From 8d82aab171450b42e23def241e5c609d59c770c6 Mon Sep 17 00:00:00 2001
From: Nobuhiro Takaichi
Date: Sat, 28 Sep 2024 05:10:49 +0000
Subject: [PATCH 1/6] feat: Enable AWS_BACKUP_USE_IAM_PROFILE functionality
---
 assets/runtime/config/gitlabhq/gitlab.yml | 5 +++++
 assets/runtime/env-defaults | 2 ++
 assets/runtime/functions | 17 +++++++++++++++--
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index f828dd6f5..c4d43d03b 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -1096,8 +1096,13 @@ production: &base
 region: {{AWS_BACKUP_REGION}}
 endpoint: {{AWS_BACKUP_ENDPOINT}}
 path_style: {{AWS_BACKUP_PATH_STYLE}}
+ #start-backup-secret-access-key-aws
 aws_access_key_id: {{AWS_BACKUP_ACCESS_KEY_ID}}
 aws_secret_access_key: '{{AWS_BACKUP_SECRET_ACCESS_KEY}}'
+ #end-backup-secret-access-key-aws
+ #start-backup-use-iam-profile-aws
+ use_iam_profile: {{AWS_BACKUP_USE_IAM_PROFILE}}
+ #end-backup-use-iam-profile-aws
 aws_signature_version: {{AWS_BACKUP_SIGNATURE_VERSION}}
 # The remote 'directory' to store your backups. For S3, this would be the bucket name.
 remote_directory: '{{AWS_BACKUP_BUCKET}}'
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 7c6de6d97..6c8b9ee23 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -108,6 +108,7 @@ GITLAB_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_OBJECT_STORE_CONNECTION_PROVIDE
 #-- AWS
 AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-AWS_ACCESS_KEY_ID}
 AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-AWS_SECRET_ACCESS_KEY}
+AWS_BACKUP_USE_IAM_PROFILE=${AWS_BACKUP_USE_IAM_PROFILE:-AWS_BACKUP_USE_IAM_PROFILE}
 AWS_REGION=${AWS_REGION:-us-east-1}
 AWS_HOST=${AWS_HOST:-s3.amazonaws.com}
 AWS_ENDPOINT=${AWS_ENDPOINT:-nil}
@@ -313,6 +314,7 @@ AWS_BACKUP_ENDPOINT=${AWS_BACKUP_ENDPOINT}
 AWS_BACKUP_PATH_STYLE=${AWS_BACKUP_PATH_STYLE:-false}
 AWS_BACKUP_ACCESS_KEY_ID=${AWS_BACKUP_ACCESS_KEY_ID}
 AWS_BACKUP_SECRET_ACCESS_KEY=${AWS_BACKUP_SECRET_ACCESS_KEY}
+AWS_BACKUP_USE_IAM_PROFILE=${AWS_BACKUP_USE_IAM_PROFILE}
 AWS_BACKUP_BUCKET=${AWS_BACKUP_BUCKET}
 AWS_BACKUP_MULTIPART_CHUNK_SIZE=${AWS_BACKUP_MULTIPART_CHUNK_SIZE}
 AWS_BACKUP_ENCRYPTION=${AWS_BACKUP_ENCRYPTION}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index a9a778c53..d91f92a3b 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -983,9 +983,21 @@ gitlab_configure_backups_aws() {
 AWS_BACKUP_PATH_STYLE="true"
 fi
- if [[ -z ${AWS_BACKUP_ACCESS_KEY_ID} || -z ${AWS_BACKUP_SECRET_ACCESS_KEY} || -z ${AWS_BACKUP_BUCKET} ]]; then
- echo "\nMissing AWS options. Aborting...\n"
+ if [[ ${AWS_BACKUP_USE_IAM_PROFILE} != true ]]; then
+ if [[ -z ${AWS_BACKUP_ACCESS_KEY_ID} || -z ${AWS_BACKUP_SECRET_ACCESS_KEY} || -z ${AWS_BACKUP_BUCKET} ]]; then
+ echo "Missing AWS options. Aborting..."
+ return 1
+ else
+ exec_as_git sed -i "/#start-backup-use-iam-profile-aws/,/#end-backup-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ fi
+ elif [[ -z ${AWS_BACKUP_BUCKET} ]]; then
+ echo "Missing AWS options. Aborting..."
 return 1
+ elif [[ -n ${AWS_BACKUP_ACCESS_KEY_ID} || -n ${AWS_BACKUP_SECRET_ACCESS_KEY} ]]; then
+ echo "If using an IAM Profile, don't configure aws_access_key_id & aws_secret_access_key. Aborting..."
+ return 1
+ else
+ exec_as_git sed -i "/#start-backup-secret-access-key-aws/,/#end-backup-secret-access-key-aws/d" ${GITLAB_CONFIG}
 fi
 update_template ${GITLAB_CONFIG} \
@@ -994,6 +1006,7 @@ gitlab_configure_backups_aws() {
 AWS_BACKUP_PATH_STYLE \
 AWS_BACKUP_ACCESS_KEY_ID \
 AWS_BACKUP_SECRET_ACCESS_KEY \
+ AWS_BACKUP_USE_IAM_PROFILE \
 AWS_BACKUP_BUCKET \
 AWS_BACKUP_MULTIPART_CHUNK_SIZE \
 AWS_BACKUP_STORAGE_CLASS \
From d8d7804a1d1fdd69c1fb5c4f61e79e31e8743333 Mon Sep 17 00:00:00 2001
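Review bot: The new branch selection in `gitlab_configure_backups_aws` compares `${AWS_BACKUP_USE_IAM_PROFILE}` with the exact string `true`, so a value such as `True`, `yes` or `1` silently takes the static-key path: if keys happen to be set as well, the backup runs with them while the operator believes the instance profile is in use, and if they are not, the generic `Missing AWS options` message gives no hint that the flag was the problem. Normalising the value before the test, `if [[ ${AWS_BACKUP_USE_IAM_PROFILE,,} != true ]]; then`, or rejecting anything other than `true`/`false` up front with its own message, makes a mistyped flag fail loudly instead of falling back to credentials the operator did not intend. The `update_template` call after the hunk still lists `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY` even when their template lines were just deleted; that is harmless, but a one-line comment, `# unused placeholders after the block above was stripped; update_template ignores missing keys`, would stop the next reader from treating it as a bug (assuming update_template does tolerate that — not visible here). The function starts before the hunk.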
From: Nobuhiro Takaichi
Date: Sat, 28 Sep 2024 05:16:32 +0000
Subject: [PATCH 2/6] feat: Add symbolic link to the correct location of ca-cert file
based on: https://forum.gitlab.com/t/backup-error-openssl-ssl-ctx-load-verify-file-system-lib/102723/4
---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 82bc05091..87c11736a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -82,6 +82,8 @@ LABEL \
 EXPOSE 22/tcp 80/tcp 443/tcp
+RUN ln -s /etc/ssl/certs/ca-certificates.crt /usr/lib/ssl/cert.pem
+
 VOLUME ["${GITLAB_DATA_DIR}", "${GITLAB_LOG_DIR}","${GITLAB_HOME}/gitlab/node_modules"]
 WORKDIR ${GITLAB_INSTALL_DIR}
 ENTRYPOINT ["/sbin/entrypoint.sh"]
From 07544d1743baeacabc60e9c51de5af0094014b5e Mon Sep 17 00:00:00 2001
From: Nobuhiro Takaichi
Date: Sat, 28 Sep 2024 12:41:34 +0000
Subject: [PATCH 3/6] feat: Enable AWS_USE_IAM_PROFILE for other, ARTIFACTS, PACKAGES, TERRAFORM STATE, and LFS functions
---
 assets/runtime/config/gitlabhq/gitlab.yml | 25 +++++++
 assets/runtime/env-defaults | 7 +-
 assets/runtime/functions | 80 +++++++++++++++++++++--
 3 files changed, 106 insertions(+), 6 deletions(-)
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index c4d43d03b..50b03c6ae 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
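Review bot: `RUN ln -s /etc/ssl/certs/ca-certificates.crt /usr/lib/ssl/cert.pem` has no guard, so the image build fails if `/usr/lib/ssl/cert.pem` already exists or `/usr/lib/ssl` is absent in the base image; on Debian-derived images `/usr/lib/ssl` is commonly itself a symlink to `/etc/ssl`, in which case this creates `/etc/ssl/cert.pem` — worth confirming against the base image used here. `RUN ln -sf /etc/ssl/certs/ca-certificates.crt /usr/lib/ssl/cert.pem` keeps the step idempotent, and because this line decides which trust store OpenSSL consults for the S3 upload it deserves a comment such as `# OpenSSL looks for its default CA bundle at <openssldir>/cert.pem; point it at the distro bundle so remote backup uploads can verify TLS (see forum thread in commit message)`. An alternative that does not rewrite the filesystem is `ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt`, which OpenSSL reads for the same purpose; either way the choice should be recorded next to the line rather than only in the commit body.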
@@ -225,8 +225,13 @@ production: &base
 connection:
 provider: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment
 #start-artifacts-aws
+ #start-artifacts-secret-access-key-aws
 aws_access_key_id: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}
 aws_secret_access_key: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}
+ #end-artifacts-secret-access-key-aws
+ #start-artifacts-use-iam-profile-aws
+ use_iam_profile: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}}
+ #end-artifacts-use-iam-profile-aws
 region: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION}}
 host: '{{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com
 aws_signature_version: {{GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4.
@@ -271,8 +276,13 @@ production: &base
 connection:
 provider: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER}}
 #start-lfs-aws
+ #start-lfs-secret-access-key-aws
 aws_access_key_id: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}
 aws_secret_access_key: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}
+ #end-lfs-secret-access-key-aws
+ #start-lfs-use-iam-profile-aws
+ use_iam_profile: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}}
+ #end-lfs-use-iam-profile-aws
 aws_signature_version: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4.
 region: {{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION}}
 host: '{{GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com
@@ -305,8 +315,13 @@ production: &base
 connection:
 provider: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER}}
 #start-uploads-aws
+ #start-uploads-secret-access-key-aws
 aws_access_key_id: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}
 aws_secret_access_key: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}
+ #end-uploads-secret-access-key-aws
+ #start-uploads-use-iam-profile-aws
+ use_iam_profile: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}}
+ #end-uploads-use-iam-profile-aws
 aws_signature_version: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4.
 region: {{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION}}
 host: '{{GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com
@@ -333,8 +348,13 @@ production: &base
 connection:
 provider: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER}} # Only AWS supported at the moment
 #start-packages-aws
+ #start-packages-secret-access-key-aws
 aws_access_key_id: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}
 aws_secret_access_key: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}
+ #end-packages-secret-access-key-aws
+ #start-packages-use-iam-profile-aws
+ use_iam_profile: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}}
+ #end-packages-use-iam-profile-aws
 region: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION}}
 host: '{{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com
 aws_signature_version: {{GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SIGNATURE_VERSION}} # For creation of signed URLs. Set to 2 if provider does not support v4.
@@ -380,8 +400,13 @@ production: &base
 connection:
 provider: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER}}
 #start-terraform_state-aws
+ #start-terraform_state-secret-access-key-aws
 aws_access_key_id: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID}}
 aws_secret_access_key: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY}}
+ #end-terraform_state-secret-access-key-aws
+ #start-terraform_state-use-iam-profile-aws
+ use_iam_profile: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}}
+ #end-terraform_state-use-iam-profile-aws
 region: {{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION}}
 host: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST}}' # default: s3.amazonaws.com
 endpoint: '{{GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT}}' # default: nil
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 6c8b9ee23..162d96f3b 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -108,7 +108,7 @@ GITLAB_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_OBJECT_STORE_CONNECTION_PROVIDE
 #-- AWS
 AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-AWS_ACCESS_KEY_ID}
 AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-AWS_SECRET_ACCESS_KEY}
-AWS_BACKUP_USE_IAM_PROFILE=${AWS_BACKUP_USE_IAM_PROFILE:-AWS_BACKUP_USE_IAM_PROFILE}
+AWS_USE_IAM_PROFILE=${AWS_USE_IAM_PROFILE:-AWS_USE_IAM_PROFILE}
 AWS_REGION=${AWS_REGION:-us-east-1}
 AWS_HOST=${AWS_HOST:-s3.amazonaws.com}
 AWS_ENDPOINT=${AWS_ENDPOINT:-nil}
@@ -135,6 +135,7 @@ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_ARTIFACTS_OBJECT_STOR
 # ARTIFACTS:AWS
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
+GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE:-$AWS_USE_IAM_PROFILE}
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
@@ -161,6 +162,7 @@ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_PACKAGES_OBJECT_STORE_
 # PACKAGES:AWS
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
+GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE:-$AWS_USE_IAM_PROFILE}
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
@@ -183,6 +185,7 @@ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_TERRAFORM_STATE
 # TERRAFORM STATE:AWS
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
+GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE:-$AWS_USE_IAM_PROFILE}
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
@@ -211,6 +214,7 @@ GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_LFS_OBJECT_STORE_CONNECTION
 # LFS:AWS
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
+GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE:-$AWS_USE_IAM_PROFILE}
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
@@ -236,6 +240,7 @@ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_UPLOADS_OBJECT_STORE_CO
 # Uploads:AWS
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID:-$AWS_ACCESS_KEY_ID}
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY:-$AWS_SECRET_ACCESS_KEY}
+GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE:-$AWS_USE_IAM_PROFILE}
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION:-$AWS_REGION}
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST:-$AWS_HOST}
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT=${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT:-$AWS_ENDPOINT}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index d91f92a3b..4abc5cc10 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -1161,6 +1161,19 @@ gitlab_configure_artifacts() {
 exec_as_git sed -i "/#start-artifacts-gcs/,/#end-artifacts-gcs/d" ${GITLAB_CONFIG}
 exec_as_git sed -i "/#start-artifacts-aws/d" ${GITLAB_CONFIG}
 exec_as_git sed -i "/#end-artifacts-aws/d" ${GITLAB_CONFIG}
+
+ if [[ "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}" == true ]]; then
+ echo " -> AWS ARTIFACTS USE IAM PROFILE selected removing access key config"
+ exec_as_git sed -i "/#start-artifacts-secret-access-key-aws/,/#end-artifacts-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ else
+ echo " -> AWS ARTIFACTS USE IAM PROFILE is not selected removing its config"
+ exec_as_git sed -i "/#start-artifacts-use-iam-profile-aws/,/#end-artifacts-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ fi
+
+ exec_as_git sed -i "/#start-artifacts-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#end-artifacts-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#start-artifacts-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#end-artifacts-use-iam-profile-aws/d" ${GITLAB_CONFIG}
 fi
 update_template ${GITLAB_CONFIG} \
@@ -1171,6 +1184,7 @@ gitlab_configure_artifacts() {
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_PROVIDER \
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
+ GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE \
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION \
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_HOST \
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
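Review bot: The IAM-profile block added to `gitlab_configure_artifacts` is repeated verbatim, with only the store name swapped, in `gitlab_configure_packages`, `gitlab_configure_terraform_state`, `gitlab_configure_lfs` and `gitlab_configure_uploads` (the hunks at -1208, -1254, -1297 and -1343): six `sed` invocations and two messages per store, which is exactly the kind of copy that drifts when one of them is later fixed. A small helper taking the marker prefix and the flag value would keep the five call sites to one line each, as sketched below. The `== true` test is also exact-match, so `True` or `yes` leaves the static keys in the rendered template while the operator believes the profile is in use; the helper below folds the value to lower case before comparing, and rejecting unrecognised values outright would be a reasonable further step. The enclosing function starts and ends outside the hunk.

```shell
# Keep only the AWS credential block the store actually uses and strip the marker comments.
#   $1 = marker prefix used in gitlab.yml (artifacts, packages, terraform_state, lfs, uploads)
#   $2 = value of the store's *_USE_IAM_PROFILE flag
gitlab_strip_aws_credential_block() {
  local prefix=$1 flag=$2
  case "${flag,,}" in
    true)
      echo " -> AWS ${prefix^^} USE IAM PROFILE selected removing access key config"
      exec_as_git sed -i "/#start-${prefix}-secret-access-key-aws/,/#end-${prefix}-secret-access-key-aws/d" ${GITLAB_CONFIG}
      ;;
    *)
      echo " -> AWS ${prefix^^} USE IAM PROFILE is not selected removing its config"
      exec_as_git sed -i "/#start-${prefix}-use-iam-profile-aws/,/#end-${prefix}-use-iam-profile-aws/d" ${GITLAB_CONFIG}
      ;;
  esac
  # leftover marker lines are YAML comments, but drop them so the rendered file stays clean
  exec_as_git sed -i "/#\(start\|end\)-${prefix}-\(secret-access-key\|use-iam-profile\)-aws/d" ${GITLAB_CONFIG}
}

# in gitlab_configure_artifacts():
      # … unchanged: gcs / #start-artifacts-aws / #end-artifacts-aws cleanup …
      gitlab_strip_aws_credential_block artifacts "${GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}"
```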
@@ -1180,7 +1194,7 @@ gitlab_configure_artifacts() {
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
 GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
 else
- exec_as_git sed -i -e "/path: {{GITLAB_ARTIFACTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
+ exec_as_git sed -i -e "/path: {{GITLAB_ARTIFACTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
 fi
 echo "Configuring gitlab::artifacts..."
@@ -1208,6 +1222,19 @@ gitlab_configure_packages() {
 exec_as_git sed -i "/#start-packages-gcs/,/#end-packages-gcs/d" ${GITLAB_CONFIG}
 exec_as_git sed -i "/#start-packages-aws/d" ${GITLAB_CONFIG}
 exec_as_git sed -i "/#end-packages-aws/d" ${GITLAB_CONFIG}
+
+ if [[ "${GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}" == true ]]; then
+ echo " -> AWS PACKAGES USE IAM PROFILE selected removing access key config"
+ exec_as_git sed -i "/#start-packages-secret-access-key-aws/,/#end-packages-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ else
+ echo " -> AWS PACKAGES USE IAM PROFILE is not selected removing its config"
+ exec_as_git sed -i "/#start-packages-use-iam-profile-aws/,/#end-packages-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ fi
+
+ exec_as_git sed -i "/#start-packages-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#end-packages-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#start-packages-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#end-packages-use-iam-profile-aws/d" ${GITLAB_CONFIG}
 fi
 update_template ${GITLAB_CONFIG} \
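Review bot: The `else` branch of `gitlab_configure_artifacts` still removes the whole object-store stanza by counting lines — the run of `N;` commands after `path: {{GITLAB_ARTIFACTS_DIR}}` is lengthened here to absorb the marker and `use_iam_profile` lines added to the template — and the same recount is repeated at -1227 (packages), -1270 (terraform_state), -1316 (lfs) and -1363 (uploads). Any future edit to those template stanzas silently breaks the count, leaving either a dangling fragment under `path:` or an unrelated key deleted, and nothing validates the result. Since the template already carries `#start-artifacts-aws`-style markers, bracketing the whole stanza with a pair (names illustrative, e.g. `#start-artifacts-object-store` / `#end-artifacts-object-store`) and deleting by range, `exec_as_git sed -i "/#start-artifacts-object-store/,/#end-artifacts-object-store/d" ${GITLAB_CONFIG}`, removes the dependency on line counts; it needs the markers added to gitlab.yml, which this hunk does not touch. The enclosing function continues outside the hunk.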
@@ -1218,6 +1245,7 @@ gitlab_configure_packages() {
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_PROVIDER \
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
+ GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE \
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION \
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_HOST \
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
@@ -1227,7 +1255,7 @@ gitlab_configure_packages() {
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
 GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
 else
- exec_as_git sed -i -e "/path: {{GITLAB_PACKAGES_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
+ exec_as_git sed -i -e "/path: {{GITLAB_PACKAGES_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
 fi
 echo "Configuring gitlab::packages..."
@@ -1254,6 +1282,19 @@ gitlab_configure_terraform_state() {
 exec_as_git sed -i "/#start-terraform_state-gcs/,/#end-terraform_state-gcs/d" ${GITLAB_CONFIG}
 exec_as_git sed -i "/#start-terraform_state-aws/d" ${GITLAB_CONFIG}
 exec_as_git sed -i "/#end-terraform_state-aws/d" ${GITLAB_CONFIG}
+
+ if [[ "${GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}" == true ]]; then
+ echo " -> AWS TERRAFORM STATE USE IAM PROFILE selected removing access key config"
+ exec_as_git sed -i "/#start-terraform_state-secret-access-key-aws/,/#end-terraform_state-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ else
+ echo " -> AWS TERRAFORM STATE USE IAM PROFILE is not selected removing its config"
+ exec_as_git sed -i "/#start-terraform_state-use-iam-profile-aws/,/#end-terraform_state-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ fi
+
+ exec_as_git sed -i "/#start-terraform_state-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#end-terraform_state-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#start-terraform_state-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#end-terraform_state-use-iam-profile-aws/d" ${GITLAB_CONFIG}
 fi
 update_template ${GITLAB_CONFIG} \
@@ -1261,6 +1302,7 @@ gitlab_configure_terraform_state() {
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_PROVIDER \
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
+ GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE \
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION \
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_HOST \
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
@@ -1270,7 +1312,7 @@ gitlab_configure_terraform_state() {
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
 GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
 else
- exec_as_git sed -i -e "/storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
+ exec_as_git sed -i -e "/storage_path: {{GITLAB_TERRAFORM_STATE_STORAGE_PATH}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
 fi
 echo "Configuring gitlab::terraform_state..."
@@ -1297,6 +1339,19 @@ gitlab_configure_lfs() {
 exec_as_git sed -i "/#start-lfs-gcs/,/#end-lfs-gcs/d" ${GITLAB_CONFIG}
 exec_as_git sed -i "/#start-lfs-aws/d" ${GITLAB_CONFIG}
 exec_as_git sed -i "/#end-lfs-aws/d" ${GITLAB_CONFIG}
+
+ if [[ "${GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}" == true ]]; then
+ echo " -> AWS LFS USE IAM PROFILE selected removing access key config"
+ exec_as_git sed -i "/#start-lfs-secret-access-key-aws/,/#end-lfs-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ else
+ echo " -> AWS LFS USE IAM PROFILE is not selected removing its config"
+ exec_as_git sed -i "/#start-lfs-use-iam-profile-aws/,/#end-lfs-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ fi
+
+ exec_as_git sed -i "/#start-lfs-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#end-lfs-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#start-lfs-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#end-lfs-use-iam-profile-aws/d" ${GITLAB_CONFIG}
 fi
 update_template ${GITLAB_CONFIG} \
@@ -1307,6 +1362,7 @@ gitlab_configure_lfs() {
 GITLAB_LFS_OBJECT_STORE_CONNECTION_PROVIDER \
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
+ GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE \
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION \
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_HOST \
 GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
@@ -1316,7 +1372,7 @@ gitlab_configure_lfs() {
 GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_CLIENT_EMAIL \
 GITLAB_LFS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
 else
- exec_as_git sed -i -e "/path: {{GITLAB_LFS_OBJECTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
+ exec_as_git sed -i -e "/path: {{GITLAB_LFS_OBJECTS_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
 fi
 echo "Configuring gitlab::lfs..."
@@ -1343,6 +1399,19 @@ gitlab_configure_uploads() {
 exec_as_git sed -i "/#start-uploads-gcs/,/#end-uploads-gcs/d" ${GITLAB_CONFIG}
 exec_as_git sed -i "/#start-uploads-aws/d" ${GITLAB_CONFIG}
 exec_as_git sed -i "/#end-uploads-aws/d" ${GITLAB_CONFIG}
+
+ if [[ "${GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE}" == true ]]; then
+ echo " -> AWS UPLOADS USE IAM PROFILE selected removing access key config"
+ exec_as_git sed -i "/#start-uploads-secret-access-key-aws/,/#end-uploads-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ else
+ echo " -> AWS UPLOADS USE IAM PROFILE is not selected removing its config"
+ exec_as_git sed -i "/#start-uploads-use-iam-profile-aws/,/#end-uploads-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ fi
+
+ exec_as_git sed -i "/#start-uploads-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#end-uploads-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#start-uploads-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#end-uploads-use-iam-profile-aws/d" ${GITLAB_CONFIG}
 fi
 update_template ${GITLAB_CONFIG} \
@@ -1353,6 +1422,7 @@ gitlab_configure_uploads() {
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_PROVIDER \
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID \
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY \
+ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE \
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_REGION \
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_HOST \
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_AWS_ENDPOINT \
@@ -1363,7 +1433,7 @@ gitlab_configure_uploads() {
 GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION
 else
- exec_as_git sed -i -e "/base_dir: {{GITLAB_UPLOADS_BASE_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
+ exec_as_git sed -i -e "/base_dir: {{GITLAB_UPLOADS_BASE_DIR}}/{n;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;N;d;}" ${GITLAB_CONFIG}
 fi
 echo "Configuring gitlab::uploads..."
From d3d00ea25d11dc798574be21e7f26bc0f860cab3 Mon Sep 17 00:00:00 2001
From: Nobuhiro Takaichi
Date: Sat, 28 Sep 2024 13:14:32 +0000
Subject: [PATCH 4/6] feat: Add default values for IAM profile
---
 assets/runtime/env-defaults | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 7f6241d2d..e7491060a 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -108,7 +108,7 @@ GITLAB_OBJECT_STORE_CONNECTION_PROVIDER=${GITLAB_OBJECT_STORE_CONNECTION_PROVIDE
 #-- AWS
 AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-AWS_ACCESS_KEY_ID}
 AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-AWS_SECRET_ACCESS_KEY}
-AWS_USE_IAM_PROFILE=${AWS_USE_IAM_PROFILE:-AWS_USE_IAM_PROFILE}
+AWS_USE_IAM_PROFILE=${AWS_USE_IAM_PROFILE:-false}
 AWS_REGION=${AWS_REGION:-us-east-1}
 AWS_HOST=${AWS_HOST:-s3.amazonaws.com}
 AWS_ENDPOINT=${AWS_ENDPOINT:-nil}
@@ -319,7 +319,7 @@ AWS_BACKUP_ENDPOINT=${AWS_BACKUP_ENDPOINT}
 AWS_BACKUP_PATH_STYLE=${AWS_BACKUP_PATH_STYLE:-false}
 AWS_BACKUP_ACCESS_KEY_ID=${AWS_BACKUP_ACCESS_KEY_ID}
 AWS_BACKUP_SECRET_ACCESS_KEY=${AWS_BACKUP_SECRET_ACCESS_KEY}
-AWS_BACKUP_USE_IAM_PROFILE=${AWS_BACKUP_USE_IAM_PROFILE}
+AWS_BACKUP_USE_IAM_PROFILE=${AWS_BACKUP_USE_IAM_PROFILE:-false}
 AWS_BACKUP_BUCKET=${AWS_BACKUP_BUCKET}
 AWS_BACKUP_MULTIPART_CHUNK_SIZE=${AWS_BACKUP_MULTIPART_CHUNK_SIZE}
 AWS_BACKUP_ENCRYPTION=${AWS_BACKUP_ENCRYPTION}
From 4d7338fc549d823ba0e49ac10479877b61601019 Mon Sep 17 00:00:00 2001
From: Nobuhiro Takaichi
Date: Sun, 29 Sep 2024 13:16:58 +0000
Subject: [PATCH 5/6] doc: Add instructions for use IAM profile
---
 README.md | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 876092305..bd94ab696 100644
--- a/README.md
+++ b/README.md
@@ -1081,6 +1081,10 @@ Default AWS access key to be used for object store. Defaults to `AWS_ACCESS_KEY_
 Default AWS access key to be used for object store. Defaults to `AWS_SECRET_ACCESS_KEY`
+##### `AWS_USE_IAM_PROFILE`
+
+Set to `true` to enable IAM Instance Profile for default authencicating to AWS. Defaults to `false`. Note: If set to `true`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` configurations will be ignored.
+
 ##### `AWS_REGION`
 AWS Region. Defaults to `us-east-1`
@@ -1149,6 +1153,10 @@ AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`
 AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`
+##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE`
+
+Set to `true` to enable IAM Instance Profile for authencicating to AWS. Defaults to `$AWS_USE_IAM_PROFILE`. Note: If set to `true`, `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` and `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` configurations will be ignored.
+
 ##### `GITLAB_ARTIFACTS_OBJECT_STORE_CONNECTION_AWS_REGION`
 AWS Region. Defaults to `$AWS_REGION`
@@ -1221,6 +1229,10 @@ AWS Access Key ID for the Bucket. Defaults to `AWS_ACCESS_KEY_ID`
 AWS Secret Access Key. Defaults to `AWS_SECRET_ACCESS_KEY`
+#### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE`
+
+Set to `true` to enable IAM Instance Profile for authencicating to AWS. Defaults to `$AWS_USE_IAM_PROFILE`. Note: If set to `true`, `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` and `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE` configurations will be ignored.
+
 ##### `GITLAB_LFS_OBJECT_STORE_CONNECTION_AWS_REGION`
 AWS Region. Defaults to `$AWS_REGION`
@@ -1293,6 +1305,11 @@ AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`
 AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`
+##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE`
+
+Set to `true` to enable IAM Instance Profile for authencicating to AWS. Defaults to `$AWS_USE_IAM_PROFILE`. Note: If set to `true`, `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` and `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` configurations will be ignored.
+
+
 ##### `GITLAB_PACKAGES_OBJECT_STORE_CONNECTION_AWS_REGION`
 AWS Region. Defaults to `$AWS_REGION`
@@ -1349,6 +1366,10 @@ AWS Access Key ID for the Bucket. Defaults to `$AWS_ACCESS_KEY_ID`
 AWS Secret Access Key. Defaults to `$AWS_SECRET_ACCESS_KEY`
+##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_USE_IAM_PROFILE`
+
+Set to `true` to enable IAM Instance Profile for authencicating to AWS. Defaults to `$AWS_USE_IAM_PROFILE`. Note: If set to `true`, `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_ACCESS_KEY_ID` and `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_SECRET_ACCESS_KEY` configurations will be ignored.
+
 ##### `GITLAB_TERRAFORM_STATE_OBJECT_STORE_CONNECTION_AWS_REGION`
 AWS Region. Defaults to `$AWS_REGION`
@@ -2430,11 +2451,15 @@ AWS endpoint. No defaults.
 ##### `AWS_BACKUP_ACCESS_KEY_ID`
-AWS access key id. No defaults.
+AWS access key id. No defaults. Don't configure this value if you enable `AWS_BACKUP_USE_IAM_PROFILE`.
 ##### `AWS_BACKUP_SECRET_ACCESS_KEY`
-AWS secret access key. No defaults.
+AWS secret access key. No defaults. Don't configure this value if you enable `AWS_BACKUP_USE_IAM_PROFILE`.
+
+##### `AWS_BACKUP_USE_IAM_PROFILE`
+
+Set to `true` to enable IAM Instance Profile for authencicating to AWS for backup. Defaults to `false`. Don't configure this value if you enable `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`.
 ##### `AWS_BACKUP_BUCKET`
@@ -2638,9 +2663,11 @@ By default, when automated backups are enabled, backups are held for a period of
 #### Amazon Web Services (AWS) Remote Backups
-The image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add `--env 'AWS_BACKUPS=true'` to the docker run command. In addition `AWS_BACKUP_REGION` and `AWS_BACKUP_BUCKET` must be properly configured to point to the desired AWS location. Finally an IAM user must be configured with appropriate access permission and their AWS keys exposed through `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`.
+The image can be configured to automatically upload the backups to an AWS S3 bucket. To enable automatic AWS backups first add `--env 'AWS_BACKUPS=true'` to the docker run command. In addition `AWS_BACKUP_REGION` and `AWS_BACKUP_BUCKET` must be properly configured to point to the desired AWS location. Finally, either an IAM user or IAM instance profile (IAM role) must be configured with appropriate access permission.
+
+If you use IAM user to execute remote backup, their AWS keys exposed through `AWS_BACKUP_ACCESS_KEY_ID` and `AWS_BACKUP_SECRET_ACCESS_KEY`. Or, if you use IAM instance profile (IAM role), add `--env 'AWS_BACKUP_USE_IAM_PROFILE=true'` to the docker run command.
-More details about the appropriate IAM user properties can found on [doc.gitlab.com](http://doc.gitlab.com/ce/raketasks/backup_restore.html#upload-backups-to-remote-cloud-storage)
+More details about the appropriate properties of IAM user and IAM instance profile can found on [docs.gitlab.com](https://docs.gitlab.com/ee/administration/backup_restore/backup_gitlab.html#upload-backups-to-a-remote-cloud-storage)
 For remote backup to self-hosted s3 compatible storage, use `AWS_BACKUP_ENDPOINT`.
From cfbd86ea44caead8dae5daf20e6b66a7cf6aa9b7 Mon Sep 17 00:00:00 2001
From: Nobuhiro Takaichi
Date: Sun, 29 Sep 2024 13:34:53 +0000
Subject: [PATCH 6/6] fix: Add sed commands to trim comment lines
---
 assets/runtime/functions | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/assets/runtime/functions b/assets/runtime/functions
index afa58ba73..56c41d11e 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -993,6 +993,8 @@ gitlab_configure_backups_aws() {
 return 1
 else
 exec_as_git sed -i "/#start-backup-use-iam-profile-aws/,/#end-backup-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#start-backup-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#end-backup-secret-access-key-aws/d" ${GITLAB_CONFIG}
 fi
 elif [[ -z ${AWS_BACKUP_BUCKET} ]]; then
 echo "Missing AWS options. Aborting..."
@@ -1002,6 +1004,8 @@ gitlab_configure_backups_aws() {
 return 1
 else
 exec_as_git sed -i "/#start-backup-secret-access-key-aws/,/#end-backup-secret-access-key-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#start-backup-use-iam-profile-aws/d" ${GITLAB_CONFIG}
+ exec_as_git sed -i "/#end-backup-use-iam-profile-aws/d" ${GITLAB_CONFIG}
 fi
 update_template ${GITLAB_CONFIG} \
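Review bot: The marker cleanup is split across the two `else` branches of `gitlab_configure_backups_aws`, each deleting the two comment lines the other branch's range `sed` leaves behind, whereas the sibling store functions earlier in this series run the four marker deletions unconditionally after their `if`/`else`. Moving both pairs below the closing `fi` of the chain (the one before `update_template`), e.g. `exec_as_git sed -i "/#\(start\|end\)-backup-\(secret-access-key\|use-iam-profile\)-aws/d" ${GITLAB_CONFIG}`, covers both branches with one line and means a future branch cannot forget them. The `return 1` paths skip the cleanup and leave both credential blocks in the template; that is fine if the caller treats the non-zero return as fatal, which is not visible here, so a one-line comment at the top of the chain, `# on any early return the template is left unrendered; caller is expected to abort`, would make the assumption explicit. The function starts before the hunk.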