init

edb06ab2 · 徐豪 · edb06ab2 · edb06ab2 · edb06ab2 · edb06ab2
Commit edb06ab2 authored Jul 16, 2024 by 徐豪
20 changed files
--- a/files/gitlab-cookbooks/gitlab-kas/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab-kas/attributes/default.rb
+####
+# GitLab Kubernetes Agent Server
+####
+default['gitlab_kas']['enable'] = false
+default['gitlab_kas']['agent_configuration_poll_period'] = 300
+default['gitlab_kas']['agent_gitops_poll_period'] = 300
+default['gitlab_kas']['agent_gitops_project_info_cache_ttl'] = 300
+default['gitlab_kas']['agent_gitops_project_info_cache_error_ttl'] = 60
+default['gitlab_kas']['agent_info_cache_ttl'] = 300
+default['gitlab_kas']['agent_info_cache_error_ttl'] = 60
+default['gitlab_kas']['gitlab_address'] = ''
+default['gitlab_kas']['gitlab_external_url'] = nil
+default['gitlab_kas']['api_secret_key'] = nil
+default['gitlab_kas']['listen_address'] = 'localhost:8150'
+default['gitlab_kas']['listen_network'] = 'tcp'
+default['gitlab_kas']['listen_websocket'] = true
+default['gitlab_kas']['certificate_file'] = nil
+default['gitlab_kas']['key_file'] = nil
+default['gitlab_kas']['observability_listen_address'] = 'localhost:8151'
+default['gitlab_kas']['observability_listen_network'] = 'tcp'
+default['gitlab_kas']['internal_api_listen_address'] = 'localhost:8153'
+default['gitlab_kas']['internal_api_listen_network'] = 'tcp'
+default['gitlab_kas']['internal_api_certificate_file'] = nil
+default['gitlab_kas']['internal_api_key_file'] = nil
+default['gitlab_kas']['kubernetes_api_listen_address'] = 'localhost:8154'
+default['gitlab_kas']['kubernetes_api_certificate_file'] = nil
+default['gitlab_kas']['kubernetes_api_key_file'] = nil
+default['gitlab_kas']['private_api_secret_key'] = nil
+default['gitlab_kas']['private_api_listen_address'] = 'localhost:8155'
+default['gitlab_kas']['private_api_listen_network'] = 'tcp'
+default['gitlab_kas']['private_api_certificate_file'] = nil
+default['gitlab_kas']['private_api_key_file'] = nil
+default['gitlab_kas']['metrics_usage_reporting_period'] = 60
+default['gitlab_kas']['sentry_dsn'] = nil
+default['gitlab_kas']['sentry_environment'] = nil
+default['gitlab_kas']['log_level'] = 'info'
+default['gitlab_kas']['grpc_log_level'] = 'error'
+default['gitlab_kas']['dir'] = '/var/opt/gitlab/gitlab-kas'
+default['gitlab_kas']['log_directory'] = '/var/log/gitlab/gitlab-kas'
+default['gitlab_kas']['env_directory'] = '/opt/gitlab/etc/gitlab-kas/env'
+default['gitlab_kas']['env'] = {
+  'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/",
+  'OWN_PRIVATE_API_URL' => 'grpc://localhost:8155'
+}
+
+default['gitlab-kas'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab_kas'].to_h }, "node['gitlab-kas']", "node['gitlab_kas']")
+
+# Defaults of the following settings are computed from `gitlab_rails`, and are
+# set in the library. If a new key is added here that needs to be computed from
+# the Rails counterpart, make sure it is added to the list in the library too
+default['gitlab_kas']['redis_socket'] = nil
+default['gitlab_kas']['redis_host'] = nil
+default['gitlab_kas']['redis_port'] = nil
+default['gitlab_kas']['redis_password'] = nil
+default['gitlab_kas']['redis_sentinels'] = []
+default['gitlab_kas']['redis_sentinels_master_name'] = nil
+default['gitlab_kas']['redis_sentinels_password'] = nil
+default['gitlab_kas']['redis_ssl'] = nil
+default['gitlab_kas']['redis_tls_ca_cert_file'] = nil
+default['gitlab_kas']['redis_tls_client_cert_file'] = nil
+default['gitlab_kas']['redis_tls_client_key_file'] = nil
+
+default['gitlab_kas']['extra_config_command'] = nil
--- a/files/gitlab-cookbooks/gitlab-kas/libraries/gitlab_kas.rb
+++ b/files/gitlab-cookbooks/gitlab-kas/libraries/gitlab_kas.rb
+#
+# Copyright:: Copyright (c) 2020 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative '../../package/libraries/helpers/secrets_helper'
+
+module GitlabKas
+  class << self
+    def parse_variables
+      parse_address
+      parse_gitlab_external_url
+      parse_gitlab_kas_enabled
+      parse_gitlab_kas_external_url
+      parse_gitlab_kas_internal_url
+      parse_redis_settings
+    end
+
+    def parse_address
+      Gitlab['gitlab_kas']['gitlab_address'] ||= Gitlab['external_url']
+    end
+
+    def parse_gitlab_kas_enabled
+      # explicitly enabled or disabled, possibly external to this Omnibus instance
+      key = 'gitlab_kas_enabled'
+      return unless Gitlab['gitlab_rails'][key].nil?
+
+      # implicitly enable if installed and gitlab integration not explicitly disabled
+      Gitlab['gitlab_rails'][key] = gitlab_kas_attr('enable')
+    end
+
+    def parse_gitlab_kas_internal_url
+      key = 'gitlab_kas_internal_url'
+      return unless Gitlab['gitlab_rails'][key].nil?
+
+      return unless gitlab_kas_attr('enable')
+
+      network = gitlab_kas_attr('internal_api_listen_network')
+      case network
+      when 'unix'
+        scheme = 'unix'
+      when 'tcp', 'tcp4', 'tcp6'
+        scheme = 'grpc'
+      else
+        raise "gitlab_kas['internal_api_listen_network'] should be 'tcp', 'tcp4', 'tcp6' or 'unix' got '#{network}'"
+      end
+
+      address = gitlab_kas_attr('internal_api_listen_address')
+      Gitlab['gitlab_rails'][key] = "#{scheme}://#{address}"
+    end
+
+    def parse_gitlab_kas_external_url
+      return unless gitlab_kas_attr('enable')
+
+      # we need to return if `external_url` is not set because this is needed
+      # - to set the kas_url if `gitlab_kas_external_url` is not set
+      # - to check the domain of `gitlab_kas_external_url` against the GitLab url
+      return unless Gitlab['external_url']
+
+      Gitlab['gitlab_kas_external_url'] ||= build_default_gitlab_kas_external_url
+
+      if kas_domain_matches_gitlab_domain?
+        parse_gitlab_kas_external_url_with_gitlab_domain
+        parse_gitlab_kas_external_k8s_proxy_url_with_gitlab_domain
+      else
+        parse_gitlab_kas_external_url_using_own_subdomain
+        parse_gitlab_kas_external_k8s_proxy_url_using_own_subdomain
+      end
+    end
+
+    def parse_gitlab_external_url
+      return if Gitlab['external_url'].nil?
+
+      gitlab_uri = URI(Gitlab['external_url'])
+
+      Gitlab['gitlab_kas']['gitlab_external_url'] ||= "#{gitlab_uri.scheme}://#{gitlab_uri.host}"
+    end
+
+    def parse_secrets
+      Gitlab['gitlab_kas']['api_secret_key'] ||= Base64.strict_encode64(SecretsHelper.generate_hex(16))
+      Gitlab['gitlab_kas']['private_api_secret_key'] ||= Base64.strict_encode64(SecretsHelper.generate_hex(16))
+    end
+
+    def validate_secrets
+      if Gitlab['gitlab_kas']['api_secret_key']
+        # KAS and GitLab expects exactly 32 bytes, encoded with base64
+        api_secret_key = Base64.strict_decode64(Gitlab['gitlab_kas']['api_secret_key'])
+        raise "gitlab_kas['api_secret_key'] should be exactly 32 bytes" if api_secret_key.length != 32
+      end
+
+      return unless Gitlab['gitlab_kas']['private_api_secret_key']
+
+      private_api_secret_key = Base64.strict_decode64(Gitlab['gitlab_kas']['private_api_secret_key'])
+      raise "gitlab_kas['private_api_secret_key'] should be exactly 32 bytes" if private_api_secret_key.length != 32
+    end
+
+    def parse_redis_settings
+      # If KAS has separate Redis instance specified, do not copy any other settings
+      return if Gitlab['gitlab_kas'].key?('redis_host') || Gitlab['gitlab_kas'].key?('redis_socket')
+
+      settings_copied_from_gitlab_rails = %w[
+        redis_socket
+        redis_host
+        redis_port
+        redis_password
+        redis_sentinels
+        redis_sentinels_password
+        redis_ssl
+        redis_tls_ca_cert_file
+        redis_tls_client_cert_file
+        redis_tls_client_key_file
+      ]
+      settings_copied_from_gitlab_rails.each do |setting|
+        Gitlab['node'].default['gitlab_kas'][setting] = Gitlab['node']['gitlab']['gitlab_rails'][setting]
+        Gitlab['gitlab_kas'][setting] = Gitlab['gitlab_rails'][setting] unless Gitlab['gitlab_kas'].key?(setting)
+      end
+
+      Gitlab['node'].default['gitlab_kas']['redis_sentinels_master_name'] = Gitlab['node']['redis']['master_name']
+      Gitlab['gitlab_kas']['redis_sentinels_master_name'] = Gitlab['redis']['master_name'] unless Gitlab['gitlab_kas'].key?('redis_sentinels_master_name')
+    end
+
+    private
+
+    def parse_gitlab_kas_external_url_with_gitlab_domain
+      key = 'gitlab_kas_external_url'
+      return unless Gitlab['gitlab_rails'][key].nil?
+
+      Gitlab['gitlab_rails'][key] = Gitlab[key]
+    end
+
+    def parse_gitlab_kas_external_k8s_proxy_url_with_gitlab_domain
+      key = 'gitlab_kas_external_k8s_proxy_url'
+      return unless Gitlab['gitlab_rails'][key].nil?
+
+      gitlab_external_url = Gitlab['external_url']
+      return unless gitlab_external_url
+
+      # For now, the default external proxy URL is on the subpath /-/kubernetes-agent/k8s-proxy/
+      # See https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5784
+      Gitlab['gitlab_rails'][key] = "#{gitlab_external_url}/-/kubernetes-agent/k8s-proxy/"
+    end
+
+    def parse_gitlab_kas_external_url_using_own_subdomain
+      key = 'gitlab_kas_external_url'
+      return unless Gitlab['gitlab_rails'][key].nil?
+
+      kas_uri = URI(Gitlab[key].to_s)
+
+      raise "gitlab_kas_external_url must include a scheme and FQDN, e.g. wss://kas.gitlab.example.com/" unless kas_uri.host
+
+      # We are temporarily not supporting grpc/grpcs as this requires a bigger change in the NGINX configuration
+      raise "gitlab_kas_external_url scheme must be 'ws' or 'wss'" unless ws_scheme?(kas_uri.scheme)
+      raise "gitlab_kas['listen_websocket'] must be set to `true`" unless gitlab_kas_attr('listen_websocket')
+
+      use_ssl = kas_uri.scheme == 'wss'
+
+      Gitlab['gitlab_kas_nginx']['host'] ||= kas_uri.host
+      Gitlab['gitlab_kas_nginx']['port'] ||= use_ssl ? '443' : '80'
+
+      # set gitlab_kas_nginx configs
+      parse_gitlab_kas_nginx(kas_uri, use_ssl)
+
+      Gitlab['gitlab_rails'][key] = kas_uri.to_s
+    end
+
+    def parse_gitlab_kas_nginx(kas_uri, use_ssl)
+      Gitlab['gitlab_kas_nginx']['enable'] = true
+
+      Gitlab['gitlab_kas_nginx']['https'] ||= use_ssl
+
+      if use_ssl
+        Gitlab['gitlab_kas_nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{kas_uri.host}.crt"
+        Gitlab['gitlab_kas_nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{kas_uri.host}.key"
+
+        LetsEncryptHelper.add_service_alt_name('gitlab_kas')
+      end
+
+      Nginx.parse_proxy_headers('gitlab_kas_nginx', use_ssl, true)
+    end
+
+    def parse_gitlab_kas_external_k8s_proxy_url_using_own_subdomain
+      key = 'gitlab_kas_external_k8s_proxy_url'
+      return unless Gitlab['gitlab_rails'][key].nil?
+
+      kas_uri = URI(Gitlab['gitlab_kas_external_url'].to_s)
+      scheme = kas_uri.scheme == 'wss' ? 'https' : 'http'
+
+      Gitlab['gitlab_rails'][key] = "#{scheme}://#{kas_uri.host}/k8s-proxy/"
+    end
+
+    def build_default_gitlab_kas_external_url
+      # For now, the default external URL is on the subpath /-/kubernetes-agent/
+      # so whether to use TLS is determined from the primary external_url.
+      # See https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5784
+      gitlab_uri = URI(Gitlab['external_url'])
+
+      case gitlab_uri.scheme
+      when 'https'
+        scheme = gitlab_kas_attr('listen_websocket') ? 'wss' : 'grpcs'
+        port = gitlab_uri.port == 443 ? '' : ":#{port}"
+      when 'http'
+        scheme = gitlab_kas_attr('listen_websocket') ? 'ws' : 'grpc'
+        port = gitlab_uri.port == 80 ? '' : ":#{port}"
+      else
+        raise "external_url scheme should be 'http' or 'https', got '#{gitlab_uri.scheme}"
+      end
+
+      "#{scheme}://#{gitlab_uri.host}#{port}#{gitlab_uri.path}/-/kubernetes-agent/"
+    end
+
+    def kas_domain_matches_gitlab_domain?
+      gitlab_uri = URI(Gitlab['external_url'])
+      gitlab_kas_uri = URI(Gitlab['gitlab_kas_external_url'])
+
+      gitlab_uri.host == gitlab_kas_uri.host
+    end
+
+    def gitlab_kas_attr(key)
+      configured = Gitlab['gitlab_kas'][key]
+      return configured unless configured.nil?
+
+      Gitlab['node']['gitlab_kas'][key]
+    end
+
+    def ws_scheme?(scheme)
+      %w[ws wss].include?(scheme)
+    end
+  end
+end
--- a/files/gitlab-cookbooks/gitlab-kas/metadata.rb
+++ b/files/gitlab-cookbooks/gitlab-kas/metadata.rb
+name 'gitlab-kas'
+maintainer 'GitLab.com'
+maintainer_email 'support@gitlab.com'
+license 'Apache 2.0'
+description 'Installs/Configures GitLab KAS'
+long_description 'Installs/Configures the GitLab Kubernetes Agent Server'
+version '0.1.0'
+chef_version '>= 12.1' if respond_to?(:chef_version)
+
+issues_url 'https://gitlab.com/gitlab-org/omnibus-gitlab/issues'
+source_url 'https://gitlab.com/gitlab-org/omnibus-gitlab'
+
+depends 'package'
+depends 'gitlab'
--- a/files/gitlab-cookbooks/gitlab-kas/recipes/disable.rb
+++ b/files/gitlab-cookbooks/gitlab-kas/recipes/disable.rb
+#
+# Copyright:: Copyright (c) 2020 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+runit_service 'gitlab-kas' do
+  action :disable
+end
--- a/files/gitlab-cookbooks/gitlab-kas/recipes/enable.rb
+++ b/files/gitlab-cookbooks/gitlab-kas/recipes/enable.rb
+#
+# Copyright:: Copyright (c) 2020 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+account_helper = AccountHelper.new(node)
+omnibus_helper = OmnibusHelper.new(node)
+redis_helper = NewRedisHelper::GitlabKAS.new(node)
+logfiles_helper = LogfilesHelper.new(node)
+logging_settings = logfiles_helper.logging_settings('gitlab-kas')
+
+working_dir = node['gitlab_kas']['dir']
+env_directory = node['gitlab_kas']['env_directory']
+gitlab_kas_static_etc_dir = '/opt/gitlab/etc/gitlab-kas'
+gitlab_kas_config_file = File.join(working_dir, 'gitlab-kas-config.yml')
+gitlab_kas_authentication_secret_file = File.join(working_dir, 'authentication_secret_file')
+gitlab_kas_private_api_authentication_secret_file = File.join(working_dir, 'private_api_authentication_secret_file')
+
+redis_params = redis_helper.redis_params
+
+redis_password = redis_params[:password]
+redis_password_present = redis_password && !redis_password.empty?
+gitlab_kas_redis_password_file = File.join(working_dir, 'redis_password_file')
+
+redis_sentinels_password = redis_params[:sentinelPassword]
+redis_sentinels_password_present = redis_sentinels_password && !redis_sentinels_password.empty?
+gitlab_kas_redis_sentinels_password_file = File.join(working_dir, 'redis_sentinels_password_file')
+
+redis_tls_ca_cert_file = node['gitlab_kas']['redis_tls_ca_cert_file']
+redis_tls_client_cert_file = node['gitlab_kas']['redis_tls_client_cert_file']
+redis_tls_client_key_file = node['gitlab_kas']['redis_tls_client_key_file']
+
+extra_config_command = node['gitlab_kas']['extra_config_command']
+
+[
+  working_dir,
+  gitlab_kas_static_etc_dir
+].each do |dir|
+  directory dir do
+    owner account_helper.gitlab_user
+    mode '0700'
+    recursive true
+  end
+end
+
+# Create log_directory
+directory logging_settings[:log_directory] do
+  owner logging_settings[:log_directory_owner]
+  mode logging_settings[:log_directory_mode]
+  if log_group = logging_settings[:log_directory_group]
+    group log_group
+  end
+  recursive true
+end
+
+version_file 'Create version file for Gitlab KAS' do
+  version_file_path File.join(working_dir, 'VERSION')
+  version_check_cmd '/opt/gitlab/embedded/bin/gitlab-kas --version'
+  notifies :restart, 'runit_service[gitlab-kas]' if omnibus_helper.should_notify?('gitlab-kas')
+end
+
+file gitlab_kas_authentication_secret_file do
+  content node['gitlab_kas']['api_secret_key']
+  owner 'root'
+  group account_helper.gitlab_group
+  mode '0640'
+  notifies :restart, 'runit_service[gitlab-kas]' if omnibus_helper.should_notify?('gitlab-kas')
+end
+
+file gitlab_kas_private_api_authentication_secret_file do
+  content node['gitlab_kas']['private_api_secret_key']
+  owner 'root'
+  group account_helper.gitlab_group
+  mode '0640'
+  notifies :restart, 'runit_service[gitlab-kas]' if omnibus_helper.should_notify?('gitlab-kas')
+end
+
+file gitlab_kas_redis_password_file do
+  content redis_password
+  owner 'root'
+  group account_helper.gitlab_group
+  mode '0640'
+  notifies :restart, 'runit_service[gitlab-kas]' if omnibus_helper.should_notify?('gitlab-kas')
+  only_if { redis_password_present }
+  sensitive true
+end
+
+file gitlab_kas_redis_sentinels_password_file do
+  content redis_sentinels_password
+  owner 'root'
+  group account_helper.gitlab_group
+  mode '0640'
+  notifies :restart, 'runit_service[gitlab-kas]' if omnibus_helper.should_notify?('gitlab-kas')
+  only_if { redis_sentinels_password_present }
+  sensitive true
+end
+
+template gitlab_kas_config_file do
+  source 'gitlab-kas-config.yml.erb'
+  owner 'root'
+  group account_helper.gitlab_group
+  mode '0640'
+  variables(
+    node['gitlab_kas'].to_hash.merge(
+      authentication_secret_file: gitlab_kas_authentication_secret_file,
+      private_api_authentication_secret_file: gitlab_kas_private_api_authentication_secret_file,
+      redis_network: redis_params[:network],
+      redis_address: redis_params[:address],
+      redis_ssl: redis_params[:ssl],
+      redis_tls_ca_cert_file: redis_tls_ca_cert_file,
+      redis_tls_client_cert_file: redis_tls_client_cert_file,
+      redis_tls_client_key_file: redis_tls_client_key_file,
+      redis_default_port: URI::Redis::DEFAULT_PORT,
+      redis_password_file: redis_password_present ? gitlab_kas_redis_password_file : nil,
+      redis_sentinels_master_name: redis_params[:sentinelMaster],
+      redis_sentinels: redis_params[:sentinels],
+      redis_sentinels_password_file: redis_sentinels_password_present ? gitlab_kas_redis_sentinels_password_file : nil,
+      extra_config_command: extra_config_command
+    )
+  )
+  notifies :restart, 'runit_service[gitlab-kas]' if omnibus_helper.should_notify?('gitlab-kas')
+end
+
+env_dir env_directory do
+  variables node['gitlab_kas']['env']
+  notifies :restart, 'runit_service[gitlab-kas]' if omnibus_helper.should_notify?('gitlab-kas')
+end
+
+runit_service 'gitlab-kas' do
+  options({
+    log_directory: logging_settings[:log_directory],
+    log_user: logging_settings[:runit_owner],
+    log_group: logging_settings[:runit_group],
+    env_directory: env_directory,
+    user: account_helper.gitlab_user,
+    groupname: account_helper.gitlab_group,
+    config_file: gitlab_kas_config_file,
+  }.merge(params))
+  log_options logging_settings[:options]
+  sensitive true
+end
--- a/files/gitlab-cookbooks/gitlab-kas/templates/default/gitlab-kas-config.yml.erb
+++ b/files/gitlab-cookbooks/gitlab-kas/templates/default/gitlab-kas-config.yml.erb
+agent:
+  listen:
+    address: <%= @listen_address %>
+    network: <%= @listen_network %>
+    websocket: <%= @listen_websocket %>
+    <%- if @certificate_file and @key_file %>
+    certificate_file: <%= @certificate_file %>
+    key_file: <%= @key_file %>
+    <%- end %>
+  configuration:
+    poll_period: <%= @agent_configuration_poll_period %>s
+  gitops:
+    poll_period: <%= @agent_gitops_poll_period %>s
+    project_info_cache_ttl: <%= @agent_gitops_project_info_cache_ttl %>s
+    project_info_cache_error_ttl: <%= @agent_gitops_project_info_cache_error_ttl %>s
+  kubernetes_api:
+    listen:
+      address: <%= @kubernetes_api_listen_address %>
+      <%- if @kubernetes_api_certificate_file and @kubernetes_api_key_file %>
+      certificate_file: <%= @kubernetes_api_certificate_file %>
+      key_file: <%= @kubernetes_api_key_file %>
+      <%- end %>
+    url_path_prefix: /
+  info_cache_ttl: <%= @agent_info_cache_ttl %>s
+  info_cache_error_ttl: <%= @agent_info_cache_error_ttl %>s
+gitlab:
+  address: <%= @gitlab_address %>
+  external_url: <%= @gitlab_external_url %>
+  authentication_secret_file: <%= @authentication_secret_file %>
+observability:
+  listen:
+    address: <%= @observability_listen_address %>
+    network: <%=  @observability_listen_network %>
+  usage_reporting_period: <%= @metrics_usage_reporting_period %>s
+  <%- if @sentry_dsn -%>
+  sentry:
+    dsn: <%= @sentry_dsn %>
+    <%- if @sentry_environment -%>
+    environment: <%= @sentry_environment %>
+    <%- end %>
+  <%- end %>
+  logging:
+    level: <%= @log_level %>
+    grpc_level: <%= @grpc_log_level %>
+redis:
+  network: <%= @redis_network %>
+  tls:
+    enabled: <%= @redis_ssl %>
+    <%- if @redis_ssl %>
+    <%- if @redis_tls_ca_cert_file %>
+    ca_certificate_file: "<%= @redis_tls_ca_cert_file %>"
+    <% end %>
+    <%- if @redis_tls_client_cert_file %>
+    certificate_file: "<%= @redis_tls_client_cert_file %>"
+    <% end %>
+    <%- if @redis_tls_client_key_file %>
+    key_file: "<%= @redis_tls_client_key_file %>"
+    <% end %>
+    <% end %>
+  <%- if @redis_password_file %>
+  password_file: <%= @redis_password_file %>
+  <%- end %>
+  <%- if @redis_sentinels.empty? %>
+  server:
+    address: '<%= @redis_address %>'
+  <%- else %>
+  sentinel:
+    master_name: <%= @redis_sentinels_master_name %>
+    addresses:
+    <%- @redis_sentinels.each do |sentinel| %>
+      - '<%= sentinel['host'] %>:<%= sentinel['port'] || @redis_default_port %>'
+    <%- end %>
+    <%- if @redis_sentinels_password_file %>
+    sentinel_password_file: <%= @redis_sentinels_password_file %>
+    <%- end %>
+  <%- end %>
+api:
+  listen:
+    network: <%= @internal_api_listen_network %>
+    address: <%= @internal_api_listen_address %>
+    authentication_secret_file: <%= @authentication_secret_file %>
+    <%- if @internal_api_certificate_file and @internal_api_key_file %>
+    certificate_file: <%= @internal_api_certificate_file %>
+    key_file: <%= @internal_api_key_file %>
+    <%- end %>
+private_api:
+  listen:
+    network: <%= @private_api_listen_network %>
+    address: <%= @private_api_listen_address %>
+    authentication_secret_file: <%= @private_api_authentication_secret_file %>
+    <%- if @private_api_certificate_file and @private_api_key_file %>
+    certificate_file: <%= @private_api_certificate_file %>
+    key_file: <%= @private_api_key_file %>
+    <%- end %>
+config:
+  <%- if @extra_config_command %>
+  command: "<%= @extra_config_command %>"
+  <%- end %>
--- a/files/gitlab-cookbooks/gitlab-kas/templates/default/sv-gitlab-kas-log-config.erb
+++ b/files/gitlab-cookbooks/gitlab-kas/templates/default/sv-gitlab-kas-log-config.erb
+<%= "s#@svlogd_size" if @svlogd_size %>
+<%= "n#@svlogd_num" if @svlogd_num %>
+<%= "t#@svlogd_timeout" if @svlogd_timeout %>
+<%= "!#@svlogd_filter" if @svlogd_filter %>
+<%= "u#@svlogd_udp" if @svlogd_udp %>
+<%= "p#@svlogd_prefix" if @svlogd_prefix %>
--- a/files/gitlab-cookbooks/gitlab-kas/templates/default/sv-gitlab-kas-log-run.erb
+++ b/files/gitlab-cookbooks/gitlab-kas/templates/default/sv-gitlab-kas-log-run.erb
+#!/bin/sh
+exec chpst -P \
+  -U root:<%= @options[:log_group] || 'root' %> \
+  -u root:<%= @options[:log_group] || 'root' %> \
+  svlogd -tt <%= @options[:log_directory] %>
--- a/files/gitlab-cookbooks/gitlab-kas/templates/default/sv-gitlab-kas-run.erb
+++ b/files/gitlab-cookbooks/gitlab-kas/templates/default/sv-gitlab-kas-run.erb
+#!/bin/bash
+
+# Let runit capture all script error messages
+exec 2>&1
+
+<%= render('mount_point_check.erb', cookbook: 'gitlab') %>
+
+exec chpst -e <%= @options[:env_directory] %> -P \
+  -u <%= @options[:user] %>:<%= @options[:groupname] %> \
+  -U <%= @options[:user] %>:<%= @options[:groupname] %> \
+  /opt/gitlab/embedded/bin/gitlab-kas --configuration-file <%= @options[:config_file] %>
\ No newline at end of file
--- a/files/gitlab-cookbooks/gitlab-pages/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab-pages/attributes/default.rb
+####
+# GitLab Pages Daemon
+####
+default['gitlab_pages']['enable'] = false
+default['gitlab_pages']['external_http'] = []
+default['gitlab_pages']['external_https'] = []
+default['gitlab_pages']['external_https_proxyv2'] = []
+default['gitlab_pages']['listen_proxy'] = "localhost:8090"
+default['gitlab_pages']['gitlab_server'] = nil
+default['gitlab_pages']['internal_gitlab_server'] = nil
+default['gitlab_pages']['metrics_address'] = nil
+default['gitlab_pages']['pages_path'] = nil
+default['gitlab_pages']['enable_disk'] = nil
+default['gitlab_pages']['domain'] = nil
+default['gitlab_pages']['cert'] = nil
+default['gitlab_pages']['cert_key'] = nil
+default['gitlab_pages']['redirect_http'] = false
+default['gitlab_pages']['use_http2'] = true
+default['gitlab_pages']['dir'] = "/var/opt/gitlab/gitlab-pages"
+default['gitlab_pages']['log_directory'] = "/var/log/gitlab/gitlab-pages"
+default['gitlab_pages']['status_uri'] = nil
+default['gitlab_pages']['max_connections'] = nil
+default['gitlab_pages']['max_uri_length'] = nil
+default['gitlab_pages']['log_format'] = "json"
+default['gitlab_pages']['artifacts_server'] = true
+default['gitlab_pages']['artifacts_server_url'] = nil
+default['gitlab_pages']['artifacts_server_timeout'] = 10
+default['gitlab_pages']['propagate_correlation_id'] = false
+default['gitlab_pages']['log_verbose'] = false
+default['gitlab_pages']['access_control'] = false
+default['gitlab_pages']['gitlab_id'] = nil
+default['gitlab_pages']['gitlab_secret'] = nil
+default['gitlab_pages']['auth_redirect_uri'] = nil
+default['gitlab_pages']['auth_secret'] = nil
+default['gitlab_pages']['auth_scope'] = nil
+default['gitlab_pages']['auth_timeout'] = nil
+default['gitlab_pages']['auth_cookie_session_timeout'] = nil
+default['gitlab_pages']['insecure_ciphers'] = false
+default['gitlab_pages']['tls_min_version'] = nil
+default['gitlab_pages']['tls_max_version'] = nil
+default['gitlab_pages']['sentry_enabled'] = false
+default['gitlab_pages']['sentry_dsn'] = nil
+default['gitlab_pages']['sentry_environment'] = nil
+default['gitlab_pages']['headers'] = nil
+default['gitlab_pages']['api_secret_key'] = nil
+default['gitlab_pages']['gitlab_client_http_timeout'] = nil
+default['gitlab_pages']['server_shutdown_timeout'] = nil
+default['gitlab_pages']['gitlab_client_jwt_expiry'] = nil
+default['gitlab_pages']['env_directory'] = '/opt/gitlab/etc/gitlab-pages/env'
+# Serving from zip archives fine grained configuration.
+# The recommended default values are set inside GitLab Pages.
+default['gitlab_pages']['zip_cache_expiration'] = nil
+default['gitlab_pages']['zip_cache_cleanup'] = nil
+default['gitlab_pages']['zip_cache_refresh'] = nil
+default['gitlab_pages']['zip_open_timeout'] = nil
+default['gitlab_pages']['zip_http_client_timeout'] = nil
+# API-based fine grained configuration.
+# The recommended default values are set inside GitLab Pages.
+default['gitlab_pages']['gitlab_cache_expiry'] = nil
+default['gitlab_pages']['gitlab_cache_refresh'] = nil
+default['gitlab_pages']['gitlab_cache_cleanup'] = nil
+default['gitlab_pages']['gitlab_retrieval_timeout'] = nil
+default['gitlab_pages']['gitlab_retrieval_interval'] = nil
+default['gitlab_pages']['gitlab_retrieval_retries'] = nil
+# Rate-limiting
+default['gitlab_pages']['rate_limit_source_ip'] = nil
+default['gitlab_pages']['rate_limit_source_ip_burst'] = nil
+default['gitlab_pages']['rate_limit_domain'] = nil
+default['gitlab_pages']['rate_limit_domain_burst'] = nil
+default['gitlab_pages']['rate_limit_tls_source_ip'] = nil
+default['gitlab_pages']['rate_limit_tls_source_ip_burst'] = nil
+default['gitlab_pages']['rate_limit_tls_domain'] = nil
+default['gitlab_pages']['rate_limit_tls_domain_burst'] = nil
+# HTTP Server timeouts
+default['gitlab_pages']['server_read_timeout'] = nil
+default['gitlab_pages']['server_read_header_timeout'] = nil
+default['gitlab_pages']['server_write_timeout'] = nil
+default['gitlab_pages']['server_keep_alive'] = nil
+# _redirects file fine grained configuration.
+# The recommended default values are set inside GitLab Pages.
+default['gitlab_pages']['redirects_max_config_size'] = nil
+default['gitlab_pages']['redirects_max_path_segments'] = nil
+default['gitlab_pages']['redirects_max_rule_count'] = nil
+default['gitlab_pages']['register_as_oauth_app'] = true
+# Experimental - Enable namespace in path
+default['gitlab_pages']['namespace_in_path'] = false
+# Mutual TLS used with GitLab API
+default['gitlab_pages']['client_cert'] = nil
+default['gitlab_pages']['client_key'] = nil
+default['gitlab_pages']['client_ca_certs'] = nil
+
+# Temporarily retain support for `node['gitlab-pages'][*]` usage in
+# `/etc/gitlab/gitlab.rb`
+# TODO: Remove support in 16.0
+default['gitlab-pages'] = Gitlab::Deprecations::NodeAttribute.new(proc { node['gitlab_pages'].to_h }, "node['gitlab-pages']", "node['gitlab_pages']")
--- a/files/gitlab-cookbooks/gitlab-pages/libraries/gitlab_pages.rb
+++ b/files/gitlab-cookbooks/gitlab-pages/libraries/gitlab_pages.rb
+#
+# Copyright:: Copyright (c) 2016 GitLab Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative '../../gitlab/libraries/helpers/authorizer_helper'
+require_relative '../../package/libraries/helpers/shell_out_helper'
+require_relative '../../package/libraries/helpers/logging_helper'
+
+module GitlabPages
+  class << self
+    include ShellOutHelper
+    include AuthorizeHelper
+
+    def parse_variables
+      parse_pages_external_url
+      parse_gitlab_pages_daemon
+      # Only call parse_secrets when not generating a defaults secrets file.
+      parse_secrets unless Gitlab['node'][SecretsHelper::SECRETS_FILE_CHEF_ATTR]
+      parse_automatic_oauth_registration
+    end
+
+    def parse_pages_external_url
+      return unless Gitlab['pages_external_url']
+
+      Gitlab['gitlab_rails']['pages_enabled'] = true if Gitlab['gitlab_rails']['pages_enabled'].nil?
+      Gitlab['gitlab_pages']['enable'] = true if Gitlab['gitlab_pages']['enable'].nil?
+
+      uri = URI(Gitlab['pages_external_url'].to_s)
+
+      raise "GitLab Pages external URL must include a schema and FQDN, e.g. http://pages.example.com/" unless uri.host
+
+      Gitlab['gitlab_rails']['pages_host'] = uri.host
+      Gitlab['gitlab_rails']['pages_port'] = uri.port
+
+      case uri.scheme
+      when "http"
+        Gitlab['gitlab_rails']['pages_https'] = false
+        Nginx.parse_proxy_headers('pages_nginx', false)
+      when "https"
+        Gitlab['gitlab_rails']['pages_https'] = true
+        Gitlab['pages_nginx']['ssl_certificate'] ||= "/etc/gitlab/ssl/#{uri.host}.crt"
+        Gitlab['pages_nginx']['ssl_certificate_key'] ||= "/etc/gitlab/ssl/#{uri.host}.key"
+        Nginx.parse_proxy_headers('pages_nginx', true)
+      else
+        raise "Unsupported GitLab Pages external URL scheme: #{uri.scheme}"
+      end
+
+      raise "Unsupported GitLab Pages external URL path: #{uri.path}" unless ["", "/"].include?(uri.path)
+
+      # FQDN are prepared to be used as regexp: the dot is escaped
+      Gitlab['pages_nginx']['fqdn_regex'] = uri.host.gsub('.', '\.')
+    end
+
+    def parse_gitlab_pages_daemon
+      return unless Gitlab['gitlab_pages']['enable']
+
+      Gitlab['gitlab_pages']['domain'] = Gitlab['gitlab_rails']['pages_host']
+
+      if Gitlab['gitlab_pages']['external_https'] || Gitlab['gitlab_pages']['external_https_proxyv2']
+        Gitlab['gitlab_pages']['cert'] ||= "/etc/gitlab/ssl/#{Gitlab['gitlab_pages']['domain']}.crt"
+        Gitlab['gitlab_pages']['cert_key'] ||= "/etc/gitlab/ssl/#{Gitlab['gitlab_pages']['domain']}.key"
+      end
+
+      Gitlab['gitlab_pages']['pages_root'] ||= (Gitlab['gitlab_rails']['pages_path'] || File.join(Gitlab['gitlab_rails']['shared_path'], 'pages'))
+
+      Gitlab['gitlab_pages']['gitlab_server'] ||= Gitlab['external_url']
+      Gitlab['gitlab_pages']['artifacts_server_url'] ||= Gitlab['gitlab_pages']['gitlab_server'].chomp('/') + '/api/v4'
+
+      Gitlab['pages_nginx']['namespace_in_path'] = Gitlab['gitlab_pages']['namespace_in_path'] if Gitlab['gitlab_pages']['namespace_in_path']
+
+      parse_auth_redirect_uri
+    end
+
+    def parse_auth_redirect_uri
+      return unless Gitlab['gitlab_pages']['access_control']
+      return if Gitlab['gitlab_pages']['auth_redirect_uri']
+
+      pages_uri = URI(Gitlab['pages_external_url'].to_s)
+      parsed_port = [80, 443].include?(pages_uri.port) ? "" : ":#{pages_uri.port}"
+
+      Gitlab['gitlab_pages']['auth_redirect_uri'] =
+        if Gitlab['gitlab_pages']['namespace_in_path']
+          "#{pages_uri.scheme}://#{pages_uri.host}#{parsed_port}/projects/auth"
+        else
+          "#{pages_uri.scheme}://projects.#{pages_uri.host}#{parsed_port}/auth"
+        end
+    end
+
+    def authorize_with_gitlab
+      redirect_uri = Gitlab['gitlab_pages']['auth_redirect_uri']
+      app_name = 'GitLab Pages'
+      oauth_uid = Gitlab['gitlab_pages']['gitlab_id']
+      oauth_secret = Gitlab['gitlab_pages']['gitlab_secret']
+
+      o = query_gitlab_rails(redirect_uri, app_name, oauth_uid, oauth_secret)
+      if o.exitstatus.zero?
+        Gitlab['gitlab_pages']['register_as_oauth_app'] = false
+
+        SecretsHelper.write_to_gitlab_secrets
+        info('Updated the gitlab-secrets.json file.')
+      else
+        warn('Something went wrong while executing gitlab-rails runner command to get or create the app ID and secret.')
+      end
+    end
+
+    def parse_secrets
+      Gitlab['gitlab_pages']['auth_secret'] ||= SecretsHelper.generate_hex(64) if Gitlab['gitlab_pages']['access_control']
+      Gitlab['gitlab_pages']['gitlab_id'] ||= SecretsHelper.generate_urlsafe_base64
+      Gitlab['gitlab_pages']['gitlab_secret'] ||= SecretsHelper.generate_urlsafe_base64
+      Gitlab['gitlab_pages']['api_secret_key'] ||= Base64.strict_encode64(SecureRandom.random_bytes(32))
+    end
+
+    def validate_secrets
+      return unless Gitlab['gitlab_pages']['api_secret_key']
+
+      # Pages and GitLab expects exactly 32 bytes, encoded with base64
+      bytes = Base64.strict_decode64(Gitlab['gitlab_pages']['api_secret_key'])
+      raise "gitlab_pages['api_secret_key'] should be exactly 32 bytes" if bytes.length != 32
+    end
+
+    def parse_automatic_oauth_registration
+      # If GitLab Pages isn't enabled, do nothing.
+      return unless Gitlab['gitlab_pages']['enable']
+
+      # If writing to gitlab-secrets.json file is not explicitly disabled, do
+      # nothing.
+      return if Gitlab['package']['generate_secrets_json_file'] != false
+
+      Gitlab['gitlab_pages']['register_as_oauth_app'] = false
+
+      LoggingHelper.warning("Writing secrets to `gitlab-secrets.json` file is disabled. Hence, not automatically registering GitLab Pages as an Oauth App. So, GitLab SSO will not be available as a login option.")
+    end
+  end
+end
--- a/files/gitlab-cookbooks/gitlab-pages/metadata.rb
+++ b/files/gitlab-cookbooks/gitlab-pages/metadata.rb
+name 'gitlab-pages'
+maintainer 'GitLab.com'
+maintainer_email 'support@gitlab.com'
+license 'Apache-2.0'
+description 'Installs/Configures a GitLab Pages instance'
+long_description 'Installs/Configures a GitLab Pages instance'
+version '0.1.0'
+chef_version '>= 12.1' if respond_to?(:chef_version)
+
+depends 'package'
+depends 'gitlab'
+
+issues_url 'https://gitlab.com/gitlab-org/omnibus-gitlab/issues'
+source_url 'https://gitlab.com/gitlab-org/omnibus-gitlab'
--- a/files/gitlab-cookbooks/gitlab-pages/recipes/disable.rb
+++ b/files/gitlab-cookbooks/gitlab-pages/recipes/disable.rb
+#
+# Copyright:: Copyright (c) 2016 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+runit_service "gitlab-pages" do
+  action :disable
+end
--- a/files/gitlab-cookbooks/gitlab-pages/recipes/enable.rb
+++ b/files/gitlab-cookbooks/gitlab-pages/recipes/enable.rb
+#
+# Copyright:: Copyright (c) 2016 GitLab B.V.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+account_helper = AccountHelper.new(node)
+omnibus_helper = OmnibusHelper.new(node)
+
+working_dir = node['gitlab_pages']['dir']
+env_directory = node['gitlab_pages']['env_directory']
+logfiles_helper = LogfilesHelper.new(node)
+logging_settings = logfiles_helper.logging_settings('gitlab-pages')
+gitlab_pages_static_etc_dir = "/opt/gitlab/etc/gitlab-pages"
+pages_secret_path = File.join(working_dir, ".gitlab_pages_secret")
+
+[
+  working_dir,
+  gitlab_pages_static_etc_dir
+].each do |dir|
+  directory dir do
+    owner account_helper.gitlab_user
+    mode '0700'
+    recursive true
+  end
+end
+
+# Create log_directory
+directory logging_settings[:log_directory] do
+  owner logging_settings[:log_directory_owner]
+  mode logging_settings[:log_directory_mode]
+  if log_group = logging_settings[:log_directory_group]
+    group log_group
+  end
+  recursive true
+end
+
+include_recipe 'gitlab::rails_pages_shared_path'
+
+ruby_block "authorize pages with gitlab" do
+  block do
+    GitlabPages.authorize_with_gitlab
+  end
+
+  only_if { node['gitlab_pages']['access_control'] && node['gitlab_pages']['register_as_oauth_app'] }
+end
+
+# Options may have changed in the previous step
+ruby_block "re-populate GitLab Pages configuration options" do
+  block do
+    node.consume_attributes(
+      { 'gitlab_pages' => Gitlab.sanitized_config['gitlab_pages'] }
+    )
+  end
+end
+
+version_file 'Create version file for Gitlab Pages' do
+  version_file_path File.join(working_dir, 'VERSION')
+  version_check_cmd '/opt/gitlab/embedded/bin/gitlab-pages --version'
+  notifies :restart, "runit_service[gitlab-pages]"
+end
+
+# Delete old admin.secret file
+file File.join(working_dir, "admin.secret") do
+  action :delete
+end
+
+template pages_secret_path do
+  source "secret_token.erb"
+  owner 'root'
+  group account_helper.gitlab_group
+  mode "0640"
+  variables(secret_token: node['gitlab_pages']['api_secret_key'])
+  notifies :restart, "runit_service[gitlab-pages]"
+end
+
+template File.join(working_dir, "gitlab-pages-config") do
+  source "gitlab-pages-config.erb"
+  owner 'root'
+  group account_helper.gitlab_group
+  mode "0640"
+  variables(
+    lazy do
+      {
+        pages_external_http: [node['gitlab_pages']['external_http']].flatten.compact,
+        pages_external_https: [node['gitlab_pages']['external_https']].flatten.compact,
+        pages_external_https_proxyv2: [node['gitlab_pages']['external_https_proxyv2']].flatten.compact,
+        pages_headers: [node['gitlab_pages']['headers']].flatten.compact,
+        api_secret_key_path: pages_secret_path
+      }.merge(node['gitlab_pages'].to_hash)
+    end
+  )
+  notifies :restart, "runit_service[gitlab-pages]"
+end
+
+node.default['gitlab_pages']['env'] = {
+  'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/",
+}
+
+env_dir env_directory do
+  variables node['gitlab_pages']['env']
+  notifies :restart, "runit_service[gitlab-pages]" if omnibus_helper.should_notify?('gitlab-pages')
+end
+
+runit_service 'gitlab-pages' do
+  options({
+    log_directory: logging_settings[:log_directory],
+    log_user: logging_settings[:runit_owner],
+    log_group: logging_settings[:runit_group],
+    env_dir: env_directory,
+  }.merge(params))
+  log_options logging_settings[:options]
+end
--- a/files/gitlab-cookbooks/gitlab-pages/templates/default/gitlab-pages-config.erb
+++ b/files/gitlab-cookbooks/gitlab-pages/templates/default/gitlab-pages-config.erb
+pages-domain=<%= @domain %>
+pages-root=<%= @pages_root %>
+api-secret-key=<%= @api_secret_key_path %>
+<%- if @access_control -%>
+<%- if @gitlab_id -%>
+auth-client-id=<%= @gitlab_id %>
+<%- end -%>
+<%- if @auth_redirect_uri -%>
+auth-redirect-uri=<%= @auth_redirect_uri %>
+<%- end -%>
+<%- if @gitlab_secret -%>
+auth-client-secret=<%= @gitlab_secret %>
+<%- end -%>
+<%- if @auth_secret -%>
+auth-secret=<%= @auth_secret %>
+<%- end -%>
+<%- if @auth_scope -%>
+auth-scope=<%= @auth_scope %>
+<%- end -%>
+<%- if @auth_timeout -%>
+auth-timeout=<%= @auth_timeout %>
+<%- end -%>
+<%- if @auth_cookie_session_timeout -%>
+auth-cookie-session-timeout=<%= @auth_cookie_session_timeout %>
+<%- end -%>
+<%- end -%>
+<%- if @zip_cache_expiration -%>
+zip-cache-expiration=<%= @zip_cache_expiration %>
+<%- end -%>
+<%- if @zip_cache_cleanup-%>
+zip-cache-cleanup=<%= @zip_cache_cleanup %>
+<%- end -%>
+<%- if @zip_cache_refresh-%>
+zip-cache-refresh=<%= @zip_cache_refresh %>
+<%- end -%>
+<%- if @zip_open_timeout-%>
+zip-open-timeout=<%= @zip_open_timeout %>
+<%- end -%>
+<%- if @zip_http_client_timeout-%>
+zip-http-client-timeout=<%= @zip_http_client_timeout %>
+<%- end -%>
+<%- if @listen_proxy-%>
+listen-proxy=<%= @listen_proxy %>
+<%- end -%>
+<%- if @metrics_address-%>
+metrics-address=<%= @metrics_address %>
+<%- end -%>
+<%- if @status_uri -%>
+pages-status=<%= @status_uri %>
+<%- end -%>
+<%- if @max_connections -%>
+max-conns=<%= @max_connections %>
+<%- end -%>
+<%- if @max_uri_length -%>
+max-uri-length=<%= @max_uri_length %>
+<%- end -%>
+<%- if @propagate_correlation_id -%>
+propagate-correlation-id=<%= @propagate_correlation_id %>
+<%- end -%>
+<%- if @log_format -%>
+log-format=<%= @log_format %>
+<%- end -%>
+<%- if @log_verbose -%>
+log-verbose
+<%- end -%>
+<%- if @sentry_enabled -%>
+<%-   if @sentry_dsn-%>
+sentry-dsn=<%= @sentry_dsn %>
+<%-   end -%>
+<%-   if @sentry_environment-%>
+sentry-environment=<%= @sentry_environment %>
+<%-   end -%>
+<%- end -%>
+<%- if @redirect_http-%>
+redirect-http=<%= @redirect_http %>
+<%- end -%>
+<%- if @use_http2-%>
+use-http2=<%= @use_http2 %>
+<%- end -%>
+<%- if @artifacts_server -%>
+<%-   if @artifacts_server_url-%>
+artifacts-server=<%= @artifacts_server_url %>
+<%-   end -%>
+<%-   if @artifacts_server_timeout -%>
+artifacts-server-timeout=<%= @artifacts_server_timeout %>
+<%-   end -%>
+<%- end -%>
+<%- if @gitlab_server -%>
+gitlab-server=<%= @gitlab_server %>
+<%- end -%>
+<%- if @internal_gitlab_server -%>
+internal-gitlab-server=<%= @internal_gitlab_server %>
+<%- end -%>
+<%- if @insecure_ciphers -%>
+insecure-ciphers
+<%- end -%>
+<%- if @tls_min_version -%>
+tls-min-version=<%= @tls_min_version %>
+<%- end -%>
+<%- if @tls_max_version-%>
+tls-max-version=<%= @tls_max_version %>
+<%- end -%>
+<%- if @server_shutdown_timeout -%>
+server-shutdown-timeout=<%= @server_shutdown_timeout %>
+<%- end -%>
+<%- if @gitlab_client_http_timeout -%>
+gitlab-client-http-timeout=<%= @gitlab_client_http_timeout %>
+<%- end -%>
+<%- if @gitlab_client_jwt_expiry -%>
+gitlab-client-jwt-expiry=<%= @gitlab_client_jwt_expiry %>
+<%- end -%>
+<%- unless @pages_external_http.empty? -%>
+listen-http=<%= @pages_external_http.join(',') %>
+<%- end -%>
+<%- unless @pages_external_https.empty? -%>
+listen-https=<%= @pages_external_https.join(',') %>
+<%- end -%>
+<%- unless @pages_external_https_proxyv2.empty? -%>
+listen-https-proxyv2=<%= @pages_external_https_proxyv2.join(',') %>
+<%- end -%>
+<%- unless @pages_external_https.empty? && @pages_external_https_proxyv2.empty? -%>
+root-cert=<%= @cert %>
+root-key=<%= @cert_key %>
+<%- end -%>
+<%- if @gitlab_cache_expiry -%>
+gitlab-cache-expiry=<%= @gitlab_cache_expiry %>
+<%- end -%>
+<%- if @gitlab_cache_refresh -%>
+gitlab-cache-refresh=<%= @gitlab_cache_refresh %>
+<%- end -%>
+<%- if @gitlab_cache_cleanup -%>
+gitlab-cache-cleanup=<%= @gitlab_cache_cleanup %>
+<%- end -%>
+<%- if @gitlab_retrieval_timeout -%>
+gitlab-retrieval-timeout=<%= @gitlab_retrieval_timeout %>
+<%- end -%>
+<%- if @gitlab_retrieval_interval -%>
+gitlab-retrieval-timeout=<%= @gitlab_retrieval_interval %>
+<%- end -%>
+<%- if @gitlab_retrieval_retries -%>
+gitlab-retrieval-retries=<%= @gitlab_retrieval_retries %>
+<%- end -%>
+<%- unless @enable_disk.nil? -%>
+enable-disk=<%= @enable_disk %>
+<%- end -%>
+<%- if @rate_limit_source_ip -%>
+rate-limit-source-ip=<%= @rate_limit_source_ip %>
+<%-end -%>
+<%- if @rate_limit_source_ip_burst -%>
+rate-limit-source-ip-burst=<%= @rate_limit_source_ip_burst %>
+<%-end -%>
+<%- if @rate_limit_domain -%>
+rate-limit-domain=<%= @rate_limit_domain %>
+<%-end -%>
+<%- if @rate_limit_domain_burst -%>
+rate-limit-domain-burst=<%= @rate_limit_domain_burst %>
+<%-end -%>
+<%- if @rate_limit_tls_source_ip -%>
+rate-limit-tls-source-ip=<%= @rate_limit_tls_source_ip %>
+<%-end -%>
+<%- if @rate_limit_tls_source_ip_burst -%>
+rate-limit-tls-source-ip-burst=<%= @rate_limit_tls_source_ip_burst %>
+<%-end -%>
+<%- if @rate_limit_tls_domain -%>
+rate-limit-tls-domain=<%= @rate_limit_tls_domain %>
+<%-end -%>
+<%- if @rate_limit_tls_domain_burst -%>
+rate-limit-tls-domain-burst=<%= @rate_limit_tls_domain_burst %>
+<%-end -%>
+<%- if @server_read_timeout -%>
+server-read-timeout=<%= @server_read_timeout %>
+<%-end -%>
+<%- if @server_read_header_timeout -%>
+server-read-header-timeout=<%= @server_read_header_timeout %>
+<%-end -%>
+<%- if @server_write_timeout -%>
+server-write-timeout=<%= @server_write_timeout %>
+<%-end -%>
+<%- if @server_keep_alive -%>
+server-keep-alive=<%= @server_keep_alive %>
+<%-end -%>
+<%- if @redirects_max_config_size -%>
+redirects-max-config-size=<%= @redirects_max_config_size %>
+<%-end -%>
+<%- if @redirects_max_path_segments -%>
+redirects-max-path-segments=<%= @redirects_max_path_segments %>
+<%-end -%>
+<%- if @redirects_max_rule_count -%>
+redirects-max-rule-count=<%= @redirects_max_rule_count %>
+<%-end -%>
+<%- if @headers -%>
+header=<%= @headers.join(';;') %>
+<%-end -%>
+<%- if @namespace_in_path -%>
+namespace-in-path=<%= @namespace_in_path %>
+<%-end -%>
+<%- if @client_cert -%>
+client-cert=<%= @client_cert %>
+<%-end -%>
+<%- if @client_key -%>
+client-key=<%= @client_key %>
+<%-end -%>
+<%- if @client_ca_certs -%>
+client-ca-certs=<%= @client_ca_certs %>
+<%-end -%>
--- a/files/gitlab-cookbooks/gitlab-pages/templates/default/mount_point_check.erb
+++ b/files/gitlab-cookbooks/gitlab-pages/templates/default/mount_point_check.erb
+<% [node['gitlab']['high_availability']['mountpoint']].flatten.compact.each do |mountpoint| %>
+if ! mountpoint -q '<%= mountpoint %>' ; then
+  echo 'Refusing to start because <%= mountpoint %> is not a mountpoint.'
+  exit 1
+fi
+<% end %>
--- a/files/gitlab-cookbooks/gitlab-pages/templates/default/secret_token.erb
+++ b/files/gitlab-cookbooks/gitlab-pages/templates/default/secret_token.erb
+<%= @secret_token %>
--- a/files/gitlab-cookbooks/gitlab-pages/templates/default/sv-gitlab-pages-log-config.erb
+++ b/files/gitlab-cookbooks/gitlab-pages/templates/default/sv-gitlab-pages-log-config.erb
+<%= "s#@svlogd_size" if @svlogd_size %>
+<%= "n#@svlogd_num" if @svlogd_num %>
+<%= "t#@svlogd_timeout" if @svlogd_timeout %>
+<%= "!#@svlogd_filter" if @svlogd_filter %>
+<%= "u#@svlogd_udp" if @svlogd_udp %>
+<%= "p#@svlogd_prefix" if @svlogd_prefix %>
--- a/files/gitlab-cookbooks/gitlab-pages/templates/default/sv-gitlab-pages-log-run.erb
+++ b/files/gitlab-cookbooks/gitlab-pages/templates/default/sv-gitlab-pages-log-run.erb
+#!/bin/sh
+exec chpst -P \
+  -U root:<%= @options[:log_group] || 'root' %> \
+  -u root:<%= @options[:log_group] || 'root' %> \
+  svlogd <% unless node['gitlab-pages']['log_format'].eql?('json') %>-tt <% end %><%= @options[:log_directory] %>
--- a/files/gitlab-cookbooks/gitlab-pages/templates/default/sv-gitlab-pages-run.erb
+++ b/files/gitlab-cookbooks/gitlab-pages/templates/default/sv-gitlab-pages-run.erb
+#!/bin/bash
+set -e # fail on errors
+
+# Redirect stderr -> stdout
+exec 2>&1
+<%= render("mount_point_check.erb") %>
+
+cd <%= node['gitlab_pages']['dir'] %>
+
+<% headers = [ node['gitlab_pages']['headers'] ].flatten.compact  %>
+
+exec chpst -e <%= @options[:env_dir] %> \
+    /opt/gitlab/embedded/bin/gitlab-pages \
+    -config="<%= node['gitlab_pages']['dir'] %>/gitlab-pages-config" \