summaryrefslogtreecommitdiff
path: root/config
diff options
context:
space:
mode:
authorYorick Peterse <yorickpeterse@gmail.com>2019-06-13 14:18:01 +0200
committerYorick Peterse <yorickpeterse@gmail.com>2019-06-20 14:51:49 +0200
commit0e41564762cd74c6cbf938dcc319c3b77a891dc7 (patch)
tree1a1a67a7eb29e4e42de345fbd70a86c6dcd35477 /config
parent3cd038e3046a18e38e25d7904cca9e38ea6565dd (diff)
downloadgitlab-ce-0e41564762cd74c6cbf938dcc319c3b77a891dc7.tar.gz
Backport gitlab.yml.example from EEconfig-yaml-differences
To make this happen, we need to conditionally add the group_saml strategy when running tests, but only on EE. This requires some changes to Gitlab.ee? so that it can be used before/without loading the Rails environment. We also have to change how we require a few files, so this can run outside of Rails.
Diffstat (limited to 'config')
-rw-r--r--config/gitlab.yml.example198
-rw-r--r--config/initializers/1_settings.rb14
-rw-r--r--config/settings.rb6
3 files changed, 217 insertions, 1 deletions
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index c83f569d885..dddc5ec3540 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -230,7 +230,45 @@ production: &base
## Packages (maven repository, npm registry, etc...)
packages:
- enabled: false
+ enabled: true
+ # The location where build packages are stored (default: shared/packages).
+ # storage_path: shared/packages
+ object_store:
+ enabled: false
+ remote_directory: packages # The bucket name
+ # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
+ # background_upload: false # Temporary option to limit automatic upload (Default: true)
+ # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
+ connection:
+ provider: AWS
+ aws_access_key_id: AWS_ACCESS_KEY_ID
+ aws_secret_access_key: AWS_SECRET_ACCESS_KEY
+ region: us-east-1
+ # host: 'localhost' # default: s3.amazonaws.com
+ # endpoint: 'http://127.0.0.1:9000' # default: nil
+ # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
+ # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
+
+ ## Dependency Proxy
+ dependency_proxy:
+ enabled: true
+ # The location where build packages are stored (default: shared/dependency_proxy).
+ # storage_path: shared/dependency_proxy
+ object_store:
+ enabled: false
+ remote_directory: dependency_proxy # The bucket name
+ # direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
+ # background_upload: false # Temporary option to limit automatic upload (Default: true)
+ # proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
+ connection:
+ provider: AWS
+ aws_access_key_id: AWS_ACCESS_KEY_ID
+ aws_secret_access_key: AWS_SECRET_ACCESS_KEY
+ region: us-east-1
+ # host: 'localhost' # default: s3.amazonaws.com
+ # endpoint: 'http://127.0.0.1:9000' # default: nil
+ # aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
+ # path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
## GitLab Pages
pages:
@@ -306,6 +344,53 @@ production: &base
schedule_migrate_external_diffs_worker:
cron: "15 * * * *"
+ # GitLab EE only jobs. These jobs are automatically enabled for an EE
+ # installation, and ignored for a CE installation.
+ ee_cron_jobs:
+ # Snapshot active users statistics
+ historical_data_worker:
+ cron: "0 12 * * *"
+
+ # In addition to refreshing users when they log in,
+ # periodically refresh LDAP users membership.
+ # NOTE: This will only take effect if LDAP is enabled
+ ldap_sync_worker:
+ cron: "30 1 * * *"
+
+ # Periodically refresh LDAP groups membership.
+ # NOTE: This will only take effect if LDAP is enabled
+ ldap_group_sync_worker:
+ cron: "0 * * * *"
+
+ # GitLab Geo metrics update worker
+ # NOTE: This will only take effect if Geo is enabled
+ geo_metrics_update_worker:
+ cron: "*/1 * * * *"
+
+ # GitLab Geo prune event log worker
+ # NOTE: This will only take effect if Geo is enabled (primary node only)
+ geo_prune_event_log_worker:
+ cron: "*/5 * * * *"
+
+ # GitLab Geo repository sync worker
+ # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
+ geo_repository_sync_worker:
+ cron: "*/1 * * * *"
+
+ # GitLab Geo file download dispatch worker
+ # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
+ geo_file_download_dispatch_worker:
+ cron: "*/1 * * * *"
+
+ # GitLab Geo migrated local files clean up worker
+ # NOTE: This will only take effect if Geo is enabled (secondary nodes only)
+ geo_migrated_local_files_clean_up_worker:
+ cron: "15 */6 * * *"
+
+ # Export pseudonymized data in CSV format for analysis
+ pseudonymizer_worker:
+ cron: "0 * * * *"
+
registry:
# enabled: true
# host: registry.example.com
@@ -323,6 +408,16 @@ production: &base
# clientside_dsn: https://<key>@sentry.io/<project>
# environment: 'production' # e.g. development, staging, production
+ ## Geo
+ # NOTE: These settings will only take effect if Geo is enabled
+ geo:
+ # This is an optional identifier which Geo nodes can use to identify themselves.
+ # For example, if external_url is the same for two secondaries, you must specify
+ # a unique Geo node name for those secondaries.
+ #
+ # If it is blank, it defaults to external_url.
+ node_name: ''
+
#
# 2. GitLab CI settings
# ==========================
@@ -349,6 +444,19 @@ production: &base
# bundle exec rake gitlab:ldap:check RAILS_ENV=production
ldap:
enabled: false
+
+ # This setting controls the number of seconds between LDAP permission checks
+ # for each user. After this time has expired for a given user, their next
+ # interaction with GitLab (a click in the web UI, a git pull, etc.) will be
+ # slower because the LDAP permission check is being performed. How much
+ # slower depends on your LDAP setup, but it is not uncommon for this check
+ # to add seconds of waiting time. The default value is to have a "slow
+ # click" once every 3600 seconds (i.e., once per hour).
+ #
+ # Warning: if you set this value too low, every click in GitLab will be a
+ # "slow click" for all of your LDAP users.
+ # sync_time: 3600
+
servers:
##########################################################################
#
@@ -446,6 +554,10 @@ production: &base
# A value of 0 means there is no timeout.
timeout: 10
+ # Enable smartcard authentication against the LDAP server. Valid values
+ # are "false", "optional", and "required".
+ smartcard_auth: false
+
# This setting specifies if LDAP server is Active Directory LDAP server.
# For non AD servers it skips the AD specific queries.
# If your LDAP server is not AD, set this to false.
@@ -485,6 +597,31 @@ production: &base
#
user_filter: ''
+ # Base where we can search for groups
+ #
+ # Ex. ou=Groups,dc=gitlab,dc=example
+ #
+ group_base: ''
+
+ # LDAP group of users who should be admins in GitLab
+ #
+ # Ex. GLAdmins
+ #
+ admin_group: ''
+
+ # LDAP group of users who should be marked as external users in GitLab
+ #
+ # Ex. ['Contractors', 'Interns']
+ #
+ external_groups: []
+
+ # Name of attribute which holds a ssh public key of the user object.
+ # If false or nil, SSH key syncronisation will be disabled.
+ #
+ # Ex. sshpublickey
+ #
+ sync_ssh_keys: false
+
# LDAP attributes that GitLab will use to create an account for the LDAP user.
# The specified attribute can either be the attribute name as a string (e.g. 'mail'),
# or an array of attribute names to try in order (e.g. ['mail', 'email']).
@@ -516,6 +653,38 @@ production: &base
# host:
# ....
+ ## Smartcard authentication settings
+ smartcard:
+ # Allow smartcard authentication
+ enabled: false
+
+ # Path to a file containing a CA certificate
+ ca_file: '/etc/ssl/certs/CA.pem'
+
+ # Port where the client side certificate is requested by the webserver (NGINX/Apache)
+ # client_certificate_required_port: 3444
+
+ ## Kerberos settings
+ kerberos:
+ # Allow the HTTP Negotiate authentication method for Git clients
+ enabled: false
+
+ # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
+ # and should be different from other keytabs in the system.
+ # (default: use default keytab from Krb5 config)
+ # keytab: /etc/http.keytab
+
+ # The Kerberos service name to be used by GitLab.
+ # (default: accept any service name in keytab file)
+ # service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM
+
+ # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
+ # To support both Basic and Negotiate methods with older versions of Git, configure
+ # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
+ # to dedicate this port to Kerberos authentication. (default: false)
+ # use_dedicated_port: true
+ # port: 8443
+ # https: true
## OmniAuth settings
omniauth:
@@ -635,6 +804,8 @@ production: &base
# name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
# } }
#
+ # - { name: 'group_saml' }
+ #
# - { name: 'crowd',
# args: {
# crowd_server_url: 'CROWD SERVER URL',
@@ -707,6 +878,20 @@ production: &base
# # Specifies Amazon S3 storage class to use for backups, this is optional
# # storage_class: 'STANDARD'
+ ## Pseudonymizer exporter
+ pseudonymizer:
+ # Tables manifest that specifies the fields to extract and pseudonymize.
+ manifest: config/pseudonymizer.yml
+ upload:
+ remote_directory: 'gitlab-elt'
+ # Fog storage connection settings, see http://fog.io/storage/ .
+ connection:
+ # provider: AWS
+ # region: eu-west-1
+ # aws_access_key_id: AKIAKIAKI
+ # aws_secret_access_key: 'secret123'
+ # # The remote 'directory' to store the CSV files. For S3, this would be the bucket name.
+
## GitLab Shell settings
gitlab_shell:
path: /home/git/gitlab-shell/
@@ -872,6 +1057,17 @@ test:
token: secret
backup:
path: tmp/tests/backups
+ pseudonymizer:
+ manifest: config/pseudonymizer.yml
+ upload:
+ # The remote 'directory' to store the CSV files. For S3, this would be the bucket name.
+ remote_directory: gitlab-elt.test
+ # Fog storage connection settings, see http://fog.io/storage/
+ connection:
+ provider: AWS # Only AWS supported at the moment
+ aws_access_key_id: AWS_ACCESS_KEY_ID
+ aws_secret_access_key: AWS_SECRET_ACCESS_KEY
+ region: us-east-1
gitlab_shell:
path: tmp/tests/gitlab-shell/
authorized_keys_file: tmp/tests/authorized_keys
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 0c8d94ccaed..6cca7a3b75f 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -117,6 +117,15 @@ if github_settings
end
end
+# SAML should be enabled for the tests automatically, but only for EE.
+saml_provider_enabled = Settings.omniauth.providers.any? do |provider|
+ provider['name'] == 'group_saml'
+end
+
+if Gitlab.ee? && Rails.env.test? && !saml_provider_enabled
+ Settings.omniauth.providers << Settingslogic.new({ 'name' => 'group_saml' })
+end
+
Settings['shared'] ||= Settingslogic.new({})
Settings.shared['path'] = Settings.absolute(Settings.shared['path'] || "shared")
@@ -291,6 +300,11 @@ Settings.gravatar['host'] = Settings.host_without_www(Settings.gravatar[
# Cron Jobs
#
Settings['cron_jobs'] ||= Settingslogic.new({})
+
+if Gitlab.ee? && Settings['ee_cron_jobs']
+ Settings.cron_jobs.merge!(Settings.ee_cron_jobs)
+end
+
Settings.cron_jobs['stuck_ci_jobs_worker'] ||= Settingslogic.new({})
Settings.cron_jobs['stuck_ci_jobs_worker']['cron'] ||= '0 * * * *'
Settings.cron_jobs['stuck_ci_jobs_worker']['job_class'] = 'StuckCiJobsWorker'
diff --git a/config/settings.rb b/config/settings.rb
index 1b94df785a7..6df2132332c 100644
--- a/config/settings.rb
+++ b/config/settings.rb
@@ -1,5 +1,11 @@
require 'settingslogic'
+# We can not use `Rails.root` here, as this file might be loaded without the
+# full Rails environment being loaded. We can not use `require_relative` either,
+# as Rails uses `load` for `require_dependency` (used when loading the Rails
+# environment). This could then lead to this file being loaded twice.
+require_dependency File.expand_path('../lib/gitlab', __dir__)
+
class Settings < Settingslogic
source ENV.fetch('GITLAB_CONFIG') { Pathname.new(File.expand_path('..', __dir__)).join('config/gitlab.yml') }
namespace ENV.fetch('GITLAB_ENV') { Rails.env }