gitlab: Add ruby script for continuous extending of bot tokens

We are not on top of expiring bot tokens and we usually only notice when someone else points it out. It is also a bit cumbersome to add new bot tokens, so avoid the issue altogether, by just extending the lifetime of the bot tokens continuously. Fix #617

gitlab: Add ruby script for continuous extending of bot tokens
639101e6 · Kristian Klausen · 7de29235 · 639101e6 · 639101e6 · 639101e6
Verified Commit 639101e6 authored 4 months ago by Kristian Klausen
--- a/roles/gluebuddy/defaults/main.yml
+++ b/roles/gluebuddy/defaults/main.yml
--- a/roles/gitlab/files/gitlab-bot-token-extender.service
+++ b/roles/gitlab/files/gitlab-bot-token-extender.service
+[Unit]
+Description=GitLab Bot Token Extender
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/docker exec -t gitlab gitlab-rails runner /opt/gitlab-scripts/gitlab-bot-token-extender.rb
--- a/roles/gitlab/files/gitlab-bot-token-extender.timer
+++ b/roles/gitlab/files/gitlab-bot-token-extender.timer
+[Unit]
+Description=GitLab Bot Token Extender
+
+[Timer]
+OnCalendar=weekly
+Persistent=true
+RandomizedDelaySec=24h
+
+[Install]
+WantedBy=timers.target
--- a/roles/gitlab/tasks/main.yml
+++ b/roles/gitlab/tasks/main.yml
@@ -4,8 +4,11 @@
 - name: Start docker
  service: name=docker enabled=yes state=started

- name: Create directory for gitlab
-  file: path=/srv/gitlab state=directory owner=root group=root mode=0755
+- name: Create directories for gitlab
+  file: path={{ item }} state=directory owner=root group=root mode=0755
+  loop:
+    - /srv/gitlab
+    - /srv/gitlab/scripts

 - name: Start docker gitlab image
  docker_container:
@@ -102,6 +105,7 @@
      - "/srv/gitlab/config:/etc/gitlab"
      - "/srv/gitlab/logs:/var/log/gitlab"
      - "/srv/gitlab/data:/var/opt/gitlab"
+      - "/srv/gitlab/scripts:/opt/gitlab-scripts:ro"

 - name: Prune unused docker images
  docker_prune:
@@ -124,11 +128,19 @@
  tags:
    - firewall

- name: Copy gitlab-cleanup timer and service
+- name: Install ruby script for extending bot tokens
+  template: src=gitlab-bot-token-extender.rb.j2 dest=/srv/gitlab/scripts/gitlab-bot-token-extender.rb owner=root group=root mode=0644
+
+- name: Copy {gitlab-cleanup,gitlab-bot-token-extender} timer and service
  copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
  with_items:
    - gitlab-cleanup.timer
    - gitlab-cleanup.service
+    - gitlab-bot-token-extender.timer
+    - gitlab-bot-token-extender.service

 - name: Activate systemd timers for gitlab-cleanup
-  systemd: name=gitlab-cleanup.timer enabled=yes state=started daemon-reload=yes
+  systemd: name={{ item }} enabled=yes state=started daemon-reload=yes
+  loop:
+    - gitlab-cleanup.timer
+    - gitlab-bot-token-extender.timer
--- a/roles/gitlab/templates/gitlab-bot-token-extender.rb.j2
+++ b/roles/gitlab/templates/gitlab-bot-token-extender.rb.j2
+bots = [{{ gitlab_bots | map("to_json") | join(', ') }}]
+
+bots.each do |username|
+  puts "Bot user: #{username}"
+  user = User.find_by_username(username)
+  user.personal_access_tokens.update_all(expires_at: 12.months.from_now)
+end