Add back in warning for conflicting new and legacy secrets

Brought back all the secret specs as well. And updated the gitlab.rb doc link for the CI section

Add back in warning for conflicting new and legacy secrets
d4f3f5d5 · DJ Mountney · Marin Jankovski · 5511b246 · 5511b246 · 5511b246
Commit d4f3f5d5 authored 8 years ago by DJ Mountney Committed by Marin Jankovski 8 years ago
--- a/files/gitlab-cookbooks/gitlab/recipes/ci-sidekiq.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/ci-sidekiq.rb
-#
-# Copyright:: Copyright (c) 2012 Opscode, Inc.
-# Copyright:: Copyright (c) 2014 GitLab B.V.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-sidekiq_service 'ci-sidekiq' do
-  rails_app 'gitlab-ci'
-  user AccountHelper.new(node).gitlab_ci_user
-end
--- a/files/gitlab-cookbooks/gitlab/recipes/ci-sidekiq_disable.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/ci-sidekiq_disable.rb
-#
-# Copyright:: Copyright (c) 2012 Opscode, Inc.
-# Copyright:: Copyright (c) 2014 GitLab B.V.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-runit_service "ci-sidekiq" do
-  action :disable
-end
--- a/files/gitlab-cookbooks/gitlab/recipes/ci-unicorn.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/ci-unicorn.rb
-#
-# Copyright:: Copyright (c) 2012 Opscode, Inc.
-# Copyright:: Copyright (c) 2014 GitLab B.V.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-unicorn_service 'ci-unicorn' do
-  rails_app 'gitlab-ci'
-  user AccountHelper.new(node).gitlab_ci_user
-end
--- a/files/gitlab-cookbooks/gitlab/recipes/ci-unicorn_disable.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/ci-unicorn_disable.rb
-#
-# Copyright:: Copyright (c) 2012 Opscode, Inc.
-# Copyright:: Copyright (c) 2014 GitLab B.V.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-runit_service "ci-unicorn" do
-  action :disable
-end
--- a/files/gitlab-cookbooks/gitlab/recipes/cron.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/cron.rb
-#
-# Copyright:: Copyright (c) 2014 GitLab B.V.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# Remove all cronjobs for gitlab-ci builds
-
-cron 'gitlab-ci schedule builds' do
-  user 'root'
-  action :delete
-end
-
-cron 'gitlab-ci schedule builds' do
-  user AccountHelper.new(node).gitlab_ci_user
-  action :delete
-end
--- a/files/gitlab-cookbooks/gitlab/recipes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/default.rb
@@ -69,8 +69,6 @@ if node['gitlab']['gitlab-rails']['enable']
  include_recipe "gitlab::gitlab-rails"
 end
  
-include_recipe "gitlab::gitlab-ci-proxying"
-
 include_recipe "gitlab::selinux"
  
 # add trusted certs recipe
@@ -80,9 +78,7 @@ include_recipe "gitlab::add_trusted_certs"
 # the corresponding service recipe is not loaded below.
 [
  "unicorn",
-  "ci-unicorn",
  "sidekiq",
-  "ci-sidekiq",
  "mailroom"
 ].each do |dummy|
  service "create a temporary #{dummy} service" do

--- a/files/gitlab-cookbooks/gitlab/recipes/gitlab-ci-proxying.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/gitlab-ci-proxying.rb
-#
-# Copyright:: Copyright (c) 2012 Opscode, Inc.
-# Copyright:: Copyright (c) 2015 GitLab B.V.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-omnibus_helper = OmnibusHelper.new(node)
-ci_nginx_vars = node['gitlab']['ci-nginx'].to_hash
-
-if ci_nginx_vars['listen_https'].nil?
-  ci_nginx_vars['https'] = node['gitlab']['gitlab-ci']['gitlab_ci_https']
-else
-  ci_nginx_vars['https'] = ci_nginx_vars['listen_https']
-end
-
-nginx_conf_dir = File.join(node['gitlab']['nginx']['dir'], "conf")
-gitlab_ci_http_config = File.join(nginx_conf_dir, "gitlab-ci-http.conf")
-
-if node["gitlab"]['gitlab-ci']['gitlab_ci_host']
-  template gitlab_ci_http_config do
-    source "nginx-gitlab-ci-http.conf.erb"
-    owner "root"
-    group "root"
-    mode "0644"
-    variables(ci_nginx_vars.merge(
-      {
-        :fqdn => node['gitlab']['gitlab-ci']['gitlab_ci_host'],
-        :port => node['gitlab']['gitlab-ci']['gitlab_ci_port'],
-        :socket => node['gitlab']['ci-unicorn']['socket'],
-        :gitlab_fqdn => CiHelper.gitlab_server_fqdn
-      }
-    ))
-    notifies :restart, 'service[nginx]' if omnibus_helper.should_notify?("nginx")
-  end
-
-  node.override["gitlab"]['nginx']["gitlab_ci_http_config"] = gitlab_ci_http_config
-else
-  template gitlab_ci_http_config do
-    source "nginx-gitlab-ci-http.conf.erb"
-    action :delete
-  end
-
-  node.override["gitlab"]['nginx']["gitlab_ci_http_config"] = nil
-end
-
-if node["gitlab"]['gitlab-ci']["enable"]
-  node.override["gitlab"]['gitlab-ci']["enable"] = false
-end
--- a/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/nginx.rb
@@ -213,7 +213,6 @@ template nginx_status_conf do
 end
  
 nginx_vars['gitlab_access_log_format'] = node['gitlab']['nginx']['log_format']
-nginx_vars['gitlab_ci_access_log_format'] = node['gitlab']['ci-nginx']['log_format']
 nginx_vars['gitlab_mattermost_access_log_format'] = node['gitlab']['mattermost-nginx']['log_format']
  
 template nginx_config do

--- a/files/gitlab-cookbooks/gitlab/templates/default/gitlab-ci-rc.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/gitlab-ci-rc.erb
-gitlab_ci_user='<%= node['gitlab']['gitlab-ci']['username'] %>'
--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-ci-http.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-ci-http.conf.erb
-# This file is managed by gitlab-ctl. Manual changes will be
-# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
-# and run `sudo gitlab-ctl reconfigure`.
-
-## GitLab CI
-
-<% if @https && @redirect_http_to_https %>
-server {
-<% @listen_addresses.each do |listen_address| %>
-  listen <%= listen_address %>:<%= @redirect_http_to_https_port %>;
-<% end %>
-  server_name <%= @fqdn %>;
-  server_tokens off;
-  rewrite ^(.*) https://<%= @fqdn %>:<%= @port %>$1 permanent;
-  access_log  <%= @log_directory %>/gitlab_ci_access.log gitlab_ci_access;
-  error_log   <%= @log_directory %>/gitlab_ci_error.log;
-}
-<% end %>
-
-server {
-<% @listen_addresses.each do |listen_address| %>
-  listen <%= listen_address %>:<%= @listen_port %><% if @https %> ssl<% end %>;
-<% end %>
-  server_name <%= @fqdn %>;
-  server_tokens off;     # don't show the version number, a security best practice
-
-  <% if @https %>
-  ssl on;
-  ssl_certificate <%= @ssl_certificate %>;
-  ssl_certificate_key <%= @ssl_certificate_key %>;
-  <% if @ssl_client_certificate %>
-  ssl_client_certificate <%= @ssl_client_certificate%>;
-   <% end %>
-  <% if @ssl_verify_client %>
-  ssl_verify_client <%= @ssl_verify_client%>;
-  ssl_verify_depth <%= @ssl_verify_depth%>;
-  <% end %>
-  ssl_ciphers '<%= @ssl_ciphers %>';
-  ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
-  ssl_protocols  <%= @ssl_protocols %>;
-  ssl_session_cache  <%= @ssl_session_cache %>;
-  ssl_session_timeout  <%= @ssl_session_timeout %>;
-  <% if @ssl_dhparam %>
-  ssl_dhparam <%= @ssl_dhparam %>;
-  <% end %>
-  <% end %>
-
-  ## Individual nginx logs for this GitLab CI vhost
-  access_log  <%= @log_directory %>/gitlab_ci_access.log gitlab_ci_access;
-  error_log   <%= @log_directory %>/gitlab_ci_error.log;
-
-  # expose API to fix runners
-  location /api {
-    proxy_read_timeout      <%= @proxy_read_timeout %>;
-    proxy_connect_timeout   <%= @proxy_connect_timeout %>;
-    proxy_redirect          off;
-    proxy_set_header      X-Real-IP $remote_addr;
-
-    # You need to specify your DNS servers that are able to resolve YOUR_GITLAB_SERVER_FQDN
-    resolver <%= @resolver %>;
-    proxy_pass  <%= @https ? "https" : "http" %>://<%= @gitlab_fqdn %>/ci$request_uri;
-  }
-
-  # expose build endpoint to allow trigger builds
-  location ~ ^/projects/\d+/build$ {
-    proxy_read_timeout      <%= @proxy_read_timeout %>;
-    proxy_connect_timeout   <%= @proxy_connect_timeout %>;
-    proxy_redirect          off;
-    proxy_set_header      X-Real-IP $remote_addr;
-
-    # You need to specify your DNS servers that are able to resolve YOUR_GITLAB_SERVER_FQDN
-    resolver <%= @resolver %>;
-    proxy_pass  <%= @https ? "https" : "http" %>://<%= @gitlab_fqdn %>/ci$request_uri;
-  }
-
-  # redirect all other CI requests
-  location / {
-    return 301 <%= @https ? "https" : "http" %>://<%= @gitlab_fqdn %>/ci$request_uri;
-  }
-
-  # adjust this to match the largest build log your runners might submit,
-  # set to 0 to disable limit
-  client_max_body_size <%= @client_max_body_size %>;
-
-  <%= @custom_gitlab_ci_server_config %>
-}
--- a/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/nginx.conf.erb
@@ -15,7 +15,6 @@ events {
  
 http {
  log_format gitlab_access '<%= @gitlab_access_log_format %>';
-  log_format gitlab_ci_access '<%= @gitlab_ci_access_log_format %>';
  log_format gitlab_mattermost_access '<%= @gitlab_mattermost_access_log_format %>';
  
  server_names_hash_bucket_size <%= @server_names_hash_bucket_size %>;
@@ -46,10 +45,6 @@ http {
  include <%= @gitlab_http_config %>;
  <% end %>
  
-  <% if @gitlab_ci_http_config %>
-  include <%= @gitlab_ci_http_config %>;
-  <% end %>
-
  <% if @gitlab_pages_http_config %>
  include <%= @gitlab_pages_http_config %>;
  <% end %>

--- a/files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb
@@ -41,7 +41,6 @@
  
 # MAPNAME       SYSTEM-USERNAME         PG-USERNAME
 gitlab  <%= node['gitlab']['user']['username'] %>  <%= node['gitlab']['postgresql']['sql_user'] %>
-gitlab  <%= node['gitlab']['gitlab-ci']['username'] %>  <%= node['gitlab']['postgresql']['sql_ci_user'] %>
 gitlab  <%= node['gitlab']['mattermost']['username'] %>  <%= node['gitlab']['postgresql']['sql_mattermost_user'] %>
 # Default to a 1-1 mapping between system usernames and Postgres usernames
 gitlab  /^(.*)$  \1
--- a/spec/chef/secrets_spec.rb
+++ b/spec/chef/secrets_spec.rb
@@ -184,29 +184,6 @@ describe 'secrets' do
        end
      end
  
-      context 'when there is a legacy CI gitlab_server key' do
-        before do
-          stub_gitlab_secrets_json(gitlab_ci: { gitlab_server: { url: 'json_ci_gitlab_server' } })
-          allow_any_instance_of(Object).to receive(:warn)
-        end
-
-        it 'warns that this value is no longer used, and prints the value' do
-          expect_any_instance_of(Object).to receive(:warn) do |value|
-            expect(value).to include('gitlab_server')
-            expect(value).to include('json_ci_gitlab_server')
-          end
-
-          chef_run
-        end
-
-        it 'does not write the value to the new file' do
-          chef_run
-
-          expect(new_secrets).not_to have_key('gitlab_ci')
-          expect(new_secrets.to_json).not_to include('json_ci_gitlab_server')
-        end
-      end
-
      context 'when secrets are ambiguous and cannot be migrated automatically' do
        before { stub_gitlab_secrets_json({}) }