AWS Secret Manager is a secure way of storing and managing secrets. These scripts make use of it to retrieve sensitive information required to run gerrit, such as private keys and passwords.
In order to do that, such secrets must be previously uploaded to the secret manager, so that they can be found and used during deployment.
To store the secret you can run the relevant script to upload them to AWS Secret Manager: ./add_secrets_aws_secrets_manager.sh /path/to/your/keys/directory secret_prefix aws-region-id
for example:
./add_secrets_aws_secrets_manager.sh /tmp/secrets secret_prefix us-east-1`
When secret_prefix
is omitted, it is set to gerrit_secret
by default.
The script expects secrets to be available in a specified directory (e.g. /tmp/secrets
).
The expected secrets are the following.
The SSH keys you will need to add are the one usually created and used by Gerrit:
You will have to create the keys and place them for example in /tmp/secrets
directory, which you can then feed to the add_secrets_aws_secrets_manager.sh
script. These SSH host keys are generated by gerrit during the init script, so you could copy them from a previous installation (etc/*key*
files), if you have one.
cp <previous_installation>/etc/*key* /tmp/secrets
If you don't have a previous installation of gerrit you can initialize a new gerrit and copy the generated ones, as follows:
cd /tmp/ wget https://gerrit-releases.storage.googleapis.com/gerrit-<version>.war java -jar gerrit-<version>.war init -d /tmp/foobar --dev --batch --no-auto-start cp /tmp/foobar/etc/*key* /tmp/secrets
You will need to create a secret and put it in a file called registerEmailPrivateKey
in the same directory of the SSH keys (e.g. /tmp/secrets
).
You will need to put the admin LDAP password in a file called ldapPassword
in the same directory of the SSH keys (e.g. /tmp/secrets
).
You will need to put the SMTP password in a file called smtpPassword
in the same directory of the SSH keys (e.g. /tmp/secrets
).
Generate a bearer token to be used for monitoring with Prometheus:
openssl rand -hex 20 > /tmp/secrets/prometheus_bearer_token
You will also need to create private and public SSH keys used by the replication plugin to replicate from primaries to replicas, for example:
ssh-keygen -b 2048 -m PEM -t rsa -f /tmp/secrets/replication_user_id_rsa -q -N ""