Merge branch 'wc/shell-token-restart' into 'master'

balasankarc · Will Chandler · balasankarc · commit fbb7aa63e76d · 2023-12-21T06:06:19.000Z
Restart Gitaly when updating Gitlab-Shell token See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7297 Merged-by: Balasankar 'Balu' C <balasankar@gitlab.com> Approved-by: Jason Plum <jplum@gitlab.com> Approved-by: Balasankar 'Balu' C <balasankar@gitlab.com> Co-authored-by: Will Chandler <wchandler@gitlab.com>
diff --git a/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb b/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
@@ -410,6 +410,10 @@
   gitlab_workhorse_services.each { |svc| notifies :restart, svc }
 end
 
+gitlab_shell_secret_services = dependent_services
+gitlab_shell_secret_services += ['runit_service[gitaly]'] if omnibus_helper.should_notify?('gitaly')
+gitlab_shell_secret_services += ['runit_service[gitlab-sshd]'] if Services.enabled?('gitlab_sshd')
+
 templatesymlink "Create a gitlab_shell_secret and create a symlink to Rails root" do
   link_from File.join(gitlab_rails_source_dir, ".gitlab_shell_secret")
   link_to File.join(gitlab_rails_etc_dir, "gitlab_shell_secret")
@@ -419,7 +423,7 @@
   mode "0644"
   sensitive true
   variables(secret_token: node['gitlab']['gitlab_shell']['secret_token'])
-  dependent_services.each { |svc| notifies :restart, svc }
+  gitlab_shell_secret_services.each { |svc| notifies :restart, svc }
   notifies :run, 'bash[Set proper security context on ssh files for selinux]', :delayed if SELinuxHelper.enabled?
 end
 
diff --git a/spec/chef/cookbooks/gitlab/recipes/gitlab-rails_spec.rb b/spec/chef/cookbooks/gitlab/recipes/gitlab-rails_spec.rb
@@ -1141,6 +1141,93 @@
       end
     end
 
+    describe 'gitlab_shell_secret' do
+      let(:templatesymlink) { chef_run.templatesymlink('Create a gitlab_shell_secret and create a symlink to Rails root') }
+
+      context 'by default' do
+        cached(:chef_run) do
+          ChefSpec::SoloRunner.new.converge('gitlab::default')
+        end
+
+        it 'creates the template' do
+          expect(chef_run).to create_templatesymlink("Create a gitlab_pages_secret and create a symlink to Rails root").with(
+            owner: 'root',
+            group: 'root',
+            mode: '0644'
+          )
+        end
+
+        it 'template triggers notifications' do
+          expect(templatesymlink).to notify('runit_service[gitaly]').to(:restart).delayed
+          expect(templatesymlink).to notify('runit_service[puma]').to(:restart).delayed
+          expect(templatesymlink).to notify('sidekiq_service[sidekiq]').to(:restart).delayed
+        end
+      end
+
+      context 'with gitlab-sshd enabled' do
+        let(:templatesymlink) { chef_run.templatesymlink('Create a gitlab_shell_secret and create a symlink to Rails root') }
+
+        cached(:chef_run) do
+          RSpec::Mocks.with_temporary_scope do
+            stub_gitlab_rb(
+              gitlab_sshd: { enable: true }
+            )
+          end
+
+          ChefSpec::SoloRunner.new.converge('gitlab::default')
+        end
+
+        it 'creates the template' do
+          expect(chef_run).to create_templatesymlink("Create a gitlab_pages_secret and create a symlink to Rails root").with(
+            owner: 'root',
+            group: 'root',
+            mode: '0644'
+          )
+        end
+
+        it 'template triggers notifications' do
+          expect(templatesymlink).to notify('runit_service[gitlab-sshd]').to(:restart).delayed
+          expect(templatesymlink).to notify('runit_service[gitaly]').to(:restart).delayed
+          expect(templatesymlink).to notify('runit_service[puma]').to(:restart).delayed
+          expect(templatesymlink).to notify('sidekiq_service[sidekiq]').to(:restart).delayed
+        end
+      end
+
+      context 'with specific gitlab_shell_secret' do
+        let(:gitlab_shell_secret_token) { SecureRandom.base64(32) }
+
+        cached(:chef_run) do
+          RSpec::Mocks.with_temporary_scope do
+            stub_gitlab_rb(
+              gitlab_shell: { secret_token: gitlab_shell_secret_token }
+            )
+          end
+
+          ChefSpec::SoloRunner.new.converge('gitlab::default')
+        end
+
+        it 'renders the correct node attribute' do
+          expect(chef_run).to create_templatesymlink("Create a gitlab_shell_secret and create a symlink to Rails root").with_variables(
+            secret_token: gitlab_shell_secret_token
+          )
+        end
+
+        it 'uses the correct owner and permissions' do
+          expect(chef_run).to create_templatesymlink('Create a gitlab_shell_secret and create a symlink to Rails root').with(
+            owner: 'root',
+            group: 'root',
+            mode: '0644'
+          )
+        end
+
+        it 'template triggers notifications' do
+          expect(templatesymlink).to notify('runit_service[gitaly]').to(:restart).delayed
+          expect(templatesymlink).to notify('runit_service[puma]').to(:restart).delayed
+          expect(templatesymlink).to notify('sidekiq_service[sidekiq]').to(:restart).delayed
+        end
+      end
+    end
+
     describe 'gitlab_pages_secret' do
       let(:templatesymlink) { chef_run.templatesymlink('Create a gitlab_pages_secret and create a symlink to Rails root') }
 
