►
From YouTube: Distribution Team Demo - 2020-01-21
Description
The distribution team discusses how we might introduce automatic oauth applications for gitlab pages and grafana into the gitlab helm chart.
A
At
the
same
time,
we
need
these
credentials
to
be
present
in
the
service,
whether
it
be
gitlab
pages
or
mathematical
graphene.
We
need
these
credentials
to
be
present
in
their
configuration
so
right
now
we
don't
have
a
way
to
intervene
between
the
rails,
spot,
spinning
up
and
other
service
ports.
Spinning
up
so
we
cannot
like,
after
the
rail
spots,
have
spin
up
create
this
application,
then
put
those
values
in
configuration
file
then
spin
up
the
service
ports.
A
A
A
So
the
cng
side,
essentially
is
we
assume
there
are
secrets
present
in
the
directory
they
traverse
through
that
directory
and
pick
each
one
of
them
run
a
rails
command
to
register
them
as
earth
applications,
and
we
do
this
in
an
item
potentially
so
that
doing
it
repeatedly
will
not
change
anything
and
on
the
chart
side,
we
provide
everything
that
this
script
needs.
We
mount
these.
A
A
We
already
have
some
a
custom,
instant
setup
kind
of
thing
where
we
enable
a
feature
flag
automatically
during
startup
so
similar
to
that
we
are
running
a
new
new
script
with
the
gitlab
rails
rails,
runner
command,
so
that
it
it
can
access
everyday
rails
context,
and
the
script
essentially
does
traverse
through
a
directory
and
read
the
secret
or
everything.
Each
of
them
are
stardust
files.
We
read
them
and
we
run
the
door
keeper
command.
So
this
command
is
what
we
use
in
omnibus
gitlab.
A
What
I
realized
today
is
we
can
provide
uadn
secret
and
we
can
choose
note
to
ask
door
people
to
create
them.
This
means
the
job
of
creating
the
secrets
can
be
delegated
to
someone
else
in.
In
our
case,
we
already
have
a
generate
secrets,
job
which
does
this,
so
we
can
make
that
job,
create
the
secrets
and
pass
them
on
to
doorkeeper.
A
A
Okay,
we
in
the
migrations
job
spec.
Okay,
before
that,
in
the
general
secrets,
we
create
the
necessary
secrets
so
for
all
the
applications,
we
technically
need
three
details:
one
is
a
application.
Id
one
is
a
secret
name
and
the
other
one
is
the
redirect
url,
where,
after
all
the
indication
it
should
redirect
to
so,
the
secret
contains
both
application,
id
and
application
secret,
and
we
created
it's
a.
A
It
can
be
anything
we
we
go
with
the
convention
of
a
32
character,
alphanumeric
string,
so
cigarettes
generation
will
create
that
we
will
mount
them
in
the
migration
job
spec
so
that
it
matches
whatever
that
script
is
expecting.
So
we
mount
it
to
slash,
etc.
Gitlab
or
sacred
spaces,
appady
app
secret
and
then
the
redirect
url
need
not
be
a
secret.
We,
we
can
compute
that,
so
we
put
that
in
a
config
map
and
mounts
that
also.
A
A
How
can
we
hook
these
to
other
applications,
method
and
graphene,
of
which
we
are
using
the
upstream
charts,
and
we
currently
do
not
have
the
flexibility
of
using
templates
or
anything
like
that
to
compute
all
the
information
we
need
so
in
in
the
mr,
I
kind
of
went
with
a
global
setting
called
gitlab
auth,
to
which
we
can
append
pages,
mathematics,
graph
and
all
those
things,
but
one
problem
is
mathematic.
Has
its
own
settings
structure
for
this,
like
it
uses
config.json.gitlab
settings
for
this.
So
if
we
are
using
gitlab
dot
mattermost,
how?
A
The
then
the
question,
because
should
we
wait
for
that
or
should
we
go
ahead
with
using
it
globals
now
and
when
we
eventually
move
shared
secrets,
job
to
the
root
chart,
we
can
do
any
clean
up
or
refactor
we
want.
So
these
are
essentially
my
questions,
but
I'm
happy
to
hear
if
anyone
has
any
concerns
regarding
the
method
or
comments.
B
Yeah,
I
think
the
moving
it
into
the
migrations
job
seems
like
a
logical
place
to
me.
I
think,
on
the
cng
side,
it
would
be
ideal
if
we
were
able
to
reuse
the
custom
instance
runner
and
specifically
the
custom
instances
like
rails
environment.
So
it
doesn't
have
to
take
that
extra
time
to
boot
up
the
environment,
but
that's
the
the
only
call
out
I
have
on
that
side.
A
B
B
C
A
A
We
can't
do
that
because
we
want
this
to
be
applicable
everywhere,
not
just
the
first
first
run
or
before
the
database
is
seeded,
because
users
can
choose
to
flip
access
control
anytime
or
we
will
be
adding
a
second
way
of
setting
things
like
not
just
on
the
first
database
sheet,
but
always
look
at
this
file
or
this
location
to
automatically
register
applications.
So.
A
C
Okay,
I
see
where
you're
coming
from.
I
would
point
out
that
that
is
exactly
what
we're
doing.
By
putting
this
script
in
place,
though,
the
script
is
not
limited,
specifically
to
the
grafana
that
we
distribute
or
the
pages
that
we
distribute
it
is
set
up
currently
in
such
a
way
that
it
will
just
read
that
directory
and
then
take
every
one
of
them
and
then
go
do
the
registration
for
that
in
theory,
what
happens
if
somebody
alters
that
registration
say?
C
Somebody
goes
in
the
ui
and
changes
the
app
secret
and
then
migrations
job
comes
around
or
even
somebody
just
runs
db
migrate
or
runs
custom,
instant
setup
script
and
triggers
that
and
then
reruns
this
job.
Basically,
will
that
overwrite
things,
or
will
it
behave
in
such
a
way
that
if
the
database
already
has
the
entry
don't
touch
it.
A
A
So
what
we
can
do
is
essentially
split
this
into
two
first
check
for
an
entry
with
this
redirect
uri
and
this
name,
if
not
go
and
create
that
that
will
be
an
additional
check
because
maybe
not
all
four
of
them
will
match.
If
someone
has
changed
something
somehow
but
yeah,
we
can
ensure
almost
item
potency.
A
A
A
B
Yeah,
so
for
other
for
the
other
charts,
where
we've
had
to
do
this,
which
is
things
like
the
postgres
chart.
Basically,
we've
had
to
request
changes
of
the
upstream
charts
to
actually
like,
typically,
we
haven't
had
them
change
their
values.
What
we've
had
them
do
is,
instead
of
rendering,
like
the
grafana.ini.off.gitlab
directly
into
their
config
map,
we
have
them,
do
it
via
a
template.
B
A
A
B
B
C
C
B
Break
for
the
grafana
one
gerard,
maybe
you
remember,
did
we
did
we
encounter
something
like
this?
Did
we
get
around
it
by
basically
creating
our
own
config
map?
Obviously
this
doesn't
solve
the
the
mounting
problem,
but
did
we
for
grafana?
Aren't
we
already
creating
our
own
config
map
and
just
pointing
grafana
at
it,
so
we're
not
actually
using
theirs
for.
B
B
A
B
C
We
may
be
able
to
we'll
just
have
to
look
in
into
what
is
actually
required
to
do
that
in
order
to
get
this
kind
of
behavior
to
function
so
we'll
see,
it's
definitely
gonna
take
a
little
more
look
into
things
and
we
do
need
to
reach
out
to
see
what's
up
with
matter
most,
it's
still
a
scenario
right
now,
where
we
don't
include
matter
most.
We
don't
currently
plan
to
include
matter
most
and
we
need
to
see
the
state
of
their
chart.
A
A
C
A
A
A
C
Like
the
the
current
state
of
how
we're
configuring
grafana
to
consume
the
prometheus
as
deployed
with
the
dashboards
little
that
we
have,
you
know
that's
it's,
it's
not
perfect,
but
we've
made
it
work
in
such
a
way
that
we
don't
actually
have
to
alter
the
upstream
chart.
In
order
to
get
that
to
function,
we
control
gitlab
pages.
We
can
do
whatever
we
need
to
get
that
to
work,
but
that
is
honestly
designed
to
be
a
very
straightforward
chart.
C
It's
just
the
application
and
there
should
be
very
little
of
anything
we
have
to
configure
to
it
besides.
Here
are
your
secrets?
Read
this
file?
Read
this
file
read
this
file
in
theory,
grafana.
We
need
to
get
it
to
that
same
point
of
here's.
Your
secrets
read
this
file.
Read
this
file
read
this
file.
How
we
manage
to
get
from
this
is
the
configuration
map
to
now
the
configuration.
These
are
the
configuration
properties,
and
this
is
the
end
result.
Everything
in
between
is
a
certain
amount
of
flexible.