After upgrade to GitLab 10.4.3 each puppet run wants to remove

[gdubicki]

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 3.8.7
• Ruby: ruby 2.0.0p648 (2015-12-16) [x86_64-linux]
• Distribution: CentOS Linux release 7.4.1708 (Core)
• Module version: 1.16.1

How to reproduce (e.g Puppet code you use)

The same as before GitLab upgrade - see below.

What are you seeing

After GitLab upgrade from 10.1.x to 10.4.3 each puppet run wants to remove postgres' internal_certificate and internal_key from gitlab-secrets.json and thus restart gitlab.

[root@XXXXXX ~]# puppet agent -t --noop
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for XXXXXX.YYYYYY
Warning: Non-string values for the file mode property are deprecated. It must be a string, either a symbolic mode like 'o+w,a+r' or an octal representation like '0644' or '755'.
   (at /usr/share/ruby/vendor_ruby/puppet/type/file/mode.rb:69:in `block (2 levels) in <module:Puppet>')
Info: Applying configuration version '1518736992'
(...)
Notice: Class[Profiles::Common]: Would have triggered 'refresh' from 1 events
Notice: /Stage[main]/Gitlab::Config/File[/etc/gitlab/gitlab-secrets.json]/content:
--- /etc/gitlab/gitlab-secrets.json     2018-02-15 23:22:06.165707956 +0000
+++ /tmp/puppet-file20180215-134031-1focon      2018-02-15 23:24:28.530491292 +0000
@@ -27,9 +27,5 @@
     "gitlab_auth_endpoint": "https://XXXXXX.YYYYYY/oauth/authorize",
     "gitlab_token_endpoint": "https://XXXXXX.YYYYYY/oauth/token",
     "gitlab_user_api_endpoint": "https://XXXXXX.YYYYYY/api/v3/user"
-  },
-  "postgresql": {
-    "internal_certificate": "-----BEGIN CERTIFICATE-----(...redacted...)-----END CERTIFICATE-----\n",
-    "internal_key": "-----BEGIN RSA PRIVATE KEY-----(...redacted...)-----END RSA PRIVATE KEY-----\n"
   }
 }

Notice: /Stage[main]/Gitlab::Config/File[/etc/gitlab/gitlab-secrets.json]/content: current_value {md5}aaaaaaaaaa, should be {md5}bbbbbbbb (noop)
Info: /Stage[main]/Gitlab::Config/File[/etc/gitlab/gitlab-secrets.json]: Scheduling refresh of Exec[gitlab_reconfigure]
Notice: /Stage[main]/Gitlab::Config/Exec[gitlab_reconfigure]: Would have triggered 'refresh' from 1 events
Notice: Class[Gitlab::Config]: Would have triggered 'refresh' from 2 events
Info: Class[Gitlab::Config]: Scheduling refresh of Class[Gitlab::Service]

I disabled ssl to postgres with this in hiera and I have verified according to https://docs.gitlab.com/omnibus/settings/database.html that it works:

gitlab::postgresql:
  ssl: 'off'

...but it didn't help with the issue above.

I think that the problem is that GitLab generates those values of secrets file on each run, so even setting them in hiera doesn't seem to help.

What behaviour did you expect instead

Puppet run should not change gitlab-secrets.json and not restart gitlab.

Any additional information you'd like to impart

We have been using old vshn/gitlab: 1.7.2 before switching to puppet-gitlab: 1.16.1 and it behaved the same way.

[gdubicki]

I will try workaround from #87 for now - stop managing gitlab-secrets.json completely.

[gdubicki]

Workaround helped.

[LongLiveCHIEF]

I really don't like this feature of the module. The file is called secrets for a reason, and managing those secrets in your puppet module just encourages unwittingly committing sensitive data into your control repos.

I think a better approach would be if this module managed the sharing/mounting of this file in regards to the gitlab-runsvdir service, making it easy to ensure the secrets are shared across nodes in HA nodes, and are included in any CRON backups.