gitlab.com/gitlab-org/gitlab-foss.git
Diffstat (limited to 'doc/administration/geo/setup/database.md')
-rw-r--r--doc/administration/geo/setup/database.md36
1 files changed, 34 insertions, 2 deletions
diff --git a/doc/administration/geo/setup/database.md b/doc/administration/geo/setup/database.md
index 9c917be123e..52f4adc4e03 100644
--- a/doc/administration/geo/setup/database.md
+++ b/doc/administration/geo/setup/database.md
@@ -300,6 +300,24 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o
need it when setting up the **secondary** node! The certificate is not sensitive
data.
+ However, this certificate is created with a generic `PostgreSQL` Common Name. For this,
+ you must use the `verify-ca` mode when replicating the database, otherwise,
+ the hostname mismatch will cause errors.
+
+1. Optional. Generate your own SSL certificate and manually
+ [configure SSL for PostgreSQL](https://docs.gitlab.com/omnibus/settings/database.html#configuring-ssl),
+ instead of using the generated certificate.
+
+ You will need at least the SSL certificate and key, and set the `postgresql['ssl_cert_file']` and
+ `postgresql['ssl_key_file']` values to their full paths, as per the Database SSL docs.
+
+ This allows you to use the `verify-full` SSL mode when replicating the database
+ and get the extra benefit of verifying the full hostname in the CN.
+
+ You can use this certificate (that you have also set in `postgresql['ssl_cert_file']`) instead
+ of the certificate from the point above going forward. This will allow you to use `verify-full`
+ without replication errors if the CN matches.
+
#### Step 2. Configure the **secondary** server
1. SSH into your GitLab **secondary** server and login as root:
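Review bot: the new paragraph at the top of this hunk ("However, this certificate is created with a generic `PostgreSQL` Common Name...") tells the reader to use `verify-ca` without saying what that mode gives up: `verify-ca` still checks that the server certificate chains to the certificate copied from the primary, but it does not check that the name in that certificate matches the host the secondary connected to, which is exactly the check the optional `verify-full` step adds. Stating that trade-off in one sentence lets readers decide whether the optional step is worth doing. Also, "the certificate from the point above" in the last added paragraph is ambiguous once the list is rendered; name the step it refers to instead.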
@@ -367,7 +385,13 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o
-h <primary_node_ip>
```
- When prompted enter the password you set in the first step for the
+ NOTE:
+ If you are using manually generated certificates and plan on using
+ `sslmode=verify-full` to benefit of the full hostname verification,
+ make sure to replace `verify-ca` to `verify-full` when
+ running the command.
+
+ When prompted enter the _plaintext_ password you set in the first step for the
`gitlab_replicator` user. If all worked correctly, you should see
the list of **primary** node's databases.
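Review bot: in the added NOTE, "replace `verify-ca` to `verify-full`" should read "replace `verify-ca` with `verify-full`", and "to benefit of the full hostname verification" should be "to benefit from full hostname verification". It would also help to say which command is meant (the `psql` invocation ending in `-h <primary_node_ip>` just above) and that, under `verify-full`, the value given to `-h` has to match a name in the certificate, since the example passes an IP address.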
@@ -455,6 +479,7 @@ data before running `pg_basebackup`.
gitlab-ctl replicate-geo-database \
--slot-name=<secondary_node_name> \
--host=<primary_node_ip>
+ --sslmode=verify-ca
```
NOTE:
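Review bot: the added `--sslmode=verify-ca` line is not joined to the command: the unchanged `--host=<primary_node_ip>` context line above it has no trailing backslash, so as written the shell runs `gitlab-ctl replicate-geo-database --slot-name=<secondary_node_name> --host=<primary_node_ip>` and then tries to execute `--sslmode=verify-ca` as a separate command. Change the context line to `--host=<primary_node_ip> \` and keep the new flag as the final argument without a backslash.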
@@ -463,6 +488,13 @@ data before running `pg_basebackup`.
When prompted, enter the _plaintext_ password you set up for the `gitlab_replicator`
user in the first step.
+ NOTE:
+ If you have generated custom PostgreSQL certificates, you will want to use
+ `--sslmode=verify-full` (or omit the `sslmode` line entirely), to benefit from the extra
+ validation of the full host name in the certificate CN / SAN for additional security.
+ Otherwise, using the automatically created certificate with `verify-full` will fail,
+ as it has a generic `PostgreSQL` CN which will not match the `--host` value in this command.
+
This command also takes a number of additional options. You can use `--help`
to list them all, but here are a couple of tips:
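Review bot: "or omit the `sslmode` line entirely" in the added NOTE only holds if the command's default mode is `verify-full`; state that default explicitly (or drop the parenthetical), because a reader who omits the flag under a different default silently gets a weaker check. The note also says "CN / SAN" here while the rest of the patch says "CN"; pick one, and since the `--host` placeholder is `<primary_node_ip>`, say that under `verify-full` the `--host` value must match a name (or IP entry in the SAN) in the certificate, otherwise the connection is rejected. "for additional security" can go; the sentence already says what is verified.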
@@ -1061,7 +1093,7 @@ For each node running the `gitlab-rails`, `sidekiq`, and `geo-logcursor` service
1. Run the tracking database migrations:
```shell
- gitlab-rake geo:db:migrate
+ gitlab-rake db:migrate:geo
```
### Migrating a single tracking database node to Patroni
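Review bot: the rake task rename from `geo:db:migrate` to `db:migrate:geo` is unrelated to the SSL-mode changes in the rest of this patch; consider splitting it into its own commit with its own explanation, and check the rest of this page for other occurrences of the old task name so the document does not end up referring to both.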