Sync config v14.2.0 : gitlab: Add commented-out config for encrypted SMTP credentials

kkimurak · kkimurak · commit c95365c94b4a · 2022-10-24T18:19:08.000+09:00
See corresponding MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/67802
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -123,11 +123,12 @@ production: &base
       # ca_certs_file: /home/git/gitlab/.gitlab_smime_ca_certs
 
     # Email server smtp settings are in config/initializers/smtp_settings.rb.sample
+    # File location to read encrypted SMTP secrets from
+    # email_smtp_secret_file: /mnt/gitlab/smtp.yaml.enc # Default: shared/encrypted_settings/smtp.yaml.enc
 
     default_projects_limit: {{GITLAB_PROJECTS_LIMIT}}
     default_can_create_group: {{GITLAB_CREATE_GROUP}}  # default: true
     username_changing_enabled: {{GITLAB_USERNAME_CHANGE}} # default: true - User can change their username/namespace
-    signup_enabled: {{GITLAB_SIGNUP_ENABLED}}
     ## Default theme ID
     ##   1 - Indigo
     ##   2 - Dark
diff --git a/assets/runtime/config/gitlabhq/smtp_settings.rb b/assets/runtime/config/gitlabhq/smtp_settings.rb
@@ -9,13 +9,18 @@
 
 if Rails.env.production?
   Rails.application.config.action_mailer.delivery_method = :smtp
+  secrets = Gitlab::Email::SmtpConfig.secrets
 
   ActionMailer::Base.delivery_method = :smtp
   ActionMailer::Base.smtp_settings = {
     address: "{{SMTP_HOST}}",
     port: {{SMTP_PORT}},
     user_name: "{{SMTP_USER}}",
     password: "{{SMTP_PASS}}",
+    ## If you are using encrypted smtp credentials then you should instead use the secrets user_name/password
+    ## See: https://docs.gitlab.com/ee/administration/raketasks/smtp.html#secrets
+    # user_name: secrets.username,
+    # password: secrets.password,
     domain: "{{SMTP_DOMAIN}}",
     authentication: "{{SMTP_AUTHENTICATION}}",
     enable_starttls_auto: {{SMTP_STARTTLS}},
@@ -34,6 +39,7 @@
 #
 # if Rails.env.production?
 #   Rails.application.config.action_mailer.delivery_method = :smtp_pool
+#   secrets = Gitlab::Email::SmtpConfig.secrets
 #
 #   ActionMailer::Base.delivery_method = :smtp_pool
 #   ActionMailer::Base.smtp_pool_settings = {
@@ -43,6 +49,10 @@
 #       port: 465,
 #       user_name: "smtp",
 #       password: "123456",
+#       ## If you are using encrypted smtp credentials then you should instead use the secrets user_name/password
+#       ## See: https://docs.gitlab.com/ee/administration/raketasks/smtp.html#secrets
+#       # user_name: secrets.username,
+#       # password: secrets.password,
 #       domain: "gitlab.company.com",
 #       authentication: :login,
 #       enable_starttls_auto: true,
diff --git a/assets/runtime/functions b/assets/runtime/functions
@@ -1843,7 +1843,6 @@ configure_gitlab() {
     GITLAB_SSH_HOST \
     GITLAB_SSH_LISTEN_PORT \
     GITLAB_SSH_PORT \
-    GITLAB_SIGNUP_ENABLED \
     GITLAB_IMPERSONATION_ENABLED \
     GITLAB_PROJECTS_LIMIT \
     GITLAB_USERNAME_CHANGE \
@@ -1887,6 +1886,15 @@ configure_gitlab() {
   generate_healthcheck_script
   gitlab_configure_content_security_policy
 
+  # some configurations are stored in database
+  ## GITLAB_SIGNUP_ENABLED : `signup_enabled` in `application_settings` table
+  ## avoid injection: set to false unless explicitly specified to be true
+  if [[ "${GITLAB_SIGNUP_ENABLED}" != true ]]; then
+    GITLAB_SIGNUP_ENABLED=false
+  fi
+  printf "Configurating application_settings.signup_enabled=%s :" ${GITLAB_SIGNUP_ENABLED}
+  PGPASSWORD="${DB_PASS}" psql -h "${DB_HOST}" -p "${DB_PORT}" -U "${DB_USER}" -d "${DB_NAME}" -Atw -c "UPDATE application_settings SET signup_enabled = ${GITLAB_SIGNUP_ENABLED}"
+
   # remove stale gitlab.socket
   rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket
 }
