Merge branch 'siemens/omnibus-gitlab-fix/update-doorkeeper-openid-connect'
commit
24d56df29b
@ -13,7 +13,7 @@ omnibus-gitlab repository.
|
|||
- Added PostgreSQL support for max_worker_processes and max_parallel_workers_per_gather
|
||||
- Added PostgreSQL support for log_lock_waits and deadlock_timeout
|
||||
- Added PostgreSQL support for track_io_timing
|
||||
|
||||
- Rename Rails secret jws_private_key to openid_connect_signing_key
|
||||
|
||||
10.0.2
|
||||
|
||||
|
|
|
@ -57,12 +57,13 @@ module GitlabRails
|
|||
Gitlab['gitlab_rails']['db_key_base'] ||= Gitlab['gitlab_ci']['db_key_base'] # Changed in 8.11
|
||||
Gitlab['gitlab_rails']['secret_key_base'] ||= Gitlab['gitlab_ci']['db_key_base'] # Changed in 8.11
|
||||
Gitlab['gitlab_rails']['otp_key_base'] ||= Gitlab['gitlab_rails']['secret_token']
|
||||
Gitlab['gitlab_rails']['openid_connect_signing_key'] ||= Gitlab['gitlab_rails']['jws_private_key'] # Changed in 10.1
|
||||
|
||||
# Note: If you add another secret to generate here make sure it gets written to disk in SecretsHelper.write_to_gitlab_secrets
|
||||
Gitlab['gitlab_rails']['db_key_base'] ||= SecretsHelper.generate_hex(64)
|
||||
Gitlab['gitlab_rails']['secret_key_base'] ||= SecretsHelper.generate_hex(64)
|
||||
Gitlab['gitlab_rails']['otp_key_base'] ||= SecretsHelper.generate_hex(64)
|
||||
Gitlab['gitlab_rails']['jws_private_key'] ||= SecretsHelper.generate_rsa(4096).to_pem
|
||||
Gitlab['gitlab_rails']['openid_connect_signing_key'] ||= SecretsHelper.generate_rsa(4096).to_pem
|
||||
end
|
||||
|
||||
def parse_external_url
|
||||
|
|
|
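Review bot: The migration on line 45 copies whatever the legacy `jws_private_key` holds into `openid_connect_signing_key` without checking that it is a parseable RSA private key, and because `||=` only fires on nil/false, an empty or malformed legacy value also suppresses the fallback `generate_rsa` on line 65, so the problem would surface only when Rails tries to sign an ID token. A fail-fast guard right after line 45 would catch this at reconfigure time, e.g. `key = Gitlab['gitlab_rails']['openid_connect_signing_key']` followed by `OpenSSL::PKey::RSA.new(key) if key`, assuming OpenSSL is loaded in this file (generate_rsa presumably relies on it — confirm). The enclosing method begins before this hunk; only its closing `end` on line 68 is visible.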
@ -174,7 +174,7 @@ templatesymlink "Create a secrets.yml and create a symlink to Rails root" do
|
|||
'db_key_base' => node['gitlab']['gitlab-rails']['db_key_base'],
|
||||
'secret_key_base' => node['gitlab']['gitlab-rails']['secret_key_base'],
|
||||
'otp_key_base' => node['gitlab']['gitlab-rails']['otp_key_base'],
|
||||
'jws_private_key' => node['gitlab']['gitlab-rails']['jws_private_key']
|
||||
'openid_connect_signing_key' => node['gitlab']['gitlab-rails']['openid_connect_signing_key']
|
||||
}})
|
||||
restarts dependent_services
|
||||
end
|
||||
|
|
|
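Review bot: The secrets.yml template now emits only `openid_connect_signing_key` (line 94), so a GitLab Rails build that still reads `jws_private_key` from secrets.yml would silently lose its OIDC signing key, and nothing in the hunk records which Rails release this rename is coordinated with. A one-line comment above line 94 would document the coupling for whoever bumps versions next, e.g. `# Renamed from jws_private_key in 10.1; the bundled Rails must read openid_connect_signing_key`. The templatesymlink resource begins before this hunk.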
@ -40,7 +40,7 @@ class SecretsHelper
|
|||
'secret_key_base' => Gitlab['gitlab_rails']['secret_key_base'],
|
||||
'db_key_base' => Gitlab['gitlab_rails']['db_key_base'],
|
||||
'otp_key_base' => Gitlab['gitlab_rails']['otp_key_base'],
|
||||
'jws_private_key' => Gitlab['gitlab_rails']['jws_private_key']
|
||||
'openid_connect_signing_key' => Gitlab['gitlab_rails']['openid_connect_signing_key']
|
||||
},
|
||||
'registry' => {
|
||||
'http_secret' => Gitlab['registry']['http_secret'],
|
||||
|
|
|
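Review bot: The hash written by this method (presumably `SecretsHelper.write_to_gitlab_secrets`, whose definition starts outside the hunk) no longer carries `jws_private_key`, so the first reconfigure after upgrade rewrites gitlab-secrets.json with only the new name; a later rollback to an omnibus release that knows only `jws_private_key` would generate a fresh RSA key and invalidate already-issued OIDC ID tokens. That is a reasonable trade-off, but it is a one-way migration and should be stated where an operator will see it. A comment next to line 124 such as `# jws_private_key is intentionally not written back; downgrading regenerates the signing key` plus a sentence in the changelog entry would cover it.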
@ -49,7 +49,7 @@ describe 'secrets' do
|
|||
it 'writes new secrets to the file, with different values for each' do
|
||||
rails_keys = new_secrets['gitlab_rails']
|
||||
hex_keys = rails_keys.values_at('db_key_base', 'otp_key_base', 'secret_key_base')
|
||||
rsa_keys = rails_keys.values_at('jws_private_key')
|
||||
rsa_keys = rails_keys.values_at('openid_connect_signing_key')
|
||||
|
||||
expect(rails_keys.to_a.uniq).to eq(rails_keys.to_a)
|
||||
expect(hex_keys).to all(match(HEX_KEY))
|
||||
|
@ -58,6 +58,7 @@ describe 'secrets' do
|
|||
|
||||
it 'does not write legacy keys' do
|
||||
expect(new_secrets).not_to have_key('gitlab_ci')
|
||||
expect(new_secrets['gitlab_rails']).not_to have_key('jws_private_key')
|
||||
end
|
||||
|
||||
it 'generates an appropriate secret for gitlab-workhorse' do
|
||||
|
@ -93,7 +94,10 @@ describe 'secrets' do
|
|||
before do
|
||||
stub_gitlab_secrets_json(
|
||||
gitlab_ci: { db_key_base: 'json_ci_db_key_base', secret_token: 'json_ci_secret_token' },
|
||||
gitlab_rails: { secret_token: 'json_rails_secret_token' }
|
||||
gitlab_rails: {
|
||||
secret_token: 'json_rails_secret_token',
|
||||
jws_private_key: 'json_rails_jws_private_key'
|
||||
}
|
||||
)
|
||||
|
||||
chef_run
|
||||
|
@ -111,6 +115,10 @@ describe 'secrets' do
|
|||
expect(new_secrets['gitlab_rails']['secret_key_base']).to eq('json_ci_db_key_base')
|
||||
end
|
||||
|
||||
it 'moves gitlab_rails.jws_private_key to gitlab_rails.openid_connect_signing_key' do
|
||||
expect(new_secrets['gitlab_rails']['openid_connect_signing_key']).to eq('json_rails_jws_private_key')
|
||||
end
|
||||
|
||||
it 'ignores other, unused, secrets' do
|
||||
expect(new_secrets.inspect).not_to include('json_ci_secret_token')
|
||||
end
|
||||
|
@ -127,7 +135,10 @@ describe 'secrets' do
|
|||
before do
|
||||
stub_gitlab_secrets_json(
|
||||
gitlab_ci: { db_key_base: 'json_ci_db_key_base' },
|
||||
gitlab_rails: { secret_token: 'json_rails_secret_token' }
|
||||
gitlab_rails: {
|
||||
secret_token: 'json_rails_secret_token',
|
||||
jws_private_key: 'json_rails_jws_private_key'
|
||||
}
|
||||
)
|
||||
|
||||
stub_gitlab_rb(gitlab_ci: { db_key_base: 'rb_ci_db_key_base' })
|
||||
|
@ -152,7 +163,13 @@ describe 'secrets' do
|
|||
stub_gitlab_rb(gitlab_ci: { db_key_base: 'rb_ci_db_key_base',
|
||||
secret_token: 'rb_ci_secret_token' })
|
||||
|
||||
stub_gitlab_secrets_json(gitlab_rails: { secret_token: 'json_rails_secret_token' })
|
||||
stub_gitlab_secrets_json(
|
||||
gitlab_rails: {
|
||||
secret_token: 'json_rails_secret_token',
|
||||
jws_private_key: 'json_rails_jws_private_key'
|
||||
}
|
||||
)
|
||||
|
||||
chef_run
|
||||
end
|
||||
|
||||
|
@ -168,6 +185,10 @@ describe 'secrets' do
|
|||
expect(new_secrets['gitlab_rails']['secret_key_base']).to eq('rb_ci_db_key_base')
|
||||
end
|
||||
|
||||
it 'moves gitlab_rails.jws_private_key to gitlab_rails.openid_connect_signing_key' do
|
||||
expect(new_secrets['gitlab_rails']['openid_connect_signing_key']).to eq('json_rails_jws_private_key')
|
||||
end
|
||||
|
||||
it 'ignores other, unused, secrets' do
|
||||
expect(new_secrets.inspect).not_to include('rb_ci_secret_token')
|
||||
end
|
||||
|
|
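Review bot: The new examples on lines 236 and 347 cover a secrets file that holds only the legacy `jws_private_key`, but no example pins the precedence when both names are present, which is the state an operator reaches after setting `openid_connect_signing_key` while a stale `jws_private_key` lingers in gitlab-secrets.json; the `||=` on the config side should keep the new-name value, and a test should say so before someone reorders those lines. A constructed example (fixture values invented for illustration) is below, using the same `stub_gitlab_secrets_json`, `chef_run` and `new_secrets` helpers the surrounding hunks use. The `describe 'secrets'` block containing these hunks starts and ends outside the diff.
```ruby
# … unchanged: existing 'moves gitlab_rails.jws_private_key …' example …

it 'prefers an existing openid_connect_signing_key over a legacy jws_private_key' do
  stub_gitlab_secrets_json(
    gitlab_rails: {
      openid_connect_signing_key: 'json_rails_openid_connect_signing_key',
      jws_private_key: 'json_rails_jws_private_key'
    }
  )
  chef_run
  expect(new_secrets['gitlab_rails']['openid_connect_signing_key']).to eq('json_rails_openid_connect_signing_key')
  expect(new_secrets['gitlab_rails']).not_to have_key('jws_private_key')
end
```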