From c1b043bdb764c39c9d1af4b141b65185b71efae6 Mon Sep 17 00:00:00 2001 From: Pawel Chojnacki Date: Mon, 3 Jul 2017 22:41:33 +0200 Subject: [PATCH] Bring back healthcheck token access to monitoring resources, but mark this as deprecated --- .../requires_whitelisted_monitoring_client.rb | 13 +++++++++-- config/gitlab.yml.example | 3 ++- .../admin_area/monitoring/health_check.md | 23 +++++++++++++++---- .../health_check_controller_spec.rb | 16 +++++++++++++ 4 files changed, 47 insertions(+), 8 deletions(-) diff --git a/app/controllers/concerns/requires_whitelisted_monitoring_client.rb b/app/controllers/concerns/requires_whitelisted_monitoring_client.rb index 92ed559ba8a..25122ddbefa 100644 --- a/app/controllers/concerns/requires_whitelisted_monitoring_client.rb +++ b/app/controllers/concerns/requires_whitelisted_monitoring_client.rb @@ -7,11 +7,20 @@ module RequiresWhitelistedMonitoringClient private def validate_ip_whitelisted! - render_404 unless client_ip_whitelisted? + render_404 unless client_ip_whitelisted? || token_valid? end def client_ip_whitelisted? - Settings.monitoring.ip_whitelist.any? {|e| e.include?(Gitlab::RequestContext.client_ip) } + Settings.monitoring.ip_whitelist.any? { |e| e.include?(Gitlab::RequestContext.client_ip) } + end + + def token_valid? + token = params[:token].presence || request.headers['TOKEN'] + token.present? && + ActiveSupport::SecurityUtils.variable_size_secure_compare( + token, + current_application_settings.health_check_access_token + ) end def render_404 diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index a49929a05b2..c31b7e12fdc 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -552,7 +552,8 @@ production: &base # Built in monitoring settings monitoring: # IP whitelist to access monitoring endpoints - access_whitelist: 127.0.0.0/8 + ip_whitelist: + - 127.0.0.0/8 # # 5. Extra customization diff --git a/doc/user/admin_area/monitoring/health_check.md b/doc/user/admin_area/monitoring/health_check.md index a954840b8a6..23747532d0b 100644 --- a/doc/user/admin_area/monitoring/health_check.md +++ b/doc/user/admin_area/monitoring/health_check.md @@ -5,6 +5,7 @@ - The `health_check` endpoint was [introduced][ce-3888] in GitLab 8.8 and will be deprecated in GitLab 9.1. Read more in the [old behavior](#old-behavior) section. + - [Access token](#access-token) has been deprecated in GitLab 9.4 in favor of [IP Whitelist](#ip-whitelist) GitLab provides liveness and readiness probes to indicate service health and reachability to required services. These probes report on the status of the @@ -12,7 +13,19 @@ database connection, Redis connection, and access to the filesystem. These endpoints [can be provided to schedulers like Kubernetes][kubernetes] to hold traffic until the system is ready or restart the container as needed. -## Access Token +## IP Whitelist + +To access monitoring resources client IP needs to be included in the whitelist. +To add or remove hosts or ip ranges from the list you can edit `gitlab.yml`. + +Example whitelist configuration: +```yaml +monitoring: + ip_whitelist: + - 127.0.0.0/8 # by default only local IPs are allowed to access monitoring resources +``` + +## Access Token (Deprecated) An access token needs to be provided while accessing the probe endpoints. The current accepted token can be found under the **Admin area ➔ Monitoring ➔ Health check** @@ -47,10 +60,10 @@ which will then provide a report of system health in JSON format: ## Using the Endpoint -Once you have the access token, the probes can be accessed: +With default whitelist settings, the probes can be accessed from localhost: -- `https://gitlab.example.com/-/readiness?token=ACCESS_TOKEN` -- `https://gitlab.example.com/-/liveness?token=ACCESS_TOKEN` +- `http://localhost/-/readiness` +- `http://localhost/-/liveness` ## Status @@ -71,7 +84,7 @@ the database connection, the state of the database migrations, and the ability t and access the cache. This endpoint can be provided to uptime monitoring services like [Pingdom][pingdom], [Nagios][nagios-health], and [NewRelic][newrelic-health]. -Once you have the [access token](#access-token), health information can be +Once you have the [access token](#access-token) or your client IP is [whitelisted](#ip-whitelist), health information can be retrieved as plain text, JSON, or XML using the `health_check` endpoint: - `https://gitlab.example.com/health_check?token=ACCESS_TOKEN` diff --git a/spec/controllers/health_check_controller_spec.rb b/spec/controllers/health_check_controller_spec.rb index 15b3cacf623..6c545169450 100644 --- a/spec/controllers/health_check_controller_spec.rb +++ b/spec/controllers/health_check_controller_spec.rb @@ -5,6 +5,7 @@ describe HealthCheckController do let(:json_response) { JSON.parse(response.body) } let(:xml_response) { Hash.from_xml(response.body)['hash'] } + let(:token) { current_application_settings.health_check_access_token } let(:whitelisted_ip) { '127.0.0.1' } let(:not_whitelisted_ip) { '127.0.0.2' } @@ -23,6 +24,21 @@ describe HealthCheckController do get :index expect(response).to be_not_found end + + context 'when services are accessed with token' do + it 'supports passing the token in the header' do + request.headers['TOKEN'] = token + get :index + expect(response).to be_success + expect(response.content_type).to eq 'text/plain' + end + + it 'supports successful plaintest response' do + get :index, token: token + expect(response).to be_success + expect(response.content_type).to eq 'text/plain' + end + end end context 'when services are up and accessed from whitelisted ips' do