Add 'db_key_base' for Gitlab CI 7.13 #22

Closed
tobru opened this issue Jul 23, 2015 · 0 comments

tobru commented Jul 23, 2015

Excerpt from https://about.gitlab.com/2015/07/22/gitlab-7-13-released/:

GitLab CI now uses symmetric encryption to share ‘secure variables’ (provided by your users) in the SQL database. Symmetric encryption needs a secret key, which GitLab CI will generate for you when you install / upgrade to 7.13.

The key is called db_key_base and can be found in /etc/gitlab/gitlab-secrets.json (in Omnibus packages) or config/secrets.yml (in installations from source). If you lose this secret key during a backup restore or a server migration, your users will lose their ‘secure variables’.

Don’t store the secret key in the same place as your database backups. If you do, somebody who steals your backup also gets your users' secure variables.

If you use configuration management (Chef, Puppet etc.) you should store the secret key securely in your configuration management system. This way, your CI server uses the correct DB secret key after a server rebuild.
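
An added example, not part of the issue or of the puppet-gitlab module: a spot check for the two risks the excerpt names, a missing db_key_base and a copy of the key stored alongside the backups. The function names, the 1 MiB size cap, and the recursive key search (used so that no particular layout of gitlab-secrets.json is assumed) are assumptions of this example.

```python
import json
import os
import stat
import tarfile

KEY = "db_key_base"
MAX_BYTES = 1 << 20  # assumption: secrets files are small; larger files are skipped


def find_keys(node, name=KEY):
    """Yield every string stored under `name` anywhere in parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == name and isinstance(v, str):
                yield v
            else:
                yield from find_keys(v, name)
    elif isinstance(node, list):
        for item in node:
            yield from find_keys(item, name)


def _leaks(data, keys):
    return any(k in data for k in keys)


def audit(secrets_path, backup_dir):
    """Return findings (empty list = clean) for a secrets file and a backup dir."""
    with open(secrets_path, encoding="utf-8") as fh:
        keys = {k.encode() for k in find_keys(json.load(fh)) if k}
    if not keys:
        return [f"{secrets_path}: no {KEY} found"]
    findings = []
    if stat.S_IMODE(os.stat(secrets_path).st_mode) & 0o077:
        findings.append(f"{secrets_path}: accessible to group or others")
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            if not os.path.isfile(path):  # skip broken symlinks and specials
                continue
            if tarfile.is_tarfile(path):  # compressed tarballs are detected too
                with tarfile.open(path) as tar:
                    for m in tar:
                        if m.isfile() and m.size <= MAX_BYTES:
                            if _leaks(tar.extractfile(m).read(), keys):
                                findings.append(f"{path}!{m.name}: holds {KEY}")
            elif os.path.getsize(path) <= MAX_BYTES:
                with open(path, "rb") as fh:
                    if _leaks(fh.read(), keys):
                        findings.append(f"{path}: holds {KEY}")
    return findings
```

On an Omnibus host this would be called as audit("/etc/gitlab/gitlab-secrets.json", backup_dir), with backup_dir set to wherever that installation writes its backups.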

@tobru tobru changed the title Add db_key_base for Gitlab CI 7.13 Add 'db_key_base' for Gitlab CI 7.13 Jul 23, 2015
@tobru tobru closed this as completed in 4253a1d Jul 24, 2015
b4ldr added a commit to icann-dns/puppet-gitlab that referenced this issue Apr 3, 2018
# This is the 1st commit message:

.

# This is the commit message #2:

remove duplicate githooks

# This is the commit message #3:

Refactor cirunners

-

-

update

# This is the commit message #4:

add deprecation notice

# This is the commit message #5:

add travis secret for publishing module

# This is the commit message #6:

release 1.16.0

# This is the commit message #7:

rename changelog for release gem

# This is the commit message voxpupuli#8:

rewrite changelog with github-changelog-generator

# This is the commit message voxpupuli#9:

[blacksmith] Bump version to 1.16.1-rc0

# This is the commit message voxpupuli#10:

modulesync 1.7.0

# This is the commit message voxpupuli#11:

modulesync 1.7.0 take 2

# This is the commit message voxpupuli#12:

fix spec test hiera location

# This is the commit message voxpupuli#13:

release 1.16.1

# This is the commit message voxpupuli#14:

[blacksmith] Bump version to 1.16.2-rc0

# This is the commit message voxpupuli#15:

Propose small spelling change

# This is the commit message voxpupuli#16:

Fixed redhat installation

# This is the commit message voxpupuli#17:

add letsencrypt section to gitlab.rb

# This is the commit message voxpupuli#18:

I think there were some minor problems with voxpupuli#155.  This allows managing the backup cron w/o managing the config file and fixing SKIP syntax.

# This is the commit message voxpupuli#19:

setup fast indexing of ssh keys

# This is the commit message voxpupuli#20:

add unit test for store_git_keys_in_db

# This is the commit message voxpupuli#21:

added docs for using store_git_keys_in_db feature

# This is the commit message voxpupuli#22:

add variable to scope

# This is the commit message voxpupuli#23:

update regex in ssh fast lookup spec

# This is the commit message voxpupuli#24:

another stab at regex

# This is the commit message voxpupuli#25:

typo correction

# This is the commit message voxpupuli#26:

checking file exists first