Restart Gitaly when updating Gitlab-Shell token

Originally Gitaly would shell out to Gitlab-Shell to make internal API
calls. This had no retained state regarding the secret token, so no
service restarts were required in this scenario.

However, for several years the main Gitaly process has been responsible
for calling the internal API. This will only read the Gitlab-Shell
secret file during its startup process, and subsequent changes to that
will not be detected by Gitaly, leading to spurious 401 errors.

To resolve this, restart the Gitaly service when updating
`gitlab_shell['secret_token']`.

Changelog: fixed

Author: Will Chandler

files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb

@@ -410,6 +410,10 @@
   gitlab_workhorse_services.each { |svc| notifies :restart, svc }
 end
 
+gitlab_shell_secret_services = dependent_services
+gitlab_shell_secret_services += ['runit_service[gitaly]'] if omnibus_helper.should_notify?('gitaly')
+gitlab_shell_secret_services += ['runit_service[gitlab-sshd]'] if Services.enabled?('gitlab_sshd')
+
 templatesymlink "Create a gitlab_shell_secret and create a symlink to Rails root" do
   link_from File.join(gitlab_rails_source_dir, ".gitlab_shell_secret")
   link_to File.join(gitlab_rails_etc_dir, "gitlab_shell_secret")
@@ -419,7 +423,7 @@
   mode "0644"
   sensitive true
   variables(secret_token: node['gitlab']['gitlab_shell']['secret_token'])
-  dependent_services.each { |svc| notifies :restart, svc }
+  gitlab_shell_secret_services.each { |svc| notifies :restart, svc }
   notifies :run, 'bash[Set proper security context on ssh files for selinux]', :delayed if SELinuxHelper.enabled?
 end
 

spec/chef/cookbooks/gitlab/recipes/gitlab-rails_spec.rb

@@ -1141,6 +1141,93 @@
       end
     end
 
+    describe 'gitlab_shell_secret' do
+      let(:templatesymlink) { chef_run.templatesymlink('Create a gitlab_shell_secret and create a symlink to Rails root') }
+
+      context 'by default' do
+        cached(:chef_run) do
+          ChefSpec::SoloRunner.new.converge('gitlab::default')
+        end
+
+        it 'creates the template' do
+          expect(chef_run).to create_templatesymlink("Create a gitlab_pages_secret and create a symlink to Rails root").with(
+            owner: 'root',
+            group: 'root',
+            mode: '0644'
+          )
+        end
+
+        it 'template triggers notifications' do
+          expect(templatesymlink).to notify('runit_service[gitaly]').to(:restart).delayed
+          expect(templatesymlink).to notify('runit_service[puma]').to(:restart).delayed
+          expect(templatesymlink).to notify('sidekiq_service[sidekiq]').to(:restart).delayed
+        end
+      end
+
+      context 'with gitlab-sshd enabled' do
+        let(:templatesymlink) { chef_run.templatesymlink('Create a gitlab_shell_secret and create a symlink to Rails root') }
+
+        cached(:chef_run) do
+          RSpec::Mocks.with_temporary_scope do
+            stub_gitlab_rb(
+              gitlab_sshd: { enable: true }
+            )
+          end
+
+          ChefSpec::SoloRunner.new.converge('gitlab::default')
+        end
+
+        it 'creates the template' do
+          expect(chef_run).to create_templatesymlink("Create a gitlab_pages_secret and create a symlink to Rails root").with(
+            owner: 'root',
+            group: 'root',
+            mode: '0644'
+          )
+        end
+
+        it 'template triggers notifications' do
+          expect(templatesymlink).to notify('runit_service[gitlab-sshd]').to(:restart).delayed
+          expect(templatesymlink).to notify('runit_service[gitaly]').to(:restart).delayed
+          expect(templatesymlink).to notify('runit_service[puma]').to(:restart).delayed
+          expect(templatesymlink).to notify('sidekiq_service[sidekiq]').to(:restart).delayed
+        end
+      end
+
+      context 'with specific gitlab_shell_secret' do
+        let(:gitlab_shell_secret_token) { SecureRandom.base64(32) }
+
+        cached(:chef_run) do
+          RSpec::Mocks.with_temporary_scope do
+            stub_gitlab_rb(
+              gitlab_shell: { secret_token: gitlab_shell_secret_token }
+            )
+          end
+
+          ChefSpec::SoloRunner.new.converge('gitlab::default')
+        end
+
+        it 'renders the correct node attribute' do
+          expect(chef_run).to create_templatesymlink("Create a gitlab_shell_secret and create a symlink to Rails root").with_variables(
+            secret_token: gitlab_shell_secret_token
+          )
+        end
+
+        it 'uses the correct owner and permissions' do
+          expect(chef_run).to create_templatesymlink('Create a gitlab_shell_secret and create a symlink to Rails root').with(
+            owner: 'root',
+            group: 'root',
+            mode: '0644'
+          )
+        end
+
+        it 'template triggers notifications' do
+          expect(templatesymlink).to notify('runit_service[gitaly]').to(:restart).delayed
+          expect(templatesymlink).to notify('runit_service[puma]').to(:restart).delayed
+          expect(templatesymlink).to notify('sidekiq_service[sidekiq]').to(:restart).delayed
+        end
+      end
+    end
+
     describe 'gitlab_pages_secret' do
       let(:templatesymlink) { chef_run.templatesymlink('Create a gitlab_pages_secret and create a symlink to Rails root') }