author | Vladimir Shushlin <vshushlin@gitlab.com> | 2019-05-28 07:47:34 +0300 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2019-05-28 07:47:34 +0300 |
commit | 4687ff7c9be789341e82a6440234fce43f30b5be (patch) | |
tree | 59b72fafa974c92af04590e7fc3b64c6536aef70 /db/migrate/20190524062810_generate_lets_encrypt_private_key.rb | |
parent | af43970834b911242eecf9b7c815faf0f6b50048 (diff) |
Store Let's Encrypt private key in settings

Storing this key in secrets.yml was a bad idea,
it would require users using HA setups to manually
replicate secrets across nodes during update,
it also needed support from omnibus package

* Revert "Generate Let's Encrypt private key"
  This reverts commit 444959bfa0b79e827a2a1a7a314acac19390f976.
* Add Let's Encrypt private key to settings
  as encrypted attribute
* Generate Let's Encrypt private key
  in database migration

Diffstat (limited to 'db/migrate/20190524062810_generate_lets_encrypt_private_key.rb')
-rw-r--r-- | db/migrate/20190524062810_generate_lets_encrypt_private_key.rb | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/db/migrate/20190524062810_generate_lets_encrypt_private_key.rb b/db/migrate/20190524062810_generate_lets_encrypt_private_key.rb new file mode 100644 index 00000000000..21d7049b998 --- /dev/null +++ b/db/migrate/20190524062810_generate_lets_encrypt_private_key.rb @@ -0,0 +1,33 @@ +# frozen_string_literal: true + +# See http://doc.gitlab.com/ce/development/migration_style_guide.html +# for more information on how to write migrations for GitLab. + +class GenerateLetsEncryptPrivateKey < ActiveRecord::Migration[5.1] + include Gitlab::Database::MigrationHelpers + + # Set this constant to true if this migration requires downtime. + DOWNTIME = false + + class ApplicationSetting < ActiveRecord::Base + self.table_name = 'application_settings' + + attr_encrypted :lets_encrypt_private_key, + mode: :per_attribute_iv, + key: Settings.attr_encrypted_db_key_base_truncated, + algorithm: 'aes-256-gcm', + encode: true + end + + def up + ApplicationSetting.reset_column_information + + private_key = OpenSSL::PKey::RSA.new(4096).to_pem + ApplicationSetting.find_each do |setting| + setting.update!(lets_encrypt_private_key: private_key) + end + end + + def down + end +end |
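
Review bot: In `up`, the key is written only inside `ApplicationSetting.find_each`, so when `application_settings` has no rows the migration finishes without storing any key; whatever reads `lets_encrypt_private_key` then has to handle a nil value or generate the key itself, and a comment here should say which is intended. The write is also unconditional and `down` is empty, so a rollback followed by a re-run replaces the stored key with a freshly generated one: consider skipping rows where the attribute is already set, and add a comment in `down` stating that the key is deliberately left in place. The same PEM from `OpenSSL::PKey::RSA.new(4096).to_pem` goes into every row, which is worth a one-line note if more than one settings row can exist.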