Pass Container Registry database credentials to backup tool

Summary

Enable the gitlab-backup tool to access Container Registry database credentials for both single-node and multi-node installations. This requires securely storing and passing credentials while maintaining backward compatibility.

Implementation Proposal

1. Credential Storage

Create /opt/gitlab/gitlab-backup/env file with appropriate permissions:

• Store registry database connection credentials
• Set restrictive file permissions (0600, owned by git user)
• Security requirement: Get AppSec review on credential storage approach

Configuration approach:

• Recommended: Use existing registry['database'] settings from gitlab.rb
  • Benefit: Single-node installations work by default
  • Trade-off: Multi-node requires explicit configuration
• Alternative: Create separate backup['registry_database'] variables
  • Benefit: More explicit separation
  • Trade-off: More configuration complexity, doesn't work by default

2. Update Backup Wrapper

Update config/templates/gitlab-rails/rake_backup_wrapper.erb to:

• Read /opt/gitlab/gitlab-backup/env file
• Set environment variables expected by gitlab-backup tool:
  • REGISTRY_DATABASE_HOST
  • REGISTRY_DATABASE_PORT
  • REGISTRY_DATABASE_NAME
  • REGISTRY_DATABASE_USER
  • REGISTRY_DATABASE_PASSWORD
  • REGISTRY_DATABASE_SSLMODE

3. Separate Backup Role (Optional Enhancement)

Consider implementing a separate database backup role to limit credential spread:

• Benefit: Credentials only stored on backup node in multi-node setups
• Trade-off: Doesn't work by default on single-node (requires explicit setup)
• Decision needed: Balance security vs. ease of use

Reference: gitlab#532507 (comment 2643719114)

4. Monitoring & Operations

• Add logging for registry database backup operations
• Include registry DB status in backup health checks
• Document troubleshooting steps for connection failures

Configuration Example

# gitlab.rb
registry['database']['enabled'] = true
registry['database']['host'] = '/var/opt/gitlab/postgresql'  # or hostname for multi-node
registry['database']['port'] = 5432
registry['database']['user'] = 'registry'
registry['database']['dbname'] = 'registry'
registry['database']['sslmode'] = 'prefer'

Exit Criteria

• Credentials securely stored in /opt/gitlab/gitlab-backup/env
• AppSec review completed and approved
• Backup wrapper passes credentials via environment variables
• Single-node installations work without additional configuration
• Multi-node installations work with explicit configuration
• Monitoring and logging implemented
• Documentation for configuration options

Related

• Parent epic: gitlab-com/gl-infra/data-access/durability#45
• GitLab backup tool changes: gitlab-org/gitlab (to be linked)