Merge branch 'sh-fix-sentinel-tls' into 'master'

balasankarc · stanhu · balasankarc · commit 1fe0e0bdff8b · 2023-09-19T05:23:47.000Z
Fix reconfigure failing when Sentinel TLS is only enabled See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7086 Merged-by: Balasankar 'Balu' C <balasankar@gitlab.com> Approved-by: Hossein Pursultani <hpursultani@gitlab.com> Approved-by: Balasankar 'Balu' C <balasankar@gitlab.com> Co-authored-by: Stan Hu <stanhu@gmail.com>
diff --git a/files/gitlab-cookbooks/gitlab-ee/libraries/sentinel_helper.rb b/files/gitlab-cookbooks/gitlab-ee/libraries/sentinel_helper.rb
@@ -29,7 +29,7 @@ def use_hostnames
   def running_version
     return unless OmnibusHelper.new(@node).service_up?('sentinel')
 
-    command = "/opt/gitlab/embedded/bin/redis-cli -h #{sentinel['bind']} -p #{sentinel['port']} INFO"
+    command = "/opt/gitlab/embedded/bin/redis-cli #{redis_cli_connect_options} INFO"
     env =
       if sentinel['password']
         { 'REDISCLI_AUTH' => sentinel['password'] }
@@ -109,4 +109,44 @@ def save_to_file(data)
   def generate_myid
     SecureRandom.hex(20) # size will be n*2 -> 40 characters
   end
+
+  def redis_cli_connect_options
+    args = ["-h #{sentinel['bind']}"]
+    port = sentinel['port'].to_i
+
+    if port.zero?
+      redis_cli_tls_options(args)
+    else
+      args << "-p #{port}"
+    end
+
+    args.join(' ')
+  end
+
+  def redis_cli_tls_options(args)
+    tls_port = sentinel['tls_port'].to_i
+
+    raise "No Sentinel port available: sentinel['port'] or sentinel['tls_port'] must be non-zero" if tls_port.zero?
+
+    args << "--tls"
+    args << "-p #{tls_port}"
+    args << "--cacert '#{sentinel['tls_ca_cert_file']}'" if sentinel['tls_ca_cert_file']
+    args << "--cacertdir '#{sentinel['tls_ca_cert_dir']}'" if sentinel['tls_ca_cert_dir']
+
+    return unless client_certs_required?
+
+    raise "Sentinel TLS client authentication requires sentinel['tls_cert_file'] and sentinel['tls_key_file'] options" unless client_cert_and_key_available?
+
+    args << "--cert '#{sentinel['tls_cert_file']}'"
+    args << "--key '#{sentinel['tls_key_file']}'"
+  end
+
+  def client_certs_required?
+    sentinel['tls_auth_clients'] == 'yes'
+  end
+
+  def client_cert_and_key_available?
+    sentinel['tls_cert_file'] && !sentinel['tls_cert_file'].empty? &&
+      sentinel['tls_key_file'] && !sentinel['tls_key_file'].empty?
+  end
 end
diff --git a/spec/chef/cookbooks/gitlab-ee/libraries/sentinel_helper_spec.rb b/spec/chef/cookbooks/gitlab-ee/libraries/sentinel_helper_spec.rb
@@ -45,6 +45,69 @@
         expect(subject.running_version).to eq('1.2.3')
       end
     end
+
+    context 'with both TLS and unencrypted ports disabled' do
+      let(:gitlab_rb) do
+        {
+          sentinel: {
+            port: 0,
+            tls_port: 0
+          }
+        }
+      end
+
+      it 'raises an error' do
+        expect { subject.running_version }.to raise_error("No Sentinel port available: sentinel['port'] or sentinel['tls_port'] must be non-zero")
+      end
+    end
+
+    context 'with TLS enabled' do
+      let(:cmd) { "/opt/gitlab/embedded/bin/redis-cli -h 0.0.0.0 --tls -p 6380 --cacert '#{tls_ca_cert_file}' --cacertdir '#{tls_ca_cert_dir}' INFO" }
+      let(:tls_auth_clients) { 'no' }
+      let(:tls_cert_file) { '/etc/gitlab/ssl/redis.crt' }
+      let(:tls_key_file) { '/etc/gitlab/ssl/redis.key' }
+      let(:tls_ca_cert_file) { '/etc/gitlab/ssl/redis-ca.crt' }
+      let(:tls_ca_cert_dir) { '/opt/gitlab/embedded/ssl/certs' }
+      let(:gitlab_rb) do
+        {
+          sentinel: {
+            port: 0,
+            tls_port: 6380,
+            tls_cert_file: tls_cert_file,
+            tls_key_file: tls_key_file,
+            tls_dh_params_file: '/etc/gitlab/ssl/redis-dhparams',
+            tls_ca_cert_file: tls_ca_cert_file,
+            tls_ca_cert_dir: tls_ca_cert_dir,
+            tls_auth_clients: tls_auth_clients
+          }
+        }
+      end
+
+      it 'connects with TLS server certificates' do
+        expect(VersionHelper).to receive(:do_shell_out).with(cmd, env: {}).and_return(status_success)
+
+        expect(subject.running_version).to eq('1.2.3')
+      end
+
+      context 'with TLS client certs required' do
+        let(:tls_auth_clients) { 'yes' }
+        let(:cmd) { "/opt/gitlab/embedded/bin/redis-cli -h 0.0.0.0 --tls -p 6380 --cacert '#{tls_ca_cert_file}' --cacertdir '#{tls_ca_cert_dir}' --cert '#{tls_cert_file}' --key '#{tls_key_file}' INFO" }
+
+        it 'connects with TLS server and client certificates' do
+          expect(VersionHelper).to receive(:do_shell_out).with(cmd, env: {}).and_return(status_success)
+
+          expect(subject.running_version).to eq('1.2.3')
+        end
+
+        context 'with missing TLS client cert' do
+          let(:tls_key_file) { nil }
+
+          it 'raises an error' do
+            expect { subject.running_version }.to raise_error("Sentinel TLS client authentication requires sentinel['tls_cert_file'] and sentinel['tls_key_file'] options")
+          end
+        end
+      end
+    end
   end
 
   context '#myid' do
