►
From YouTube: Distribution Team Demo - 2020-01-21
Description
The distribution team discusses how we might introduce automatic oauth applications for gitlab pages and grafana into the gitlab helm chart.
A
I'm
essentially
gonna
use
this
demo
time
to
discuss
on
one
strategy
to
implement
automatic,
auth
integration
with
our
charts,
so
this
is
required
to
enable
integrate
using
gitlab
as
a
identity
provider
or
what
provided
for
different
apps
that
we
ship,
like
gitlab
pages
for
access,
control
or
graphana
for
gitlab,
sso
and
method,
most
working
levels
also
they
in
a
nutshell
the
problem
is,
we
need
gitlab
to
be
up
and
running
for
us
to
register
an
application
s
and
or
the
application.
A
At
the
same
time,
we
need
these
credentials
to
be
present
in
the
service,
whether
it
be
gitlab
pages
or
mathematical
graphene.
We
need
these
credentials
to
be
present
in
their
configuration
so
right
now
we
don't
have
a
way
to
intervene
between
the
rails,
spot,
spinning
up
and
other
service
ports.
Spinning
up
so
we
cannot
like,
after
the
rail
spots,
have
spin
up
create
this
application,
then
put
those
values
in
configuration
file
then
spin
up
the
service
ports.
A
We
we
don't
have
such
an
option
right
now,
so
we
need
some
way
to
inject
these
variables
somewhere.
During
the
run
time
and
ensure
the
applications
pick
up
these
changes,
so
I
tried
something
and
it
seems
to
work.
A
I
have
linked
it
in
the
demo
notes:
it's
charts
mr1782,
essentially
what
it
does
is
we
tap
to
our
existing
system
of
where
we
run
database
migrations
when
we
spin
up
a
cluster
and
we
at
the
at
the
end
of
that
migrations
job,
we
kind
of
register
every
application
listed
in
the
values
file
as
auth
applications
directly
hitting
the
rails
console
so.
A
A
So
the
cng
side,
essentially
is
we
assume
there
are
secrets
present
in
the
directory
they
traverse
through
that
directory
and
pick
each
one
of
them
run
a
rails
command
to
register
them
as
earth
applications,
and
we
do
this
in
an
item
potentially
so
that
doing
it
repeatedly
will
not
change
anything
and
on
the
chart
side,
we
provide
everything
that
this
script
needs.
We
mount
these.
A
So
let
me
share
my
screen.
A
A
This
is
essentially
the
cng
script.
We
actually
tab
to
the
db
migrate
script.
A
We
already
have
some
a
custom,
instant
setup
kind
of
thing
where
we
enable
a
feature
flag
automatically
during
startup
so
similar
to
that
we
are
running
a
new
new
script
with
the
gitlab
rails
rails,
runner
command,
so
that
it
it
can
access
everyday
rails
context,
and
the
script
essentially
does
traverse
through
a
directory
and
read
the
secret
or
everything.
Each
of
them
are
stardust
files.
We
read
them
and
we
run
the
door
keeper
command.
So
this
command
is
what
we
use
in
omnibus
gitlab.
A
What
I
realized
today
is
we
can
provide
uadn
secret
and
we
can
choose
note
to
ask
door
people
to
create
them.
This
means
the
job
of
creating
the
secrets
can
be
delegated
to
someone
else
in.
In
our
case,
we
already
have
a
generate
secrets,
job
which
does
this,
so
we
can
make
that
job,
create
the
secrets
and
pass
them
on
to
doorkeeper.
A
A
Okay,
we
in
the
migrations
job
spec.
Okay,
before
that,
in
the
general
secrets,
we
create
the
necessary
secrets
so
for
all
the
applications,
we
technically
need
three
details:
one
is
a
application.
Id
one
is
a
secret
name
and
the
other
one
is
the
redirect
url,
where,
after
all
the
indication
it
should
redirect
to
so,
the
secret
contains
both
application,
id
and
application
secret,
and
we
created
it's
a.
A
It
can
be
anything
we
we
go
with
the
convention
of
a
32
character,
alphanumeric
string,
so
cigarettes
generation
will
create
that
we
will
mount
them
in
the
migration
job
spec
so
that
it
matches
whatever
that
script
is
expecting.
So
we
mount
it
to
slash,
etc.
Gitlab
or
sacred
spaces,
appady
app
secret
and
then
the
redirect
url
need
not
be
a
secret.
We,
we
can
compute
that,
so
we
put
that
in
a
config
map
and
mounts
that
also.
A
So
these
three
things
the
script
will
read
app
edit
app
secret
and
redirect
the
uri,
and
it
will
use
those
details
to
create
the
doorkeeper
application.
A
So
this
is
the
premise
there
are
few
things
we
need
to
discuss
and
decide.
One
is
where
should
these
settings
be
placed
so
that
if
users
want
they
can
overrate
them
like,
they
can
not
depend
on
our
general
secrets
but
provide
their
own
secrets
and
two?
A
How
can
we
hook
these
to
other
applications,
method
and
graphene,
of
which
we
are
using
the
upstream
charts,
and
we
currently
do
not
have
the
flexibility
of
using
templates
or
anything
like
that
to
compute
all
the
information
we
need
so
in
in
the
mr,
I
kind
of
went
with
a
global
setting
called
gitlab
auth,
to
which
we
can
append
pages,
mathematics,
graph
and
all
those
things,
but
one
problem
is
mathematic.
Has
its
own
settings
structure
for
this,
like
it
uses
config.json.gitlab
settings
for
this.
So
if
we
are
using
gitlab
dot
mattermost,
how?
A
The
then
the
question,
because
should
we
wait
for
that
or
should
we
go
ahead
with
using
it
globals
now
and
when
we
eventually
move
shared
secrets,
job
to
the
root
chart,
we
can
do
any
clean
up
or
refactor
we
want.
So
these
are
essentially
my
questions,
but
I'm
happy
to
hear
if
anyone
has
any
concerns
regarding
the
method
or
comments.
B
Yeah,
I
think
the
moving
it
into
the
migrations
job
seems
like
a
logical
place
to
me.
I
think,
on
the
cng
side,
it
would
be
ideal
if
we
were
able
to
reuse
the
custom
instance
runner
and
specifically
the
custom
instances
like
rails
environment.
So
it
doesn't
have
to
take
that
extra
time
to
boot
up
the
environment,
but
that's
the
the
only
call
out
I
have
on
that
side.
A
At
least
so,
once
we
open
up
the
rails
context,
let's
reuse
that
right,
yeah,
yeah.
A
B
We
can
use
that
same
yeah.
We
can
get
our
this
script
also
into
the
same
script
that
the
the
rails
runner
is
using
in
the
custom
instance
setup.
Then
we
would
shave
off.
You
know
10
to
30
seconds.
B
C
A
So
I
thought
of
that.
One
of
the
problem
is
it:
it
creates
two
sources
of
truth
for
applications.
It
can
already
be
done
via
the
ui.
If
we
add
some
sort
of
okay
here
is
a
list
of
applications.
Do
this
also,
we
will
go
to
the
problem
of
like
what
we
have
with
initial
root
password.
A
We
can't
do
that
because
we
want
this
to
be
applicable
everywhere,
not
just
the
first
first
run
or
before
the
database
is
seeded,
because
users
can
choose
to
flip
access
control
anytime
or
we
will
be
adding
a
second
way
of
setting
things
like
not
just
on
the
first
database
sheet,
but
always
look
at
this
file
or
this
location
to
automatically
register
applications.
So.
A
C
Okay,
I
see
where
you're
coming
from.
I
would
point
out
that
that
is
exactly
what
we're
doing.
By
putting
this
script
in
place,
though,
the
script
is
not
limited,
specifically
to
the
grafana
that
we
distribute
or
the
pages
that
we
distribute
it
is
set
up
currently
in
such
a
way
that
it
will
just
read
that
directory
and
then
take
every
one
of
them
and
then
go
do
the
registration
for
that
in
theory,
what
happens
if
somebody
alters
that
registration
say?
C
Somebody
goes
in
the
ui
and
changes
the
app
secret
and
then
migrations
job
comes
around
or
even
somebody
just
runs
db
migrate
or
runs
custom,
instant
setup
script
and
triggers
that
and
then
reruns
this
job.
Basically,
will
that
overwrite
things,
or
will
it
behave
in
such
a
way
that
if
the
database
already
has
the
entry
don't
touch
it.
A
So
right
now,
if
some,
you
cannot
change
the
secrets
directly
from
ui.
You
have
to
be
in
the
console
to
do
those.
A
A
So
what
we
can
do
is
essentially
split
this
into
two
first
check
for
an
entry
with
this
redirect
uri
and
this
name,
if
not
go
and
create
that
that
will
be
an
additional
check
because
maybe
not
all
four
of
them
will
match.
If
someone
has
changed
something
somehow
but
yeah,
we
can
ensure
almost
item
potency.
A
A
A
B
Yeah,
so
for
other
for
the
other
charts,
where
we've
had
to
do
this,
which
is
things
like
the
postgres
chart.
Basically,
we've
had
to
request
changes
of
the
upstream
charts
to
actually
like,
typically,
we
haven't
had
them
change
their
values.
What
we've
had
them
do
is,
instead
of
rendering,
like
the
grafana.ini.off.gitlab
directly
into
their
config
map,
we
have
them,
do
it
via
a
template.
B
A
A
B
Well,
so
it
looks
like
they
loop
through
they
do
a
a
range
loop.
B
B
C
Of
actually
reaching
out
to
another
provider
that
we
use
bitnami
and
asking
for
their
input
on
how
they're
dealing
with
some
of
these
things,
if
they're
dealing
with
some
of
these
things,
so
while
the
grafana
upstream
grafana
grafana,
is
where
we
should
look
first,
we
do
have
the
option
of
considering
actually
doing
something
different.
C
C
C
On
how
that
works,
it's
not
something
you
can
actually
template.
There
are
some
implementations
that
actually
allow
you
to
basically
include
a
template
into
your
values,
and
then
it
will
render
the
template
into
that
section.
B
Break
for
the
grafana
one
gerard,
maybe
you
remember,
did
we
did
we
encounter
something
like
this?
Did
we
get
around
it
by
basically
creating
our
own
config
map?
Obviously
this
doesn't
solve
the
the
mounting
problem,
but
did
we
for
grafana?
Aren't
we
already
creating
our
own
config
map
and
just
pointing
grafana
at
it,
so
we're
not
actually
using
theirs
for.
B
B
A
B
Already
wired
it
up
to
like
our
prometheus.
C
To
render
several
a
data
source
config
map
and
a
secret
import.
B
C
We
may
be
able
to
we'll
just
have
to
look
in
into
what
is
actually
required
to
do
that
in
order
to
get
this
kind
of
behavior
to
function
so
we'll
see,
it's
definitely
gonna
take
a
little
more
look
into
things
and
we
do
need
to
reach
out
to
see
what's
up
with
matter
most,
it's
still
a
scenario
right
now,
where
we
don't
include
matter
most.
We
don't
currently
plan
to
include
matter
most
and
we
need
to
see
the
state
of
their
chart.
A
A
B
Yeah,
so
on
the
the
the
mattermost
side,
as
long
as
we
can
like,
we
just
being
that
we're
not
including
it
directly,
people
have
to
install
it
separately.
C
A
A
So
if
we
could
get
the
refiner
to
support
something
like
extra
graphina.ini
like
for
for
some
way
for
us
to
provide
this
thing
technically,
that
might
solve
it
for
graphite
and
pages.
But
the
problem
is
the
next
step
may
have
something
entirely
different.
A
C
C
Like
the
the
current
state
of
how
we're
configuring
grafana
to
consume
the
prometheus
as
deployed
with
the
dashboards
little
that
we
have,
you
know
that's
it's,
it's
not
perfect,
but
we've
made
it
work
in
such
a
way
that
we
don't
actually
have
to
alter
the
upstream
chart.
In
order
to
get
that
to
function,
we
control
gitlab
pages.
We
can
do
whatever
we
need
to
get
that
to
work,
but
that
is
honestly
designed
to
be
a
very
straightforward
chart.
C
It's
just
the
application
and
there
should
be
very
little
of
anything
we
have
to
configure
to
it
besides.
Here
are
your
secrets?
Read
this
file?
Read
this
file
read
this
file
in
theory,
grafana.
We
need
to
get
it
to
that
same
point
of
here's.
Your
secrets
read
this
file.
Read
this
file
read
this
file.
How
we
manage
to
get
from
this
is
the
configuration
map
to
now
the
configuration.
These
are
the
configuration
properties,
and
this
is
the
end
result.
Everything
in
between
is
a
certain
amount
of
flexible.
C
A
C
So
I'm
generally
okay
with
that,
when
using
shared
secrets
that
will
function,
fine,
what
we
have
to
watch
out
for
is.
C
C
C
C
A
C
A
Okay,
we
are
at
the
out
of
time,
so
essentially
my
next
steps
will
be
to
think
more
about
how
to
hook
this
up
with
graphara
and
essentially,
how
can
we
do
this
with
minimal
changes
both
on
our
side
and
upstream
side.
A
C
Yeah
sounds
good
to
me.
I
expect
this
will
take
probably
the
better
part
of
a
week
to
get
through
everything
and
the
amount
of
items
that'll
have
to
be
touched
for
it.
So
don't
think
that
we
expect
this
light
tomorrow.