Add Azure Blob Storage configuration

Unlike AWS and Google, Azure needs to use an Azure client inside Workhorse to support direct uploads. Using standard HTTP transfers with pre-signed URLs with the Azure Put Blob API (https://docs.microsoft.com/en-us/rest/api/storageservices/put-blob) doesn't work because Azure doesn't support chunked transfer encoding. However, Azure does support uploading files in segments via the Put Block and Put Block List API (https://docs.microsoft.com/en-us/rest/api/storageservices/put-block), but this requires an Azure client. To support this, this commit extracts the Azure Fog credentials from the Rails connection information and adds them to the Workhorse configuration. This changes requires two merge requests to work: 1. https://gitlab.com/gitlab-org/gitlab-workhorse/-/merge_requests/555 2. https://gitlab.com/gitlab-org/gitlab/-/merge_requests/38882 Part of https://gitlab.com/gitlab-org/gitlab/-/issues/25877

Add Azure Blob Storage configuration
4d79d41a · Stan Hu · b87b6256 · 4d79d41a · 4d79d41a · 4d79d41a
Commit 4d79d41a authored 4 years ago by Stan Hu
--- a/changelogs/unreleased/sh-add-azure-blob-credentials.yml
+++ b/changelogs/unreleased/sh-add-azure-blob-credentials.yml
+---
+title: Add Azure Blob Storage configuration
+merge_request: 4505
+author:
+type: added
--- a/files/gitlab-cookbooks/gitlab/recipes/gitlab-workhorse.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/gitlab-workhorse.rb
@@ -73,7 +73,8 @@ redis_sentinel_master = node['redis']['master_name']
 redis_sentinel_master_password = node['redis']['master_password']
 config_file_path = File.join(working_dir, "config.toml")
 object_store = node['gitlab']['gitlab-rails']['object_store']
-object_store_provider = object_store.dig('connection', 'provider')
+provider = object_store.dig('connection', 'provider')
+object_store_provider = provider if %w(AWS AzureRM).include?(provider)
  
 template config_file_path do
  source "workhorse-config.toml.erb"

--- a/files/gitlab-cookbooks/gitlab/templates/default/workhorse-config.toml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/workhorse-config.toml.erb
@@ -8,12 +8,17 @@ SentinelMaster = "<%= @sentinel_master %>"
 Password = "<%= @master_password %>"
 <% end %>
  
-<%- if @object_store['enabled'] && @object_store_provider == 'AWS' %>
+<%- if @object_store['enabled'] && @object_store_provider %>
 [object_storage]
-  enabled = true
  provider = "<%= @object_store_provider %>"
  
+<%- if @object_store_provider == 'AWS' %>
 [object_storage.s3]
  aws_access_key_id = "<%= @object_store.dig('connection', 'aws_access_key_id') %>"
  aws_secret_access_key = "<%= @object_store.dig('connection', 'aws_secret_access_key') %>"
+<%- elsif @object_store_provider == 'AzureRM' %>
+[object_storage.azurerm]
+  azure_storage_account_name = "<%= @object_store.dig('connection', 'azure_storage_account_name') %>"
+  azure_storage_access_key = "<%= @object_store.dig('connection', 'azure_storage_access_key') %>"
+<%- end %>
 <%- end %>
--- a/spec/chef/recipes/gitlab-workhorse_spec.rb
+++ b/spec/chef/recipes/gitlab-workhorse_spec.rb
@@ -156,23 +156,46 @@ RSpec.describe 'gitlab::gitlab-workhorse' do
  context 'consolidated object store settings' do
    include_context 'object storage config'
  
-    before do
-      stub_gitlab_rb(
-        gitlab_rails: {
-          object_store: {
-            enabled: true,
-            connection: aws_connection_hash,
-            objects: object_config
+    context 'with S3 config' do
+      before do
+        stub_gitlab_rb(
+          gitlab_rails: {
+            object_store: {
+              enabled: true,
+              connection: aws_connection_hash,
+              objects: object_config
+            }
          }
+        )
+      end
+
+      it 'includes S3 credentials' do
+        expect(chef_run).to render_file(config_file).with_content { |content|
+          expect(content).to match(/\[object_storage\]\n  provider = "AWS"\n/m)
+          expect(content).to match(/\[object_storage.s3\]\n  aws_access_key_id = "AKIAKIAKI"\n  aws_secret_access_key = "secret123"\n/m)
        }
-      )
+      end
    end
  
-    it 'includes S3 credentials' do
-      expect(chef_run).to render_file(config_file).with_content { |content|
-        expect(content).to match(/\[object_storage\]\n  enabled = true\n  provider = "AWS"\n/m)
-        expect(content).to match(/\[object_storage.s3\]\n  aws_access_key_id = "AKIAKIAKI"\n  aws_secret_access_key = "secret123"\n/m)
-      }
+    context 'with Azure config' do
+      before do
+        stub_gitlab_rb(
+          gitlab_rails: {
+            object_store: {
+              enabled: true,
+              connection: azure_connection_hash,
+              objects: object_config
+            }
+          }
+        )
+      end
+
+      it 'includes Azure credentials' do
+        expect(chef_run).to render_file(config_file).with_content { |content|
+          expect(content).to match(/\[object_storage\]\n  provider = "AzureRM"\n/m)
+          expect(content).to match(/\[object_storage.azurerm\]\n  azure_storage_account_name = "testaccount"\n  azure_storage_access_key = "1234abcd"\n/m)
+        }
+      end
    end
  end
  

--- a/spec/support/shared_examples/object_store_shared_context.rb
+++ b/spec/support/shared_examples/object_store_shared_context.rb
@@ -27,4 +27,11 @@ RSpec.shared_context 'object storage config' do
      'server_side_encryption_kms_key_id' => 'arn:aws:12345'
    }
  end
+  let(:azure_connection_hash) do
+    {
+      'provider' => 'AzureRM',
+      'azure_storage_account_name' => 'testaccount',
+      'azure_storage_access_key' => '1234abcd'
+    }
+  end
 end