'#2912 Handle openid_connect_signing_key variable to enable backup/restore & restarts without errors'
ebarped committed Mar 7, 2024
1 parent 562d8d5 commit de0c72b
Showing 12 changed files with 105 additions and 3 deletions.
9 changes: 9 additions & 0 deletions README.md
Expand Up @@ -156,6 +156,10 @@ Generate random strings that are at least `64` characters long for each of `GITL

> **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`.
Also, you have to generate a RSA private key for `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY`. This value is used for the signing key for OpenID Connect.

> **Tip**: You can generate one using `openssl genrsa -out - 2048` and assign it as the value of `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY`.
Start GitLab using:

```bash
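Review bot: the added tip line is immediately followed by `Start GitLab using:` with no blank line, so Markdown lazy continuation pulls that sentence into the `> **Tip**` blockquote; insert a blank line after the tip. Two smaller points on the same lines: "a RSA private key" should read "an RSA private key", and the tip does not say how to hand a multi-line PEM to `docker run` (for example `-e GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY="$(cat key.pem)"`; `--env-file` cannot carry multi-line values). Also note that OpenSSL 3 `genrsa` writes PKCS#8 (`-----BEGIN PRIVATE KEY-----`) unless `-traditional` is given, whereas the compose examples in this commit show the PKCS#1 `-----BEGIN RSA PRIVATE KEY-----` form; either add `-traditional` or state that both encodings are accepted.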
Expand Down Expand Up @@ -839,6 +843,10 @@ Encryption key for session secrets. Ensure that your key is at least 64 characte

Encryption key for OTP related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, 2FA will stop working for all users.** You can generate one using `pwgen -Bsv1 64`. No defaults.

##### `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY`

The signing key for OpenID Connect. **If you lose or change this secret, things like 2FA, settings and internal stuff will stop working for all users.** You can generate one using `openssl genrsa -out - 2048`. No defaults.

##### `GITLAB_TIMEZONE`

Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For settings the container timezone which will effect cron, see variable `TZ`
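Review bot: the description of `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY` is copied from the OTP entry and is wrong about the blast radius: "things like 2FA, settings and internal stuff will stop working" does not describe this key. It is the RSA private key GitLab uses to sign OpenID Connect ID tokens when acting as an OIDC provider; losing or rotating it invalidates tokens signed with the old key and forces relying parties to refetch the JWKS, and it has no effect on 2FA. Suggest: "RSA private key used to sign OpenID Connect ID tokens. If you lose or change it, existing ID tokens become invalid and OIDC clients must re-authenticate. Generate one with `openssl genrsa 2048`. No defaults."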
Expand Down Expand Up @@ -2668,6 +2676,7 @@ Replace `x.x.x` with the version you are upgrading from. For example, if you are

> **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image.
> **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.
> **Note**: Since GitLab `16.0.0` you need to provide the `GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY` parameter while starting the image. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.

```bash
docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:16.9.1
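Review bot: the new note ends with "more information on these parameters" although it introduces a single parameter; use "this parameter". Also, because the three `> **Note**` lines are consecutive, GitHub renders them as one blockquote paragraph; a blank line between notes keeps the new one readable.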
1 change: 1 addition & 0 deletions assets/runtime/config/gitlabhq/secrets.yml
Expand Up @@ -6,6 +6,7 @@ production:
db_key_base: {{GITLAB_SECRETS_DB_KEY_BASE}}
secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}}
otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}}
openid_connect_signing_key: {{GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY}}

development:
db_key_base: development
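Review bot: `openid_connect_signing_key: {{GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY}}` substitutes the variable verbatim into a plain YAML scalar, but the value is a multi-line PEM. That only parses if the substituted text begins with a block indicator (`|`) and every PEM line is indented deeper than `openid_connect_signing_key`; a line at lower indentation ends the block scalar and the remainder is a YAML syntax error, which would break every secret in this file, not just this one. Worth verifying with a parser after substitution, and worth deciding here what an empty variable should produce (a null value makes GitLab generate a fresh key on each start).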
1 change: 1 addition & 0 deletions assets/runtime/env-defaults
Expand Up @@ -254,6 +254,7 @@ GITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com}
GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-}
GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-}
GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-}
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=${GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY:-}
GITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true}
GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false}
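Review bot: the default `${GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY:-}` is empty, so a deployment that does not set the variable ends up with a null `openid_connect_signing_key` and GitLab regenerates the key on every start, which is exactly the restart problem the commit title says it fixes. Since the README hunk declares the parameter required, the startup code should either abort with a clear message when it is unset, or generate a 2048-bit key once and persist it under the data volume so it survives restarts and backups.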

3 changes: 2 additions & 1 deletion assets/runtime/functions
Expand Up @@ -858,7 +858,8 @@ gitlab_configure_secrets() {
update_template ${GITLAB_SECRETS_CONFIG} \
GITLAB_SECRETS_DB_KEY_BASE \
GITLAB_SECRETS_SECRET_KEY_BASE \
GITLAB_SECRETS_OTP_KEY_BASE
GITLAB_SECRETS_OTP_KEY_BASE \
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY

local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
if [[ ! -f "${shell_secret}" ]]; then
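Review bot: adding the variable to `update_template` passes the PEM through unchanged, which is why every compose example in this commit has to start the value with a literal `|` line so that the result is a YAML block scalar. That coupling belongs here, not in user configuration: normalize the value in `gitlab_configure_secrets` (accept a plain PEM, emit the `|` indicator and indent each line to the depth of the key) so that `docker run -e ...="$(cat key.pem)"` works without the trick.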
11 changes: 11 additions & 0 deletions contrib/docker-swarm/docker-compose.yml
Expand Up @@ -61,6 +61,17 @@ services:
- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=|
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- GITLAB_ROOT_PASSWORD=
- GITLAB_ROOT_EMAIL=
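Review bot: the example value is a real, parseable RSA private key, and a 512-bit one (`MIIBOgIBAAJBAK...` encodes a 65-byte modulus), far below the 2048 bits the README tip generates and below anything that should sign tokens. Because it is committed in the repository, anyone who copies this file unchanged runs an OIDC provider whose signing key is public, so its ID tokens can be forged by anyone holding the repo. Replace the PEM with a placeholder such as `<paste the output of openssl genrsa 2048 here>` plus a comment that the value must be unique per deployment; the same applies to the other compose and Kubernetes files in this commit.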
11 changes: 11 additions & 0 deletions docker-compose.swarm.yml
Expand Up @@ -123,6 +123,17 @@ services:
- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=|
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- GITLAB_ROOT_PASSWORD=
- GITLAB_ROOT_EMAIL=
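Review bot: same committed 512-bit example private key as in `contrib/docker-swarm/docker-compose.yml`; replace it with a placeholder and a generation instruction rather than a working key that every copy of this file would share.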
12 changes: 11 additions & 1 deletion docker-compose.yml
Expand Up @@ -63,7 +63,17 @@ services:
- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string

- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=|
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- GITLAB_ROOT_PASSWORD=
- GITLAB_ROOT_EMAIL=
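Review bot: this is the primary compose file most users start from, and it ships the same committed 512-bit example private key; a placeholder plus the `openssl genrsa 2048` instruction is the safe default here.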

11 changes: 11 additions & 0 deletions docs/docker-compose-keycloak.yml
Expand Up @@ -57,6 +57,17 @@ services:
- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=|
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- GITLAB_ROOT_PASSWORD=<root-password>
- GITLAB_ROOT_EMAIL=
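Review bot: same committed example private key; since this file documents a Keycloak integration, a shared public signing key is particularly misleading, so use a placeholder here as well.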
11 changes: 11 additions & 0 deletions docs/docker-compose-registry.yml
Expand Up @@ -58,6 +58,17 @@ services:
- GITLAB_SECRETS_DB_KEY_BASE=secret
- GITLAB_SECRETS_SECRET_KEY_BASE=secret
- GITLAB_SECRETS_OTP_KEY_BASE=secret
- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=|
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- GITLAB_REGISTRY_ENABLED=true
- GITLAB_REGISTRY_HOST=registry.example.com
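Review bot: same committed 512-bit example private key; replace with a placeholder, consistent with the `secret` placeholders already used for the other three keys in this file.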
11 changes: 11 additions & 0 deletions docs/docker-swarm-traefik-registry.md
Expand Up @@ -151,6 +151,17 @@ You can copy it and set it in the file like:
- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=|
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
```
There are several other settings that you might want to configure, like email accounts for notifications, SMTP credentials to send emails, etc.
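Review bot: the documentation snippet embeds the same committed example private key; a placeholder with a one-line "generate your own with `openssl genrsa 2048`" note fits the surrounding prose ("You can copy it and set it in the file like") better than a copy-pasteable real key.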
11 changes: 11 additions & 0 deletions docs/s3_compatible_storage.md
Expand Up @@ -122,6 +122,17 @@ services:
- GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
- GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
- |-
GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY=|
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- GITLAB_ROOT_PASSWORD=
- GITLAB_ROOT_EMAIL=
- GITLAB_NOTIFY_ON_BROKEN_BUILDS=true
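Review bot: same committed 512-bit example private key as in the other compose files; replace with a placeholder and a generation instruction.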
16 changes: 15 additions & 1 deletion kubernetes/gitlab-rc.yml
Expand Up @@ -14,7 +14,8 @@ spec:
spec:
containers:
- name: gitlab
image: sameersbn/gitlab:16.9.1
image: docker-gitlab-gitlab:latest
imagePullPolicy: Never
env:
- name: TZ
value: Asia/Kolkata
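Review bot: switching `image` from `sameersbn/gitlab:16.9.1` to `docker-gitlab-gitlab:latest` with `imagePullPolicy: Never` looks like a local build left over from testing, and it is unrelated to the signing-key change; with this in place the manifest only works on a node that already has a locally built image of that name. Revert to the published tag before merging.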
Expand All @@ -27,6 +28,18 @@ spec:
value: long-and-random-alpha-numeric-string
- name: GITLAB_SECRETS_OTP_KEY_BASE
value: long-and-random-alpha-numeric-string
- name: GITLAB_SECRETS_OPENID_CONNECT_SIGNING_KEY
value: |-2
|
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm
o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k
TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7
9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy
v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs
/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00
-----END RSA PRIVATE KEY-----
- name: GITLAB_ROOT_PASSWORD
value:
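Review bot: `value: |-2` followed by a bare `|` line and the PEM reproduces the block-scalar trick from the compose files inside a Kubernetes manifest, and again with the committed 512-bit example key. For Kubernetes the natural home for this value is a `Secret` referenced via `valueFrom.secretKeyRef`, which also avoids the indentation-indicator fragility; at minimum, replace the key with a placeholder.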
Expand Down Expand Up @@ -122,3 +135,4 @@ spec:
volumes:
- name: data
emptyDir: {}
