Fix reconfigure failing when Sentinel TLS is only enabled

stanhu · stanhu · commit 6cebe94cb777 · 2023-08-10T14:00:45.000-07:00
If the unencrypted Sentinel port is disabled and only TLS enabled, `gitlab-ctl reconfigure` previously failed because it attempted to talk to port 0, which is an invalid port. This commit fixes this problem by switching to TLS if is the only option. In addition, server and client certificates need to be provided to `redis-cli` if required. Relates to https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/6627 Changelog: fixed
diff --git a/files/gitlab-cookbooks/gitlab-ee/libraries/sentinel_helper.rb b/files/gitlab-cookbooks/gitlab-ee/libraries/sentinel_helper.rb
@@ -29,7 +29,7 @@ def use_hostnames
   def running_version
     return unless OmnibusHelper.new(@node).service_up?('sentinel')
 
-    command = "/opt/gitlab/embedded/bin/redis-cli -h #{sentinel['bind']} -p #{sentinel['port']} INFO"
+    command = "/opt/gitlab/embedded/bin/redis-cli #{redis_cli_connect_options} INFO"
     env =
       if sentinel['password']
         { 'REDISCLI_AUTH' => sentinel['password'] }
@@ -109,4 +109,44 @@ def save_to_file(data)
   def generate_myid
     SecureRandom.hex(20) # size will be n*2 -> 40 characters
   end
+
+  def redis_cli_connect_options
+    args = ["-h #{sentinel['bind']}"]
+    port = sentinel['port'].to_i
+
+    if port.zero?
+      redis_cli_tls_options(args)
+    else
+      args << "-p #{port}"
+    end
+
+    args.join(' ')
+  end
+
+  def redis_cli_tls_options(args)
+    tls_port = sentinel['tls_port'].to_i
+
+    raise "No Sentinel port available: sentinel['port'] or sentinel['tls_port'] must be non-zero" if tls_port.zero?
+
+    args << "--tls"
+    args << "-p #{tls_port}"
+    args << "--cacert '#{sentinel['tls_ca_cert_file']}'" if sentinel['tls_ca_cert_file']
+    args << "--cacertdir '#{sentinel['tls_ca_cert_dir']}'" if sentinel['tls_ca_cert_dir']
+
+    return unless client_certs_required?
+
+    raise "Sentinel TLS client authentication requires sentinel['tls_cert_file'] and sentinel['tls_key_file'] options" unless client_cert_and_key_available?
+
+    args << "--cert '#{sentinel['tls_cert_file']}'"
+    args << "--key '#{sentinel['tls_key_file']}'"
+  end
+
+  def client_certs_required?
+    sentinel['tls_auth_clients'] == 'yes'
+  end
+
+  def client_cert_and_key_available?
+    sentinel['tls_cert_file'] && !sentinel['tls_cert_file'].empty? &&
+      sentinel['tls_key_file'] && !sentinel['tls_key_file'].empty?
+  end
 end
diff --git a/spec/chef/cookbooks/gitlab-ee/libraries/sentinel_helper_spec.rb b/spec/chef/cookbooks/gitlab-ee/libraries/sentinel_helper_spec.rb
@@ -45,6 +45,69 @@
         expect(subject.running_version).to eq('1.2.3')
       end
     end
+
+    context 'with both TLS and unencrypted ports disabled' do
+      let(:gitlab_rb) do
+        {
+          sentinel: {
+            port: 0,
+            tls_port: 0
+          }
+        }
+      end
+
+      it 'raises an error' do
+        expect { subject.running_version }.to raise_error("No Sentinel port available: sentinel['port'] or sentinel['tls_port'] must be non-zero")
+      end
+    end
+
+    context 'with TLS enabled' do
+      let(:cmd) { "/opt/gitlab/embedded/bin/redis-cli -h 0.0.0.0 --tls -p 6380 --cacert '#{tls_ca_cert_file}' --cacertdir '#{tls_ca_cert_dir}' INFO" }
+      let(:tls_auth_clients) { 'no' }
+      let(:tls_cert_file) { '/etc/gitlab/ssl/redis.crt' }
+      let(:tls_key_file) { '/etc/gitlab/ssl/redis.key' }
+      let(:tls_ca_cert_file) { '/etc/gitlab/ssl/redis-ca.crt' }
+      let(:tls_ca_cert_dir) { '/opt/gitlab/embedded/ssl/certs' }
+      let(:gitlab_rb) do
+        {
+          sentinel: {
+            port: 0,
+            tls_port: 6380,
+            tls_cert_file: tls_cert_file,
+            tls_key_file: tls_key_file,
+            tls_dh_params_file: '/etc/gitlab/ssl/redis-dhparams',
+            tls_ca_cert_file: tls_ca_cert_file,
+            tls_ca_cert_dir: tls_ca_cert_dir,
+            tls_auth_clients: tls_auth_clients
+          }
+        }
+      end
+
+      it 'connects with TLS server certificates' do
+        expect(VersionHelper).to receive(:do_shell_out).with(cmd, env: {}).and_return(status_success)
+
+        expect(subject.running_version).to eq('1.2.3')
+      end
+
+      context 'with TLS client certs required' do
+        let(:tls_auth_clients) { 'yes' }
+        let(:cmd) { "/opt/gitlab/embedded/bin/redis-cli -h 0.0.0.0 --tls -p 6380 --cacert '#{tls_ca_cert_file}' --cacertdir '#{tls_ca_cert_dir}' --cert '#{tls_cert_file}' --key '#{tls_key_file}' INFO" }
+
+        it 'connects with TLS server and client certificates' do
+          expect(VersionHelper).to receive(:do_shell_out).with(cmd, env: {}).and_return(status_success)
+
+          expect(subject.running_version).to eq('1.2.3')
+        end
+
+        context 'with missing TLS client cert' do
+          let(:tls_key_file) { nil }
+
+          it 'raises an error' do
+            expect { subject.running_version }.to raise_error("Sentinel TLS client authentication requires sentinel['tls_cert_file'] and sentinel['tls_key_file'] options")
+          end
+        end
+      end
+    end
   end
 
   context '#myid' do
