Draft: Extend encrypted secrets support to db_password
What does this MR do and why?
This enables the use of an encrypted file to store the database password `gitlab_rails['db_password']` used for [external database configuration](https://docs.gitlab.com/ee/administration/postgresql/external.html), in lieu of storing the password within the `gitlab.yml`/`gitlab.rb` configuration file in plaintext.
This makes use of the `encrypted_settings` feature added in %13.7 with !43220 (merged) and subsequently used for storing LDAP and SMTP credentials in an encrypted file.
New rake commands:
- `gitlab:db_password:secret:write`: can be used to pipe plaintext content into the encrypted file
- `gitlab:db_password:secret:edit`: allows editing/creating encrypted secrets with a specified editor
- `gitlab:db_password:secret:show`: decrypts the encrypted file contents to stdout
Relates to omnibus-gitlab#6274 (closed).
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
todo
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.