| Field | Value |
|---|---|
| author | GitLab Bot <gitlab-bot@gitlab.com>, 2023-10-16 21:10:30 +0300 |
| committer | GitLab Bot <gitlab-bot@gitlab.com>, 2023-10-16 21:10:30 +0300 |
| commit | 5fcd4e5fbcad7d74d1c5efa09c6785303af2ebd7 (patch) |
| tree | 4a7245bc4c4f6fcc7be3c3c4965a60bed541e533 /doc/administration |
| parent | 533ad4ac834baef990e3ebf613c2b1fe54f13127 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/administration')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | doc/administration/audit_event_streaming/index.md | 96 |
| -rw-r--r-- | doc/administration/geo/disaster_recovery/bring_primary_back.md | 2 |
| -rw-r--r-- | doc/administration/raketasks/check.md | 48 |
3 files changed, 138 insertions, 8 deletions
diff --git a/doc/administration/audit_event_streaming/index.md b/doc/administration/audit_event_streaming/index.md index acf6d3c02e0..8f40dc6c34c 100644 --- a/doc/administration/audit_event_streaming/index.md +++ b/doc/administration/audit_event_streaming/index.md @@ -261,9 +261,13 @@ To delete Google Cloud Logging streaming destinations to a top-level group: > - [Feature flag `ff_external_audit_events`](https://gitlab.com/gitlab-org/gitlab/-/issues/393772) enabled by default in GitLab 16.2. > - Instance streaming destinations [made generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/393772) in GitLab 16.4. [Feature flag `ff_external_audit_events`](https://gitlab.com/gitlab-org/gitlab/-/issues/417708) removed. +Manage streaming destinations for an entire instance. + +### HTTP destinations + Manage HTTP streaming destinations for an entire instance. -### Add a new HTTP destination +#### Add a new HTTP destination Add a new HTTP streaming destination to an instance. @@ -285,7 +289,7 @@ To add a streaming destination for an instance: 20 headers per streaming destination. 1. After all headers have been filled out, select **Add** to add the new streaming destination. -### List HTTP destinations +#### List HTTP destinations Prerequisites: @@ -299,7 +303,7 @@ To list the streaming destinations for an instance: 1. On the main area, select **Streams** tab. 1. Select the stream to expand it and see all the custom HTTP headers. -### Update an HTTP destination +#### Update an HTTP destination Prerequisites: @@ -329,7 +333,7 @@ To update a instance streaming destination's custom HTTP headers: 20 headers per streaming destination. 1. Select **Save** to update the streaming destination. -### Delete an HTTP destination +#### Delete an HTTP destination Delete streaming destinations for an entire instance. When the last destination is successfully deleted, streaming is disabled for the instance. 
@@ -360,7 +364,7 @@ To delete only the custom HTTP headers for a streaming destination: 1. To the right of the header, select **Delete** (**{remove}**). 1. Select **Save** to update the streaming destination. -### Verify event authenticity +#### Verify event authenticity > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/398107) in GitLab 16.1 [with a flag](../feature_flags.md) named `ff_external_audit_events`. Disabled by default. > - [Feature flag `ff_external_audit_events`](https://gitlab.com/gitlab-org/gitlab/-/issues/393772) enabled by default in GitLab 16.2. @@ -384,7 +388,7 @@ To list streaming destinations for an instance and see the verification tokens: 1. On the main area, select the **Streams** tab. 1. View the verification token on the right side of each item. -### Update event filters +#### Update event filters > Event type filtering in the UI with a defined list of audit event types [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/415013) in GitLab 16.3. @@ -404,7 +408,7 @@ To update a streaming destination's event filters: 1. Select the dropdown list and select or clear the required event types. 1. Select **Save** to update the event filters. -### Override default content type header +#### Override default content type header By default, streaming destinations use a `content-type` header of `application/x-www-form-urlencoded`. However, you might want to set the `content-type` header to something else. For example ,`application/json`. 
@@ -414,6 +418,84 @@ To override the `content-type` header default value for an instance streaming de - The [GitLab UI](#update-an-http-destination-1). - The [GraphQL API](graphql_api.md#update-streaming-destinations). +### Google Cloud Logging destinations + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131851) in GitLab 16.5. + +Manage Google Cloud Logging destinations for an entire instance. + +#### Prerequisites + +Before setting up Google Cloud Logging streaming audit events, you must: + +1. Create a service account for Google Cloud with the appropriate credentials and permissions. This account is used to configure audit log streaming authentication. + For more information, see [Creating and managing service accounts in the Google Cloud documentation](https://cloud.google.com/iam/docs/service-accounts-create#creating). +1. Enable the **Logs Writer** role for the service account to enable logging on Google Cloud. For more information, see [Access control with IAM](https://cloud.google.com/logging/docs/access-control#logging.logWriter). +1. Create a JSON key for the service account. For more information, see [Creating a service account key](https://cloud.google.com/iam/docs/keys-create-delete#creating). + +#### Add a new Google Cloud Logging destination + +Prerequisites: + +- Administrator access on the instance. + +To add Google Cloud Logging streaming destinations to an instance: + +1. On the left sidebar, select **Search or go to**. +1. Select **Admin Area**. +1. On the left sidebar, select **Monitoring > Audit Events**. +1. On the main area, select **Streams** tab. +1. Select **Add streaming destination** and select **Google Cloud Logging** to show the section for adding destinations. +1. Enter the Google project ID, Google client email, log ID, and Google private key to add. +1. Select **Add** to add the new streaming destination. 
+ +#### List Google Cloud Logging destinations + +Prerequisites: + +- Administrator access on the instance. + +To list Google Cloud Logging streaming destinations for an instance: + +1. On the left sidebar, select **Search or go to**. +1. Select **Admin Area**. +1. On the left sidebar, select **Monitoring > Audit Events**. +1. On the main area, select **Streams** tab. +1. Select the Google Cloud Logging stream to expand and see all the fields. + +#### Update a Google Cloud Logging destination + +Prerequisites: + +- Administrator access on the instance. + +To update Google Cloud Logging streaming destinations to an instance: + +1. On the left sidebar, select **Search or go to**. +1. Select **Admin Area**. +1. On the left sidebar, select **Monitoring > Audit Events**. +1. On the main area, select **Streams** tab. +1. Select the Google Cloud Logging stream to expand. +1. Enter the Google project ID, Google client email, and log ID to update. +1. Select **Add a new private key** and enter a Google private key to update the private key. +1. Select **Save** to update the streaming destination. + +#### Delete a Google Cloud Logging streaming destination + +Prerequisites: + +- Administrator access on the instance. + +To delete Google Cloud Logging streaming destinations to an instance: + +1. On the left sidebar, select **Search or go to**. +1. Select **Admin Area**. +1. On the left sidebar, select **Monitoring > Audit Events**. +1. On the main area, select **Streams** tab. +1. Select the Google Cloud Logging stream to expand. +1. Select **Delete destination**. +1. Confirm by selecting **Delete destination** in the dialog. + ## Payload schema > Documentation for an audit event streaming schema was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/358149) in GitLab 15.3. diff --git a/doc/administration/geo/disaster_recovery/bring_primary_back.md b/doc/administration/geo/disaster_recovery/bring_primary_back.md index fe05b52cec9..5f2cbd4d03b 100644 
--- a/doc/administration/geo/disaster_recovery/bring_primary_back.md +++ b/doc/administration/geo/disaster_recovery/bring_primary_back.md @@ -55,7 +55,7 @@ To bring the former **primary** site up to date: [block all the writes to this site](planned_failover.md#prevent-updates-to-the-primary-site) during this procedure. -1. [Set up database replication](../setup/database.md). In this case, the **secondary** site +1. [Set up Geo](../setup/index.md). In this case, the **secondary** site refers to the former **primary** site. 1. If [PgBouncer](../../postgresql/pgbouncer.md) was enabled on the **current secondary** site (when it was a primary site) disable it by editing `/etc/gitlab/gitlab.rb` diff --git a/doc/administration/raketasks/check.md b/doc/administration/raketasks/check.md index 9ced19b53b7..ec28b6bee67 100644 --- a/doc/administration/raketasks/check.md +++ b/doc/administration/raketasks/check.md 
@@ -283,6 +283,54 @@ I, [2020-06-11T17:18:15.575711 #27148] INFO -- : Done! <!-- vale gitlab.SentenceSpacing = YES --> +## Reset encrypted tokens when they can't be recovered + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131893) in GitLab 16.6. + +WARNING: +This operation is dangerous and can result in data-loss. Proceed with extreme caution. +You must have knowledge about GitLab internals before you perform this operation. + +In some cases, encrypted tokens can no longer be recovered and cause issues. +Most often, runner registration tokens for groups and projects might be broken on very large instances. + +To reset broken tokens: + +1. Identify the database models that have broken encrypted tokens. For example, it can be `Group` and `Project`. +1. Identify the broken tokens. For example `runners_token`. +1. To reset broken tokens, run `gitlab:doctor:reset_encrypted_tokens` with `VERBOSE=true MODEL_NAMES=Model1,Model2 TOKEN_NAMES=broken_token1,broken_token2`. For example: + + ```shell + VERBOSE=true MODEL_NAMES=Project,Group TOKEN_NAMES=runners_token bundle exec rake gitlab:doctor:reset_encrypted_tokens + ``` + + You will see every action this task would try to perform: + + ```plain + I, [2023-09-26T16:20:23.230942 #88920] INFO -- : Resetting runners_token on Project, Group if they can not be read + I, [2023-09-26T16:20:23.230975 #88920] INFO -- : Executing in DRY RUN mode, no records will actually be updated + D, [2023-09-26T16:20:30.151585 #88920] DEBUG -- : > Fix Project[1].runners_token + I, [2023-09-26T16:20:30.151617 #88920] INFO -- : Checked 1/9 Projects + D, [2023-09-26T16:20:30.151873 #88920] DEBUG -- : > Fix Project[3].runners_token + D, [2023-09-26T16:20:30.152975 #88920] DEBUG -- : > Fix Project[10].runners_token + I, [2023-09-26T16:20:30.152992 #88920] INFO -- : Checked 11/29 Projects + I, [2023-09-26T16:20:30.153230 #88920] INFO -- : Checked 21/29 Projects + I, [2023-09-26T16:20:30.153882 #88920] INFO -- : Checked 29 
Projects + D, [2023-09-26T16:20:30.195929 #88920] DEBUG -- : > Fix Group[22].runners_token + I, [2023-09-26T16:20:30.196125 #88920] INFO -- : Checked 1/19 Groups + D, [2023-09-26T16:20:30.196192 #88920] DEBUG -- : > Fix Group[25].runners_token + D, [2023-09-26T16:20:30.197557 #88920] DEBUG -- : > Fix Group[82].runners_token + I, [2023-09-26T16:20:30.197581 #88920] INFO -- : Checked 11/19 Groups + I, [2023-09-26T16:20:30.198455 #88920] INFO -- : Checked 19 Groups + I, [2023-09-26T16:20:30.198462 #88920] INFO -- : Done! + ``` + +1. If you are confident that this operation resets the correct tokens, disable dry-run mode and run the operation again: + + ```shell + DRY_RUN=false VERBOSE=true MODEL_NAMES=Project,Group TOKEN_NAMES=runners_token bundle exec rake gitlab:doctor:reset_encrypted_tokens + ``` + ## Troubleshooting The following are solutions to problems you might discover using the Rake tasks documented |
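Review bot: (audit_event_streaming/index.md, first hunk) the new `### HTTP destinations` heading demotes every HTTP subsection of the instance section from `###` to `####`, so please render-check the in-page anchors: the later hunk in this file keeps the link `[GitLab UI](#update-an-http-destination-1)`, whose `-1` suffix depends on the same heading text appearing earlier on the page. Heading-level changes do not alter the generated anchor text, so the link should still resolve, but the suffix is fragile and worth confirming before merge.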
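Review bot: (index.md, hunk `@@ -329,7 +333,7`) the hunk's context line reads "To update a instance streaming destination's custom HTTP headers"; since this section is being edited anyway, "a instance" should become "an instance".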
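Review bot: (index.md, hunk `@@ -404,7 +408,7`) the unchanged context line directly under the demoted heading has a stray space before the comma in "For example ,`application/json`"; worth fixing in the same change.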
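Review bot: (index.md, hunk `@@ -414,6 +418,84`) the Update and Delete procedures say "streaming destinations to an instance", while the HTTP sections and the new List procedure say "for an instance"; align the wording. Two content points: the List step says "expand and see all the fields", yet the Update procedure replaces the key through a separate **Add a new private key** action rather than editing it in place, which implies the stored private key is not displayed; the List section should state explicitly whether the service-account private key is shown after it is saved, since that is the first thing an administrator handling that credential will want to know. In Prerequisites, "Enable the **Logs Writer** role for the service account" should read "Grant the **Logs Writer** role to the service account"; a role is granted to a principal, not enabled. Minor: the heading "Delete a Google Cloud Logging streaming destination" does not match its siblings, which end in "destination".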
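Review bot: (bring_primary_back.md hunk) the link target changes from the database replication page to the whole Geo setup index, but the sentence that follows ("In this case, the **secondary** site refers to the former **primary** site") only makes sense relative to the replication steps. Either keep a pointer to the part of the setup guide that applies here, or reword so readers know which steps of the Geo setup they are expected to perform at this point. Please also check whether other pages still link to `../setup/database.md`, if that page is being retired.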
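Review bot: (raketasks/check.md hunk) the procedure never states that the task runs as a dry run by default; the reader only learns it from the `Executing in DRY RUN mode` log line, and the final step then introduces `DRY_RUN=false` without the variable having been described. Add a sentence before the first command saying that the task only reports what it would change unless `DRY_RUN=false` is set. The sample output also reports `Checked 1/9 Projects` and then `Checked 11/29 Projects`, so the total changes within a single run; align these. Given the WARNING, it would help to spell out what is actually lost when a `runners_token` is reset (for example, what happens to runners registered with the old token), and "data-loss" should be "data loss".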