Schedule background migration for encrypting runners tokens

2018-11-21 12:35:40 +01:00 · 2018-11-21 12:35:40 +01:00 · c7a39ffa91
parent 64c2377854
commit c7a39ffa91
3 changed files with 59 additions and 1 deletions
--- a/db/post_migrate/20181121111200_schedule_runners_token_encryption.rb
+++ b/db/post_migrate/20181121111200_schedule_runners_token_encryption.rb
@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+class ScheduleRunnersTokenEncryption < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+  BATCH_SIZE = 10000
+  RANGE_SIZE = 100
+  MIGRATION = 'EncryptRunnersTokens'
+
+  MODELS = [
+    ::Gitlab::BackgroundMigration::Models::EncryptColumns::Settings,
+    ::Gitlab::BackgroundMigration::Models::EncryptColumns::Namespace,
+    ::Gitlab::BackgroundMigration::Models::EncryptColumns::Project,
+    ::Gitlab::BackgroundMigration::Models::EncryptColumns::Runner
+  ].freeze
+
+  disable_ddl_transaction!
+
+  def up
+    MODELS.each do |model|
+      model.each_batch(of: BATCH_SIZE) do |relation, index|
+        delay = index * 2.minutes
+
+        relation.each_batch(of: RANGE_SIZE) do |relation|
+          range = relation.pluck('MIN(id)', 'MAX(id)').first
+          args = [model, model.encrypted_attributes.keys, *range]
+
+          BackgroundMigrationWorker.perform_in(delay, MIGRATION, args)
+        end
+      end
+    end
+  end
+
+  def down
+    # no-op
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20181121101802) do
+ActiveRecord::Schema.define(version: 20181121111200) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
--- a/lib/gitlab/background_migration/encrypt_runners_tokens.rb
+++ b/lib/gitlab/background_migration/encrypt_runners_tokens.rb
@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module BackgroundMigration
+    # EncryptColumn migrates data from an unencrypted column - `foo`, say - to
+    # an encrypted column - `encrypted_foo`, say.
+    #
+    # We only create a subclass here because we want to isolate this migration
+    # (migrating unencrypted runner registration tokens to encrypted columns)
+    # from other `EncryptColumns` migration. This class name is going to be
+    # serialized and stored in Redis and later picked by Sidekiq, so we need to
+    # create a separate class name in order to isolate these migration tasks.
+    #
+    # We can solve this differently, see tech debt issue:
+    #
+    # https://gitlab.com/gitlab-org/gitlab-ce/issues/54328
+    #
+    class EncryptRunnersTokens < EncryptColumns; end
+  end
+end