Enable redisYmlOverride to dynamically mount secrets
What does this MR do?
This MR updates global.redis.redisYmlOverride
key to dynamically mount secrets. The secrets are mounted to the same path as other existing Redis secrets as highlighted in the spec.
Background: global.redis.redisYmlOverride
was introduced in !2907 (merged) but does not handle secrets since the contents are expected to be dumped into redis.yml.erb
wholesale. This MR tweaks that assumptions by modifying password
if it is a map and replaces it with an ERB statement.
See blocked k8s MR (gitlab-com/gl-infra/k8s-workloads/gitlab-com!2741 (comment 1397617741))
Example Usage:
global:
redis:
redisYmlOverride:
chat:
password:
enabled: true
secret: secretname
key: password
Which gives
--redis.yml.erb
production:
chat:
password: <%= ERB::Util::url_encode(File.read("/somemountpath/redis/chat-override-password").strip) %>
Related issues
Closes #4245 (closed)
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion.
Required
-
Merge Request Title and Description are up to date, accurate, and descriptive -
MR targeting the appropriate branch -
MR has a green pipeline on GitLab.com -
When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow
Expected (please provide an explanation if not completing)
-
Test plan indicating conditions for success has been posted and passes -
Documentation created/updated -
Tests added -
Integration tests added to GitLab QA -
Equivalent MR/issue for omnibus-gitlab opened -
Validate potential values for new configuration settings. Formats such as integer 10
, duration10s
, URIscheme://user:passwd@host:port
may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by Jason Plum