Merge branch 'refactor-redis-helper' into 'master'

Add Redis settings specific to Workhorse

Closes #8300

See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7269

Merged-by: Robert Marshall <[email protected]>
Approved-by: Andrew Patterson <[email protected]>
Approved-by: Robert Marshall <[email protected]>
Reviewed-by: Balasankar 'Balu' C <[email protected]>
Co-authored-by: Balasankar "Balu" C <[email protected]>

Author: Robert Marshall

files/gitlab-config-template/gitlab.rb.template

@@ -1128,6 +1128,28 @@ external_url 'GENERATED_EXTERNAL_URL'
 ##! Semantic metadata used when registering GitLab Workhorse as a Consul service
 # gitlab_workhorse['consul_service_meta'] = {}
 
+##! Redis settings specific for GitLab Workhorse
+##! To be used when Workhorse is supposed to use a different Redis instance than
+##! other components. The settings specified here should match
+##! `gitlab_rails['redis_workhorse_*']` settings, if specified. If not specified,
+##! they are inferred from the below values. `gitlab_rails['redis_workhorse_*']`
+##! settings tell the Rails app which Redis has channels to publish messages to,
+##! and `gitlab_workhorse['redis_*']` tells Workhorse which Redis has channels to
+##! subscribe to. Hence, the requirement of the settings to match.
+# gitlab_workhorse['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"
+# gitlab_workhorse['redis_host'] = "127.0.0.1"
+# gitlab_workhorse['redis_port'] = nil
+# gitlab_workhorse['redis_database'] = nil
+# gitlab_workhorse['redis_username'] = nil
+# gitlab_workhorse['redis_password'] = nil
+# gitlab_workhorse['redis_ssl'] = false
+# gitlab_workhorse['redis_cluster_nodes'] = []
+# gitlab_workhorse['redis_sentinels'] = []
+# gitlab_workhorse['redis_sentinels_password'] = nil
+# gitlab_workhorse['redis_sentinel_master'] = nil
+# gitlab_workhorse['redis_sentinel_master_ip'] = nil
+# gitlab_workhorse['redis_sentinel_master_port'] = nil
+
 ################################################################################
 ## GitLab User Settings
 ##! Modify default git user.

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -817,6 +817,20 @@
 default['gitlab']['gitlab_workhorse']['consul_service_name'] = 'workhorse'
 default['gitlab']['gitlab_workhorse']['consul_service_meta'] = nil
 
+default['gitlab']['gitlab_workhorse']['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"
+default['gitlab']['gitlab_workhorse']['redis_host'] = "127.0.0.1"
+default['gitlab']['gitlab_workhorse']['redis_port'] = nil
+default['gitlab']['gitlab_workhorse']['redis_database'] = nil
+default['gitlab']['gitlab_workhorse']['redis_username'] = nil
+default['gitlab']['gitlab_workhorse']['redis_password'] = nil
+default['gitlab']['gitlab_workhorse']['redis_ssl'] = false
+default['gitlab']['gitlab_workhorse']['redis_cluster_nodes'] = []
+default['gitlab']['gitlab_workhorse']['redis_sentinels'] = []
+default['gitlab']['gitlab_workhorse']['redis_sentinels_password'] = nil
+default['gitlab']['gitlab_workhorse']['redis_sentinel_master'] = nil
+default['gitlab']['gitlab_workhorse']['redis_sentinel_master_ip'] = nil
+default['gitlab']['gitlab_workhorse']['redis_sentinel_master_port'] = nil
+
 ####
 # mailroom
 ####

files/gitlab-cookbooks/gitlab/libraries/gitlab_workhorse.rb

@@ -15,6 +15,9 @@
 # limitations under the License.
 #
 
+require_relative './redis_uri'
+require_relative '../../package/libraries/helpers/new_redis_helper'
+
 module GitlabWorkhorse
   class << self
     def parse_variables
@@ -30,13 +33,123 @@ def parse_variables
       network = user_network || default_network
 
       Gitlab['gitlab_workhorse']['listen_addr'] ||= File.join(sockets_dir, 'socket') if network == "unix"
+
+      parse_redis_settings
     end
 
     def parse_secrets
       # gitlab-workhorse expects exactly 32 bytes, encoded with base64
       Gitlab['gitlab_workhorse']['secret_token'] ||= SecureRandom.base64(32)
     end
 
+    def parse_redis_settings
+      gitlab_workhorse_redis_configured = Gitlab['gitlab_workhorse'].key?('redis_socket') ||
+        Gitlab['gitlab_workhorse'].key?('redis_host')
+
+      rails_workhorse_redis_configured =
+        Gitlab['gitlab_rails']['redis_workhorse_instance'] ||
+        (Gitlab['gitlab_rails']['redis_workhorse_sentinels'] &&
+         !Gitlab['gitlab_rails']['redis_workhorse_sentinels'].empty?)
+
+      if gitlab_workhorse_redis_configured
+        # Parse settings from `redis['master_*']` first.
+        parse_redis_master_settings
+        # If gitlab_workhorse settings are specified, populate
+        # gitlab_rails['redis_workhorse_*'] settings from it.
+        update_separate_redis_instance_settings
+      elsif rails_workhorse_redis_configured
+        # If user has specified a separate Redis host for Workhorse via
+        # `gitlab_rails['redis_workhorse_*']` settings, copy them to
+        # `gitlab_workhorse['redis_*']`.
+        parse_separate_redis_instance_settings
+        parse_redis_master_settings
+      else
+        # If user hasn't specified any separate Redis settings for Workhorse,
+        # copy the global settings from GitLab Rails
+        parse_global_rails_redis_settings
+        parse_redis_master_settings
+      end
+    end
+
+    # rubocop:disable Metrics/CyclomaticComplexity
+    # rubocop:disable Metrics/AbcSize
+    # rubocop:disable Metrics/PerceivedComplexity
+    def update_separate_redis_instance_settings
+      if Gitlab['gitlab_workhorse']['redis_host']
+        uri_from_workhorse = NewRedisHelper.build_redis_url(
+          ssl: Gitlab['gitlab_workhorse']['redis_ssl'] || Gitlab['node']['gitlab']['gitlab_workhorse']['redis_ssl'],
+          host: Gitlab['gitlab_workhorse']['redis_host'] || Gitlab['node']['gitlab']['gitlab_workhorse']['redis_host'],
+          port: Gitlab['gitlab_workhorse']['redis_port'] || Gitlab['node']['gitlab']['gitlab_workhorse']['redis_port'],
+          password: Gitlab['gitlab_workhorse']['redis_password'] || Gitlab['node']['gitlab']['gitlab_workhorse']['redis_password'],
+          path: Gitlab['gitlab_workhorse']['redis_database'] || Gitlab['node']['gitlab']['gitlab_workhorse']['redis_database']
+        ).to_s
+
+        uri_from_rails = NewRedisHelper.build_redis_url(
+          ssl: Gitlab['gitlab_rails']['redis_ssl'] || Gitlab['node']['gitlab']['gitlab_rails']['redis_ssl'],
+          host: Gitlab['gitlab_rails']['redis_host'] || Gitlab['node']['gitlab']['gitlab_rails']['redis_host'],
+          port: Gitlab['gitlab_rails']['redis_port'] || Gitlab['node']['gitlab']['gitlab_rails']['redis_port'],
+          password: Gitlab['gitlab_rails']['redis_password'] || Gitlab['node']['gitlab']['gitlab_rails']['redis_password'],
+          path: Gitlab['gitlab_rails']['redis_database'] || Gitlab['node']['gitlab']['gitlab_rails']['redis_database']
+        ).to_s
+        Gitlab['gitlab_rails']['redis_workhorse_instance'] = uri_from_workhorse if uri_from_workhorse != uri_from_rails
+
+      else
+        workhorse_redis_socket = Gitlab['gitlab_workhorse']['redis_socket'] || Gitlab['node']['gitlab']['gitlab_workhorse']['redis_socket']
+        rails_redis_socket = Gitlab['gitlab_rails']['redis_socket'] || Gitlab['node']['gitlab']['gitlab_rails']['redis_socket']
+        Gitlab['gitlab_rails']['redis_workhorse_instance'] = "unix://#{workhorse_redis_socket}" if workhorse_redis_socket != rails_redis_socket
+      end
+
+      %w[username password cluster_nodes sentinels sentinel_master sentinels_password].each do |setting|
+        Gitlab['gitlab_rails']["redis_workhorse_#{setting}"] ||= Gitlab['gitlab_workhorse']["redis_#{setting}"]
+      end
+    end
+    # rubocop:enable Metrics/CyclomaticComplexity
+    # rubocop:enable Metrics/AbcSize
+    # rubocop:enable Metrics/PerceivedComplexity
+
+    def parse_global_rails_redis_settings
+      %w[ssl host socket port password database sentinels sentinels_password].each do |setting|
+        Gitlab['gitlab_workhorse']["redis_#{setting}"] ||= Gitlab['gitlab_rails']["redis_#{setting}"]
+      end
+    end
+
+    def parse_separate_redis_instance_settings
+      # If an individual Redis instance is specified for Workhorse, figure out
+      # host, port, password, etc. from it
+      if Gitlab['gitlab_rails']['redis_workhorse_instance']
+        uri = URI(Gitlab['gitlab_rails']['redis_workhorse_instance'])
+
+        Gitlab['gitlab_workhorse']['redis_ssl'] = uri.scheme == 'rediss' unless Gitlab['gitlab_workhorse'].key?('redis_ssl')
+        if uri.scheme == 'unix'
+          Gitlab['gitlab_workhorse']['redis_socket'] = uri.path
+        else
+          Gitlab['gitlab_workhorse']['redis_host'] ||= if uri.path.start_with?('/')
+                                                         uri.host
+                                                       else
+                                                         uri.path
+                                                       end
+          Gitlab['gitlab_workhorse']['redis_port'] ||= uri.port
+          Gitlab['gitlab_workhorse']['redis_password'] ||= uri.password
+          Gitlab['gitlab_workhorse']['redis_database'] ||= uri.path.delete_prefix('/') if uri.path.start_with?('/')
+        end
+      end
+
+      %w[username password cluster_nodes sentinels sentinel_master sentinels_password].each do |setting|
+        Gitlab['gitlab_workhorse']["redis_#{setting}"] ||= Gitlab['gitlab_rails']["redis_workhorse_#{setting}"]
+      end
+    end
+
+    def parse_redis_master_settings
+      # TODO: When GitLab rails gets it's own set if `redis_sentinel_master_*`
+      # settings, update the following to use them instead of
+      # `Gitlab['redis'][*]` settings. It can be then merged with
+      # `parse_rails_redis_settings` method
+      Gitlab['gitlab_workhorse']['redis_sentinel_master'] ||= Gitlab['redis']['master_name'] || Gitlab[:node]['redis']['master_name']
+      Gitlab['gitlab_workhorse']['redis_sentinel_master_ip'] ||= Gitlab['redis']['master_ip'] || Gitlab[:node]['redis']['master_ip']
+      Gitlab['gitlab_workhorse']['redis_sentinel_master_port'] ||= Gitlab['redis']['master_port'] || Gitlab[:node]['redis']['master_port']
+      Gitlab['gitlab_workhorse']['redis_password'] ||= Gitlab['redis']['master_password'] || Gitlab[:node]['redis']['master_password']
+    end
+
     private
 
     def auth_socket_specified?

files/gitlab-cookbooks/gitlab/recipes/gitlab-workhorse.rb

@@ -15,7 +15,7 @@
 # limitations under the License.
 #
 account_helper = AccountHelper.new(node)
-redis_helper = RedisHelper.new(node)
+redis_helper = NewRedisHelper::GitlabWorkhorse.new(node)
 workhorse_helper = GitlabWorkhorseHelper.new(node)
 logfiles_helper = LogfilesHelper.new(node)
 logging_settings = logfiles_helper.logging_settings('gitlab-workhorse')
@@ -89,7 +89,7 @@
 alt_document_root = node['gitlab']['gitlab_workhorse']['alt_document_root']
 shutdown_timeout = node['gitlab']['gitlab_workhorse']['shutdown_timeout']
 workhorse_keywatcher = node['gitlab']['gitlab_workhorse']['workhorse_keywatcher']
-redis_params = redis_helper.workhorse_params
+redis_params = redis_helper.redis_params
 config_file_path = File.join(working_dir, "config.toml")
 image_scaler_max_procs = node['gitlab']['gitlab_workhorse']['image_scaler_max_procs']
 image_scaler_max_filesize = node['gitlab']['gitlab_workhorse']['image_scaler_max_filesize']

files/gitlab-cookbooks/package/libraries/helpers/new_redis_helper.rb

@@ -0,0 +1,32 @@
+require 'cgi'
+require_relative '../../../gitlab/libraries/redis_uri'
+
+module NewRedisHelper
+  class << self
+    def build_redis_url(ssl:, host:, port:, path:, password:)
+      scheme = ssl ? 'rediss:/' : 'redis:/'
+      uri = URI(scheme)
+      uri.host = host if host
+      uri.port = port if port
+      uri.path = path if path
+      # In case the password has non-alphanumeric passwords, be sure to encode it
+      uri.password = CGI.escape(password) if password
+
+      uri
+    end
+
+    def build_sentinels_urls(sentinels:, password:)
+      return [] if sentinels.nil? || sentinels.empty?
+
+      sentinels.map do |sentinel|
+        build_redis_url(
+          ssl: sentinel['ssl'],
+          host: sentinel['host'],
+          port: sentinel['port'],
+          path: '',
+          password: password
+        )
+      end
+    end
+  end
+end

files/gitlab-cookbooks/package/libraries/helpers/new_redis_helper/base.rb

@@ -0,0 +1,153 @@
+require_relative '../../../../gitlab/libraries/redis_uri'
+
+module NewRedisHelper
+  class Base
+    attr_reader :node
+
+    def initialize(node)
+      @node = node
+    end
+
+    def redis_params
+      # Defined in each component that extends this class. Should return all
+      # the Redis related information required by the component to populate
+      # it's own config file
+      raise NotImplementedError
+    end
+
+    def redis_credentials
+      params = if has_sentinels?
+                 master = support_sentinel_groupname? ? master_name : master_ip
+                 [master, master_port, redis_password]
+               else
+                 [redis_host, redis_port, redis_password]
+               end
+
+      {
+        host: params[0],
+        port: params[1],
+        password: params[2]
+      }
+    end
+
+    def redis_url
+      socket = if connect_to_redis_over_tcp?
+                 false
+               else
+                 redis_socket
+               end
+
+      if socket && !has_sentinels?
+        uri = URI('unix:/')
+        uri.path = socket
+      else
+        params = redis_credentials
+
+        uri = NewRedisHelper.build_redis_url(
+          ssl: redis_ssl,
+          host: params[:host],
+          port: params[:port],
+          password: params[:password],
+          path: "/#{redis_database}"
+        )
+      end
+
+      uri.to_s
+    end
+
+    private
+
+    def node_access_keys
+      # List of keys to obtain the attributes of the service from node object.
+      # For example ['gitlab', 'gitlab_workhorse'] or ['gitlab_kas']
+      raise NotImplementedError
+    end
+
+    def gitlab_rb_attr
+      Gitlab[node_access_keys.last]
+    end
+
+    def node_attr
+      @node.dig(*node_access_keys)
+    end
+
+    def redis
+      @node['redis']
+    end
+
+    def redis_server_over_tcp?
+      redis['port']&.positive? || redis['tls_port']&.positive?
+    end
+
+    def connect_to_redis_over_tcp?
+      gitlab_rb_attr['redis_host']
+    end
+
+    def redis_replica?
+      redis['master'] == false
+    end
+
+    def sentinel_daemon_enabled?
+      Services.enabled?('sentinel')
+    end
+
+    def master_name
+      node_attr['redis_sentinel_master']
+    end
+
+    def master_ip
+      node_attr['redis_sentinel_master_ip']
+    end
+
+    def master_port
+      node_attr['redis_sentinel_master_port']
+    end
+
+    def redis_sentinels_password
+      node_attr['redis_sentinels_password']
+    end
+
+    def redis_socket
+      node_attr['redis_socket']
+    end
+
+    def redis_host
+      node_attr['redis_host']
+    end
+
+    def redis_port
+      node_attr['redis_port']
+    end
+
+    def redis_password
+      node_attr['redis_password']
+    end
+
+    def redis_sentinels
+      node_attr['redis_sentinels']
+    end
+
+    def redis_ssl
+      !!node_attr['redis_ssl']
+    end
+
+    def redis_database
+      node_attr['redis_database']
+    end
+
+    def has_sentinels?
+      node_attr['redis_sentinels'] && !node_attr['redis_sentinels'].empty?
+    end
+
+    def sentinel_urls
+      NewRedisHelper.build_sentinels_urls(sentinels: redis_sentinels, password: redis_sentinels_password)&.map(&:to_s)
+    end
+
+    def support_sentinel_groupname?
+      # Defined in each component that extends this class. Should denote
+      # whether the component can connect to the primary Redis using a
+      # groupname instead of an IP
+      raise NotImplementedError
+    end
+  end
+end