrypt['enable'] = false
  letsencrypt['contact_emails'] = ['webmaster@fqdn.tld']
  ```
- Then launch a GitLab container with v17.5.4:

  ```shell
  export GITLAB_HOME=/tmp/gitlab-test
  sudo docker run --detach \
    --hostname gitlab.example.com \
    --env GITLAB_OMNIBUS_CONFIG="external_url 'http://gitlab.example.com'" \
    --publish 8443:443 --publish 8880:80 --publish 8822:22 \
    --name gitlab \
    --restart always \
    --volume $GITLAB_HOME/config:/etc/gitlab \
    --volume $GITLAB_HOME/logs:/var/log/gitlab \
    --volume $GITLAB_HOME/data:/var/opt/gitlab \
    --shm-size 256m \
    gitlab/gitlab-ee:17.5.4-ee.0
  ```
- When it comes up, build a Docker image based on 17.7.0. Copy the files in the diff into a working directory and create a `Dockerfile`:

  ```shell
  cd /tmp
  curl -O https://gitlab.com/gitlab-org/gitlab/-/raw/e914c8dc33888ace1ba9dcf4ff06101385f1993a/db/migrate/20241017160504_generate_ci_job_token_signing_key.rb
  curl -O https://gitlab.com/gitlab-org/gitlab/-/raw/e914c8dc33888ace1ba9dcf4ff06101385f1993a/db/migrate/20241017160505_regenerate_ci_job_token_signing_key.rb
  ```

  ```dockerfile
  FROM gitlab/gitlab-ee:17.7.0-ee.0
  COPY 20241017160504_generate_ci_job_token_signing_key.rb /opt/gitlab/embedded/service/gitlab-rails/db/migrate/20241017160504_generate_ci_job_token_signing_key.rb
  COPY 20241017160505_regenerate_ci_job_token_signing_key.rb /opt/gitlab/embedded/service/gitlab-rails/db/migrate/20241017160505_regenerate_ci_job_token_signing_key.rb
  ```
- Then build an image:

  ```shell
  docker build -t gitlab-test:latest .
  ```
- Then upgrade the existing instance:

  ```shell
  docker stop gitlab
  docker rm -f gitlab
  export GITLAB_HOME=/tmp/gitlab-test
  sudo docker run --detach \
    --hostname gitlab.example.com \
    --env GITLAB_OMNIBUS_CONFIG="external_url 'http://gitlab.example.com'" \
    --publish 8443:443 --publish 8880:80 --publish 8822:22 \
    --name gitlab \
    --restart always \
    --volume $GITLAB_HOME/config:/etc/gitlab \
    --volume $GITLAB_HOME/logs:/var/log/gitlab \
    --volume $GITLAB_HOME/data:/var/opt/gitlab \
    --shm-size 256m \
    gitlab-test:latest
  ```
- Verify in `gitlab-rails console` that `Gitlab::CurrentSettings.ci_job_token_signing_key.present?` is `true`:

  ```shell
  docker exec -it gitlab bash
  gitlab-rails console
  ```
Edited by Stan Hu