From 903fb8c942d94e01fe8740c7893de43cbad3d22f Mon Sep 17 00:00:00 2001 From: Gerard Hickey Date: Fri, 30 Sep 2022 22:05:15 -0700 Subject: [PATCH 01/17] Initial pass at Azure backup documentation Signed-off-by: Gerard Hickey --- doc/backup-restore/index.md | 52 +++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/doc/backup-restore/index.md b/doc/backup-restore/index.md index 54f6ad9353..74345f843f 100644 --- a/doc/backup-restore/index.md +++ b/doc/backup-restore/index.md 
@@ -81,6 +81,58 @@ when restoring a backup. --set global.appConfig.backups.tmpBucket=gitlab-tmp-storage ``` +### Backups to Azure blob storage + +Azure blob storage can be can be used to store backups by setting +`gitlab.toolbox.backups.objectStorage.backend` to `azure`. This will enable +Toolbox to use the included copy of `azcopy` to transmit and retrieve the +backup files to the Azure blob storage. + +To support using Azure blob storage, one will need to create a storage account +in an existing resource group. A shared access signature (SAS) token is then +generated from the storage account for GitLab to authenticate to Azure. The +settings for the SAS token should be set to: + +- Service: blob +- Resource types: container, object +- Permissions: read, write, list +- Versioning permissions: None +- Index permissions: None +- Allowed protocols: HTTPS only +- Preferred routing: Basic + +Once the SAS token is generated, it needs to be stored in a Kubernetes Secret +**without** the leading question mark. The name of this Secret needs to be +supplied to `gitlab.toolbox.backups.objectStorage.config.secret`. In addition, +the key used to store the SAS token needs to be supplied to +`gitlab.toolbox.backups.objectStorage.config.key`. + +The following `kubectl` command can be used to create the Kubernetes Secret +for the SAS token: + +```shell +kubectl create secret generic backup-sas-token --from-literal=token= +``` + +Once the SAS token Secret has been created, the GitLab Helm chart can be +configured by adding the backup settings to your deployed values or by supplying +the settings on the Helm command line. 
For example: + +```shell +helm install gitlab gitlab/gitlab \ + --set gitlab.toolbox.backups.objectStorage.config.secret=backup-sas-token \ + --set gitlab.toolbox.backups.objectStorage.config.key=token \ + --set gitlab.toolbox.backups.objectStorage.backend=azure +``` + +In addition, two bucket locations need to be configured, one for storing the +backups, and one temporary bucket that is used when restoring a backup. + +```shell +--set global.appConfig.backups.bucket=gitlab-backup-storage +--set global.appConfig.backups.tmpBucket=gitlab-tmp-storage +``` + ## Troubleshooting ### Pod eviction issues -- GitLab From 7555ea24b9fc7b8102918f44c3c358a9b4ac7764 Mon Sep 17 00:00:00 2001 From: Gerard Hickey Date: Fri, 4 Nov 2022 16:59:59 -0700 Subject: [PATCH 02/17] Added Azure SAS token support to Deployment Signed-off-by: Gerard Hickey --- charts/gitlab/charts/toolbox/templates/deployment.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/charts/gitlab/charts/toolbox/templates/deployment.yaml b/charts/gitlab/charts/toolbox/templates/deployment.yaml index 6773499559..b792c6daa2 100644 --- a/charts/gitlab/charts/toolbox/templates/deployment.yaml +++ b/charts/gitlab/charts/toolbox/templates/deployment.yaml @@ -240,6 +240,13 @@ spec: - key: {{ default "config" .Values.backups.objectStorage.config.key }} path: objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }} {{- end }} + {{- if eq .Values.backups.objectStorage.backend "azure" }} + - secret: + name: {{ .Values.backups.objectStorage.config.secret }} + items: + - key: {{ default "config" .Values.backups.objectStorage.config.key }} + path: objectstorage/azure_token + {{- end }} {{- include "gitlab.pages.mountSecrets" $ | nindent 10 }} {{- include "gitlab.kas.mountSecrets" $ | nindent 10 }} {{- include "gitlab.suggestedReviewers.mountSecrets" $ | nindent 10 }} -- GitLab From 20f03794a3054d2b1563352db778ba924b8584c6 Mon Sep 17 00:00:00 2001 
From: Gerard Hickey Date: Fri, 4 Nov 2022 17:00:59 -0700 Subject: [PATCH 03/17] Set container command when using Azure backend Signed-off-by: Gerard Hickey --- charts/gitlab/charts/toolbox/templates/deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/gitlab/charts/toolbox/templates/deployment.yaml b/charts/gitlab/charts/toolbox/templates/deployment.yaml index b792c6daa2..087c1effa2 100644 --- a/charts/gitlab/charts/toolbox/templates/deployment.yaml +++ b/charts/gitlab/charts/toolbox/templates/deployment.yaml @@ -102,6 +102,8 @@ spec: - cp -v -r -L /etc/gitlab/.s3cfg $HOME/.s3cfg && while sleep 3600; do :; done # alpine sleep has no infinity {{- else if eq .Values.backups.objectStorage.backend "gcs" }} - sh /var/opt/gitlab/templates/configure-gsutil && while sleep 3600; do :; done + {{- else if eq .Values.backups.objectStorage.backend "azure" }} + - while sleep 3600; do :; done {{- end }} image: "{{ coalesce .Values.image.repository (include "image.repository" .) }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}{{ include "gitlab.image.tagSuffix" . }}" {{- include "gitlab.image.pullPolicy" $imageCfg | indent 10 }} -- GitLab From bf53b9603e4b2b29d15483f2c354305cf583e579 Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Tue, 14 Feb 2023 20:38:29 +0100 Subject: [PATCH 04/17] Add base URL support for Azure backups --- .../gitlab/charts/toolbox/templates/backup-job.yaml | 11 ++++++++++- charts/gitlab/charts/toolbox/values.yaml | 1 + doc/backup-restore/index.md | 13 +++++++++---- doc/charts/gitlab/toolbox/index.md | 2 +- doc/installation/command-line-options.md | 3 ++- 5 files changed, 23 insertions(+), 7 deletions(-) diff --git a/charts/gitlab/charts/toolbox/templates/backup-job.yaml b/charts/gitlab/charts/toolbox/templates/backup-job.yaml index 26db5aefbd..83dba46a5d 100644 --- a/charts/gitlab/charts/toolbox/templates/backup-job.yaml +++ b/charts/gitlab/charts/toolbox/templates/backup-job.yaml 
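Review bot: The new `azure` branch starts the container with only the idle loop, whereas the s3 and gcs branches first run a setup step, and nothing in the hunk shows how the SAS token projected at `objectstorage/azure_token` in the previous patch reaches `azcopy`. If backup-utility reads that file from the mount on its own, a comment on the new line would spare the next reader the search, e.g. `# azure: no setup step; backup-utility reads the SAS token from the projected objectstorage/azure_token file` — that assumption should be confirmed against the toolbox image. The `if`/`else if` chain this branch extends begins outside the hunk.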
@@ -89,7 +89,9 @@ spec: - cp /etc/gitlab/.s3cfg $HOME/.s3cfg && backup-utility {{ .Values.backups.cron.extraArgs }} # alpine sleep has no infinity {{- else if eq .Values.backups.objectStorage.backend "gcs" }} - sh /var/opt/gitlab/templates/configure-gsutil && backup-utility {{ .Values.backups.cron.extraArgs }} - {{- end }} + {{- else if eq .Values.backups.objectStorage.backend "azure" }} + - backup-utility {{ .Values.backups.cron.extraArgs }} --azure-endpoint-url {{ .Values.backups.objectStorage.config.azureUrl }} + {{- end }} image: "{{ coalesce .Values.image.repository (include "image.repository" .) }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}{{ include "gitlab.image.tagSuffix" . }}" {{- include "gitlab.image.pullPolicy" $imageCfg | indent 14 }} env: @@ -208,6 +210,13 @@ spec: - key: {{ default "config" .Values.backups.objectStorage.config.key }} path: objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }} {{- end }} + {{- if eq .Values.backups.objectStorage.backend "azure" }} + - secret: + name: {{ .Values.backups.objectStorage.config.secret }} + items: + - key: {{ default "config" .Values.backups.objectStorage.config.key }} + path: objectstorage/azure_token + {{- end }} {{- include "gitlab.kas.mountSecrets" $ | nindent 16 }} {{- include "gitlab.pages.mountSecrets" $ | nindent 16 }} {{- include "gitlab.minio.mountSecrets" $ | nindent 16 }} diff --git a/charts/gitlab/charts/toolbox/values.yaml b/charts/gitlab/charts/toolbox/values.yaml index 0212f8a342..1f20cd872b 100644 --- a/charts/gitlab/charts/toolbox/values.yaml +++ b/charts/gitlab/charts/toolbox/values.yaml @@ -182,6 +182,7 @@ backups: # secret: my-backup-secret # key: config # gcpProject: my-gcp-project-id + # azureUrl: https://.blob.core.windows.net extra: {} rack_attack: diff --git a/doc/backup-restore/index.md b/doc/backup-restore/index.md index 74345f843f..40c9522065 100644 --- a/doc/backup-restore/index.md +++ b/doc/backup-restore/index.md 
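Review bot: The `# azureUrl: https://.blob.core.windows.net` example added to values.yaml (and repeated in the docs hunks of this and the next patch) has an empty host label, which looks like an angle-bracket placeholder lost in rendering; spelling it out as `# azureUrl: https://<storage-account-name>.blob.core.windows.net` (constructed placeholder) would make the expected shape unambiguous. In the first backup-job.yaml hunk, `--azure-endpoint-url {{ .Values.backups.objectStorage.config.azureUrl }}` is interpolated unquoted into a command line that appears to run through a shell (the s3 branch relies on `&&` and `$HOME`), so a value containing whitespace or shell metacharacters would be split or interpreted rather than passed as one argument; patch 05 moves the value into an `AZURE_BASE_URL` env var, which removes the argument.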
@@ -89,7 +89,10 @@ Toolbox to use the included copy of `azcopy` to transmit and retrieve the backup files to the Azure blob storage. To support using Azure blob storage, one will need to create a storage account -in an existing resource group. A shared access signature (SAS) token is then +in an existing resource group. The storage account base URL needs to be +set to `gitlab.toolbox.backups.objectStorage.config.azureUrl`. + +A shared access signature (SAS) token is then generated from the storage account for GitLab to authenticate to Azure. The settings for the SAS token should be set to: @@ -122,11 +125,13 @@ the settings on the Helm command line. For example: helm install gitlab gitlab/gitlab \ --set gitlab.toolbox.backups.objectStorage.config.secret=backup-sas-token \ --set gitlab.toolbox.backups.objectStorage.config.key=token \ - --set gitlab.toolbox.backups.objectStorage.backend=azure + --set gitlab.toolbox.backups.objectStorage.backend=azure \ + --set gitlab.toolbox.backups.objectStorage.config.azureUrl=https://.blob.core.windows.net ``` -In addition, two bucket locations need to be configured, one for storing the -backups, and one temporary bucket that is used when restoring a backup. +In addition, two buckets/containers need to be created beforehand, one for storing the +backups, and one temporary bucket that is used when restoring a backup. Add the +bucket names to your values or settings. For example: ```shell --set global.appConfig.backups.bucket=gitlab-backup-storage diff --git a/doc/charts/gitlab/toolbox/index.md b/doc/charts/gitlab/toolbox/index.md index 9c4afb1f8d..32eb8cac2b 100644 --- a/doc/charts/gitlab/toolbox/index.md +++ b/doc/charts/gitlab/toolbox/index.md 
@@ -84,7 +84,7 @@ gitlab: | `backups.cron.startingDeadlineSeconds` | Backup cron job starting deadline, in seconds (if null, no starting deadline is applied) | `null` | | `backups.cron.successfulJobsHistoryLimit` | Number of successful backup jobs list in history | `3` | | `backups.cron.suspend` | Backup cron job is suspended | `false` | -| `backups.objectStorage.backend` | Object storage provider to use (`s3` or `gcs`) | `s3` | +| `backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs` or `azure`) | `s3` | | `backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" | | `backups.objectStorage.config.key` | Key containing credentials in secret | "" | | `backups.objectStorage.config.secret` | Object storage credentials secret | "" | diff --git a/doc/installation/command-line-options.md b/doc/installation/command-line-options.md index 518835992f..a040d38244 100644 --- a/doc/installation/command-line-options.md +++ b/doc/installation/command-line-options.md 
@@ -385,8 +385,9 @@ settings from the [Redis chart](https://github.com/bitnami/charts/tree/master/bi | `gitlab.toolbox.backups.cron.resources.requests.cpu` | Backup cron minimum needed CPU | `50m` | | `gitlab.toolbox.backups.cron.resources.requests.memory` | Backup cron minimum needed memory | `350M` | | `gitlab.toolbox.backups.cron.schedule` | Cron style schedule string | `0 1 * * *` | -| `gitlab.toolbox.backups.objectStorage.backend` | Object storage provider to use (`s3` or `gcs`) | `s3` | +| `gitlab.toolbox.backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs`, or `azure`) | `s3` | | `gitlab.toolbox.backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" | +| `gitlab.toolbox.backups.objectStorage.config.azureUrl` | Base URL of the Azure Storage Account when backend is `azure` | "" | | `gitlab.toolbox.backups.objectStorage.config.key` | key containing credentials in secret | "" | | `gitlab.toolbox.backups.objectStorage.config.secret` | Object storage credentials secret | "" | | `gitlab.toolbox.backups.objectStorage.config` | Authentication information for object storage | {} | -- GitLab From 618d412ff54f62ae8f0ab47203f291dcbaabcc2d Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Wed, 15 Feb 2023 00:06:09 +0100 Subject: [PATCH 05/17] Rename azureUrl to azureBaseUrl and pass it as env --- charts/gitlab/charts/toolbox/templates/backup-job.yaml | 6 +++++- charts/gitlab/charts/toolbox/templates/deployment.yaml | 4 ++++ charts/gitlab/charts/toolbox/values.yaml | 2 +- doc/backup-restore/index.md | 4 ++-- doc/charts/gitlab/toolbox/index.md | 1 + doc/installation/command-line-options.md | 2 +- 6 files changed, 14 insertions(+), 5 deletions(-) diff --git a/charts/gitlab/charts/toolbox/templates/backup-job.yaml b/charts/gitlab/charts/toolbox/templates/backup-job.yaml index 83dba46a5d..98080bb6b9 100644 --- a/charts/gitlab/charts/toolbox/templates/backup-job.yaml 
+++ b/charts/gitlab/charts/toolbox/templates/backup-job.yaml @@ -90,7 +90,7 @@ spec: {{- else if eq .Values.backups.objectStorage.backend "gcs" }} - sh /var/opt/gitlab/templates/configure-gsutil && backup-utility {{ .Values.backups.cron.extraArgs }} {{- else if eq .Values.backups.objectStorage.backend "azure" }} - - backup-utility {{ .Values.backups.cron.extraArgs }} --azure-endpoint-url {{ .Values.backups.objectStorage.config.azureUrl }} + - backup-utility {{ .Values.backups.cron.extraArgs }} {{- end }} image: "{{ coalesce .Values.image.repository (include "image.repository" .) }}:{{ coalesce .Values.image.tag (include "gitlab.versionTag" . ) }}{{ include "gitlab.image.tagSuffix" . }}" {{- include "gitlab.image.pullPolicy" $imageCfg | indent 14 }} @@ -131,6 +131,10 @@ spec: - name: GOOGLE_APPLICATION_CREDENTIALS value: '/etc/gitlab/objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }}' {{- end }} + {{- if eq .Values.backups.objectStorage.backend "azure" }} + - name: AZURE_BASE_URL + value: {{ .Values.backups.objectStorage.config.azureBaseUrl }} + {{- end }} volumeMounts: {{- include "gitlab.extraVolumeMounts" . | nindent 16 }} - name: toolbox-config diff --git a/charts/gitlab/charts/toolbox/templates/deployment.yaml b/charts/gitlab/charts/toolbox/templates/deployment.yaml index 087c1effa2..e0097c2eab 100644 --- a/charts/gitlab/charts/toolbox/templates/deployment.yaml +++ b/charts/gitlab/charts/toolbox/templates/deployment.yaml @@ -146,6 +146,10 @@ spec: - name: GOOGLE_APPLICATION_CREDENTIALS value: '/etc/gitlab/objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }}' {{- end }} + {{- if eq .Values.backups.objectStorage.backend "azure" }} + - name: AZURE_BASE_URL + value: {{ .Values.backups.objectStorage.config.azureBaseUrl }} + {{- end }} {{- include "gitlab.extraEnv" . | nindent 12 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} volumeMounts: 
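Review bot: `value: {{ .Values.backups.objectStorage.config.azureBaseUrl }}` in both the backup-job.yaml and deployment.yaml hunks emits the URL as an unquoted YAML scalar, so an unset value renders `value:` with no scalar (null) and a value containing YAML-significant characters can change type or fail to parse. `value: {{ .Values.backups.objectStorage.config.azureBaseUrl | quote }}` pins it to a string, the way `GOOGLE_APPLICATION_CREDENTIALS` two lines above already does with single quotes. The same two lines are rewritten again in patch 06 and patch 10 and keep the unquoted form there as well.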
diff --git a/charts/gitlab/charts/toolbox/values.yaml b/charts/gitlab/charts/toolbox/values.yaml index 1f20cd872b..f0077bce0b 100644 --- a/charts/gitlab/charts/toolbox/values.yaml +++ b/charts/gitlab/charts/toolbox/values.yaml @@ -182,7 +182,7 @@ backups: # secret: my-backup-secret # key: config # gcpProject: my-gcp-project-id - # azureUrl: https://.blob.core.windows.net + # azureBaseUrl: https://.blob.core.windows.net extra: {} rack_attack: diff --git a/doc/backup-restore/index.md b/doc/backup-restore/index.md index 40c9522065..6e39c1755c 100644 --- a/doc/backup-restore/index.md +++ b/doc/backup-restore/index.md @@ -90,7 +90,7 @@ backup files to the Azure blob storage. To support using Azure blob storage, one will need to create a storage account in an existing resource group. The storage account base URL needs to be -set to `gitlab.toolbox.backups.objectStorage.config.azureUrl`. +set to `gitlab.toolbox.backups.objectStorage.config.azureBaseUrl`. A shared access signature (SAS) token is then generated from the storage account for GitLab to authenticate to Azure. The @@ -126,7 +126,7 @@ helm install gitlab gitlab/gitlab \ --set gitlab.toolbox.backups.objectStorage.config.secret=backup-sas-token \ --set gitlab.toolbox.backups.objectStorage.config.key=token \ --set gitlab.toolbox.backups.objectStorage.backend=azure \ - --set gitlab.toolbox.backups.objectStorage.config.azureUrl=https://.blob.core.windows.net + --set gitlab.toolbox.backups.objectStorage.config.azureBaseUrl=https://.blob.core.windows.net ``` In addition, two buckets/containers need to be created beforehand, one for storing the diff --git a/doc/charts/gitlab/toolbox/index.md b/doc/charts/gitlab/toolbox/index.md index 32eb8cac2b..c25de4166e 100644 --- a/doc/charts/gitlab/toolbox/index.md +++ b/doc/charts/gitlab/toolbox/index.md 
@@ -86,6 +86,7 @@ gitlab: | `backups.cron.suspend` | Backup cron job is suspended | `false` | | `backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs` or `azure`) | `s3` | | `backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" | +| `backups.objectStorage.config.azureBaseUrl` | Base URL of the Azure Storage Account when backend is `azure` | "" | | `backups.objectStorage.config.key` | Key containing credentials in secret | "" | | `backups.objectStorage.config.secret` | Object storage credentials secret | "" | | `common.labels` | Supplemental labels that are applied to all objects created by this chart. | `{}` | diff --git a/doc/installation/command-line-options.md b/doc/installation/command-line-options.md index a040d38244..737d98c6f6 100644 --- a/doc/installation/command-line-options.md +++ b/doc/installation/command-line-options.md @@ -387,7 +387,7 @@ settings from the [Redis chart](https://github.com/bitnami/charts/tree/master/bi | `gitlab.toolbox.backups.cron.schedule` | Cron style schedule string | `0 1 * * *` | | `gitlab.toolbox.backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs`, or `azure`) | `s3` | | `gitlab.toolbox.backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" | -| `gitlab.toolbox.backups.objectStorage.config.azureUrl` | Base URL of the Azure Storage Account when backend is `azure` | "" | +| `gitlab.toolbox.backups.objectStorage.config.azureBaseUrl` | Base URL of the Azure Storage Account when backend is `azure` | "" | | `gitlab.toolbox.backups.objectStorage.config.key` | key containing credentials in secret | "" | | `gitlab.toolbox.backups.objectStorage.config.secret` | Object storage credentials secret | "" | | `gitlab.toolbox.backups.objectStorage.config` | Authentication information for object storage | {} | -- GitLab From 6f9c18d2e4ce93ec2dc53799ca32995accf46183 Mon Sep 17 00:00:00 2001 
From: Clemens Beck Date: Wed, 15 Feb 2023 11:50:39 +0100 Subject: [PATCH 06/17] Fix double rendering of objectStorage secret --- .../charts/toolbox/templates/backup-job.yaml | 14 ++++++++------ .../charts/toolbox/templates/deployment.yaml | 12 +++++++----- 2 files changed, 15 insertions(+), 11 deletions(-) diff --git a/charts/gitlab/charts/toolbox/templates/backup-job.yaml b/charts/gitlab/charts/toolbox/templates/backup-job.yaml index 98080bb6b9..1972279d56 100644 --- a/charts/gitlab/charts/toolbox/templates/backup-job.yaml +++ b/charts/gitlab/charts/toolbox/templates/backup-job.yaml @@ -133,7 +133,7 @@ spec: {{- end }} {{- if eq .Values.backups.objectStorage.backend "azure" }} - name: AZURE_BASE_URL - value: {{ .Values.backups.objectStorage.config.azureBaseUrl }} + value: {{ required "A valid backups.objectStorage.config.azureBaseUrl is needed!" .Values.backups.objectStorage.config.azureBaseUrl }} {{- end }} volumeMounts: {{- include "gitlab.extraVolumeMounts" . | nindent 16 }} 
@@ -201,25 +201,27 @@ spec: path: registry/gitlab-registry.key {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 16 -}} {{- if or .Values.backups.objectStorage.config (not .Values.global.minio.enabled) }} + {{- if eq .Values.backups.objectStorage.backend "s3" }} - secret: name: {{ required "A valid backups.objectStorage.config.secret is needed!" .Values.backups.objectStorage.config.secret }} items: - key: {{ default "config" .Values.backups.objectStorage.config.key }} path: objectstorage/.s3cfg - {{- end }} - {{- if eq .Values.backups.objectStorage.backend "gcs" }} + {{- end }} + {{- if eq .Values.backups.objectStorage.backend "gcs" }} - secret: name: {{ required "A valid backups.objectStorage.config.secret is needed!" .Values.backups.objectStorage.config.secret }} items: - key: {{ default "config" .Values.backups.objectStorage.config.key }} path: objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }} - {{- end }} - {{- if eq .Values.backups.objectStorage.backend "azure" }} + {{- end }} + {{- if eq .Values.backups.objectStorage.backend "azure" }} - secret: - name: {{ .Values.backups.objectStorage.config.secret }} + name: {{ required "A valid backups.objectStorage.config.secret is needed!" .Values.backups.objectStorage.config.secret }} items: - key: {{ default "config" .Values.backups.objectStorage.config.key }} path: objectstorage/azure_token + {{- end }} {{- end }} {{- include "gitlab.kas.mountSecrets" $ | nindent 16 }} {{- include "gitlab.pages.mountSecrets" $ | nindent 16 }} diff --git a/charts/gitlab/charts/toolbox/templates/deployment.yaml b/charts/gitlab/charts/toolbox/templates/deployment.yaml index e0097c2eab..17165d90e6 100644 --- a/charts/gitlab/charts/toolbox/templates/deployment.yaml +++ b/charts/gitlab/charts/toolbox/templates/deployment.yaml 
@@ -148,7 +148,7 @@ spec: {{- end }} {{- if eq .Values.backups.objectStorage.backend "azure" }} - name: AZURE_BASE_URL - value: {{ .Values.backups.objectStorage.config.azureBaseUrl }} + value: {{ required "A valid backups.objectStorage.config.azureBaseUrl is needed!" .Values.backups.objectStorage.config.azureBaseUrl }} {{- end }} {{- include "gitlab.extraEnv" . | nindent 12 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} @@ -233,25 +233,27 @@ spec: path: registry/gitlab-registry.key {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 10 -}} {{- if or .Values.backups.objectStorage.config (not (or .Values.global.minio.enabled .Values.global.appConfig.object_store.enabled)) }} + {{- if eq .Values.backups.objectStorage.backend "s3" }} - secret: name: {{ .Values.backups.objectStorage.config.secret }} items: - key: {{ default "config" .Values.backups.objectStorage.config.key }} path: objectstorage/.s3cfg - {{- end }} - {{- if eq .Values.backups.objectStorage.backend "gcs" }} + {{- end }} + {{- if eq .Values.backups.objectStorage.backend "gcs" }} - secret: name: {{ .Values.backups.objectStorage.config.secret }} items: - key: {{ default "config" .Values.backups.objectStorage.config.key }} path: objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }} - {{- end }} - {{- if eq .Values.backups.objectStorage.backend "azure" }} + {{- end }} + {{- if eq .Values.backups.objectStorage.backend "azure" }} - secret: name: {{ .Values.backups.objectStorage.config.secret }} items: - key: {{ default "config" .Values.backups.objectStorage.config.key }} path: objectstorage/azure_token + {{- end }} {{- end }} {{- include "gitlab.pages.mountSecrets" $ | nindent 10 }} {{- include "gitlab.kas.mountSecrets" $ | nindent 10 }} -- GitLab From 38008517cfcce66e8a5822511477446993794802 Mon Sep 17 00:00:00 2001 
From: Clemens Beck Date: Wed, 15 Feb 2023 11:51:00 +0100 Subject: [PATCH 07/17] Add specs for azure backups --- spec/configuration/toolbox_spec.rb | 50 ++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/spec/configuration/toolbox_spec.rb b/spec/configuration/toolbox_spec.rb index 5959ac1e20..fa1c58afc5 100644 --- a/spec/configuration/toolbox_spec.rb +++ b/spec/configuration/toolbox_spec.rb @@ -4,6 +4,10 @@ require 'yaml' require 'hash_deep_merge' describe 'toolbox configuration' do + def env_value(name, value) + { 'name' => name, 'value' => value.to_s } + end + let(:default_values) do HelmTemplate.with_defaults(%( gitlab: 
@@ -204,4 +208,50 @@ describe 'toolbox configuration' do end end end + + context 'backup configuration' do + context 'using azure backend' do + let(:values) do + YAML.safe_load(%( + gitlab: + toolbox: + backups: + objectStorage: + config: + secret: token-secret + key: token + azureBaseUrl: "https://mystorage.blob.core.windows.net" + backend: azure + )).deep_merge(default_values) + end + + let(:template) do + HelmTemplate.new(values) + end + + it 'renders the template' do + expect(template.exit_code).to eq(0), "Unexpected error code #{template.exit_code} -- #{template.stderr}" + end + + it 'configures the deployment to use the azure backend' do + deployment_spec = template.dig("Deployment/test-toolbox", 'spec', 'template', 'spec') + container_env = deployment_spec.dig('containers', 0, 'env') + expect(container_env).to include(env_value('AZURE_BASE_URL', 'https://mystorage.blob.core.windows.net')) + expect(container_env).to include(env_value('BACKUP_BACKEND', 'azure')) + init_secret = deployment_spec['volumes'].find { |s| s['name'] == 'init-toolbox-secrets' } + token_secret = init_secret["projected"]["sources"].find { |sc| sc['secret']['name'] == 'token-secret' }["secret"] + expect(token_secret).to eq({ "name" => 'token-secret', "items" => [{ "key" => 'token', "path" => 'objectstorage/azure_token' }] }) + end + + it 'configures the cronjob to use the azure backend' do + cronjob_spec = template.dig('CronJob/test-toolbox-backup', 'spec', 'jobTemplate', 'spec', 'template', 'spec') + container_env = cronjob_spec.dig('containers', 0, 'env') + expect(container_env).to include(env_value('AZURE_BASE_URL', 'https://mystorage.blob.core.windows.net')) + expect(container_env).to include(env_value('BACKUP_BACKEND', 'azure')) + init_secret = cronjob_spec['volumes'].find { |s| s['name'] == 'init-toolbox-secrets' } + token_secret = init_secret["projected"]["sources"].find { |sc| sc['secret']['name'] == 'token-secret' }["secret"] + expect(token_secret).to eq({ "name" => 
'token-secret', "items" => [{ "key" => 'token', "path" => 'objectstorage/azure_token' }] }) + end + end + end end -- GitLab From c7993b72193bb43c7c0b785a2b27f540c93c12da Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Wed, 15 Feb 2023 14:28:32 +0100 Subject: [PATCH 08/17] Document optional delete permission to Azure backup --- doc/backup-restore/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/backup-restore/index.md b/doc/backup-restore/index.md index 6e39c1755c..737e7bae95 100644 --- a/doc/backup-restore/index.md +++ b/doc/backup-restore/index.md @@ -98,7 +98,8 @@ settings for the SAS token should be set to: - Service: blob - Resource types: container, object -- Permissions: read, write, list +- Permissions: read, write, list and delete (only + when old backups are configured to be removed automatically) - Versioning permissions: None - Index permissions: None - Allowed protocols: HTTPS only -- GitLab From 47bea8c4f4ac15eca6da285b94571ccc2cfeb19c Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Thu, 16 Feb 2023 12:38:42 +0100 Subject: [PATCH 09/17] Move toolbox object storage secret to template --- .../charts/toolbox/templates/_helpers.tpl | 31 +++++++++++++++++++ .../charts/toolbox/templates/backup-job.yaml | 22 +------------ .../charts/toolbox/templates/deployment.yaml | 22 +------------ 3 files changed, 33 insertions(+), 42 deletions(-) diff --git a/charts/gitlab/charts/toolbox/templates/_helpers.tpl b/charts/gitlab/charts/toolbox/templates/_helpers.tpl index 12f610b03f..4d3d8edf00 100644 --- a/charts/gitlab/charts/toolbox/templates/_helpers.tpl +++ b/charts/gitlab/charts/toolbox/templates/_helpers.tpl @@ -1,3 +1,5 @@ +{{/* vim: set filetype=mustache: */}} + {{- define "toolbox.backups.cron.persistence.persistentVolumeClaim" -}} metadata: {{- if not .Values.backups.cron.persistence.useGenericEphemeralVolume }} 
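Review bot: The new `configures the deployment …` and `configures the cronjob …` examples take the first projected source whose secret name is `token-secret` and compare it to the `azure_token` item, so they would still pass if the same Secret were also projected a second time with the `.s3cfg` item — which is the double rendering patch 06 removes, so this is the spot for a regression guard. Counting the matching sources covers it, e.g. `expect(init_secret['projected']['sources'].count { |sc| sc.dig('secret', 'name') == 'token-secret' }).to eq(1)` in both examples. The `find { |sc| sc['secret']['name'] == 'token-secret' }` form also raises NoMethodError instead of a readable expectation failure if any projected source has no `secret` key; `sc.dig('secret', 'name')` avoids that.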
@@ -32,4 +34,33 @@ spec: matchExpressions: {{- toYaml .Values.backups.cron.persistence.matchExpressions | nindent 6 }} {{- end -}} +{{- end -}} + +{{/* +Returns the secret configuring access to the object storage for backups. + +Usage: + {{ include "toolbox.backups.objectStorage.config.secret" .Values.backups.objectStorage }} + +*/}} +{{- define "toolbox.backups.objectStorage.config.secret" -}} +{{- if eq .backend "gcs" -}} +- secret: + name: {{ .config.secret }} + items: + - key: {{ default "config" .config.key }} + path: objectstorage/{{ default "config" .config.key }} +{{- else if eq .backend "azure" -}} +- secret: + name: {{ .config.secret }} + items: + - key: {{ default "config" .config.key }} + path: objectstorage/azure_token +{{- else -}} +- secret: + name: {{ .config.secret }} + items: + - key: {{ default "config" .config.key }} + path: objectstorage/.s3cfg +{{- end -}} {{- end -}} \ No newline at end of file diff --git a/charts/gitlab/charts/toolbox/templates/backup-job.yaml b/charts/gitlab/charts/toolbox/templates/backup-job.yaml index 1972279d56..a4de9140ce 100644 --- a/charts/gitlab/charts/toolbox/templates/backup-job.yaml +++ b/charts/gitlab/charts/toolbox/templates/backup-job.yaml 
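Review bot: The new `toolbox.backups.objectStorage.config.secret` helper renders `name: {{ .config.secret }}` for every backend, which drops the `required "A valid backups.objectStorage.config.secret is needed!"` guard that the backup-job.yaml hunk of this commit removes; with the secret unset the CronJob now renders a projected source with an empty secret name instead of failing at template time (deployment.yaml never had the guard, so the helper could restore it for both callers). `name: {{ required "A valid backups.objectStorage.config.secret is needed!" .config.secret }}` on the three `name:` lines does that. The trailing `else` branch also maps any backend value other than `gcs`/`azure` onto the `.s3cfg` layout, where the replaced per-backend `if eq … "s3"` blocks rendered nothing for an unrecognised value; an explicit `{{- else if eq .backend "s3" -}}` keeps a misspelt backend from silently receiving an s3 credentials mount.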
@@ -201,27 +201,7 @@ spec: path: registry/gitlab-registry.key {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 16 -}} {{- if or .Values.backups.objectStorage.config (not .Values.global.minio.enabled) }} - {{- if eq .Values.backups.objectStorage.backend "s3" }} - - secret: - name: {{ required "A valid backups.objectStorage.config.secret is needed!" .Values.backups.objectStorage.config.secret }} - items: - - key: {{ default "config" .Values.backups.objectStorage.config.key }} - path: objectstorage/.s3cfg - {{- end }} - {{- if eq .Values.backups.objectStorage.backend "gcs" }} - - secret: - name: {{ required "A valid backups.objectStorage.config.secret is needed!" .Values.backups.objectStorage.config.secret }} - items: - - key: {{ default "config" .Values.backups.objectStorage.config.key }} - path: objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }} - {{- end }} - {{- if eq .Values.backups.objectStorage.backend "azure" }} - - secret: - name: {{ required "A valid backups.objectStorage.config.secret is needed!" .Values.backups.objectStorage.config.secret }} - items: - - key: {{ default "config" .Values.backups.objectStorage.config.key }} - path: objectstorage/azure_token - {{- end }} + {{- include "toolbox.backups.objectStorage.config.secret" .Values.backups.objectStorage | nindent 16 }} {{- end }} {{- include "gitlab.kas.mountSecrets" $ | nindent 16 }} {{- include "gitlab.pages.mountSecrets" $ | nindent 16 }} diff --git a/charts/gitlab/charts/toolbox/templates/deployment.yaml b/charts/gitlab/charts/toolbox/templates/deployment.yaml index 17165d90e6..79cef9308f 100644 --- a/charts/gitlab/charts/toolbox/templates/deployment.yaml +++ b/charts/gitlab/charts/toolbox/templates/deployment.yaml 
@@ -233,27 +233,7 @@ spec: path: registry/gitlab-registry.key {{- include "gitlab.registry.notificationSecret.mount" $ | nindent 10 -}} {{- if or .Values.backups.objectStorage.config (not (or .Values.global.minio.enabled .Values.global.appConfig.object_store.enabled)) }} - {{- if eq .Values.backups.objectStorage.backend "s3" }} - - secret: - name: {{ .Values.backups.objectStorage.config.secret }} - items: - - key: {{ default "config" .Values.backups.objectStorage.config.key }} - path: objectstorage/.s3cfg - {{- end }} - {{- if eq .Values.backups.objectStorage.backend "gcs" }} - - secret: - name: {{ .Values.backups.objectStorage.config.secret }} - items: - - key: {{ default "config" .Values.backups.objectStorage.config.key }} - path: objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }} - {{- end }} - {{- if eq .Values.backups.objectStorage.backend "azure" }} - - secret: - name: {{ .Values.backups.objectStorage.config.secret }} - items: - - key: {{ default "config" .Values.backups.objectStorage.config.key }} - path: objectstorage/azure_token - {{- end }} + {{- include "toolbox.backups.objectStorage.config.secret" .Values.backups.objectStorage | nindent 10 }} {{- end }} {{- include "gitlab.pages.mountSecrets" $ | nindent 10 }} {{- include "gitlab.kas.mountSecrets" $ | nindent 10 }} -- GitLab From ae8dcea2f8384f3f42bb5d59781618f320369b8c Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Thu, 16 Feb 2023 12:40:13 +0100 Subject: [PATCH 10/17] Verify Azure base url config --- .../charts/toolbox/templates/backup-job.yaml | 2 +- .../charts/toolbox/templates/deployment.yaml | 2 +- spec/integration/check_config/toolbox_spec.rb | 37 +++++++++++++++++++ templates/_checkConfig_toolbox.tpl | 9 ++++- 4 files changed, 46 insertions(+), 4 deletions(-) diff --git a/charts/gitlab/charts/toolbox/templates/backup-job.yaml b/charts/gitlab/charts/toolbox/templates/backup-job.yaml index a4de9140ce..9c80acbe46 100644 
--- a/charts/gitlab/charts/toolbox/templates/backup-job.yaml +++ b/charts/gitlab/charts/toolbox/templates/backup-job.yaml @@ -133,7 +133,7 @@ spec: {{- end }} {{- if eq .Values.backups.objectStorage.backend "azure" }} - name: AZURE_BASE_URL - value: {{ required "A valid backups.objectStorage.config.azureBaseUrl is needed!" .Values.backups.objectStorage.config.azureBaseUrl }} + value: {{ .Values.backups.objectStorage.config.azureBaseUrl }} {{- end }} volumeMounts: {{- include "gitlab.extraVolumeMounts" . | nindent 16 }} diff --git a/charts/gitlab/charts/toolbox/templates/deployment.yaml b/charts/gitlab/charts/toolbox/templates/deployment.yaml index 79cef9308f..71aaf17414 100644 --- a/charts/gitlab/charts/toolbox/templates/deployment.yaml +++ b/charts/gitlab/charts/toolbox/templates/deployment.yaml @@ -148,7 +148,7 @@ spec: {{- end }} {{- if eq .Values.backups.objectStorage.backend "azure" }} - name: AZURE_BASE_URL - value: {{ required "A valid backups.objectStorage.config.azureBaseUrl is needed!" .Values.backups.objectStorage.config.azureBaseUrl }} + value: {{ .Values.backups.objectStorage.config.azureBaseUrl }} {{- end }} {{- include "gitlab.extraEnv" . | nindent 12 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} diff --git a/spec/integration/check_config/toolbox_spec.rb b/spec/integration/check_config/toolbox_spec.rb index ba9b6cc536..e810a657b6 100644 --- a/spec/integration/check_config/toolbox_spec.rb +++ b/spec/integration/check_config/toolbox_spec.rb 
@@ -83,5 +83,42 @@ describe 'checkConfig toolbox' do include_examples 'config validation', success_description: 'when toolbox is disabled and does not have a valid object storage backup secret configured' end + + describe 'is using Azure as backup backend' do + let(:success_values) do + YAML.safe_load(%( + gitlab: + toolbox: + enabled: true + backups: + objectStorage: + config: + secret: s3cmd-config + key: config + azureBaseUrl: "https://mystorage.blob.core.windows.net" + )).merge(default_required_values) + end + + let(:error_values) do + YAML.safe_load(%( + gitlab: + toolbox: + enabled: true + backups: + objectStorage: + config: + secret: s3cmd-config + key: config + backend: azure + # azureBaseUrl: "https://mystorage.blob.core.windows.net" + )).merge(default_required_values) + + let(:error_output) { 'A valid Azure base URL is needed for backing up to Azure.' } + + include_examples 'config validation', + success_description: 'when toolbox is using Azure backend with base URL configured', + error_description: 'when toolbox is using Azure backend without base URL confiured' + end + end end end diff --git a/templates/_checkConfig_toolbox.tpl b/templates/_checkConfig_toolbox.tpl index e8969bb574..488c24c9f8 100644 --- a/templates/_checkConfig_toolbox.tpl +++ b/templates/_checkConfig_toolbox.tpl 
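Review bot: The `let(:error_values) do` block is never closed before `let(:error_output)` and `include_examples`, and the surplus `+ end` near the bottom closes it instead of the `describe`, so Ruby parses `error_output` and the `include_examples` call as statements inside the `error_values` block and the shared examples for this `describe` are never registered. Add `end` directly after `)).merge(default_required_values)` in `error_values` and drop the extra `end`. `success_values` also lacks `backend: azure`, so once the examples do run the success case would not exercise the Azure path, and `confiured` in the error description is a typo.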
@@ -2,12 +2,17 @@ Ensure that a valid object storage config secret is provided. */}} {{- define "gitlab.toolbox.backups.objectStorage.config.secret" -}} +{{- $objectStorage := .Values.gitlab.toolbox.backups.objectStorage -}} {{- if .Values.gitlab.toolbox.enabled -}} -{{- if or .Values.gitlab.toolbox.backups.objectStorage.config (not (or .Values.global.minio.enabled .Values.global.appConfig.object_store.enabled)) (eq .Values.gitlab.toolbox.backups.objectStorage.backend "gcs") }} -{{- if not .Values.gitlab.toolbox.backups.objectStorage.config.secret -}} +{{- if or $objectStorage.config (not (or .Values.global.minio.enabled .Values.global.appConfig.object_store.enabled)) (has $objectStorage.backend (list "gcs" "azure")) }} +{{- if not $objectStorage.config.secret -}} toolbox: A valid object storage config secret is needed for backups. Please configure it via `gitlab.toolbox.backups.objectStorage.config.secret`. +{{- else if and (eq $objectStorage.backend "azure") (not $objectStorage.config.azureBaseUrl) -}} +toolbox: + A valid Azure base URL is needed for backing up to Azure. + Please configure it via `gitlab.toolbox.backups.objectStorage.config.azureBaseUrl`. {{- end -}} {{- end -}} {{- end -}} -- GitLab From c0d2c592d6239ba0feafce2742f8487f6e9443f5 Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Mon, 20 Feb 2023 23:14:20 +0100 Subject: [PATCH 11/17] Configure Azure endpoint and storage account --- .../charts/toolbox/templates/_helpers.tpl | 19 +++++++++++++++++-- .../charts/toolbox/templates/backup-job.yaml | 3 +-- .../charts/toolbox/templates/deployment.yaml | 3 +-- charts/gitlab/charts/toolbox/values.yaml | 9 +++++---- doc/charts/gitlab/toolbox/index.md | 3 ++- doc/installation/command-line-options.md | 3 ++- spec/configuration/toolbox_spec.rb | 10 +++++----- spec/integration/check_config/toolbox_spec.rb | 7 ++++--- templates/_checkConfig_toolbox.tpl | 6 +++--- 9 files changed, 40 insertions(+), 23 deletions(-) 
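Review bot: The new branch only checks that `azureBaseUrl` is set, not what it contains; the value is presumably the endpoint the backup credentials are presented to, so a plain `http://` value passes validation and would expose the token in cleartext. Consider extending the condition with `(not (hasPrefix "https://" $objectStorage.config.azureBaseUrl))` and a matching message, or at least record the expectation next to the check with `{{/* azureBaseUrl is expected to be an https:// endpoint */}}`.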
diff --git a/charts/gitlab/charts/toolbox/templates/_helpers.tpl b/charts/gitlab/charts/toolbox/templates/_helpers.tpl index 4d3d8edf00..56428a9afa 100644 --- a/charts/gitlab/charts/toolbox/templates/_helpers.tpl +++ b/charts/gitlab/charts/toolbox/templates/_helpers.tpl @@ -55,7 +55,7 @@ Usage: name: {{ .config.secret }} items: - key: {{ default "config" .config.key }} - path: objectstorage/azure_token + path: objectstorage/azure_access_key {{- else -}} - secret: name: {{ .config.secret }} @@ -63,4 +63,19 @@ Usage: - key: {{ default "config" .config.key }} path: objectstorage/.s3cfg {{- end -}} -{{- end -}} \ No newline at end of file +{{- end -}} + + +{{/* +Returns the Azure backup specific environment variables. + +Usage: + {{ include "toolbox.backups.objectStorage.config.env" .Values.backups.objectStorage }} + +*/}} +{{- define "toolbox.backups.objectStorage.config.env" -}} +- name: AZURE_BLOB_HOST + value: {{ default .config.azureBlobHost "blob.core.windows.net" }} +- name: AZURE_STORAGE_ACCOUNT + value: {{ .config.azureStorageAccount }} +{{- end -}} diff --git a/charts/gitlab/charts/toolbox/templates/backup-job.yaml b/charts/gitlab/charts/toolbox/templates/backup-job.yaml index 9c80acbe46..302b8016db 100644 --- a/charts/gitlab/charts/toolbox/templates/backup-job.yaml +++ b/charts/gitlab/charts/toolbox/templates/backup-job.yaml @@ -132,8 +132,7 @@ spec: value: '/etc/gitlab/objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }}' {{- end }} {{- if eq .Values.backups.objectStorage.backend "azure" }} - - name: AZURE_BASE_URL - value: {{ .Values.backups.objectStorage.config.azureBaseUrl }} + {{- include "toolbox.backups.objectStorage.config.env" .Values.backups.objectStorage | nindent 16 }} {{- end }} volumeMounts: {{- include "gitlab.extraVolumeMounts" . | nindent 16 }} diff --git a/charts/gitlab/charts/toolbox/templates/deployment.yaml b/charts/gitlab/charts/toolbox/templates/deployment.yaml index 71aaf17414..19084e6956 100644 
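Review bot: `{{ default .config.azureBlobHost "blob.core.windows.net" }}` in the new `config.env` helper has the Sprig arguments reversed — `default` takes the fallback first and the value second — so the non-empty literal is always returned and a configured `azureBlobHost` is silently ignored. It should read `value: {{ default "blob.core.windows.net" .config.azureBlobHost }}`. Neither env value is passed through `quote`, so a storage account name YAML would read as a non-string (for example all digits) fails to render as an env `value`; `| quote` on both lines avoids that.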
--- a/charts/gitlab/charts/toolbox/templates/deployment.yaml +++ b/charts/gitlab/charts/toolbox/templates/deployment.yaml @@ -147,8 +147,7 @@ spec: value: '/etc/gitlab/objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }}' {{- end }} {{- if eq .Values.backups.objectStorage.backend "azure" }} - - name: AZURE_BASE_URL - value: {{ .Values.backups.objectStorage.config.azureBaseUrl }} + {{- include "toolbox.backups.objectStorage.config.env" .Values.backups.objectStorage | nindent 12 }} {{- end }} {{- include "gitlab.extraEnv" . | nindent 12 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} diff --git a/charts/gitlab/charts/toolbox/values.yaml b/charts/gitlab/charts/toolbox/values.yaml index f0077bce0b..9d89263535 100644 --- a/charts/gitlab/charts/toolbox/values.yaml +++ b/charts/gitlab/charts/toolbox/values.yaml @@ -179,10 +179,11 @@ backups: objectStorage: backend: s3 config: {} - # secret: my-backup-secret - # key: config - # gcpProject: my-gcp-project-id - # azureBaseUrl: https://.blob.core.windows.net + # secret: my-backup-secret + # key: config + # gcpProject: my-gcp-project-id + # azureBlobHost: blob.core.windows.net + # azureStorageAccount: my-azure-storage-account extra: {} rack_attack: diff --git a/doc/charts/gitlab/toolbox/index.md b/doc/charts/gitlab/toolbox/index.md index c25de4166e..c74359cde9 100644 --- a/doc/charts/gitlab/toolbox/index.md +++ b/doc/charts/gitlab/toolbox/index.md 
@@ -86,7 +86,8 @@ gitlab: | `backups.cron.suspend` | Backup cron job is suspended | `false` | | `backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs` or `azure`) | `s3` | | `backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" | -| `backups.objectStorage.config.azureBaseUrl` | Base URL of the Azure Storage Account when backend is `azure` | "" | +| `backups.objectStorage.config.azureStorageAccount` | Name of Azure Storage Account when backend is `azure` | "" | +| `backups.objectStorage.config.azureBlobHost`| Host of Blob storage when backend is `azure` | "blob.core.windows.net" | | `backups.objectStorage.config.key` | Key containing credentials in secret | "" | | `backups.objectStorage.config.secret` | Object storage credentials secret | "" | | `common.labels` | Supplemental labels that are applied to all objects created by this chart. | `{}` | diff --git a/doc/installation/command-line-options.md b/doc/installation/command-line-options.md index 737d98c6f6..cc78a673ac 100644 --- a/doc/installation/command-line-options.md +++ b/doc/installation/command-line-options.md 
@@ -387,7 +387,8 @@ settings from the [Redis chart](https://github.com/bitnami/charts/tree/master/bi | `gitlab.toolbox.backups.cron.schedule` | Cron style schedule string | `0 1 * * *` | | `gitlab.toolbox.backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs`, or `azure`) | `s3` | | `gitlab.toolbox.backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" | -| `gitlab.toolbox.backups.objectStorage.config.azureBaseUrl` | Base URL of the Azure Storage Account when backend is `azure` | "" | +| `backups.objectStorage.config.azureStorageAccount` | Name of Azure Storage Account when backend is `azure` | "" | +| `backups.objectStorage.config.azureBlobHost`| Host of Blob storage when backend is `azure` | "blob.core.windows.net" | | `gitlab.toolbox.backups.objectStorage.config.key` | key containing credentials in secret | "" | | `gitlab.toolbox.backups.objectStorage.config.secret` | Object storage credentials secret | "" | | `gitlab.toolbox.backups.objectStorage.config` | Authentication information for object storage | {} | diff --git a/spec/configuration/toolbox_spec.rb b/spec/configuration/toolbox_spec.rb index fa1c58afc5..444032d965 100644 --- a/spec/configuration/toolbox_spec.rb +++ b/spec/configuration/toolbox_spec.rb @@ -220,7 +220,7 @@ describe 'toolbox configuration' do config: secret: token-secret key: token - azureBaseUrl: "https://mystorage.blob.core.windows.net" + azureStorageAccount: mystorage backend: azure )).deep_merge(default_values) end 
@@ -236,21 +236,21 @@ describe 'toolbox configuration' do it 'configures the deployment to use the azure backend' do deployment_spec = template.dig("Deployment/test-toolbox", 'spec', 'template', 'spec') container_env = deployment_spec.dig('containers', 0, 'env') - expect(container_env).to include(env_value('AZURE_BASE_URL', 'https://mystorage.blob.core.windows.net')) + expect(container_env).to include(env_value('AZURE_STORAGE_ACCOUNT', 'mystorage')) expect(container_env).to include(env_value('BACKUP_BACKEND', 'azure')) init_secret = deployment_spec['volumes'].find { |s| s['name'] == 'init-toolbox-secrets' } token_secret = init_secret["projected"]["sources"].find { |sc| sc['secret']['name'] == 'token-secret' }["secret"] - expect(token_secret).to eq({ "name" => 'token-secret', "items" => [{ "key" => 'token', "path" => 'objectstorage/azure_token' }] }) + expect(token_secret).to eq({ "name" => 'token-secret', "items" => [{ "key" => 'token', "path" => 'objectstorage/azure_access_key' }] }) end it 'configures the cronjob to use the azure backend' do cronjob_spec = template.dig('CronJob/test-toolbox-backup', 'spec', 'jobTemplate', 'spec', 'template', 'spec') container_env = cronjob_spec.dig('containers', 0, 'env') - expect(container_env).to include(env_value('AZURE_BASE_URL', 'https://mystorage.blob.core.windows.net')) + expect(container_env).to include(env_value('AZURE_STORAGE_ACCOUNT', 'mystorage')) expect(container_env).to include(env_value('BACKUP_BACKEND', 'azure')) init_secret = cronjob_spec['volumes'].find { |s| s['name'] == 'init-toolbox-secrets' } token_secret = init_secret["projected"]["sources"].find { |sc| sc['secret']['name'] == 'token-secret' }["secret"] - expect(token_secret).to eq({ "name" => 'token-secret', "items" => [{ "key" => 'token', "path" => 'objectstorage/azure_token' }] }) + expect(token_secret).to eq({ "name" => 'token-secret', "items" => [{ "key" => 'token', "path" => 'objectstorage/azure_access_key' }] }) end end end 
diff --git a/spec/integration/check_config/toolbox_spec.rb b/spec/integration/check_config/toolbox_spec.rb index e810a657b6..137b78c03b 100644 --- a/spec/integration/check_config/toolbox_spec.rb +++ b/spec/integration/check_config/toolbox_spec.rb @@ -95,7 +95,8 @@ describe 'checkConfig toolbox' do config: secret: s3cmd-config key: config - azureBaseUrl: "https://mystorage.blob.core.windows.net" + azureStorageAccount: mystorage + backend: azure )).merge(default_required_values) end @@ -109,11 +110,11 @@ describe 'checkConfig toolbox' do config: secret: s3cmd-config key: config + azureStorageAccount: mystorage backend: azure - # azureBaseUrl: "https://mystorage.blob.core.windows.net" )).merge(default_required_values) - let(:error_output) { 'A valid Azure base URL is needed for backing up to Azure.' } + let(:error_output) { 'A valid Azure storage account is needed for backing up to Azure.' } include_examples 'config validation', success_description: 'when toolbox is using Azure backend with base URL configured', diff --git a/templates/_checkConfig_toolbox.tpl b/templates/_checkConfig_toolbox.tpl index 488c24c9f8..bd930c1115 100644 --- a/templates/_checkConfig_toolbox.tpl +++ b/templates/_checkConfig_toolbox.tpl 
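Review bot: `error_values` now also receives `azureStorageAccount: mystorage`, making it identical to `success_values` for the Azure keys, so the expected error `A valid Azure storage account is needed for backing up to Azure.` can never be produced and the error example would fail if it ran; remove that line from `error_values`. The `let(:error_values) do` block is still not closed before `let(:error_output)`, so the structural problem from the earlier commit remains and the examples are not registered. `success_description` also still says `with base URL configured` although the value under test is now the storage account.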
@@ -9,10 +9,10 @@ Ensure that a valid object storage config secret is provided. toolbox: A valid object storage config secret is needed for backups. Please configure it via `gitlab.toolbox.backups.objectStorage.config.secret`. -{{- else if and (eq $objectStorage.backend "azure") (not $objectStorage.config.azureBaseUrl) -}} +{{- else if and (eq $objectStorage.backend "azure") (not $objectStorage.config.azureStorageAccount) -}} toolbox: - A valid Azure base URL is needed for backing up to Azure. - Please configure it via `gitlab.toolbox.backups.objectStorage.config.azureBaseUrl`. + A valid Azure storage account is needed for backing up to Azure. + Please configure it via `gitlab.toolbox.backups.objectStorage.config.azureStorageAccount`. {{- end -}} {{- end -}} {{- end -}} -- GitLab From d98107e500309bbc512e75c5fb865764323bf45d Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Tue, 21 Feb 2023 09:48:35 +0100 Subject: [PATCH 12/17] Update Azure backup docs --- doc/backup-restore/index.md | 42 ++++++++++++++----------------------- 1 file changed, 16 insertions(+), 26 deletions(-) diff --git a/doc/backup-restore/index.md b/doc/backup-restore/index.md index 737e7bae95..c22cfae226 100644 --- a/doc/backup-restore/index.md +++ b/doc/backup-restore/index.md 
@@ -83,42 +83,28 @@ when restoring a backup. ### Backups to Azure blob storage -Azure blob storage can be can be used to store backups by setting +Azure blob storage can be used to store backups by setting `gitlab.toolbox.backups.objectStorage.backend` to `azure`. This will enable Toolbox to use the included copy of `azcopy` to transmit and retrieve the backup files to the Azure blob storage. -To support using Azure blob storage, one will need to create a storage account -in an existing resource group. The storage account base URL needs to be -set to `gitlab.toolbox.backups.objectStorage.config.azureBaseUrl`. - -A shared access signature (SAS) token is then -generated from the storage account for GitLab to authenticate to Azure. The -settings for the SAS token should be set to: - -- Service: blob -- Resource types: container, object -- Permissions: read, write, list and delete (only - when old backups are configured to be removed automatically) -- Versioning permissions: None -- Index permissions: None -- Allowed protocols: HTTPS only -- Preferred routing: Basic - -Once the SAS token is generated, it needs to be stored in a Kubernetes Secret -**without** the leading question mark. The name of this Secret needs to be -supplied to `gitlab.toolbox.backups.objectStorage.config.secret`. In addition, -the key used to store the SAS token needs to be supplied to +To use Azure blob storage, one will need to create a storage account +in an existing resource group. The storage account name needs to be +set to `gitlab.toolbox.backups.objectStorage.config.azureStorageAccount`. + +The access key needs to be stored in a Kubernetes Secret. The name of this +Secret needs to be supplied to `gitlab.toolbox.backups.objectStorage.config.secret`. +In addition, the key used to store the access key needs to be supplied to `gitlab.toolbox.backups.objectStorage.config.key`. 
The following `kubectl` command can be used to create the Kubernetes Secret -for the SAS token: +for the access key: ```shell -kubectl create secret generic backup-sas-token --from-literal=token= +kubectl create secret generic backup-access-key --from-literal=token= ``` -Once the SAS token Secret has been created, the GitLab Helm chart can be +Once the access key Secret has been created, the GitLab Helm chart can be configured by adding the backup settings to your deployed values or by supplying the settings on the Helm command line. For example: @@ -127,9 +113,13 @@ helm install gitlab gitlab/gitlab \ --set gitlab.toolbox.backups.objectStorage.config.secret=backup-sas-token \ --set gitlab.toolbox.backups.objectStorage.config.key=token \ --set gitlab.toolbox.backups.objectStorage.backend=azure \ - --set gitlab.toolbox.backups.objectStorage.config.azureBaseUrl=https://.blob.core.windows.net + --set gitlab.toolbox.backups.objectStorage.config.azureStorageAccount=YOUR_STORAGE_ACCOUNT \ + --set gitlab.toolbox.backups.objectStorage.config.azureBlobHost=blob.core.windows.net ``` +The access key from the Secret is used to generate and refresh shorter-lived shared +access signature (SAS) tokens to access the storage account. + In addition, two buckets/containers need to be created beforehand, one for storing the backups, and one temporary bucket that is used when restoring a backup. Add the bucket names to your values or settings. For example: -- GitLab From 8f97e51f728a5313c28c6ca2a3dfd4fac8189020 Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Tue, 21 Feb 2023 15:44:31 +0100 Subject: [PATCH 13/17] Improved access key Secret generation for Azure --- doc/backup-restore/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/backup-restore/index.md b/doc/backup-restore/index.md index c22cfae226..e71598804a 100644 --- a/doc/backup-restore/index.md +++ b/doc/backup-restore/index.md 
@@ -101,7 +101,7 @@ The following `kubectl` command can be used to create the Kubernetes Secret for the access key: ```shell -kubectl create secret generic backup-access-key --from-literal=token= +kubectl create secret generic backup-access-key --from-literal=accesskey= ``` Once the access key Secret has been created, the GitLab Helm chart can be -- GitLab From 3c62fee9e487163a42e94e7b7ddc3ecb60d9627e Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Wed, 22 Feb 2023 14:57:17 +0100 Subject: [PATCH 14/17] Configure Azure backups via config file --- .../charts/toolbox/templates/_helpers.tpl | 16 +------- .../charts/toolbox/templates/backup-job.yaml | 3 +- .../charts/toolbox/templates/deployment.yaml | 3 +- charts/gitlab/charts/toolbox/values.yaml | 8 ++-- doc/charts/gitlab/toolbox/index.md | 2 - doc/installation/command-line-options.md | 2 - spec/configuration/toolbox_spec.rb | 17 ++++----- spec/integration/check_config/toolbox_spec.rb | 38 ------------------- templates/_checkConfig_toolbox.tpl | 9 +---- 9 files changed, 18 insertions(+), 80 deletions(-) diff --git a/charts/gitlab/charts/toolbox/templates/_helpers.tpl b/charts/gitlab/charts/toolbox/templates/_helpers.tpl index 56428a9afa..62a85a4cd6 100644 --- a/charts/gitlab/charts/toolbox/templates/_helpers.tpl +++ b/charts/gitlab/charts/toolbox/templates/_helpers.tpl @@ -55,7 +55,7 @@ Usage: name: {{ .config.secret }} items: - key: {{ default "config" .config.key }} - path: objectstorage/azure_access_key + path: objectstorage/azure_config {{- else -}} - secret: name: {{ .config.secret }} 
@@ -65,17 +65,3 @@ Usage: {{- end -}} {{- end -}} - -{{/* -Returns the Azure backup specific environment variables. - -Usage: - {{ include "toolbox.backups.objectStorage.config.env" .Values.backups.objectStorage }} - -*/}} -{{- define "toolbox.backups.objectStorage.config.env" -}} -- name: AZURE_BLOB_HOST - value: {{ default .config.azureBlobHost "blob.core.windows.net" }} -- name: AZURE_STORAGE_ACCOUNT - value: {{ .config.azureStorageAccount }} -{{- end -}} diff --git a/charts/gitlab/charts/toolbox/templates/backup-job.yaml b/charts/gitlab/charts/toolbox/templates/backup-job.yaml index 302b8016db..6c22362007 100644 --- a/charts/gitlab/charts/toolbox/templates/backup-job.yaml +++ b/charts/gitlab/charts/toolbox/templates/backup-job.yaml @@ -132,7 +132,8 @@ spec: value: '/etc/gitlab/objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }}' {{- end }} {{- if eq .Values.backups.objectStorage.backend "azure" }} - {{- include "toolbox.backups.objectStorage.config.env" .Values.backups.objectStorage | nindent 16 }} + - name: AZURE_CONFIG_FILE + value: '/etc/gitlab/objectstorage/azure_config' {{- end }} volumeMounts: {{- include "gitlab.extraVolumeMounts" . | nindent 16 }} diff --git a/charts/gitlab/charts/toolbox/templates/deployment.yaml b/charts/gitlab/charts/toolbox/templates/deployment.yaml index 19084e6956..b692cf2371 100644 --- a/charts/gitlab/charts/toolbox/templates/deployment.yaml +++ b/charts/gitlab/charts/toolbox/templates/deployment.yaml 
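Review bot: The literal `/etc/gitlab/objectstorage/azure_config` is hard-coded in the backup-job.yaml hunk here and again in the deployment.yaml hunk that follows, while the matching projected-secret item path `objectstorage/azure_config` lives in this commit's `_helpers.tpl` hunk; the three have to be kept in step by hand. A comment beside the env entry, `{{/* must match the item path emitted by toolbox.backups.objectStorage.config.secret */}}`, or a small named template returning the path would make the coupling visible. The enclosing container spec starts and ends outside the hunk.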
@@ -147,7 +147,8 @@ spec: value: '/etc/gitlab/objectstorage/{{ default "config" .Values.backups.objectStorage.config.key }}' {{- end }} {{- if eq .Values.backups.objectStorage.backend "azure" }} - {{- include "toolbox.backups.objectStorage.config.env" .Values.backups.objectStorage | nindent 12 }} + - name: AZURE_CONFIG_FILE + value: '/etc/gitlab/objectstorage/azure_config' {{- end }} {{- include "gitlab.extraEnv" . | nindent 12 }} {{- include "gitlab.extraEnvFrom" (dict "root" $ "local" (dict)) | nindent 12 }} diff --git a/charts/gitlab/charts/toolbox/values.yaml b/charts/gitlab/charts/toolbox/values.yaml index 9d89263535..0212f8a342 100644 --- a/charts/gitlab/charts/toolbox/values.yaml +++ b/charts/gitlab/charts/toolbox/values.yaml @@ -179,11 +179,9 @@ backups: objectStorage: backend: s3 config: {} - # secret: my-backup-secret - # key: config - # gcpProject: my-gcp-project-id - # azureBlobHost: blob.core.windows.net - # azureStorageAccount: my-azure-storage-account + # secret: my-backup-secret + # key: config + # gcpProject: my-gcp-project-id extra: {} rack_attack: diff --git a/doc/charts/gitlab/toolbox/index.md b/doc/charts/gitlab/toolbox/index.md index c74359cde9..32eb8cac2b 100644 --- a/doc/charts/gitlab/toolbox/index.md +++ b/doc/charts/gitlab/toolbox/index.md 
@@ -86,8 +86,6 @@ gitlab: | `backups.cron.suspend` | Backup cron job is suspended | `false` | | `backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs` or `azure`) | `s3` | | `backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" | -| `backups.objectStorage.config.azureStorageAccount` | Name of Azure Storage Account when backend is `azure` | "" | -| `backups.objectStorage.config.azureBlobHost`| Host of Blob storage when backend is `azure` | "blob.core.windows.net" | | `backups.objectStorage.config.key` | Key containing credentials in secret | "" | | `backups.objectStorage.config.secret` | Object storage credentials secret | "" | | `common.labels` | Supplemental labels that are applied to all objects created by this chart. | `{}` | diff --git a/doc/installation/command-line-options.md b/doc/installation/command-line-options.md index cc78a673ac..4aaa4a21fe 100644 --- a/doc/installation/command-line-options.md +++ b/doc/installation/command-line-options.md @@ -387,8 +387,6 @@ settings from the [Redis chart](https://github.com/bitnami/charts/tree/master/bi | `gitlab.toolbox.backups.cron.schedule` | Cron style schedule string | `0 1 * * *` | | `gitlab.toolbox.backups.objectStorage.backend` | Object storage provider to use (`s3`, `gcs`, or `azure`) | `s3` | | `gitlab.toolbox.backups.objectStorage.config.gcpProject` | GCP Project to use when backend is `gcs` | "" | -| `backups.objectStorage.config.azureStorageAccount` | Name of Azure Storage Account when backend is `azure` | "" | -| `backups.objectStorage.config.azureBlobHost`| Host of Blob storage when backend is `azure` | "blob.core.windows.net" | | `gitlab.toolbox.backups.objectStorage.config.key` | key containing credentials in secret | "" | | `gitlab.toolbox.backups.objectStorage.config.secret` | Object storage credentials secret | "" | | `gitlab.toolbox.backups.objectStorage.config` | Authentication information for object storage | {} | 
diff --git a/spec/configuration/toolbox_spec.rb b/spec/configuration/toolbox_spec.rb index 444032d965..02c4120a74 100644 --- a/spec/configuration/toolbox_spec.rb +++ b/spec/configuration/toolbox_spec.rb @@ -218,9 +218,8 @@ describe 'toolbox configuration' do backups: objectStorage: config: - secret: token-secret - key: token - azureStorageAccount: mystorage + secret: azure-backup-conf + key: azconf backend: azure )).deep_merge(default_values) end 
@@ -236,21 +235,21 @@ describe 'toolbox configuration' do it 'configures the deployment to use the azure backend' do deployment_spec = template.dig("Deployment/test-toolbox", 'spec', 'template', 'spec') container_env = deployment_spec.dig('containers', 0, 'env') - expect(container_env).to include(env_value('AZURE_STORAGE_ACCOUNT', 'mystorage')) + expect(container_env).to include(env_value('AZURE_CONFIG_FILE', '/etc/gitlab/objectstorage/azure_config')) expect(container_env).to include(env_value('BACKUP_BACKEND', 'azure')) init_secret = deployment_spec['volumes'].find { |s| s['name'] == 'init-toolbox-secrets' } - token_secret = init_secret["projected"]["sources"].find { |sc| sc['secret']['name'] == 'token-secret' }["secret"] - expect(token_secret).to eq({ "name" => 'token-secret', "items" => [{ "key" => 'token', "path" => 'objectstorage/azure_access_key' }] }) + token_secret = init_secret["projected"]["sources"].find { |sc| sc['secret']['name'] == 'azure-backup-conf' }["secret"] + expect(token_secret["items"]).to eq([{ "key" => 'azconf', "path" => 'objectstorage/azure_config' }]) end it 'configures the cronjob to use the azure backend' do cronjob_spec = template.dig('CronJob/test-toolbox-backup', 'spec', 'jobTemplate', 'spec', 'template', 'spec') container_env = cronjob_spec.dig('containers', 0, 'env') - expect(container_env).to include(env_value('AZURE_STORAGE_ACCOUNT', 'mystorage')) + expect(container_env).to include(env_value('AZURE_CONFIG_FILE', '/etc/gitlab/objectstorage/azure_config')) expect(container_env).to include(env_value('BACKUP_BACKEND', 'azure')) init_secret = cronjob_spec['volumes'].find { |s| s['name'] == 'init-toolbox-secrets' } - token_secret = init_secret["projected"]["sources"].find { |sc| sc['secret']['name'] == 'token-secret' }["secret"] - expect(token_secret).to eq({ "name" => 'token-secret', "items" => [{ "key" => 'token', "path" => 'objectstorage/azure_access_key' }] }) + token_secret = init_secret["projected"]["sources"].find { |sc| 
sc['secret']['name'] == 'azure-backup-conf' }["secret"] + expect(token_secret["items"]).to eq([{ "key" => 'azconf', "path" => 'objectstorage/azure_config' }]) end end end diff --git a/spec/integration/check_config/toolbox_spec.rb b/spec/integration/check_config/toolbox_spec.rb index 137b78c03b..ba9b6cc536 100644 --- a/spec/integration/check_config/toolbox_spec.rb +++ b/spec/integration/check_config/toolbox_spec.rb @@ -83,43 +83,5 @@ describe 'checkConfig toolbox' do include_examples 'config validation', success_description: 'when toolbox is disabled and does not have a valid object storage backup secret configured' end - - describe 'is using Azure as backup backend' do - let(:success_values) do - YAML.safe_load(%( - gitlab: - toolbox: - enabled: true - backups: - objectStorage: - config: - secret: s3cmd-config - key: config - azureStorageAccount: mystorage - backend: azure - )).merge(default_required_values) - end - - let(:error_values) do - YAML.safe_load(%( - gitlab: - toolbox: - enabled: true - backups: - objectStorage: - config: - secret: s3cmd-config - key: config - azureStorageAccount: mystorage - backend: azure - )).merge(default_required_values) - - let(:error_output) { 'A valid Azure storage account is needed for backing up to Azure.' } - - include_examples 'config validation', - success_description: 'when toolbox is using Azure backend with base URL configured', - error_description: 'when toolbox is using Azure backend without base URL confiured' - end - end end end diff --git a/templates/_checkConfig_toolbox.tpl b/templates/_checkConfig_toolbox.tpl index bd930c1115..e8969bb574 100644 --- a/templates/_checkConfig_toolbox.tpl +++ b/templates/_checkConfig_toolbox.tpl 
@@ -2,17 +2,12 @@ Ensure that a valid object storage config secret is provided. */}} {{- define "gitlab.toolbox.backups.objectStorage.config.secret" -}} -{{- $objectStorage := .Values.gitlab.toolbox.backups.objectStorage -}} {{- if .Values.gitlab.toolbox.enabled -}} -{{- if or $objectStorage.config (not (or .Values.global.minio.enabled .Values.global.appConfig.object_store.enabled)) (has $objectStorage.backend (list "gcs" "azure")) }} -{{- if not $objectStorage.config.secret -}} +{{- if or .Values.gitlab.toolbox.backups.objectStorage.config (not (or .Values.global.minio.enabled .Values.global.appConfig.object_store.enabled)) (eq .Values.gitlab.toolbox.backups.objectStorage.backend "gcs") }} +{{- if not .Values.gitlab.toolbox.backups.objectStorage.config.secret -}} toolbox: A valid object storage config secret is needed for backups. Please configure it via `gitlab.toolbox.backups.objectStorage.config.secret`. -{{- else if and (eq $objectStorage.backend "azure") (not $objectStorage.config.azureStorageAccount) -}} -toolbox: - A valid Azure storage account is needed for backing up to Azure. - Please configure it via `gitlab.toolbox.backups.objectStorage.config.azureStorageAccount`. {{- end -}} {{- end -}} {{- end -}} -- GitLab From 50edb38401ee3e156b8d72fbff0cbec112b64ace Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Wed, 22 Feb 2023 14:57:30 +0100 Subject: [PATCH 15/17] Update Azure backup docs --- doc/advanced/external-object-storage/index.md | 19 +++++++---- doc/backup-restore/index.md | 33 ++++++++++--------- 2 files changed, 31 insertions(+), 21 deletions(-) diff --git a/doc/advanced/external-object-storage/index.md b/doc/advanced/external-object-storage/index.md index b25e1ccf98..e32dd86ff7 100644 --- a/doc/advanced/external-object-storage/index.md +++ b/doc/advanced/external-object-storage/index.md 
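Review bot: Reverting the outer condition to `(eq .Values.gitlab.toolbox.backups.objectStorage.backend "gcs")` drops Azure from the set of backends that always require a config secret, so with `backend: azure`, an empty `config` and `global.minio.enabled: true` the check no longer fires, even though the toolbox templates skip the secret mount in exactly that case and the Azure backend is then left without any credentials. Keep the earlier form, `(has .Values.gitlab.toolbox.backups.objectStorage.backend (list "gcs" "azure"))`, and remove only the storage-account branch.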
@@ -46,9 +46,6 @@ for more details. Direct support for Azure Blob storage is available for [uploaded attachments, CI job artifacts, LFS, and other object types supported via the consolidated settings](https://docs.gitlab.com/ee/administration/object_storage.html#storage-specific-configuration). In previous GitLab versions, an [Azure MinIO gateway](azure-minio-gateway.md) was needed. -The Azure MinIO gateway is still needed for backups. Follow [this issue](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2298) -for more details. - NOTE: GitLab [does not support](https://github.com/minio/minio/issues/9978) the Azure MinIO gateway as the storage for the Docker Registry. Please refer to the [corresponding Azure example](https://gitlab.com/gitlab-org/charts/gitlab/tree/master/examples/objectstorage/registry.azure.yaml) when [setting up the Docker Registry](#docker-registry-images). @@ -199,9 +196,9 @@ externally rather than the included MinIO service. The backup/restore procedure - A bucket for storing backups (`global.appConfig.backups.bucket`) - A temporary bucket for preserving existing data during the restore process (`global.appConfig.backups.tmpBucket`) -AWS S3-compatible object storage systems and Google Cloud Storage are supported backends. -You can configure the backend type by setting `global.appConfig.backups.objectStorage.backend` -to `s3` for AWS S3 or `gcs` for Google Cloud Storage. +AWS S3-compatible object storage systems, Google Cloud Storage and Azure Blob Storage +are supported backends. You can configure the backend type by setting `global.appConfig.backups.objectStorage.backend` +to `s3` for AWS S3, `gcs` for Google Cloud Storage or `azure` for Azure Blob Storage. You must also provide a connection configuration through the `gitlab.toolbox.backups.objectStorage.config` key. When using Google Cloud Storage, the GCP project must be set with the `global.appConfig.backups.objectStorage.config.gcpProject` value. 
@@ -226,6 +223,16 @@ For Google Cloud Storage (GCS): --set gitlab.toolbox.backups.objectStorage.config.key=config ``` +For Azure Blob Storage: + +```shell +--set global.appConfig.backups.bucket=gitlab-backup-storage +--set global.appConfig.backups.tmpBucket=gitlab-tmp-storage +--set gitlab.toolbox.backups.objectStorage.backend=azure +--set gitlab.toolbox.backups.objectStorage.config.secret=storage-config +--set gitlab.toolbox.backups.objectStorage.config.key=config +``` + See the [backup/restore object storage documentation](../../backup-restore/index.md#object-storage) for full details. NOTE: diff --git a/doc/backup-restore/index.md b/doc/backup-restore/index.md index e71598804a..3e46cd4f40 100644 --- a/doc/backup-restore/index.md +++ b/doc/backup-restore/index.md 
@@ -89,32 +89,35 @@ Toolbox to use the included copy of `azcopy` to transmit and retrieve the backup files to the Azure blob storage. To use Azure blob storage, one will need to create a storage account -in an existing resource group. The storage account name needs to be -set to `gitlab.toolbox.backups.objectStorage.config.azureStorageAccount`. +in an existing resource group. Create a config secret with your storage +account's name, access key and blob host. -The access key needs to be stored in a Kubernetes Secret. The name of this -Secret needs to be supplied to `gitlab.toolbox.backups.objectStorage.config.secret`. -In addition, the key used to store the access key needs to be supplied to -`gitlab.toolbox.backups.objectStorage.config.key`. +Create a config file containing the paramters: -The following `kubectl` command can be used to create the Kubernetes Secret -for the access key: +```yaml +# azure-backup-conf.yaml +azure_storage_account_name: +azure_storage_access_key: +azure_storage_domain: blob.core.windows.net # optional +``` + +The following `kubectl` command can be used to create the Kubernetes Secret: ```shell -kubectl create secret generic backup-access-key --from-literal=accesskey= +kubectl create secret generic backup-azure-creds \ + --from-file=config=azure-backup-conf.yaml \ + --from-literal=azure_storage_account_name= ``` -Once the access key Secret has been created, the GitLab Helm chart can be +Once the Secret has been created, the GitLab Helm chart can be configured by adding the backup settings to your deployed values or by supplying the settings on the Helm command line. 
For example: ```shell helm install gitlab gitlab/gitlab \ - --set gitlab.toolbox.backups.objectStorage.config.secret=backup-sas-token \ - --set gitlab.toolbox.backups.objectStorage.config.key=token \ - --set gitlab.toolbox.backups.objectStorage.backend=azure \ - --set gitlab.toolbox.backups.objectStorage.config.azureStorageAccount=YOUR_STORAGE_ACCOUNT \ - --set gitlab.toolbox.backups.objectStorage.config.azureBlobHost=blob.core.windows.net + --set gitlab.toolbox.backups.objectStorage.config.secret=backup-azure-creds \ + --set gitlab.toolbox.backups.objectStorage.config.key=config \ + --set gitlab.toolbox.backups.objectStorage.backend=azure ``` The access key from the Secret is used to generate and refresh shorter-lived shared -- GitLab From f06bfda1d59bdb7e63fbc169de14cf8bd64da4ba Mon Sep 17 00:00:00 2001 From: Stan Hu Date: Mon, 13 Mar 2023 08:07:21 +0000 Subject: [PATCH 16/17] Add Oxford commas to Azure backup docs --- doc/advanced/external-object-storage/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/advanced/external-object-storage/index.md b/doc/advanced/external-object-storage/index.md index e32dd86ff7..91bfb4338e 100644 --- a/doc/advanced/external-object-storage/index.md +++ b/doc/advanced/external-object-storage/index.md 
@@ -196,9 +196,9 @@ externally rather than the included MinIO service. The backup/restore procedure - A bucket for storing backups (`global.appConfig.backups.bucket`) - A temporary bucket for preserving existing data during the restore process (`global.appConfig.backups.tmpBucket`) -AWS S3-compatible object storage systems, Google Cloud Storage and Azure Blob Storage +AWS S3-compatible object storage systems, Google Cloud Storage, and Azure Blob Storage are supported backends. You can configure the backend type by setting `global.appConfig.backups.objectStorage.backend` -to `s3` for AWS S3, `gcs` for Google Cloud Storage or `azure` for Azure Blob Storage. +to `s3` for AWS S3, `gcs` for Google Cloud Storage, or `azure` for Azure Blob Storage. You must also provide a connection configuration through the `gitlab.toolbox.backups.objectStorage.config` key. When using Google Cloud Storage, the GCP project must be set with the `global.appConfig.backups.objectStorage.config.gcpProject` value. -- GitLab From b9648a93098acd31039cb5afe60bb89956b11ba5 Mon Sep 17 00:00:00 2001 From: Clemens Beck Date: Mon, 13 Mar 2023 09:10:52 +0100 Subject: [PATCH 17/17] Remove outdated config flag from Azure backup docs --- doc/backup-restore/index.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/doc/backup-restore/index.md b/doc/backup-restore/index.md index 3e46cd4f40..38addccebe 100644 --- a/doc/backup-restore/index.md +++ b/doc/backup-restore/index.md @@ -105,8 +105,7 @@ The following `kubectl` command can be used to create the Kubernetes Secret: ```shell kubectl create secret generic backup-azure-creds \ - --from-file=config=azure-backup-conf.yaml \ - --from-literal=azure_storage_account_name= + --from-file=config=azure-backup-conf.yaml ``` Once the Secret has been created, the GitLab Helm chart can be -- GitLab