Expose extra_config_command key to be used in database.yml in gitlab.rb

Overview

gitlab!141818 (merged) added support for a config_command key in database.yml. It names an external script whose output is merged into the database configuration when Rails loads it, so sensitive database settings (the password in particular) can be supplied to GitLab Rails at runtime instead of being written into database.yml in plain text.

We should expose this in gitlab.rb as gitlab_rails['db_extra_config_command'], so that Omnibus writes the corresponding key into the database.yml it generates.

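As an added illustration, not code from GitLab or from gitlab!141818: a small Ruby model of what a config_command does, run against a constructed database.yml. Where the key lives (one config_command per environment), the YAML shape the command must print (connection name, then keys), and running the command through the shell are all assumptions made for this example; the permission check on the script is an added caveat a practitioner would want, not something the MR is known to do. The inline printf stands in for the root-owned script that gitlab_rails['db_extra_config_command'] would point at, so the example runs offline.

```ruby
require 'yaml'
require 'open3'

class ConfigCommandError < StandardError; end

# Constructed database.yml in GitLab's multi-database layout (environment -> connection name).
# No password appears in the static file; `config_command` supplies it at load time.
# ASSUMPTION: the placement of `config_command` and the YAML the command prints are modelled
# here, not taken from GitLab. In a deployment the command would be a root-owned script; an
# inline printf is used so the example runs offline.
STATIC_DATABASE_YML = <<~'YAML'
  production:
    config_command: |
      printf 'main:\n  password: s3cret\nci:\n  password: s3cret\n'
    main:
      adapter: postgresql
      database: gitlabhq_production
      username: gitlab
      host: /var/opt/gitlab/postgresql
    ci:
      adapter: postgresql
      database: gitlabhq_production
      username: gitlab
      host: /var/opt/gitlab/postgresql
      database_tasks: false
YAML

# Deep-merge `extra` into `base`: nested mappings recurse, any other value is overridden.
def deep_merge(base, extra)
  base.merge(extra) do |_key, old, new|
    old.is_a?(Hash) && new.is_a?(Hash) ? deep_merge(old, new) : new
  end
end

# If the command is a script on disk, refuse to run it when anyone other than its owner can
# modify it: whoever can edit the script can read the secret or run code as the Rails user.
# (Added caveat for this example; the MR is not known to perform this check.)
def check_script_permissions(command)
  path = command.split.first
  return unless path && File.file?(path)

  mode = File.stat(path).mode
  raise ConfigCommandError, "#{path} is group- or world-writable" unless (mode & 0o022).zero?
end

# Load one environment's database config, running `config_command` if present and merging the
# YAML it prints over the static keys. Fails closed: a non-zero exit or output that is not a
# YAML mapping raises instead of silently leaving the connection without a password.
def load_database_config(yaml_text, env)
  static = YAML.safe_load(yaml_text).fetch(env)
  command = static.delete('config_command')
  return static if command.nil?

  check_script_permissions(command)
  stdout, stderr, status = Open3.capture3(command)
  unless status.success?
    raise ConfigCommandError, "config_command exited #{status.exitstatus}: #{stderr.strip}"
  end

  extra = YAML.safe_load(stdout)
  unless extra.is_a?(Hash)
    raise ConfigCommandError, "config_command must print a YAML mapping, got #{extra.class}"
  end

  deep_merge(static, extra)
end

if $PROGRAM_NAME == __FILE__
  cfg = load_database_config(STATIC_DATABASE_YML, 'production')
  # The password now exists only in process memory; the file on disk never contained it.
  puts cfg['main']['password']     # s3cret
  puts cfg.key?('config_command')  # false
end
```

Two points the model makes concrete: the secret is only ever held by the Rails process, so file permissions on database.yml no longer protect it, and the script that emits it becomes part of the trust boundary, which is why the example refuses a writable script and fails closed when the command errors or prints something that is not a mapping.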
Old description

In gitlab#238483 (closed) we provide the option to store the LDAP password in an encrypted file instead of in plain text in the GitLab configuration files. While the LDAP password was the top priority for customers, many customers mentioned a preference or a security requirement to remove all configuration passwords from plain text.

Proposal

The solution implemented in gitlab#238483 (closed) can be extended with minimal effort to the other passwords used by the Rails application. In the interest of small, fast iterations, this next iteration of Secure Solution for Managing Omnibus Configuration Secrets provides the option to store the following Rails passwords in an encrypted file:

  • gitlab_rails['db_password']

Requirements

  • For increased protection of LDAP servers, these passwords are stored in a separate file from the LDAP password. This allows end users to further restrict access to the LDAP password on its own.
  • All of the passwords listed above are stored together in a single encrypted file. Further separation can be added in future iterations if there is demand.

Acceptance criteria

  • Clear documentation has been created that explains how to store passwords in a separate file, where the encryption key is stored, how to generate a new password, how to change a password, any information relevant to users wanting to automate password changes due to a password rotation policy, and any limitations on rotating encryption keys.
Edited by Balasankar 'Balu' C