From 2427016ee7c264d2b6e472616be1f0b7c38b0c80 Mon Sep 17 00:00:00 2001
From: DJ Mountney
Date: Fri, 19 Jan 2018 15:35:11 -0800
Subject: [PATCH 1/5] Initial commit of token creation script [ci skip]
---
 scripts/create-secret-tokens | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100755 scripts/create-secret-tokens
diff --git a/scripts/create-secret-tokens b/scripts/create-secret-tokens
new file mode 100755
index 0000000000..64a41e3f78
--- /dev/null
+++ b/scripts/create-secret-tokens
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -e
+
+KUBE_COMMAND=$(which kubectl)
+
+OPTS=`getopt -o n: --long namespace:,shell-name:,shell-key:,gitaly-name:,gitaly-key: -n 'create-secret-tokens' -- "$@"`
+eval set -- "$OPTS"
+
+NAMESPACE="default"
+SHELL_SECRET_NAME="gitlab-shell-secret"
+SHELL_SECRET_KEY="secret"
+GITALY_SECRET_NAME="gitaly-secret"
+GITALY_SECRET_KEY="token"
+
+while [ ! $# -eq 0 ]
+do
+ case "$1" in
+ --namespace | -n ) NAMESPACE="$2"; shift ;;
+ --shell-name ) SHELL_SECRET_NAME="$2"; shift ;;
+ --shell-key ) SHELL_SECRET_KEY="$2"; shift ;;
+ --gitaly-name ) GITALY_SECRET_NAME="$2"; shift ;;
+ --gitaly-key ) GITALY_SECRET_KEY="$2"; shift ;;
+ esac
+ shift
+done
+
+# Create shell secret token if it doesn't exist
+if ! $KUBE_COMMAND -n ${NAMESPACE} get secret ${SHELL_SECRET_NAME} > /dev/null 2>&1; then
+ $KUBE_COMMAND -n ${NAMESPACE} create secret generic ${SHELL_SECRET_NAME} --from-literal=${SHELL_SECRET_KEY}=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64)
+fi
+
+# Create gitaly secret token if it doesn't exist
+if ! $KUBE_COMMAND -n ${NAMESPACE} get secret ${GITALY_SECRET_NAME} > /dev/null 2>&1; then
+ $KUBE_COMMAND -n ${NAMESPACE} create secret generic ${GITALY_SECRET_NAME} --from-literal=${GITALY_SECRET_KEY}=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64)
+fi
-- GitLab
From 577c6abea4caf8f3e55c93b0d89a34899cd6ea54 Mon Sep 17 00:00:00 2001
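Review bot: Both `create secret generic … --from-literal=${SHELL_SECRET_KEY}=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64)` lines put the freshly generated token on kubectl's command line, where it is readable by any local process for the duration of the call (`ps`, `/proc/<pid>/cmdline`) and lands in shell traces or CI job output if tracing is on. Keeping the value off argv needs two lines per block: `token=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64)` and `printf '%s' "$token" | $KUBE_COMMAND -n "$NAMESPACE" create secret generic "$SHELL_SECRET_NAME" --from-file="$SHELL_SECRET_KEY"=/dev/stdin`, and likewise for the gitaly block. Separately, `if ! $KUBE_COMMAND -n ${NAMESPACE} get secret …` treats any failure of `get` (RBAC denial, unreachable API server, wrong context) as "secret absent" and falls through to `create`; `set -e` then stops the script on the create failure, but with a misleading error, so the not-found case should be distinguished from other errors before creating. Both points carry over unchanged into the patch 2 hunk (`@@ -4,33 +4,55 @@`) and into the new scripts/create-secret-token in patch 5 (`@@ -0,0 +1,49 @@`).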
From: DJ Mountney
Date: Mon, 22 Jan 2018 12:03:28 -0800
Subject: [PATCH 2/5] Clean up namespace command Add usage message
---
 scripts/create-secret-tokens | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)
diff --git a/scripts/create-secret-tokens b/scripts/create-secret-tokens
index 64a41e3f78..e4e2002b57 100755
--- a/scripts/create-secret-tokens
+++ b/scripts/create-secret-tokens
@@ -4,33 +4,55 @@ set -e KUBE_COMMAND=$(which kubectl) -OPTS=`getopt -o n: --long namespace:,shell-name:,shell-key:,gitaly-name:,gitaly-key: -n 'create-secret-tokens' -- "$@"` +OPTS=`getopt -o n:h --long namespace:,shell-name:,shell-key:,gitaly-name:,gitaly-key:,help -n 'create-secret-tokens' -- "$@"` eval set -- "$OPTS" -NAMESPACE="default" +NAMESPACE_CMD="" SHELL_SECRET_NAME="gitlab-shell-secret" SHELL_SECRET_KEY="secret" GITALY_SECRET_NAME="gitaly-secret" GITALY_SECRET_KEY="token" +display_usage() { +cat <<-EOF +Generates random token values for GitLab Shell and Gitaly. + +Uses kubectl to create these as Kubernetes Secrets in the cluster. + +USAGE: create-secret-tokens [OPTIONS] + +OPTIONS + + -n, --namespace='': If present, the kubernetes namespace where the secrets will be created. + --shell-name='gitlab-shell-secret': The name for the Kubernetes Secret Object created for GitLab Shell. + --shell-key='secret': The key name used to contain the token data within the GitLab Shell Kubernetes Secret. + --gitaly-name='gitaly-secret': The name for the Kubernetes Secret Object created for Gitaly. + --gitaly-key='token': The key name used to contain the token data within the Gitaly Kubernetes Secret. + -h, --help: Displays this usage message. + +EOF +return; +} + while [ ! $# -eq 0 ] do case "$1" in - --namespace | -n ) NAMESPACE="$2"; shift ;; + --namespace | -n ) NAMESPACE="$2"; NAMESPACE_CMD="-n ${NAMESPACE}"; shift ;; --shell-name ) SHELL_SECRET_NAME="$2"; shift ;; --shell-key ) SHELL_SECRET_KEY="$2"; shift ;; --gitaly-name ) GITALY_SECRET_NAME="$2"; shift ;; --gitaly-key ) GITALY_SECRET_KEY="$2"; shift ;; + --help | -h ) display_usage; exit 0 ;; esac shift done # Create shell secret token if it doesn't exist -if ! 
$KUBE_COMMAND -n ${NAMESPACE} get secret ${SHELL_SECRET_NAME} > /dev/null 2>&1; then - $KUBE_COMMAND -n ${NAMESPACE} create secret generic ${SHELL_SECRET_NAME} --from-literal=${SHELL_SECRET_KEY}=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64) +if ! $KUBE_COMMAND ${NAMESPACE_CMD} get secret ${SHELL_SECRET_NAME} > /dev/null 2>&1; then + $KUBE_COMMAND ${NAMESPACE_CMD} create secret generic ${SHELL_SECRET_NAME} --from-literal=${SHELL_SECRET_KEY}=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64) fi # Create gitaly secret token if it doesn't exist -if ! $KUBE_COMMAND -n ${NAMESPACE} get secret ${GITALY_SECRET_NAME} > /dev/null 2>&1; then - $KUBE_COMMAND -n ${NAMESPACE} create secret generic ${GITALY_SECRET_NAME} --from-literal=${GITALY_SECRET_KEY}=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64) +if ! $KUBE_COMMAND ${NAMESPACE_CMD} get secret ${GITALY_SECRET_NAME} > /dev/null 2>&1; then + $KUBE_COMMAND ${NAMESPACE_CMD} create secret generic ${GITALY_SECRET_NAME} --from-literal=${GITALY_SECRET_KEY}=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64) fi -- GitLab From 0bc81bc3dc15c58d3a60c6c62620aaa48c05b2cd Mon Sep 17 00:00:00 2001 From: DJ Mountney Date: Mon, 22 Jan 2018 12:28:56 -0800 Subject: [PATCH 3/5] Trim token secrets out of the CI Rely instead on the secret creation script (which will be a no-op for our CI, because the secrets aready exist, but will make it easier to add new secrets) --- .gitlab-ci.yml | 12 ++---------- doc/example-config.yaml | 12 ------------ 2 files changed, 2 insertions(+), 22 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ad220338b5..ab00006812 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
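Review bot: `NAMESPACE_CMD="-n ${NAMESPACE}"` in the new `--namespace | -n` arm only works because `${NAMESPACE_CMD}` is later expanded unquoted on the rewritten `get`/`create` lines, which forces every other expansion on those lines to stay unquoted too and is what ShellCheck's SC2086 would flag. A bash array gives the same optional-flag behaviour without relying on word-splitting: `NAMESPACE_ARGS=()` where `NAMESPACE_CMD=""` is set, `--namespace | -n ) NAMESPACE_ARGS=(-n "$2"); shift ;;` in the case arm, and `"${NAMESPACE_ARGS[@]}"` in place of `${NAMESPACE_CMD}` on the kubectl lines. The same construction is carried into scripts/create-secret-token in patch 5, so it is worth changing before the rename.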
@@ -290,18 +290,12 @@ qa: --set gitlab.sidekiq.redis.password.key=redis-password \ --set gitlab.sidekiq.psql.serviceName=omnibus \ --set gitlab.sidekiq.psql.password="$ROOT_PASSWORD" \ - --set gitlab.sidekiq.gitaly.authToken.secret=gitaly-secret \ - --set gitlab.sidekiq.gitaly.authToken.key=token \ --set gitlab.unicorn.enabled=true \ --set gitlab.unicorn.redis.serviceName=redis \ --set gitlab.unicorn.redis.password.secret=gitlab-redis \ --set gitlab.unicorn.redis.password.key=redis-password \ --set gitlab.unicorn.psql.serviceName=omnibus \ --set gitlab.unicorn.psql.password="$ROOT_PASSWORD" \ - --set gitlab.unicorn.shell.authToken.secret=gitlab-shell-secret \ - --set gitlab.unicorn.shell.authToken.key=secret \ - --set gitlab.unicorn.gitaly.authToken.secret=gitaly-secret \ - --set gitlab.unicorn.gitaly.authToken.key=token \ --set gitlab.unicorn.registry.api.serviceName=registry \ --set gitlab.unicorn.registry.tokenIssuer="gitlab-issuer" \ --set gitlab.unicorn.registry.certificate.secret=gitlab-registry \ @@ -314,11 +308,7 @@ qa: --set gitlab.migrations.psql.password="$ROOT_PASSWORD" \ --set gitlab.migrations.initialRootPassword="$ROOT_PASSWORD" \ --set gitlab.gitlab-shell.enabled=true \ - --set gitlab.gitlab-shell.authToken.secret=gitlab-shell-secret \ - --set gitlab.gitlab-shell.authToken.key=secret \ --set gitlab.gitaly.enabled=true \ - --set gitlab.gitaly.authToken.secret=gitaly-secret \ - --set gitlab.gitaly.authToken.key=token \ --set gitlab.omnibus.enabled=true \ --set gitlab.omnibus.service.type=NodePort \ --set gitlab.omnibus.psql.password="$ROOT_PASSWORD" \ @@ -406,6 +396,8 @@ qa: --docker-password="$CI_REGISTRY_PASSWORD" \ --docker-email="$GITLAB_USER_EMAIL" \ -o yaml --dry-run | kubectl replace -n "$KUBE_NAMESPACE" --force -f - + + ./scripts/create-secret-tokens -n "$KUBE_NAMESPACE" } function delete() { diff --git a/doc/example-config.yaml b/doc/example-config.yaml index 76555d37a0..85df66a38d 100644 --- a/doc/example-config.yaml 
+++ b/doc/example-config.yaml @@ -58,14 +58,8 @@ gitlab: certificate: secret: gitlab-registry key: registry-auth.key - shell: - authToken: - secret: gitlab-shell-secret gitaly: serviceName: gitaly - authToken: - secret: gitaly-secret - key: token redis: serviceName: redis password: @@ -81,9 +75,6 @@ gitlab: timeout: 5 gitaly: serviceName: gitaly - authToken: - secret: gitaly-secret - key: token redis: serviceName: redis password: @@ -105,9 +96,6 @@ gitlab: # Gitaly provides storage & API access to Git repository data gitaly: enabled: true - authToken: - name: gitaly-secret - key: token # Handle database init and upgrade migrations, via gitlab-rails codebase migrations: enabled: true -- GitLab From 85775496be4812cfa1e15fc652bb05d0d7c1a78f Mon Sep 17 00:00:00 2001 From: DJ Mountney Date: Mon, 22 Jan 2018 12:34:09 -0800 Subject: [PATCH 4/5] Update docs regarding GitLab secrets for shell and gitaly --- doc/installation/secrets.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/doc/installation/secrets.md b/doc/installation/secrets.md index 87955f4cae..9eb9f469ad 100644 --- a/doc/installation/secrets.md +++ b/doc/installation/secrets.md 
@@ -81,20 +81,14 @@ $ kubectl create secret generic gitlab-redis --from-literal=redis-password= Note: GitLab Inc. employees have this password generated and stored in `1Password Cloud Native` vault for development in this project. -### GitLab Shell -Generate a random secret for GitLab Shell, and use it to create the secret +### Secret tokens for services -``` -$ head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64 > ./shell_secret -$ kubectl create secret generic gitlab-shell-secret --from-file=secret=shell_secret -``` - -### Gitaly Secret +Generate secret tokens for authenticating communication with GitLab Shell and Gitaly. Run the following command from +the root of this repo: ``` -$ head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64 > ./gitaly_secret -$ kubectl create secret generic gitaly-secret --from-file=token=gitaly_secret +$ ./scripts/create-secret-tokens ``` Once all secrets have been generated and stored, you can proceed to generating -- GitLab From fe5422841488021b21ccbc27a42e68598e0f99fc Mon Sep 17 00:00:00 2001 From: DJ Mountney Date: Mon, 22 Jan 2018 13:47:17 -0800 Subject: [PATCH 5/5] Switch the secret generations script to be more generic --- .gitlab-ci.yml | 3 +- doc/installation/secrets.md | 12 +++++--- scripts/create-secret-token | 49 ++++++++++++++++++++++++++++++ scripts/create-secret-tokens | 58 ------------------------------------ 4 files changed, 59 insertions(+), 63 deletions(-) create mode 100755 scripts/create-secret-token delete mode 100755 scripts/create-secret-tokens diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ab00006812..2d62a9a774 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -397,7 +397,8 @@ qa: --docker-email="$GITLAB_USER_EMAIL" \ -o yaml --dry-run | kubectl replace -n "$KUBE_NAMESPACE" --force -f - - ./scripts/create-secret-tokens -n "$KUBE_NAMESPACE" + ./scripts/create-secret-token -n "$KUBE_NAMESPACE" --name="gitlab-shell-secret" --key="secret" + ./scripts/create-secret-token -n "$KUBE_NAMESPACE" --name="gitaly-secret" --key="token" } function delete() { diff --git a/doc/installation/secrets.md b/doc/installation/secrets.md index 9eb9f469ad..d6b6396f26 100644 --- a/doc/installation/secrets.md +++ b/doc/installation/secrets.md @@ -81,14 +81,18 @@ $ kubectl create secret generic gitlab-redis --from-literal=redis-password= Note: GitLab Inc. employees have this password generated and stored in `1Password Cloud Native` vault for development in this project. +### GitLab Shell -### Secret tokens for services +Generate a random secret for GitLab Shell. -Generate secret tokens for authenticating communication with GitLab Shell and Gitaly. Run the following command from -the root of this repo: +``` +$ ./scripts/create-secret-token --name="gitlab-shell-secret" --key="secret" +``` + +### Gitaly Secret ``` -$ ./scripts/create-secret-tokens +$ ./scripts/create-secret-token --name="gitaly-secret" --key="token" ``` Once all secrets have been generated and stored, you can proceed to generating diff --git a/scripts/create-secret-token b/scripts/create-secret-token new file mode 100755 index 0000000000..b61511f1fd --- /dev/null +++ b/scripts/create-secret-token 
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -e
+
+KUBE_COMMAND=$(which kubectl)
+
+OPTS=`getopt -o n:s:k:h --long namespace:,name:,key:,help -n 'create-secret-token' -- "$@"`
+eval set -- "$OPTS"
+
+NAMESPACE_CMD=""
+
+display_usage() {
+cat <<-EOF
+Generates random token values. And uses kubectl to create the Kubernetes Secret in the cluster.
+
+USAGE: create-secret-token [OPTIONS]
+
+OPTIONS
+
+ -n, --namespace='': If present, the kubernetes namespace where the secret will be created.
+ -s, --name='': The name for the Kubernetes Secret Object created.
+ -k, --key='': The key name used to contain the token data within the Kubernetes Secret.
+ -h, --help: Displays this usage message.
+
+EOF
+return;
+}
+
+while [ ! $# -eq 0 ]
+do
+ case "$1" in
+ --namespace | -n ) NAMESPACE="$2"; NAMESPACE_CMD="-n ${NAMESPACE}"; shift ;;
+ --name | -s ) SECRET_NAME="$2"; shift ;;
+ --key | -k ) SECRET_KEY="$2"; shift ;;
+ --help | -h ) display_usage; exit 0 ;;
+ esac
+ shift
+done
+
+if [ -z $SECRET_NAME ] || [ -z $SECRET_KEY ]; then
+ echo "ERROR: Missing required options"
+ display_usage
+ exit 0
+fi
+
+# Create secret token if it doesn't exist
+if ! $KUBE_COMMAND ${NAMESPACE_CMD} get secret ${SECRET_NAME} > /dev/null 2>&1; then
+ $KUBE_COMMAND ${NAMESPACE_CMD} create secret generic ${SECRET_NAME} --from-literal=${SECRET_KEY}=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64)
+fi
diff --git a/scripts/create-secret-tokens b/scripts/create-secret-tokens
deleted file mode 100755
index e4e2002b57..0000000000
--- a/scripts/create-secret-tokens
+++ /dev/null
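Review bot: The missing-options branch `if [ -z $SECRET_NAME ] || [ -z $SECRET_KEY ]; then … exit 0` prints an error but exits successfully, so the two script calls added to .gitlab-ci.yml in this same patch would pass even when no secret was created; it should be `exit 1`, with the diagnostics on stderr: `echo "ERROR: Missing required options" >&2`. The tests themselves should be quoted, `if [ -z "$SECRET_NAME" ] || [ -z "$SECRET_KEY" ]; then` — as written they only behave because an unset variable collapses the test to the single-argument form `[ -z ]`, and a value containing whitespace would be a syntax error instead of a clean failure. `SECRET_NAME` and `SECRET_KEY` are likewise expanded unquoted on the two kubectl lines and should be double-quoted there as well.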
@@ -1,58 +0,0 @@ -#!/bin/bash - -set -e - -KUBE_COMMAND=$(which kubectl) - -OPTS=`getopt -o n:h --long namespace:,shell-name:,shell-key:,gitaly-name:,gitaly-key:,help -n 'create-secret-tokens' -- "$@"` -eval set -- "$OPTS" - -NAMESPACE_CMD="" -SHELL_SECRET_NAME="gitlab-shell-secret" -SHELL_SECRET_KEY="secret" -GITALY_SECRET_NAME="gitaly-secret" -GITALY_SECRET_KEY="token" - -display_usage() { -cat <<-EOF -Generates random token values for GitLab Shell and Gitaly. - -Uses kubectl to create these as Kubernetes Secrets in the cluster. - -USAGE: create-secret-tokens [OPTIONS] - -OPTIONS - - -n, --namespace='': If present, the kubernetes namespace where the secrets will be created. - --shell-name='gitlab-shell-secret': The name for the Kubernetes Secret Object created for GitLab Shell. - --shell-key='secret': The key name used to contain the token data within the GitLab Shell Kubernetes Secret. - --gitaly-name='gitaly-secret': The name for the Kubernetes Secret Object created for Gitaly. - --gitaly-key='token': The key name used to contain the token data within the Gitaly Kubernetes Secret. - -h, --help: Displays this usage message. - -EOF -return; -} - -while [ ! $# -eq 0 ] -do - case "$1" in - --namespace | -n ) NAMESPACE="$2"; NAMESPACE_CMD="-n ${NAMESPACE}"; shift ;; - --shell-name ) SHELL_SECRET_NAME="$2"; shift ;; - --shell-key ) SHELL_SECRET_KEY="$2"; shift ;; - --gitaly-name ) GITALY_SECRET_NAME="$2"; shift ;; - --gitaly-key ) GITALY_SECRET_KEY="$2"; shift ;; - --help | -h ) display_usage; exit 0 ;; - esac - shift -done - -# Create shell secret token if it doesn't exist -if ! $KUBE_COMMAND ${NAMESPACE_CMD} get secret ${SHELL_SECRET_NAME} > /dev/null 2>&1; then - $KUBE_COMMAND ${NAMESPACE_CMD} create secret generic ${SHELL_SECRET_NAME} --from-literal=${SHELL_SECRET_KEY}=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64) -fi - -# Create gitaly secret token if it doesn't exist -if ! 
$KUBE_COMMAND ${NAMESPACE_CMD} get secret ${GITALY_SECRET_NAME} > /dev/null 2>&1; then - $KUBE_COMMAND ${NAMESPACE_CMD} create secret generic ${GITALY_SECRET_NAME} --from-literal=${GITALY_SECRET_KEY}=$(head -c 512 /dev/urandom | tr -cd 'a-zA-Z0-9' | head -c 64) -fi -- GitLab