Skip to content

Draft: Extend encrypted secrets support to db_password

Dustin Collins requested to merge encrypt-db-password into master

What does this MR do and why?

This enables the use of an encrypted file to store the database password gitlab_rails['db_password'] used for [external database configuration](https://docs.gitlab.com/ee/administration/postgresql/external.html), in lieu of storing the password within the gitlab.yml/gitlab.rb` configuration file in plaintext.

This makes use of the encrypted_settings feature added in %13.7 with !43220 (merged) and subsequently used for storing LDAP and SMTP credentials in an encrypted file.

New rake commands:

  • gitlab:db_password:secret:write : can be used to pipe plaintext content into the encrypted file
  • gitlab:db_password:secret:edit : allows editing/creating encrypted secrets with a specified editor
  • gitlab:db_password:secret:show : decrypts the encrypted file contents to stdout

Relates to omnibus-gitlab#6274 (closed).

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

todo

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports

Loading