Draft: Add troubleshooting step to update db_key_size

What does this MR do?

Adds a troubleshooting documentation about a problem that can result from !43950 (merged) (discussion) combined with a too short db_key_base.

This aggregates the support team's snippets "Bad Secrets check 2" & "Bad Secret Cleaner".

Related issues

• ZD 148744 (internal) (long-term solution & snippets)
• ZD 183620 (internal)

Author's checklist (required)

• Follow the Documentation Guidelines and Style Guide.
• If you have Developer permissions or higher:
  • Ensure that the product tier badge is added to doc's h1.
  • Apply the documentation label, plus:
    • The corresponding DevOps stage and group labels, if applicable.
    • development guidelines when changing docs under doc/development/*, CONTRIBUTING.md, or README.md.
    • development guidelines and Documentation guidelines when changing docs under development/documentation/*.
    • development guidelines and Description templates (.gitlab/*) when creating/updating issue and MR description templates.
  • Assign the designated Technical Writer.

Do not add the feature, frontend, backend, ~"bug", or database labels if you are only updating documentation. These labels will cause the MR to be added to code verification QA issues.

When applicable:

• Update the permissions table.
• Link docs to and from the higher-level index page, plus other related docs where helpful.
• Add the product tier badge accordingly.
• Add GitLab's version history note(s).
• Add/update the feature flag section.

Review checklist

All reviewers can help ensure accuracy, clarity, completeness, and adherence to the Documentation Guidelines and Style Guide.

1. Primary Reviewer

• Review by a code reviewer or other selected colleague to confirm accuracy, clarity, and completeness. This can be skipped for minor fixes without substantive content changes.

2. Technical Writer

• Technical writer review. If not requested for this MR, must be scheduled post-merge. To request for this MR, assign the writer listed for the applicable DevOps stage.
  • Ensure docs metadata are present and up-to-date.
  • Ensure Technical Writing and documentation are added.
  • Add the corresponding docs:: scoped label.
  • If working on UI text, add the corresponding UI Text scoped label.
  • Add twdoing when starting work on the MR.
  • Add twfinished if Technical Writing team work on the MR is complete but it remains open.

For more information about labels, see Technical Writing workflows - Labels.

For suggestions that you are confident don't need to be reviewed, change them locally and push a commit directly to save others from unneeded reviews. For example:

• Clear typos, like this is a typpo.
• Minor issues, like single quotes instead of double quotes, Oxford commas, and periods.

For more information, see our documentation on Merging a merge request.

3. Maintainer

1. Review by assigned maintainer, who can always request/require the above reviews. Maintainer's review can occur before or after a technical writer review.
2. Ensure a release milestone is set.
3. If there has not been a technical writer review, create an issue for one using the Doc Review template.

added documentation label

Hi @wchandler, @aciciu, @atanayno & @krasio You all pioneered some aspect of this MR :-) Thank you!

For 183620 (internal) I think compiling your earlier advice into a single docu section would be beneficial for other customers.

I'm testing this just now, but could you please comment as well? In particular: Does anything additionally need to be done after running the 2 scripts/snippets? Are any kind of data or settings lost during such a key rotation?

I've tested the fact that a too short key blocks the upgrade to 13.6 and the fact that the instance can then be rescued by these steps. Afterwards, I noticed that the Runner token was different, so registering Runners is probably necessary, isn't it?

Hi @aqualls! I'm assigning this already, because I'll be OoO until early January. There is no hurry WRT your review, until the content has been confirmed by support or ~"group::configure".

@katrinleinweber Thanks! The workaround section (skipping migration 20201008013434) looks good. Not sure about the db_key_base rotation, I am surprised this will work - once we change the key how are we able to decrypt secrets in order to encrypt them again? Are those trailing 0s ignored (but if this is the case then why should we decrypt/encrypt at all)?

Also the list of secrets in table_column_combos is just some of the secrets encrypted using db_key_base, there are others and this script will leave them untouched.

@wchandler would be best to ask about this ;-) The "Bad Secret Cleaner" script mentioned above does the de- and encryption in one go, as far as I understood it.

@katrinleinweber in general we have to delete the secret. My vague recollection is that items that were just added may still have the original value available to re-encrypt, which is what the script checks for, but I could be wrong.

@wchandler: OK, thanks! I understand that the You can do so as follows I drafted would therefore not help for older encrypted items. Should we instead replace all those steps with advice to only increase the key size, check which items would be affected and re-create those?

Or, a way more drastic solution: Set up a fresh instance and import a backup from the one with a too short key?

@krasio customer would like to have the CI_JOB_JWT variable for the Hashicorp Vault therefore skipping migration is not a suitable solution for them, would there be any other solution in order to solve this problem?

@mrjkc Unfortunately I can't think of anything that will help them at the moment.

We may consider changing the migration and code to use attr_encrypted_db_key_base_32 instead of attr_encrypted_db_key_base_truncated for this attribute. This should work for both instances that have shorter db_key_base (< 32) and instances that have proper ones (and had the secret generated already). If you want to create an issue keep in mind Secrets Management was recently moved under ~"group::configure".

BTW there are many other encrypted attributes that rely on the truncated key, I imagine there will be a lot of broken functionality for such instances?

BTW there are many other encrypted attributes that rely on the truncated key, I imagine there will be a lot of broken functionality for such instances?

yup, we would have to re add the data that can not be decrypted with the new key. I am working at the moment to see if we can rotate the key somehow and re-encrypt existing data with the new key, without having to reset the data and add it again.

added customer label

mentioned in merge request !43950 (merged)

added 9 commits

• 0f965b06...19d08365 - 6 commits from branch master
• 1379bb39 - Add troubleshooting step to update db_key_size
• edb4ec0b - Use snippet URLs, instead of listing their code
• b98c5164 - Show both upgrade and reconfigure error

Compare with previous version

changed the description

added Category:Secrets Management groupconfigure [DEPRECATED] labels

added devopsconfigure [DEPRECATED] label

added Support Team Contributions label

assigned to @aqualls

1 Warning

This merge request includes more than 10 commits. Each commit should meet the following criteria: Have a well-written commit message. Has all tests passing when used on its own (e.g. when using git checkout SHA). Can be reverted on its own without also requiring the revert of commit that came before it. Is small enough that it can be reviewed in isolation in under 30 minutes or so. If this merge request contains commits that do not meet this criteria and/or contains intermediate work, please rebase these commits into a smaller number of commits or split this merge request into multiple smaller merge requests.

	1 Message
	This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.

Documentation review

The following files require a review from a technical writer:

• doc/ci/secrets/index.md
• doc/update/README.md

The review does not need to block merging this merge request. See the:

• Technical Writers assignments for the appropriate technical writer for this review.
• Documentation workflows for information on when to assign a merge request for review.

If needed, you can retry the danger-review job that generated this comment.

Generated by Danger

added 3 commits

• 2559d727 - Repair codeblock formatting within list
• 49483119 - Finish troubleshooting with reconfigure & restart
• 8b95f7e0 - Address Vale errors

Compare with previous version

added Technical Writing docsimprovement twdoing labels

added 1 commit

• 4265c6c3 - Address Vale errors

Compare with previous version

added 1 commit

• b32f522f - Address Vale errors

Compare with previous version

added sectionops label

added 1 commit

• 91757d20 - Apply 1 suggestion(s) to 1 file(s)

Compare with previous version