Merge branch 'redis-extra-config-command' into 'master'

Support specifying config_command to Rails's Redis configurations

See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7355

Merged-by: Robert Marshall <[email protected]>
Approved-by: Andrew Patterson <[email protected]>
Approved-by: Robert Marshall <[email protected]>
Reviewed-by: Balasankar 'Balu' C <[email protected]>
Reviewed-by: Matthew Badeau <[email protected]>
Co-authored-by: Balasankar 'Balu' C <[email protected]>

Author: Robert Marshall

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -447,6 +447,7 @@
 default['gitlab']['gitlab_rails']['redis_tls_client_cert_file'] = nil
 default['gitlab']['gitlab_rails']['redis_tls_client_key_file'] = nil
 default['gitlab']['gitlab_rails']['redis_password'] = nil
+default['gitlab']['gitlab_rails']['redis_extra_config_command'] = nil
 default['gitlab']['gitlab_rails']['redis_encrypted_settings_file'] = nil
 default['gitlab']['gitlab_rails']['redis_socket'] = "/var/opt/gitlab/redis/redis.socket"
 default['gitlab']['gitlab_rails']['redis_enable_client'] = true
@@ -458,6 +459,7 @@
 default['gitlab']['gitlab_rails']['redis_cache_username'] = nil
 default['gitlab']['gitlab_rails']['redis_cache_password'] = nil
 default['gitlab']['gitlab_rails']['redis_cache_encrypted_settings_file'] = nil
+default['gitlab']['gitlab_rails']['redis_cache_extra_config_command'] = nil
 default['gitlab']['gitlab_rails']['redis_cache_cluster_nodes'] = []
 default['gitlab']['gitlab_rails']['redis_cache_ssl'] = false
 default['gitlab']['gitlab_rails']['redis_cache_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
@@ -468,6 +470,7 @@
 default['gitlab']['gitlab_rails']['redis_queues_username'] = nil
 default['gitlab']['gitlab_rails']['redis_queues_password'] = nil
 default['gitlab']['gitlab_rails']['redis_queues_encrypted_settings_file'] = nil
+default['gitlab']['gitlab_rails']['redis_queues_extra_config_command'] = nil
 default['gitlab']['gitlab_rails']['redis_queues_sentinels'] = []
 default['gitlab']['gitlab_rails']['redis_queues_sentinels_password'] = nil
 default['gitlab']['gitlab_rails']['redis_queues_cluster_nodes'] = []
@@ -482,6 +485,7 @@
 default['gitlab']['gitlab_rails']['redis_shared_state_username'] = nil
 default['gitlab']['gitlab_rails']['redis_shared_state_password'] = nil
 default['gitlab']['gitlab_rails']['redis_shared_state_encrypted_settings_file'] = nil
+default['gitlab']['gitlab_rails']['redis_shared_state_extra_config_command'] = nil
 default['gitlab']['gitlab_rails']['redis_shared_state_cluster_nodes'] = []
 default['gitlab']['gitlab_rails']['redis_shared_state_ssl'] = false
 default['gitlab']['gitlab_rails']['redis_shared_state_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
@@ -494,6 +498,7 @@
 default['gitlab']['gitlab_rails']['redis_trace_chunks_username'] = nil
 default['gitlab']['gitlab_rails']['redis_trace_chunks_password'] = nil
 default['gitlab']['gitlab_rails']['redis_trace_chunks_encrypted_settings_file'] = nil
+default['gitlab']['gitlab_rails']['redis_trace_chunks_extra_config_command'] = nil
 default['gitlab']['gitlab_rails']['redis_trace_chunks_cluster_nodes'] = []
 default['gitlab']['gitlab_rails']['redis_trace_chunks_ssl'] = false
 default['gitlab']['gitlab_rails']['redis_trace_chunks_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
@@ -506,6 +511,7 @@
 default['gitlab']['gitlab_rails']['redis_actioncable_username'] = nil
 default['gitlab']['gitlab_rails']['redis_actioncable_password'] = nil
 default['gitlab']['gitlab_rails']['redis_actioncable_encrypted_settings_file'] = nil
+default['gitlab']['gitlab_rails']['redis_actioncable_extra_config_command'] = nil
 default['gitlab']['gitlab_rails']['redis_actioncable_cluster_nodes'] = []
 default['gitlab']['gitlab_rails']['redis_actioncable_ssl'] = false
 default['gitlab']['gitlab_rails']['redis_actioncable_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
@@ -518,6 +524,7 @@
 default['gitlab']['gitlab_rails']['redis_rate_limiting_username'] = nil
 default['gitlab']['gitlab_rails']['redis_rate_limiting_password'] = nil
 default['gitlab']['gitlab_rails']['redis_rate_limiting_encrypted_settings_file'] = nil
+default['gitlab']['gitlab_rails']['redis_rate_limiting_extra_config_command'] = nil
 default['gitlab']['gitlab_rails']['redis_rate_limiting_cluster_nodes'] = []
 default['gitlab']['gitlab_rails']['redis_rate_limiting_ssl'] = false
 default['gitlab']['gitlab_rails']['redis_rate_limiting_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
@@ -530,6 +537,7 @@
 default['gitlab']['gitlab_rails']['redis_sessions_username'] = nil
 default['gitlab']['gitlab_rails']['redis_sessions_password'] = nil
 default['gitlab']['gitlab_rails']['redis_sessions_encrypted_settings_file'] = nil
+default['gitlab']['gitlab_rails']['redis_sessions_extra_config_command'] = nil
 default['gitlab']['gitlab_rails']['redis_sessions_cluster_nodes'] = []
 default['gitlab']['gitlab_rails']['redis_sessions_ssl'] = false
 default['gitlab']['gitlab_rails']['redis_sessions_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
@@ -542,6 +550,7 @@
 default['gitlab']['gitlab_rails']['redis_repository_cache_username'] = nil
 default['gitlab']['gitlab_rails']['redis_repository_cache_password'] = nil
 default['gitlab']['gitlab_rails']['redis_repository_cache_encrypted_settings_file'] = nil
+default['gitlab']['gitlab_rails']['redis_repository_cache_extra_config_command'] = nil
 default['gitlab']['gitlab_rails']['redis_repository_cache_cluster_nodes'] = []
 default['gitlab']['gitlab_rails']['redis_repository_cache_ssl'] = false
 default['gitlab']['gitlab_rails']['redis_repository_cache_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
@@ -554,6 +563,7 @@
 default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_username'] = nil
 default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_password'] = nil
 default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_encrypted_settings_file'] = nil
+default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_extra_config_command'] = nil
 default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_cluster_nodes'] = []
 default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_ssl'] = false
 default['gitlab']['gitlab_rails']['redis_cluster_rate_limiting_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
@@ -566,6 +576,7 @@
 default['gitlab']['gitlab_rails']['redis_workhorse_username'] = nil
 default['gitlab']['gitlab_rails']['redis_workhorse_password'] = nil
 default['gitlab']['gitlab_rails']['redis_workhorse_cluster_nodes'] = []
+default['gitlab']['gitlab_rails']['redis_workhorse_extra_config_command'] = nil
 default['gitlab']['gitlab_rails']['redis_workhorse_ssl'] = false
 default['gitlab']['gitlab_rails']['redis_workhorse_tls_ca_cert_dir'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_dir'].dup
 default['gitlab']['gitlab_rails']['redis_workhorse_tls_ca_cert_file'] = default['gitlab']['gitlab_rails']['redis_tls_ca_cert_file'].dup

files/gitlab-cookbooks/gitlab/libraries/gitlab_rails.rb

@@ -35,6 +35,7 @@ def parse_variables
       parse_incoming_email_logfile
       parse_service_desk_email_logfile
       parse_maximum_request_duration
+      parse_redis_extra_config_command
       validate_smtp_settings!
       validate_ssh_settings!
     end
@@ -337,6 +338,12 @@ def parse_encrypted_settings_path
       Gitlab['gitlab_rails']['redis_encrypted_settings_file'] ||= File.join(encrypted_settings_path, 'redis.yml.enc')
     end
 
+    def parse_redis_extra_config_command
+      RedisHelper::REDIS_INSTANCES.each do |instance|
+        Gitlab['gitlab_rails']["redis_#{instance}_extra_config_command"] ||= Gitlab['gitlab_rails']['redis_extra_config_command']
+      end
+    end
+
     def parse_pages_dir
       # This requires the parse_shared_dir to be executed before
       Gitlab['gitlab_rails']['pages_path'] ||= File.join(Gitlab['gitlab_rails']['shared_path'], 'pages')

files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb

@@ -218,6 +218,7 @@
 redis_tls_client_cert_file = node['gitlab']['gitlab_rails']['redis_tls_client_cert_file']
 redis_tls_client_key_file = node['gitlab']['gitlab_rails']['redis_tls_client_key_file']
 redis_encrypted_settings_file = node['gitlab']['gitlab_rails']['redis_encrypted_settings_file']
+redis_extra_config_command = node['gitlab']['gitlab_rails']['redis_extra_config_command']
 
 templatesymlink "Create a secrets.yml and create a symlink to Rails root" do
   link_from File.join(gitlab_rails_source_dir, "config/secrets.yml")
@@ -255,7 +256,8 @@
     redis_tls_ca_cert_file: redis_tls_ca_cert_file,
     redis_tls_client_cert_file: redis_tls_client_cert_file,
     redis_tls_client_key_file: redis_tls_client_key_file,
-    redis_encrypted_settings_file: redis_encrypted_settings_file
+    redis_encrypted_settings_file: redis_encrypted_settings_file,
+    redis_extra_config_command: redis_extra_config_command
   )
   dependent_services.each { |svc| notifies :restart, svc }
   sensitive true
@@ -308,6 +310,7 @@
   certificate_file = node['gitlab']['gitlab_rails']["redis_#{instance}_tls_client_cert_file"]
   key_file = node['gitlab']['gitlab_rails']["redis_#{instance}_tls_client_key_file"]
   instance_encrypted_settings_file = node['gitlab']['gitlab_rails']["redis_#{instance}_encrypted_settings_file"]
+  instance_extra_config_command = node['gitlab']['gitlab_rails']["redis_#{instance}_extra_config_command"]
   from_filename = File.join(gitlab_rails_source_dir, "config/#{filename}")
   to_filename = File.join(gitlab_rails_etc_dir, filename)
 
@@ -333,7 +336,8 @@
       redis_tls_ca_cert_file: ca_cert_file,
       redis_tls_client_cert_file: certificate_file,
       redis_tls_client_key_file: key_file,
-      redis_encrypted_settings_file: instance_encrypted_settings_file
+      redis_encrypted_settings_file: instance_encrypted_settings_file,
+      redis_extra_config_command: instance_extra_config_command
     )
     dependent_services.each { |svc| notifies :restart, svc }
     action :delete if url.nil? && clusters.empty?

files/gitlab-cookbooks/gitlab/templates/default/resque.yml.erb

@@ -1,4 +1,7 @@
 production:
+  <%- if @redis_extra_config_command -%>
+  config_command: "<%= @redis_extra_config_command %>"
+  <%- end -%>
   <% if !@redis_enable_client %>
   id:
   <% end %>

spec/chef/cookbooks/gitlab/recipes/gitlab-rails_spec.rb

@@ -441,7 +441,8 @@
               redis_tls_ca_cert_file: "/opt/gitlab/embedded/ssl/certs/cacert.pem",
               redis_tls_client_cert_file: nil,
               redis_tls_client_key_file: nil,
-              redis_encrypted_settings_file: "/var/opt/gitlab/gitlab-rails/shared/encrypted_settings/redis.#{instance}.yml.enc"
+              redis_encrypted_settings_file: "/var/opt/gitlab/gitlab-rails/shared/encrypted_settings/redis.#{instance}.yml.enc",
+              redis_extra_config_command: nil
             )
 
             expect(chef_run).to render_file("/var/opt/gitlab/gitlab-rails/etc/redis.#{instance}.yml").with_content { |content|
@@ -484,7 +485,8 @@
               redis_tls_ca_cert_file: "/opt/gitlab/embedded/ssl/certs/cacert.pem",
               redis_tls_client_cert_file: nil,
               redis_tls_client_key_file: nil,
-              redis_encrypted_settings_file: "/var/opt/gitlab/gitlab-rails/shared/encrypted_settings/redis.#{instance}.yml.enc"
+              redis_encrypted_settings_file: "/var/opt/gitlab/gitlab-rails/shared/encrypted_settings/redis.#{instance}.yml.enc",
+              redis_extra_config_command: nil
             )
 
             expect(chef_run).to render_file("/var/opt/gitlab/gitlab-rails/etc/redis.#{instance}.yml").with_content { |content|
@@ -527,7 +529,8 @@
                 redis_tls_ca_cert_file: "/opt/gitlab/embedded/ssl/certs/cacert.pem",
                 redis_tls_client_cert_file: nil,
                 redis_tls_client_key_file: nil,
-                redis_encrypted_settings_file: "/var/opt/gitlab/gitlab-rails/shared/encrypted_settings/redis.#{instance}.yml.enc"
+                redis_encrypted_settings_file: "/var/opt/gitlab/gitlab-rails/shared/encrypted_settings/redis.#{instance}.yml.enc",
+                redis_extra_config_command: nil
               )
 
               expect(chef_run).to render_file("/var/opt/gitlab/gitlab-rails/etc/redis.#{instance}.yml").with_content { |content|
@@ -584,6 +587,59 @@
           end
         end
       end
+
+      describe 'extra config command' do
+        let(:cache_command) { '/opt/redis-cache-password.sh' }
+        let(:global_command) { '/opt/redis-global.sh' }
+
+        context 'with single Redis instance' do
+          before do
+            stub_gitlab_rb(
+              gitlab_rails: {
+                redis_extra_config_command: global_command
+              }
+            )
+          end
+
+          it 'populates resque.yml with specified config command' do
+            expect(chef_run).to render_file("/var/opt/gitlab/gitlab-rails/etc/resque.yml").with_content { |content|
+              generated_yml = YAML.safe_load(content)
+              expect(generated_yml.dig('production', 'config_command')).to eq(global_command)
+            }
+          end
+        end
+
+        context 'with separate command for an instance' do
+          cached(:chef_run) do
+            ChefSpec::SoloRunner.new(step_into: %w(templatesymlink)).converge('gitlab::default')
+          end
+
+          before do
+            stub_gitlab_rb(
+              gitlab_rails: {
+                redis_extra_config_command: global_command,
+                redis_cache_instance: 'redis://redis.cache.instance',
+                redis_cache_extra_config_command: cache_command,
+                redis_shared_state_instance: 'redis://redis.shared_state.instance'
+              }
+            )
+          end
+
+          it 'uses specified command for the cache instance' do
+            expect(chef_run).to render_file("/var/opt/gitlab/gitlab-rails/etc/redis.cache.yml").with_content { |content|
+              generated_yml = YAML.safe_load(content)
+              expect(generated_yml.dig('production', 'config_command')).to eq(cache_command)
+            }
+          end
+
+          it 'uses global command for the shared state instance' do
+            expect(chef_run).to render_file("/var/opt/gitlab/gitlab-rails/etc/redis.shared_state.yml").with_content { |content|
+              generated_yml = YAML.safe_load(content)
+              expect(generated_yml.dig('production', 'config_command')).to eq(global_command)
+            }
+          end
+        end
+      end
     end
 
     context 'redis.yml override' do