Need to remove cert/key from secrets file for auto-generated pairs
What does this MR do and why?
Describe in detail what your merge request does and why.
While working on testing an external registry, we added the internal key to gitlab.rb. Trying to roll back to use the GitLab container registry, we encountered this issue, ending up with an unmatched crt/key.
Removing the crt and key files then reconfiguring didn't work, as they seem to be created with the same old non-matching values.
We could see that the values are saved in gitlab-secrets.json and never updated, so removing the registry entry from the secrets file + removing the crt and key files then reconfiguring worked!
Reaching out to the experts, it turns out that this is intentional, to persist auto-generated secrets across reconfigures. When updating secrets that might be stored in gitlab-secrets.json, the user has to manually delete them from gitlab-secrets.json for reconfigure to put the new value there.
How to set up and validate locally
- Manually change the JWT keypair.
- Run `gitlab-ctl reconfigure`.
- Trying to run `docker login`, you will get `failed with status: 401 Unauthorized`, and the registry log will have `token signed by untrusted key`.
- Remove the crt and key files and the registry record from `gitlab-secrets.json`, then reconfigure.
- You should be able to run `docker login` successfully now.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
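A check for the mismatch described in this MR, added here as an example and not part of the MR or of Omnibus GitLab's own code: it tests whether the registry certificate and key form a pair, both on disk and as persisted in the secrets file. The JSON key names `registry.internal_certificate` and `registry.internal_key`, all function names, and the generated sample data are assumptions.

```ruby
require 'json'
require 'openssl'

# True when the certificate's public key belongs to the given private key.
def pair_matches?(cert_pem, key_pem)
  return false if cert_pem.to_s.empty? || key_pem.to_s.empty?
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  cert.check_private_key(OpenSSL::PKey.read(key_pem))
rescue OpenSSL::OpenSSLError, ArgumentError
  false # unparsable PEM counts as a non-matching pair
end

# Assumption: pair persisted as registry.internal_certificate / registry.internal_key.
def registry_pair_report(secrets_json, disk_cert_pem, disk_key_pem)
  reg = JSON.parse(secrets_json)['registry'] || {}
  cert, key = reg.values_at('internal_certificate', 'internal_key')
  report = {
    persisted: !(cert.nil? && key.nil?),
    stored_pair_ok: pair_matches?(cert, key),
    disk_pair_ok: pair_matches?(disk_cert_pem, disk_key_pem)
  }
  report[:stale_entry] = report[:persisted] && !report[:stored_pair_ok]
  report
end

# Constructed sample data: a short-lived self-signed certificate.
def self_signed_cert(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-example')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Constructed scenario: certificate from one key, private key from another.
def constructed_sample
  old_key = OpenSSL::PKey::RSA.new(2048)
  new_key = OpenSSL::PKey::RSA.new(2048)
  cert = self_signed_cert(old_key)
  secrets = JSON.generate('registry' => { 'internal_certificate' => cert,
                                          'internal_key' => new_key.to_pem })
  [secrets, cert, new_key.to_pem]
end

puts registry_pair_report(*constructed_sample) if __FILE__ == $PROGRAM_NAME
```

On a real host, pass the contents of the secrets file and of the registry crt and key files; `stale_entry: true` means the persisted pair itself is mismatched, so deleting only the files will reproduce the same values at the next reconfigure.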