Commit 8dd17632 authored by Valery Sizov's avatar Valery Sizov

Merge remote-tracking branch 'origin/master' into pitr

parents 90c50385 2ff21947
Showing
with 571 additions and 61 deletions
crond_job 'letsencrypt-renew' do
action :delete
end
include_recipe "crond::disable"
require_relative '../helpers/shell_out_helper'
class SELinuxHelper
class << self
include ShellOutHelper
def commands(node)
ssh_dir = File.join(node['gitlab']['user']['home'], ".ssh")
authorized_keys = node['gitlab']['gitlab-shell']['auth_file']
@@ -8,28 +12,30 @@ class SELinuxHelper
gitlab_rails_dir = node['gitlab']['gitlab-rails']['dir']
gitlab_rails_etc_dir = File.join(gitlab_rails_dir, "etc")
gitlab_shell_secret_file = File.join(gitlab_rails_etc_dir, 'gitlab_shell_secret')
gitlab_workhorse_sockets_directory = node['gitlab']['gitlab-workhorse']['sockets_directory']
 
# If SELinux is enabled, make sure that OpenSSH thinks the .ssh directory and authorized_keys file of the
# git_user is valid.
selinux_code = []
if File.exist?(ssh_dir)
selinux_code << "semanage fcontext -a -t ssh_home_t '#{ssh_dir}(/.*)?'"
selinux_code << "restorecon -R -v '#{ssh_dir}'"
end
selinux_code << "semanage fcontext -a -t gitlab_shell_t '#{ssh_dir}(/.*)?'"
selinux_code << "restorecon -R -v '#{ssh_dir}'" if File.exist?(ssh_dir)
[
authorized_keys,
gitlab_shell_config_file,
gitlab_shell_secret_file
gitlab_shell_secret_file,
gitlab_workhorse_sockets_directory
].each do |file|
selinux_code << "semanage fcontext -a -t gitlab_shell_t '#{file}'"
next unless File.exist?(file)
 
selinux_code << "semanage fcontext -a -t ssh_home_t '#{file}'"
selinux_code << "restorecon -v '#{file}'"
end
 
selinux_code.join("\n")
end
def enabled?
success?('id -Z')
end
end
end
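Review bot: `gitlab_workhorse_sockets_directory` is pushed into the file list unconditionally, yet the new workhorse library spec in this same commit asserts `sockets_directory` stays nil when workhorse listens on TCP; in that configuration the loop first emits `semanage fcontext -a -t gitlab_shell_t ''` and then `File.exist?(nil)` raises TypeError, if `commands` is evaluated at all in that mode. Dropping nil entries before iterating, `].compact.each do |file|`, avoids both. Separately, every path is embedded into a single-quoted shell string by interpolation; the values come from gitlab.rb, so an operator-supplied value containing a single quote would only break the generated script rather than escalate anything, but `Shellwords.escape(file)` would make the script robust to that. The first hunk of this file (the `require_relative` and the `include ShellOutHelper`) is cut by the collapsed region, so I can't see whether `gitlab_shell_config_file` is assigned there.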
@@ -15,8 +15,15 @@ default['patroni']['max_timelines_history'] = 0
default['patroni']['master_start_timeout'] = 300
default['patroni']['use_pg_rewind'] = false
default['patroni']['use_slots'] = true
default['patroni']['replication_password'] = nil
default['patroni']['replication_slots'] = {}
 
# Standby cluster replication settings
default['patroni']['standby_cluster']['enable'] = false
default['patroni']['standby_cluster']['host'] = nil
default['patroni']['standby_cluster']['port'] = 5432
default['patroni']['standby_cluster']['primary_slot_name'] = nil
# Global/Universal settings
default['patroni']['name'] = node.name
default['patroni']['scope'] = 'postgresql-ha'
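Review bot: `default['patroni']['replication_password'] = nil` introduces a plaintext secret attribute with no comment on how it relates to `postgresql['sql_replication_password']`, which the patroni.yaml template in this commit appears to stop using; a reader of this attributes file cannot tell which of the two Patroni now needs. Suggest a comment above it: `# Plaintext password for the replication user; rendered verbatim into patroni.yaml (the md5 of postgresql['sql_replication_password'] is no longer used there)`. The `standby_cluster` block deserves a similar line stating that every key except `enable` is copied verbatim into the DCS `standby_cluster` section, since PatroniHelper passes them through generically, so adding a key here changes what Patroni receives.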
@@ -63,6 +63,16 @@ class PatroniHelper < BaseHelper
dcs['slots'][slot_name] = parse_replication_slots_options(options)
end
 
if node['patroni']['standby_cluster']['enable']
dcs['standby_cluster'] = {}
node['patroni']['standby_cluster'].each do |key, value|
next if key == 'enable'
dcs['standby_cluster'][key] = value
end
end
dcs
end
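Review bot: when `standby_cluster.enable` is true the loop copies every other key verbatim, so with `host` left at its nil default (the attributes file in this commit defaults `host` and `primary_slot_name` to nil) the DCS receives `standby_cluster: {host: null, port: 5432, primary_slot_name: null}`, and Patroni is told to follow a primary that is not named. Either fail fast, `raise "patroni['standby_cluster']['host'] is required when standby_cluster is enabled" unless node['patroni']['standby_cluster']['host']`, or skip unset values with `next if key == 'enable' || value.nil?` so only configured settings reach the DCS; which is right depends on how Patroni treats a missing host, which I can't see from here. The enclosing method (`dynamic_settings`, judging by the new helper spec) starts outside the hunk.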
 
@@ -20,8 +20,8 @@ postgresql:
username: <%= account_helper.postgresql_user %>
replication:
username: <%= @postgresql_defaults['sql_replication_user'] %>
<% if @postgresql_defaults['sql_replication_password'] %>
password: <%= "md5#{@postgresql_defaults['sql_replication_password']}" %>
<% if @replication_password %>
password: <%= "#{@replication_password}" %>
<% end %>
bootstrap:
dcs: <%= patroni_helper.dynamic_settings.to_json %>
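Review bot: `password: <%= "#{@replication_password}" %>` drops the value into YAML unquoted; the md5 digest it replaces was always a hex string, but a free-form plaintext password may contain `#`, `:`, quotes, or a leading `*`/`&`/`@`, any of which changes or breaks the parsed YAML. Render it as a quoted scalar, e.g. `password: <%= @replication_password.to_json %>` (a JSON string is a valid YAML double-quoted scalar, and `to_json` is already used two lines below), and the surrounding `"#{...}"` interpolation is redundant either way. The `<% if @replication_password %>` guard also means an install that only sets `sql_replication_password` now gets no `replication.password` at all; if that is an intended breaking change it needs a note in the docs, which this page doesn't show. The `postgresql:` block this hunk sits in starts outside the visible lines.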
@@ -34,6 +34,7 @@ default['postgresql']['ssl_cert_file'] = 'server.crt'
default['postgresql']['ssl_key_file'] = 'server.key'
default['postgresql']['ssl_ca_file'] = "#{node['package']['install-dir']}/embedded/ssl/certs/cacert.pem"
default['postgresql']['ssl_crl_file'] = nil
default['postgresql']['cert_auth_addresses'] = {}
 
default['postgresql']['shmmax'] = /x86_64/.match?(node['kernel']['machine']) ? 17179869184 : 4294967295
default['postgresql']['shmall'] = /x86_64/.match?(node['kernel']['machine']) ? 4194304 : 1048575
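Review bot: `default['postgresql']['cert_auth_addresses'] = {}` is added without documenting its shape; the pg_hba template in this commit reads each entry as `addr => { 'database' => ..., 'user' => ... }`, which a reader of this attributes file cannot guess. Suggest a comment above it along the lines of `# Client-certificate entries for pg_hba.conf: { '<cidr or hostname>' => { 'database' => '<db>', 'user' => '<role>' } }; the client cert CN must equal the role and is verified against ssl_ca_file`. Note that `ssl_ca_file` defaults a few lines above to the embedded `cacert.pem` public CA bundle, so an operator enabling cert auth needs to point it at their own CA; that comment is the right place to say so.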
@@ -89,3 +89,6 @@ host<% if @hostssl %>ssl<% end %> replication <%= @sql_replication_user %> <%
<% end %>
<% end %>
 
<% @cert_auth_addresses.each do |addr, data| %>
hostssl <%= data['database'] %> <%= data['user'] %> <%= addr %> cert
<% end %>
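Review bot: the new `hostssl <db> <user> <addr> cert` lines are appended after the existing entries, and pg_hba.conf is first-match, so a client that also matches an earlier `host`/`hostssl` rule for the same database, user and address is still authenticated by that earlier method (the hunk header shows a `host<ssl> replication` rule preceding this block). If cert auth is meant to win for the listed addresses, these lines need to be emitted before the password entries; otherwise a comment in the template stating that cert entries only apply where no earlier rule matches would save the next reader the same question. `data['database']`, `data['user']` and `addr` are also interpolated raw, so a value containing whitespace splits into extra tokens; since these come from gitlab.rb that is an operator footgun rather than an exposure, but worth a comment.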
File added
module gitlab-13.5.0-gitlab-shell 1.0;
type gitlab_shell_t;
require {
type sshd_t;
attribute file_type;
class sock_file write;
class file { open read getattr };
}
typeattribute gitlab_shell_t file_type;
allow sshd_t gitlab_shell_t:file read;
allow sshd_t gitlab_shell_t:file open;
allow sshd_t gitlab_shell_t:file getattr;
allow sshd_t gitlab_shell_t:sock_file write;
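Review bot: the module carries no comment tying `gitlab_shell_t` to the paths selinux_helper labels with it (the `.ssh` directory and its contents, gitlab-shell's config and secret file, and the workhorse sockets directory), so a reader can't tell that this one type now spans the gitlab-shell secret and a socket sshd_t may write to. Suggest a header comment listing those paths and why sshd_t needs each (authorized_keys lookup, gitlab-shell config and secret, workhorse socket). I also don't see any `dir` permission granted to sshd_t on gitlab_shell_t, although the helper labels the `.ssh` directory itself with this type; if directory search isn't granted elsewhere through the `file_type` attribute, sshd's AuthorizedKeysFile lookup would be denied, which audit2why on a test host would confirm quickly. The module name embeds `13.5.0`, so later policy edits presumably need a new name or version bump to be reinstalled; that belongs in the comment too.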
require 'chef_helper'
RSpec.describe PatroniHelper do
let(:chef_run) do
ChefSpec::SoloRunner.new(step_into: %w(patroni)).converge('gitlab-ee::default')
end
subject(:helper) { PatroniHelper.new(chef_run.node) }
before do
allow(Gitlab).to receive(:[]).and_call_original
end
describe '#ctl_command' do
it 'returns a full path to the ctl_command' do
expect(helper.ctl_command).to eq('/opt/gitlab/embedded/bin/patronictl')
end
end
describe '#bootstrapped?' do
before do
allow(File).to receive(:exist?).and_call_original
end
it 'returns true when patroni.dynamic.json exists in postgresql data directory' do
allow(File).to receive(:exist?).with('/var/opt/gitlab/postgresql/data/patroni.dynamic.json').and_return(true)
expect(helper.bootstrapped?).to eq(true)
end
it 'returns false when patroni.dynamic.json does not exist in postgresql data directory' do
allow(File).to receive(:exist?).with('/var/opt/gitlab/postgresql/data/patroni.dynamic.json').and_return(false)
expect(helper.bootstrapped?).to eq(false)
end
end
describe '#dynamic_settings' do
it 'returns a hash with required keys' do
expected_root_keys = PatroniHelper::DCS_ATTRIBUTES + %w[postgresql slots]
expect(helper.dynamic_settings.keys).to match_array(expected_root_keys)
end
context 'with standby cluster enabled' do
it 'includes standby cluster attributes' do
stub_gitlab_rb(
patroni: {
enable: true,
standby_cluster: {
enable: true
}
}
)
expected_root_keys = PatroniHelper::DCS_ATTRIBUTES + %w[postgresql slots standby_cluster]
expect(helper.dynamic_settings.keys).to match_array(expected_root_keys)
end
end
end
describe '#public_attributes' do
context 'when patroni is enabled' do
it 'returns a hash with required keys' do
stub_gitlab_rb(
patroni: {
enable: true
}
)
expected_patroni_keys = %w(config_dir data_dir log_dir api_address)
expect(helper.public_attributes.keys).to match_array('patroni')
expect(helper.public_attributes['patroni'].keys).to match_array(expected_patroni_keys)
end
end
context 'when patroni is disabled' do
it 'returns an empty hash' do
expect(helper.public_attributes).to be_empty
end
end
end
end
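Review bot: the standby-cluster example only checks the top-level keys of `dynamic_settings`, so it would still pass if `enable` were copied into the nested `standby_cluster` hash or if `host`/`port` were dropped. One more assertion pins the contract the helper implements: `expect(helper.dynamic_settings['standby_cluster']).not_to have_key('enable')`, or, given the attribute defaults in this commit, `expect(helper.dynamic_settings['standby_cluster']).to eq('host' => nil, 'port' => 5432, 'primary_slot_name' => nil)`. `#bootstrapped?` also hard-codes the data directory path; deriving it from `chef_run.node` would keep the spec from silently diverging when the default moves.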
@@ -152,11 +152,11 @@ RSpec.describe 'patroni cookbook' do
postgresql: {
username: 'test_psql_user',
sql_user: 'test_sql_user',
sql_user_password: '32596e8376077c3ef8d5cf52f15279ba',
sql_user_password: 'dbda601b8d4dc3d1697ef84dbbb8e61b',
sql_replication_user: 'test_sql_replication_user',
sql_replication_password: '5b3e5a380c8fe8f8180d396be021951a',
sql_replication_password: '48e84afb4b268128ac14f7c66fc7af42',
pgbouncer_user: 'test_pgbouncer_user',
pgbouncer_user_password: '3b244bd6e459bc406013417367587d41',
pgbouncer_user_password: '2bc94731612abb74aea7805a41dfcb09',
connect_port: 15432,
},
patroni: {
@@ -171,6 +171,7 @@ RSpec.describe 'patroni cookbook' do
use_pg_rewind: true,
connect_address: '1.2.3.4',
connect_port: 18008,
replication_password: 'fakepassword',
replication_slots: {
'geo_secondary' => { 'type' => 'physical' }
},
@@ -205,7 +206,7 @@ RSpec.describe 'patroni cookbook' do
},
replication: {
username: 'test_sql_replication_user',
password: 'md55b3e5a380c8fe8f8180d396be021951a'
password: 'fakepassword'
}
)
expect(cfg[:restapi][:connect_address]).to eq('1.2.3.4:18008')
@@ -254,6 +255,70 @@ RSpec.describe 'patroni cookbook' do
end
end
 
context 'when standby cluster is enabled' do
before do
stub_gitlab_rb(
roles: %w(postgres_role),
patroni: {
enable: true,
use_pg_rewind: true,
replication_password: 'fakepassword',
standby_cluster: {
enable: true,
host: '1.2.3.4',
port: 5432,
primary_slot_name: 'geo_secondary'
}
},
postgresql: {
sql_user_password: 'a4125c87ce2572ce271cd77e0de9a0ad',
sql_replication_password: 'e64b415e9b9a34ac7ac6e53ae16ccacb',
md5_auth_cidr_addresses: '1.2.3.4/32'
}
)
end
it 'should be reflected in patroni configuration file' do
expect(chef_run).to render_file('/var/opt/gitlab/patroni/patroni.yaml').with_content { |content|
cfg = YAML.safe_load(content, permitted_classes: [Symbol], symbolize_names: true)
expect(cfg[:postgresql][:authentication]).to include(
replication: {
username: 'gitlab_replicator',
password: 'fakepassword'
}
)
expect(cfg[:bootstrap][:dcs]).to include(
standby_cluster: {
host: '1.2.3.4',
port: 5432,
primary_slot_name: 'geo_secondary'
}
)
expect(cfg[:bootstrap][:dcs][:postgresql]).to include(
use_pg_rewind: true
)
}
end
it 'should reflect into dcs config file' do
expect(chef_run).to render_file('/var/opt/gitlab/patroni/dcs.yaml').with_content { |content|
cfg = YAML.safe_load(content, permitted_classes: [Symbol], symbolize_names: true)
expect(cfg).to include(
standby_cluster: {
host: '1.2.3.4',
port: 5432,
primary_slot_name: 'geo_secondary'
}
)
expect(cfg[:postgresql]).to include(
use_pg_rewind: true
)
}
end
end
context 'when building a cluster' do
before do
stub_gitlab_rb(
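Review bot: the new standby-cluster context sets `replication_password` explicitly, and nothing in this file now covers an install that sets only `sql_replication_password`; the patroni.yaml template in this commit drops the `md5#{...}` fallback, so such an install ends up with no `replication.password`, and a spec pinning that (or pinning a fallback, if one is intended) would make the behaviour change deliberate rather than accidental. Style: the example names `'should be reflected in patroni configuration file'` and `'should reflect into dcs config file'` read better without "should", e.g. `it 'renders the standby cluster into patroni.yaml'` and `it 'renders the standby cluster into dcs.yaml'`. The `@@ -152,11 +152,11 @@` hunk only rotates fixture hashes.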
@@ -144,7 +144,7 @@ RSpec.describe 'gitaly' do
 
it 'populates gitaly config.toml with gitlab-workhorse socket' do
expect(chef_run).to render_file(config_path)
.with_content(%r{\[gitlab\]\s+url = 'http\+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsocket'\s+relative_url_root = ''})
.with_content(%r{\[gitlab\]\s+url = 'http\+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsockets%2Fsocket'\s+relative_url_root = ''})
end
end
 
@@ -488,13 +488,37 @@ RSpec.describe 'gitaly' do
end
 
context 'with a non-default workhorse unix socket' do
before do
stub_gitlab_rb(gitlab_workhorse: { listen_addr: '/fake/workhorse/socket' })
context 'with only a listen address set' do
before do
stub_gitlab_rb(gitlab_workhorse: { listen_addr: '/fake/workhorse/socket' })
end
it 'create config file with provided values' do
expect(chef_run).to render_file(config_path)
.with_content(%r{\[gitlab\]\s+url = 'http\+unix://%2Ffake%2Fworkhorse%2Fsocket'\s+relative_url_root = ''})
end
end
 
it 'create config file with provided values' do
expect(chef_run).to render_file(config_path)
.with_content(%r{\[gitlab\]\s+url = 'http\+unix://%2Ffake%2Fworkhorse%2Fsocket'\s+relative_url_root = ''})
context 'with only a socket directory set' do
before do
stub_gitlab_rb(gitlab_workhorse: { sockets_directory: '/fake/workhorse/sockets' })
end
it 'create config file with provided values' do
expect(chef_run).to render_file(config_path)
.with_content(%r{\[gitlab\]\s+url = 'http\+unix://%2Ffake%2Fworkhorse%2Fsockets%2Fsocket'\s+relative_url_root = ''})
end
end
context 'with a listen_address and a sockets_directory set' do
before do
stub_gitlab_rb(gitlab_workhorse: { listen_addr: '/sockets/in/the/wind', sockets_directory: '/sockets/in/the' })
end
it 'create config file with provided values' do
expect(chef_run).to render_file(config_path)
.with_content(%r{\[gitlab\]\s+url = 'http\+unix://%2Fsockets%2Fin%2Fthe%2Fwind'\s+relative_url_root = ''})
end
end
end
 
@@ -524,7 +548,7 @@ RSpec.describe 'gitaly' do
 
it 'create config file with the relative_url_root set' do
expect(chef_run).to render_file(config_path)
.with_content(%r{\[gitlab\]\s+url = 'http\+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsocket'\s+relative_url_root = '/gitlab'})
.with_content(%r{\[gitlab\]\s+url = 'http\+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsockets%2Fsocket'\s+relative_url_root = '/gitlab'})
end
end
end
@@ -46,7 +46,7 @@ RSpec.describe 'gitlab::gitlab-healthcheck' do
expect(chef_run).to render_file("/opt/gitlab/etc/gitlab-healthcheck-rc")
.with_content(%r{url='http://localhost/help'})
expect(chef_run).to render_file("/opt/gitlab/etc/gitlab-healthcheck-rc")
.with_content(%r{flags='--unix-socket /var/opt/gitlab/gitlab-workhorse/socket'})
.with_content(%r{flags='--unix-socket /var/opt/gitlab/gitlab-workhorse/sockets/socket'})
end
 
it 'correctly renders healthcheck-rc file using workhorse on a port' do
@@ -53,13 +53,27 @@ RSpec.describe 'gitlab::gitlab-rails' do
RSpec::Mocks.with_temporary_scope do
stub_gitlab_rb(gitlab_rails: { shared_path: '/tmp/shared',
uploads_directory: '/tmp/uploads',
builds_directory: '/tmp/builds' },
uploads_storage_path: '/tmp/uploads_storage' },
gitlab_ci: { builds_directory: '/tmp/builds' },
git_data_dirs: {
"some_storage" => {
"path" => "/tmp/git-data"
}
},
manage_storage_directories: { enable: false })
end
 
ChefSpec::SoloRunner.new.converge('gitlab::default')
end
 
it 'does not create the git-data directory' do
expect(chef_run).not_to run_ruby_block('directory resource: /tmp/git-data')
end
it 'does not create the repositories directory' do
expect(chef_run).not_to run_ruby_block('directory resource: /tmp/git-data/repositories')
end
it 'does not create the shared directory' do
expect(chef_run).not_to run_ruby_block('directory resource: /tmp/shared')
end
@@ -88,16 +102,20 @@ RSpec.describe 'gitlab::gitlab-rails' do
expect(chef_run).not_to run_ruby_block('directory resource: /tmp/shared/terraform_state')
end
 
it 'does not create the uploads storage directory' do
it 'does not create the GitLab pages directory' do
expect(chef_run).not_to run_ruby_block('directory resource: /tmp/shared/pages')
end
it 'does not create the uploads directory' do
expect(chef_run).not_to run_ruby_block('directory resource: /tmp/uploads')
end
 
it 'does not create the ci builds directory' do
expect(chef_run).not_to run_ruby_block('directory resource: /tmp/builds')
expect(chef_run).not_to run_ruby_block('directory resource: /tmp/uploads_storage')
end
 
it 'does not create the GitLab pages directory' do
expect(chef_run).not_to run_ruby_block('directory resource: /tmp/shared/pages')
it 'does not create the uploads storage directory' do
expect(chef_run).not_to run_ruby_block('directory resource: /tmp/uploads_storage')
end
end
 
@@ -107,14 +125,27 @@ RSpec.describe 'gitlab::gitlab-rails' do
stub_gitlab_rb(gitlab_rails: { shared_path: '/tmp/shared',
uploads_directory: '/tmp/uploads',
uploads_storage_path: '/tmp/uploads_storage' },
gitlab_ci: { builds_directory: '/tmp/builds' })
gitlab_ci: { builds_directory: '/tmp/builds' },
git_data_dirs: {
"some_storage" => {
"path" => "/tmp/git-data"
}
})
end
 
ChefSpec::SoloRunner.converge('gitlab::default')
end
 
it 'creates the git-data directory' do
expect(chef_run).to create_storage_directory('/tmp/git-data').with(owner: 'git', mode: '0700')
end
it 'creates the repositories directory' do
expect(chef_run).to create_storage_directory('/tmp/git-data/repositories').with(owner: 'git', group: 'git', mode: '2770')
end
it 'creates the shared directory' do
expect(chef_run).to create_storage_directory('/tmp/shared').with(owner: 'git', mode: '0751')
expect(chef_run).to create_storage_directory('/tmp/shared').with(owner: 'git', group: 'gitlab-www', mode: '0751')
end
 
it 'creates the artifacts directory' do
@@ -141,16 +172,8 @@ RSpec.describe 'gitlab::gitlab-rails' do
expect(chef_run).to create_storage_directory('/tmp/shared/terraform_state').with(owner: 'git', mode: '0700')
end
 
it 'creates the uploads directory' do
expect(chef_run).to create_storage_directory('/tmp/uploads').with(owner: 'git', mode: '0700')
end
it 'creates the ci builds directory' do
expect(chef_run).to create_storage_directory('/tmp/builds').with(owner: 'git', mode: '0700')
end
it 'creates the GitLab pages directory' do
expect(chef_run).to create_storage_directory('/tmp/shared/pages').with(owner: 'git', mode: '0750')
expect(chef_run).to create_storage_directory('/tmp/shared/pages').with(owner: 'git', group: 'gitlab-www', mode: '0750')
end
 
it 'creates the shared tmp directory' do
@@ -161,6 +184,14 @@ RSpec.describe 'gitlab::gitlab-rails' do
expect(chef_run).to create_storage_directory('/tmp/shared/cache').with(owner: 'git', mode: '0700')
end
 
it 'creates the uploads directory' do
expect(chef_run).to create_storage_directory('/tmp/uploads').with(owner: 'git', mode: '0700')
end
it 'creates the ci builds directory' do
expect(chef_run).to create_storage_directory('/tmp/builds').with(owner: 'git', mode: '0700')
end
it 'creates the uploads storage directory' do
expect(chef_run).to create_storage_directory('/tmp/uploads_storage').with(owner: 'git', mode: '0700')
end
@@ -802,7 +833,7 @@ RSpec.describe 'gitlab::gitlab-rails' do
stub_gitlab_rb(
git_data_dirs: {
"second_storage" => {
"path" => "tmp/storage"
"path" => "/tmp/storage"
}
}
)
@@ -811,7 +842,7 @@ RSpec.describe 'gitlab::gitlab-rails' do
hash_including(
'repositories_storages' => {
'second_storage' => {
'path' => 'tmp/storage/repositories',
'path' => '/tmp/storage/repositories',
'gitaly_address' => 'unix:/var/opt/gitlab/gitaly/gitaly.socket'
}
}
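Review bot: the fixture correction from `"path" => "tmp/storage"` to `"/tmp/storage"` (hunks `@@ -802` and `@@ -811`) shows that a relative `git_data_dirs` path was accepted and round-tripped into `repositories_storages` unchanged; if the library is meant to reject relative storage paths, a companion example asserting that a relative path raises would lock it down, and if it isn't, a one-line comment on the fixture saying the leading slash is only for realism would stop the next reader wondering. The remaining hunks in this file move and regroup existing examples; the `/tmp/shared` and pages expectations now also pin `group: 'gitlab-www'`, consistent with the `group: 'git'` pins added in the gitlab-shell spec.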
@@ -49,7 +49,7 @@ RSpec.describe 'gitlab::gitlab-shell' do
log_format: "json",
custom_hooks_dir: nil,
migration: { enabled: true, features: [] },
gitlab_url: 'http+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsocket',
gitlab_url: 'http+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsockets%2Fsocket',
gitlab_relative_path: ''
)
)
@@ -90,7 +90,7 @@ RSpec.describe 'gitlab::gitlab-shell' do
before { stub_gitlab_rb(user: { home: '/tmp/user' }) }
 
it 'creates the ssh dir in the user\'s home directory' do
expect(chef_run).to create_storage_directory('/tmp/user/.ssh').with(owner: 'git', mode: '0700')
expect(chef_run).to create_storage_directory('/tmp/user/.ssh').with(owner: 'git', group: 'git', mode: '0700')
end
 
it 'creates the config file with the auth_file within user\'s ssh directory' do
@@ -106,11 +106,11 @@ RSpec.describe 'gitlab::gitlab-shell' do
before { stub_gitlab_rb(user: { home: '/tmp/user' }, gitlab_shell: { auth_file: '/tmp/ssh/authorized_keys' }) }
 
it 'creates the ssh dir in the user\'s home directory' do
expect(chef_run).to create_storage_directory('/tmp/user/.ssh').with(owner: 'git', mode: '0700')
expect(chef_run).to create_storage_directory('/tmp/user/.ssh').with(owner: 'git', group: 'git', mode: '0700')
end
 
it 'creates the auth_file\'s parent directory' do
expect(chef_run).to create_storage_directory('/tmp/ssh').with(owner: 'git', mode: '0700')
expect(chef_run).to create_storage_directory('/tmp/ssh').with(owner: 'git', group: 'git', mode: '0700')
end
 
it 'creates the config file with the auth_file at the specified location' do
@@ -122,6 +122,14 @@ RSpec.describe 'gitlab::gitlab-shell' do
end
end
 
context 'when manage-storage-directories is disabled' do
before { stub_gitlab_rb(user: { home: '/tmp/user' }, manage_storage_directories: { enable: false }) }
it 'doesn\'t create the ssh dir in the user\'s home directory' do
expect(chef_run).not_to run_ruby_block('directory resource: /tmp/user/.ssh')
end
end
context 'with custom settings' do
before do
stub_gitlab_rb(
@@ -174,17 +182,34 @@ RSpec.describe 'gitlab::gitlab-shell' do
end
 
context 'with a non-default workhorse unix socket' do
before do
stub_gitlab_rb(gitlab_workhorse: { listen_addr: '/fake/workhorse/socket' })
context 'without sockets_directory defined' do
before do
stub_gitlab_rb(gitlab_workhorse: { listen_addr: '/fake/workhorse/socket' })
end
it 'create config file with provided values' do
expect(chef_run).to create_templatesymlink('Create a config.yml and create a symlink to Rails root').with_variables(
hash_including(
gitlab_url: 'http+unix://%2Ffake%2Fworkhorse%2Fsocket',
gitlab_relative_path: ''
)
)
end
end
 
it 'create config file with provided values' do
expect(chef_run).to create_templatesymlink('Create a config.yml and create a symlink to Rails root').with_variables(
hash_including(
gitlab_url: 'http+unix://%2Ffake%2Fworkhorse%2Fsocket',
gitlab_relative_path: ''
context 'with sockets_directory defined' do
before do
stub_gitlab_rb(gitlab_workhorse: { 'sockets_directory': '/fake/workhorse/sockets/' })
end
it 'create config file with provided values' do
expect(chef_run).to create_templatesymlink('Create a config.yml and create a symlink to Rails root').with_variables(
hash_including(
gitlab_url: 'http+unix://%2Ffake%2Fworkhorse%2Fsockets%2Fsocket',
gitlab_relative_path: ''
)
)
)
end
end
end
 
@@ -217,7 +242,7 @@ RSpec.describe 'gitlab::gitlab-shell' do
it 'create config file with provided values' do
expect(chef_run).to create_templatesymlink('Create a config.yml and create a symlink to Rails root').with_variables(
hash_including(
gitlab_url: 'http+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsocket',
gitlab_url: 'http+unix://%2Fvar%2Fopt%2Fgitlab%2Fgitlab-workhorse%2Fsockets%2Fsocket',
gitlab_relative_path: '/gitlab'
)
)
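Review bot: in the new `'with sockets_directory defined'` context the key is written as a quoted symbol, `'sockets_directory':`, while the sibling context and the rest of the file use bare `listen_addr:`; `sockets_directory: '/fake/workhorse/sockets/'` keeps the style uniform. The trailing slash in that value is the interesting part of the example, since the expected `%2Fsockets%2Fsocket` shows the library normalises it, so the example name should say so, e.g. `it 'normalises a trailing slash in the sockets directory'`, with a sibling example for the plain value without the slash.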
@@ -39,6 +39,16 @@ RSpec.describe 'gitlab::gitlab-workhorse' do
end
end
 
context 'when the deprecated socket file exists' do
it 'includes a cleanup for the orphan socket' do
allow(File).to receive(:exist?).and_call_original
allow(File).to receive(:exist?).with('/var/opt/gitlab/gitlab-workhorse/socket').and_return(true)
expect(chef_run).to render_file("/opt/gitlab/sv/gitlab-workhorse/run").with_content { |content|
expect(content).to match(%r(Removing orphaned workhorse socket at))
}
end
end
context 'user and group' do
context 'default values' do
it_behaves_like "enabled runit service", "gitlab-workhorse", "root", "root"
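Review bot: the `File.exist?` stubs in the new context are set inside the example rather than in a `before` block like the neighbouring contexts, and whether they take effect depends on `chef_run` not having converged before this point, which the hunk doesn't show; if it is memoised with `cached`, a check done at converge time would already have run with the real filesystem. Moving the stubs into a `before` block makes the ordering explicit, and the assertion could pin the path, `expect(content).to match(%r(Removing orphaned workhorse socket at /var/opt/gitlab/gitlab-workhorse/socket))`, so a regression that targets the wrong socket is caught.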
@@ -832,6 +832,33 @@ RSpec.describe 'postgresql 9.6' do
expect(postgresql_config).to notify('execute[reload postgresql]').to(:run).immediately
expect(postgresql_config).to notify('execute[start postgresql]').to(:run).immediately
end
context 'cert authentication' do
it 'is disabled by default' do
expect(chef_run).to render_file(pg_hba_conf).with_content { |content|
expect(content).to_not match(/cert$/)
}
end
it 'can be enabled' do
stub_gitlab_rb(
postgresql: {
cert_auth_addresses: {
'1.2.3.4/32' => {
database: 'fakedatabase',
user: 'fakeuser'
},
'fakehostname' => {
database: 'anotherfakedatabase',
user: 'anotherfakeuser'
},
}
}
)
expect(chef_run).to render_file(pg_hba_conf).with_content('hostssl fakedatabase fakeuser 1.2.3.4/32 cert')
expect(chef_run).to render_file(pg_hba_conf).with_content('hostssl anotherfakedatabase anotherfakeuser fakehostname cert')
end
end
end
 
it 'creates sysctl files' do
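Review bot: the negative example `expect(content).to_not match(/cert$/)` would also fail on a database or role name that happens to end in `cert`, and it passes vacuously if pg_hba.conf rendered nothing at all; anchoring it to the rule shape, `expect(content).not_to match(/^hostssl\s.*\scert$/)`, makes the assertion say what it means. The positive example calls `stub_gitlab_rb` inside the example body, which only works while `chef_run` is lazy; the patroni spec in this commit puts the stub in a `before` block, and doing the same here makes that dependency explicit.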
@@ -2,37 +2,42 @@ require 'chef_helper'
 
RSpec.describe 'gitlab::gitlab-selinux' do
let(:chef_run) { ChefSpec::SoloRunner.new(step_into: %w(templatesymlink storage_directory)).converge('gitlab::default') }
let(:templatesymlink) { chef_run.templatesymlink('Create a config.yml and create a symlink to Rails root') }
 
before do
allow(Gitlab).to receive(:[]).and_call_original
stub_default_should_notify?(true)
end
 
context 'when NOT running on selinux' do
before { stub_command('id -Z').and_return(false) }
before do
allow_any_instance_of(ShellOutHelper).to receive(:success?).with('id -Z').and_return(false)
end
 
it 'should not run the semanage bash command' do
expect(chef_run).not_to run_bash('Set proper security context on ssh files for selinux')
expect(templatesymlink).to_not notify('bash[Set proper security context on ssh files for selinux]').delayed
end
end
 
context 'when running on selinux' do
before do
stub_command('id -Z').and_return('')
allow_any_instance_of(ShellOutHelper).to receive(:success?).with('id -Z').and_return(true)
allow(File).to receive(:exist?).and_call_original
allow(File).to receive(:exist?).with('/var/opt/gitlab/.ssh').and_return(true)
allow(File).to receive(:exist?).with('/var/opt/gitlab/.ssh/authorized_keys').and_return(true)
allow(File).to receive(:exist?).with('/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret').and_return(true)
allow(File).to receive(:exist?).with('/var/opt/gitlab/gitlab-shell/config.yml').and_return(true)
allow(File).to receive(:exist?).with('/var/opt/gitlab/gitlab-workhorse/sockets').and_return(true)
end
 
let(:bash_block) { chef_run.bash('Set proper security context on ssh files for selinux') }
 
def semanage_fcontext(filename)
"semanage fcontext -a -t ssh_home_t '#(unknown)'"
"semanage fcontext -a -t gitlab_shell_t '#(unknown)'"
end
 
it 'should run the semanage bash command' do
expect(chef_run).to run_bash('Set proper security context on ssh files for selinux')
expect(templatesymlink).to notify('bash[Set proper security context on ssh files for selinux]').delayed
end
 
it 'sets the security context of gitlab-shell files' do
@@ -40,7 +45,8 @@ RSpec.describe 'gitlab::gitlab-selinux' do
files = %w(/var/opt/gitlab/.ssh(/.*)?
/var/opt/gitlab/.ssh/authorized_keys
/var/opt/gitlab/gitlab-shell/config.yml
/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret)
/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret
/var/opt/gitlab/gitlab-workhorse/sockets)
managed_files = files.map { |file| semanage_fcontext(file) }
 
expect(lines).to include(*managed_files)
@@ -48,6 +54,29 @@ RSpec.describe 'gitlab::gitlab-selinux' do
expect(lines).to include("restorecon -v '/var/opt/gitlab/.ssh/authorized_keys'")
expect(lines).to include("restorecon -v '/var/opt/gitlab/gitlab-shell/config.yml'")
expect(lines).to include("restorecon -v '/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret'")
expect(lines).to include("restorecon -v '/var/opt/gitlab/gitlab-workhorse/sockets'")
end
context 'and the user configured a custom workhorse sockets directory' do
let(:user_sockets_directory) { '/how/do/you/do' }
before do
stub_gitlab_rb(
gitlab_workhorse: {
listen_network: 'unix',
sockets_directory: user_sockets_directory
}
)
end
it 'sets the security context of a custom workhorse sockets directory' do
allow(File).to receive(:exist?).with(user_sockets_directory).and_return(true)
lines = bash_block.code.split("\n")
files = [user_sockets_directory]
managed_files = files.map { |file| semanage_fcontext(file) }
expect(lines).to include(*managed_files)
expect(lines).to include("restorecon -v '#{user_sockets_directory}'")
end
end
 
context 'when gitlab-rails is disabled' do
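Review bot: `allow_any_instance_of(ShellOutHelper).to receive(:success?).with('id -Z')` stubs a module mixed into `SELinuxHelper`'s singleton class, reaching through an implementation detail; the helper now exposes `enabled?` in this commit's selinux_helper hunk, so `allow(SELinuxHelper).to receive(:enabled?).and_return(false)` in the first context and `.and_return(true)` in the second would stub the public seam and drop the any-instance stub rubocop-rspec flags, assuming the recipe's guard goes through `enabled?`. The `semanage_fcontext` helper's expected string is rendered on this page as `'#(unknown)'`, which looks like the forge mangling `#{filename}` rather than the committed text. The custom-sockets-directory example stubs `File.exist?` inside the example; since `bash_block` is a lazy `let` first touched on the next line that works, but a `before` block would match the surrounding contexts.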
require 'chef_helper'
RSpec.describe GitlabWorkhorseHelper do
let(:node) { chef_run.node }
subject { described_class.new(node) }
before do
allow(Gitlab).to receive(:[]).and_call_original
end
context 'workhorse is listening on a tcp socket' do
cached(:chef_run) { converge_config }
let(:tcp_address) { '1.9.8.4' }
before do
stub_gitlab_rb(
gitlab_workhorse: {
listen_network: 'http',
listen_addr: tcp_address
}
)
end
describe '#unix_socket?' do
it 'returns false' do
expect(subject.unix_socket?).to be false
end
end
end
context 'workhorse is listening on a unix socket' do
cached(:chef_run) { converge_config }
before do
stub_gitlab_rb(
gitlab_workhorse: {
listen_network: 'unix'
}
)
end
describe '#unix_socket?' do
it 'returns true' do
expect(subject.unix_socket?).to be true
end
end
end
end
# This spec is to test the Workhorse library and whether the values parsed
# are the ones we expect
require 'chef_helper'
RSpec.describe 'GitlabWorkhorse' do
let(:node) { chef_run.node }
let(:user_socket) { '/where/is/my/ten/mm/socket_now' }
let(:user_sockets_directory) { '/where/is/my/ten/mm/sockets' }
let(:default_sockets_directory) { '/var/opt/gitlab/gitlab-workhorse/sockets' }
let(:default_socket) { '/var/opt/gitlab/gitlab-workhorse/sockets/socket' }
let(:tcp_listen_address) { '1.9.8.4' }
before do
allow(Gitlab).to receive(:[]).and_call_original
end
context '.parse_variables' do
context 'listening on a tcp socket' do
let(:chef_run) { converge_config }
before do
stub_gitlab_rb(
gitlab_workhorse: {
listen_network: 'http',
listen_addr: tcp_listen_address
}
)
end
it 'uses the user configured TCP listen address' do
expect(node['gitlab']['gitlab-workhorse']['listen_addr']).to eq(tcp_listen_address)
end
it 'keeps the sockets_directory as nil' do
expect(node['gitlab']['gitlab-workhorse']['sockets_directory']).to eq(nil)
end
end
context 'listening on a unix socket' do
context 'using default configuration' do
let(:chef_run) { converge_config }
before do
stub_gitlab_rb(
gitlab_workhorse: {
listen_network: 'unix'
}
)
end
it 'uses the default sockets directory' do
expect(node['gitlab']['gitlab-workhorse']['sockets_directory']).to eq(default_sockets_directory)
end
it 'uses the default socket file path' do
expect(node['gitlab']['gitlab-workhorse']['listen_addr']).to eq(default_socket)
end
end
context 'only listen_addr is set' do
let(:chef_run) { converge_config }
before do
stub_gitlab_rb(
gitlab_workhorse: {
listen_network: 'unix',
listen_addr: user_socket
}
)
end
it 'uses the user configured listen address' do
expect(node['gitlab']['gitlab-workhorse']['listen_addr']).to eq(user_socket)
end
it 'keeps the sockets_directory as nil' do
expect(node['gitlab']['gitlab-workhorse']['sockets_directory']).to eq(nil)
end
end
context 'only sockets_directory is set' do
let(:chef_run) { converge_config }
before do
stub_gitlab_rb(
gitlab_workhorse: {
listen_network: 'unix',
sockets_directory: user_sockets_directory
}
)
end
it 'uses the user configured sockets directory' do
expect(node['gitlab']['gitlab-workhorse']['sockets_directory']).to eq(user_sockets_directory)
end
it 'creates a socket named socket in the user configured sockets directory' do
expect(node['gitlab']['gitlab-workhorse']['listen_addr']).to eq("#{user_sockets_directory}/socket")
end
end
context 'listen_addr and sockets_directory are both set' do
let(:chef_run) { converge_config }
before do
stub_gitlab_rb(
gitlab_workhorse: {
listen_network: 'unix',
listen_addr: user_socket,
sockets_directory: user_sockets_directory
}
)
end
it 'uses the user configured sockets directory' do
expect(node['gitlab']['gitlab-workhorse']['sockets_directory']).to eq(user_sockets_directory)
end
it 'creates a socket matching the configured listen_addr' do
expect(node['gitlab']['gitlab-workhorse']['listen_addr']).to eq(user_socket)
end
end
end
end
end
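Review bot: the `'only sockets_directory is set'` context asserts `listen_addr` becomes `"#{user_sockets_directory}/socket"`, but the gitlab-shell spec in this commit relies on a trailing slash in `sockets_directory` being normalised (`/fake/workhorse/sockets/` renders as `%2Fsockets%2Fsocket`), and that normalisation isn't pinned here where the parsing is actually under test; a context with `sockets_directory: "#{user_sockets_directory}/"` asserting the same `listen_addr` would cover it. The TCP context pins `sockets_directory` as nil, which is the value the SELinux helper in this commit feeds unguarded into `File.exist?`; an example here is the right place to document that nil is the contract for non-unix listeners, e.g. `# sockets_directory stays nil for TCP listeners; consumers must tolerate that`.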