Merge branch '8131-kas-redis-tls' into 'master'

Robert Marshall · balasankarc · Robert Marshall · commit ca07b628049d · 2023-11-01T04:49:55.000Z
Add Redis TLS settings for KAS Closes #8131 See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7180 Merged-by: Robert Marshall <rmarshall@gitlab.com> Approved-by: Clemens Beck <cbeck@gitlab.com> Approved-by: Robert Marshall <rmarshall@gitlab.com> Reviewed-by: Clemens Beck <cbeck@gitlab.com> Co-authored-by: Balasankar "Balu" C <balasankar@gitlab.com>
diff --git a/files/gitlab-config-template/gitlab.rb.template b/files/gitlab-config-template/gitlab.rb.template
@@ -2109,6 +2109,21 @@ external_url 'GENERATED_EXTERNAL_URL'
 # gitlab_kas['log_group'] = nil
 # gitlab_kas['env_directory'] = '/opt/gitlab/etc/gitlab-kas/env'
 
+##! Redis settings for GitLab KAS
+# gitlab_kas['redis_socket'] = ''
+# gitlab_kas['redis_host'] = '127.0.0.1'
+# gitlab_kas['redis_port'] = '6379'
+# gitlab_kas['redis_password'] = nil
+
+# gitlab_kas['redis_sentinels'] = {}
+# gitlab_kas['redis_sentinels_master_name'] = nil
+# gitlab_kas['redis_sentinels_password'] = ''
+
+# gitlab_kas['redis_ssl'] = false
+# gitlab_kas['redis_tls_ca_cert_file'] = '/opt/gitlab/embedded/ssl/certs/cacert.pem'
+# gitlab_kas['redis_tls_client_cert_file'] = nil
+# gitlab_kas['redis_tls_client_key_file'] = nil
+
 ################################################################################
 ## GitLab Suggested Reviewers (EE Only)
 ##! Docs: https://docs.gitlab.com/ee/user/project/merge_requests/reviews/#suggested-reviewers
diff --git a/files/gitlab-cookbooks/gitlab-kas/attributes/default.rb b/files/gitlab-cookbooks/gitlab-kas/attributes/default.rb
@@ -43,3 +43,18 @@
 }
 
 default['gitlab-kas'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab_kas'].to_h }, "node['gitlab-kas']", "node['gitlab_kas']")
+
+# Defaults of the following settings are computed from `gitlab_rails`, and are
+# set in the library. If a new key is added here that needs to be computed from
+# the Rails counterpart, make sure it is added to the list in the library too
+default['gitlab_kas']['redis_socket'] = nil
+default['gitlab_kas']['redis_host'] = nil
+default['gitlab_kas']['redis_port'] = nil
+default['gitlab_kas']['redis_password'] = nil
+default['gitlab_kas']['redis_sentinels'] = nil
+default['gitlab_kas']['redis_sentinels_master_name'] = nil
+default['gitlab_kas']['redis_sentinels_password'] = nil
+default['gitlab_kas']['redis_ssl'] = nil
+default['gitlab_kas']['redis_tls_ca_cert_file'] = nil
+default['gitlab_kas']['redis_tls_client_cert_file'] = nil
+default['gitlab_kas']['redis_tls_client_key_file'] = nil
diff --git a/files/gitlab-cookbooks/gitlab-kas/libraries/gitlab_kas.rb b/files/gitlab-cookbooks/gitlab-kas/libraries/gitlab_kas.rb
@@ -25,6 +25,7 @@ def parse_variables
       parse_gitlab_kas_enabled
       parse_gitlab_kas_external_url
       parse_gitlab_kas_internal_url
+      parse_redis_settings
     end
 
     def parse_address
@@ -105,6 +106,26 @@ def validate_secrets
       raise "gitlab_kas['private_api_secret_key'] should be exactly 32 bytes" if private_api_secret_key.length != 32
     end
 
+    def parse_redis_settings
+      settings_copied_from_gitlab_rails = %w[
+        redis_socket
+        redis_host
+        redis_port
+        redis_password
+        redis_sentinels
+        redis_sentinels_password
+        redis_ssl
+        redis_tls_ca_cert_file
+        redis_tls_client_cert_file
+        redis_tls_client_key_file
+      ]
+      settings_copied_from_gitlab_rails.each do |setting|
+        Gitlab['gitlab_kas'][setting] = Gitlab['gitlab_rails'][setting] || Gitlab['node']['gitlab']['gitlab_rails'][setting] unless Gitlab['gitlab_kas'].key?(setting)
+      end
+
+      Gitlab['gitlab_kas']['redis_sentinels_master_name'] = Gitlab['redis']['master_name'] || Gitlab['node']['redis']['master_name'] unless Gitlab['gitlab_kas'].key?('redis_sentinels_master_name')
+    end
+
     private
 
     def parse_gitlab_kas_external_url_with_gitlab_domain
diff --git a/files/gitlab-cookbooks/gitlab-kas/recipes/enable.rb b/files/gitlab-cookbooks/gitlab-kas/recipes/enable.rb
@@ -26,23 +26,26 @@
 gitlab_kas_config_file = File.join(working_dir, 'gitlab-kas-config.yml')
 gitlab_kas_authentication_secret_file = File.join(working_dir, 'authentication_secret_file')
 gitlab_kas_private_api_authentication_secret_file = File.join(working_dir, 'private_api_authentication_secret_file')
-redis_host, redis_port, redis_password = redis_helper.redis_params
+redis_host, redis_port, redis_password = redis_helper.kas_params
 redis_password_present = redis_password && !redis_password.empty?
-redis_sentinels = node['gitlab']['gitlab_rails']['redis_sentinels']
-redis_sentinels_master_name = node['redis']['master_name']
-redis_sentinels_password = node['gitlab']['gitlab_rails']['redis_sentinels_password']
+redis_sentinels = node['gitlab_kas']['redis_sentinels']
+redis_sentinels_master_name = node['gitlab_kas']['redis_sentinels_master_name']
+redis_sentinels_password = node['gitlab_kas']['redis_sentinels_password']
 redis_sentinels_password_present = redis_sentinels_password && !redis_sentinels_password.empty?
 
 gitlab_kas_redis_password_file = File.join(working_dir, 'redis_password_file')
 gitlab_kas_redis_sentinels_password_file = File.join(working_dir, 'redis_sentinels_password_file')
 redis_default_port = URI::Redis::DEFAULT_PORT
 redis_network = redis_helper.redis_url.scheme == 'unix' ? 'unix' : 'tcp'
-redis_ssl = node['gitlab']['gitlab_rails']['redis_ssl']
+redis_ssl = node['gitlab_kas']['redis_ssl']
 redis_address = if redis_network == 'tcp'
                   "#{redis_host}:#{redis_port || redis_default_port}"
                 else
-                  node['gitlab']['gitlab_rails']['redis_socket']
+                  node['gitlab_kas']['redis_socket']
                 end
+redis_tls_ca_cert_file = node['gitlab_kas']['redis_tls_ca_cert_file']
+redis_tls_client_cert_file = node['gitlab_kas']['redis_tls_client_cert_file']
+redis_tls_client_key_file = node['gitlab_kas']['redis_tls_client_key_file']
 
 [
   working_dir,
@@ -119,6 +122,9 @@
       redis_network: redis_network,
       redis_address: redis_address,
       redis_ssl: redis_ssl,
+      redis_tls_ca_cert_file: redis_tls_ca_cert_file,
+      redis_tls_client_cert_file: redis_tls_client_cert_file,
+      redis_tls_client_key_file: redis_tls_client_key_file,
       redis_default_port: redis_default_port,
       redis_password_file: redis_password_present ? gitlab_kas_redis_password_file : nil,
       redis_sentinels_master_name: redis_sentinels_master_name,
diff --git a/files/gitlab-cookbooks/gitlab-kas/templates/default/gitlab-kas-config.yml.erb b/files/gitlab-cookbooks/gitlab-kas/templates/default/gitlab-kas-config.yml.erb
@@ -45,6 +45,17 @@ redis:
   network: <%= @redis_network %>
   tls:
     enabled: <%= @redis_ssl %>
+    <%- if @redis_ssl %>
+    <%- if @redis_tls_ca_cert_file %>
+    ca_certificate_file: "<%= @redis_tls_ca_cert_file %>"
+    <% end %>
+    <%- if @redis_tls_client_cert_file %>
+    certificate_file: "<%= @redis_tls_client_cert_file %>"
+    <% end %>
+    <%- if @redis_tls_client_key_file %>
+    key_file: "<%= @redis_tls_client_key_file %>"
+    <% end %>
+    <% end %>
   <%- if @redis_password_file %>
   password_file: <%= @redis_password_file %>
   <%- end %>
diff --git a/files/gitlab-cookbooks/gitlab/libraries/redis_helper.rb b/files/gitlab-cookbooks/gitlab/libraries/redis_helper.rb
@@ -13,17 +13,15 @@ def redis
     @node['redis']
   end
 
-  def redis_params(support_sentinel_groupname: true)
-    gitlab_rails_config = @node['gitlab']['gitlab_rails']
-
+  def redis_params(service_config: @node['gitlab']['gitlab_rails'], support_sentinel_groupname: true)
     raise 'Redis announce_ip and announce_ip_from_hostname are mutually exclusive, please unset one of them' if redis['announce_ip'] && redis['announce_ip_from_hostname']
 
     params = if RedisHelper::Checks.has_sentinels? && support_sentinel_groupname
                [redis['master_name'], redis['master_port'], redis['master_password']]
              else
-               host = gitlab_rails_config['redis_host'] || Gitlab['redis']['master_ip']
-               port = gitlab_rails_config['redis_port'] || Gitlab['redis']['master_port']
-               password = gitlab_rails_config['redis_password'] || Gitlab['redis']['master_password']
+               host = service_config['redis_host'] || Gitlab['redis']['master_ip']
+               port = service_config['redis_port'] || Gitlab['redis']['master_port']
+               password = service_config['redis_password'] || Gitlab['redis']['master_password']
 
                [host, port, password]
              end
@@ -75,6 +73,10 @@ def workhorse_params
     end
   end
 
+  def kas_params
+    redis_params(service_config: @node['gitlab_kas'])
+  end
+
   def validate_instance_shard_config(instance)
     gitlab_rails = @node['gitlab']['gitlab_rails']
 
diff --git a/spec/chef/cookbooks/gitlab-kas/recipes/gitlab-kas_spec.rb b/spec/chef/cookbooks/gitlab-kas/recipes/gitlab-kas_spec.rb
