Fix reconfigure failing when Sentinel TLS is only enabled
What does this MR do?
If the unencrypted Sentinel port is disabled and only TLS enabled,
gitlab-ctl reconfigure
previously failed because it attempted to
talk to port 0, which is an invalid port.
This commit fixes this problem by switching to TLS if is the only
option. In addition, server and client certificates need to be
provided to redis-cli
if required.
NOTE: GitLab currently does not function if Sentinel TLS is only enabled; this only fixes the gitlab-ctl reconfigure
.
Related issues
Relates to #6627 (closed)
How to validate locally
- As described in https://redis.io/docs/management/security/encryption, create TLS certs:
cd /tmp
curl -L -O https://raw.githubusercontent.com/redis/redis/7.2/utils/gen-test-certs.sh
# This will generate certs in /tmp/tests/tls
bash ./gen-test-certs.sh
- Copy these certs into the right locations:
cd tests/tls
sudo chmod a+r *.crt
sudo chmod 0600 *.key
sudo cp ca.crt /etc/gitlab/trusted-certs
sudo cp redis.key redis.crt /etc/gitlab/ssl
sudo chown gitlab-redis /etc/gitlab/ssl/redis.key
- In
/etc/gitlab/gitlab.rb
add:
sentinel['enable'] = true
sentinel['bind'] = '0.0.0.0'
sentinel['port'] = 0
sentinel['tls_port'] = 26379
sentinel['tls_cert_file'] = '/etc/gitlab/ssl/redis.crt'
sentinel['tls_key_file'] = '/etc/gitlab/ssl/redis.key'
sentinel['tls_replication'] = 'yes'
sentinel['tls_auth_clients'] = 'yes'
sentinel['bind'] = '0.0.0.0'
- Run
gitlab-ctl reconfigure
.
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion.
Required
-
MR title and description are up to date, accurate, and descriptive. -
MR targeting the appropriate branch. -
Latest Merge Result pipeline is green. -
When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow.
For GitLab team members
If you don't have access to this, the reviewer should trigger these jobs for you during the review process.
-
The manual Trigger:ee-package
jobs have a green pipeline running against latest commit. -
If config/software
orconfig/patches
directories are changed, make sure thebuild-package-on-all-os
job within theTrigger:ee-package
downstream pipeline succeeded. -
If you are changing anything SSL related, then the Trigger:package:fips
manual job within theTrigger:ee-package
downstream pipeline must succeed. -
If CI configuration is changed, the branch must be pushed to dev.gitlab.org
to confirm regular branch builds aren't broken.
Expected (please provide an explanation if not completing)
-
Test plan indicating conditions for success has been posted and passes. -
Documentation created/updated. -
Tests added. -
Integration tests added to GitLab QA. -
Equivalent MR/issue for the GitLab Chart opened. -
Validate potential values for new configuration settings. Formats such as integer 10
, duration10s
, URIscheme://user:passwd@host:port
may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by Stan Hu