Skip to content

Support password authentication for Redis Sentinel

Stan Hu requested to merge sh-support-sentinel-pass into master

What does this MR do?

This commit adds a separate password parameter for each Sentinel group and enables GitLab Rails, Workhorse, and gitlab-kas to use a password specified in requirepass in the Sentinel configuration:

gitlab_rails['redis_sentinels_password']
gitlab_rails['redis_cache_sentinels_password']
gitlab_rails['redis_queues_sentinels_password']
gitlab_rails['redis_shared_state_sentinels_password']
gitlab_rails['redis_trace_chunks_sentinels_password']
gitlab_rails['redis_actioncable_sentinels_password']
gitlab_rails['redis_rate_limiting_sentinels_password']
gitlab_rails['redis_sessions_sentinels_password']
gitlab_rails['redis_cluster_rate_limiting_sentinels_password']
gitlab_rails['redis_repository_cache_sentinels_password']

We could avoid these extra configuration parameters by having the admin specify a password parameter for each host/port combination in redis_sentinels, redis_cache_sentinels, etc. However, this would add much duplication in the configuration and different passwords aren't actually supported by Redis Sentinel. gitlab-kas also expects a single Sentinel password stored in the sentinel_password_file configuration parameter.

Related issues

Relates to gitlab#235938 (closed)

Testing

  1. Set up a Redis Sentinel and Redis instance. This could be done easily with !6923 (merged), but let's assume an external Redis setup is being used.
  2. In some directory, create a redis.conf:
requirepass redis-pass
port 16379
  1. Create a sentinel.conf:
requirepass sentinel-pass
port 26379
dir '/tmp'
sentinel monitor mymaster 127.0.0.1 16379 2
sentinel down-after-milliseconds mymaster 5000

  1. Now run: /opt/gitlab/embedded/bin/redis-server redis.conf

  2. In another window, run /opt/gitlab/embedded/bin/redis-server sentinel.conf --sentinel

  3. In /etc/gitlab/gitlab.rb:

redis['enable'] = false
redis['master_name'] = 'mymaster'
redis['master_password'] = 'redis-pass'
gitlab_rails['redis_host'] = "127.0.0.1"
gitlab_rails['redis_port'] = 16379
gitlab_rails['redis_password'] = 'redis-pass'
gitlab_rails['redis_sentinels'] = [
   {'host' => '127.0.0.1', 'port' => 26379}
]
gitlab_rails['redis_sentinels_password'] = 'sentinel-pass'
  1. Run gitlab-ctl reconfigure.
  2. Without this merge request, you should see these errors in /var/log/gitlab/gitlab-rails/production.log:
Redis::CommandError (NOAUTH Authentication required.):

In /var/log/gitlab/gitlab-workhorse/current, you should also see:

{"error":"keywatcher: redigo: no sentinels available; last error: NOAUTH Authentication required.","level":"error","msg":"","time":"2023-05-26T19:05:40Z"}

Apply this merge request and run gitlab-ctl reconfigure, and GitLab should work again without any errors.

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • MR title and description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • Latest Merge Result pipeline is green.
  • When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow.

For GitLab team members

If you don't have access to this, the reviewer should trigger these jobs for you during the review process.

  • The manual Trigger:ee-package jobs have a green pipeline running against latest commit.
  • If config/software or config/patches directories are changed, make sure the build-package-on-all-os job within the Trigger:ee-package downstream pipeline succeeded.
  • If you are changing anything SSL related, then the Trigger:package:fips manual job within the Trigger:ee-package downstream pipeline must succeed.
  • If CI configuration is changed, the branch must be pushed to dev.gitlab.org to confirm regular branch builds aren't broken.

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes.
  • Documentation created/updated.
  • Tests added.
  • Integration tests added to GitLab QA.
  • Equivalent MR/issue for the GitLab Chart opened.
  • Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by Hossein Pursultani

Merge request reports